A Security Leader’s Guide to Reducing Attack Surface Complexity
Security leaders across the globe are under increased pressure to manage their growing attack surface and ensure due diligence is being done to secure their business against cyber threats. To meet these demands, security leaders must have a comprehensive understanding of all entry points into their organization's network, including web applications, remote access points, network infrastructure, and cloud services.
However, only 9% of organizations think they monitor 100% of their attack surface, and considering organizations typically discover somewhere in the range of 40% more assets when using an automated scanner (CSO), it’s fair to have reservations about whether that 9% is truthful.
Since many organizations lack visibility into their entry points, even if they think otherwise, it begs the question of how can security leaders defend and build security processes around what they can’t see?
To help organizations navigate this complex digital environment, we sat down with Geoff Brown, VP of Global Intelligence Platforms at Recorded Future and Former CISO of New York City to learn how Recorded Future Attack Surface Intelligence is helping security teams secure their business. Below are five pieces of advice we learned to help you reduce attack surface complexity.
#1: There is Always an Adversary
In our first Exploring the Attack Surface video, Geoff describes looking at your attack surface the same way you would look at a chess board: “The technology is all the pieces and the environment that you’re playing the game in, but you always have an adversary sitting across the table from you who’s trying to thwart your every move.” The latter part of the quote is the critical piece to pick up on: there’s always an adversary.
Digital transformation initiatives have led to an explosion of assets on the public internet, making it increasingly difficult for organizations to maintain a persistent view of their internet-facing assets. To compound this problem, assets move, change, and appear constantly, and this dynamic nature means traditional manual asset inventory processes simply cannot keep up. On the other hand, attackers are using large scale automation to enumerate everything that’s vulnerable on the internet in minutes to hours. According to Recorded Future Threat Researcher Lindsay Kaye, many threat actors will use openly available tools to identify open ports or specific software installed on the system.
To highlight the importance of understanding your attack surface and securing your business from adversaries, 69% of organizations have experienced some type of cyberattack in which the attack itself started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset (CSO). Gaining an outside-in view of what an adversary sees gives defenders an important perspective on which assets could be at risk and where to prioritize remediation efforts before exploits happen, providing a significant advantage for defenders.
#2: You Need a Comprehensive Approach
Think of all the different applications that create digital doorways into your organization: web applications, email systems, remote access systems, websites, cloud services, login pages and more. Most enterprises have thousands of internet-facing assets, with more and more being added each day.
In the Dealing with Change video, Geoff mentions, “It’s pretty essential you’re taking a comprehensive approach… otherwise you’re in the dark”. We’ve already mentioned the perils of being in the dark when it comes to asset visibility, but having a comprehensive approach isn’t just about cataloging your assets, it’s also about knowing if an asset is vulnerable, if it’s being hosted in a location that’s out-of-policy, or if an adversary has shown an intent to exploit a specific vulnerability.
#3: Enforcing Security Policies Requires Regular Checks
Security leaders put in a significant amount of effort, time, and resources creating security policies that reduce risk and secure the business. However, these days 41% of employees can acquire, modify, or create technology outside IT’s visibility, a number that is likely to grow to 75% by 2027 (Gartner).
Employees may be innocently going outside of security policies for convenience, out of habit, or to avoid detection. Either way, the effect is the same. They’re setting you up for policy violations and security lapses.
To combat against this, Geoff remarks in our Policy Enforcement video that using Recorded Future Attack Surface Intelligence provides a “Check across your total asset base to see whether or not the compute infrastructure is up to policy and then is configured to the standards that your organization has adopted.”
We don’t want all effort that has gone into creating and enforcing security policy to go to waste, a continual check to make sure new assets are being spun up with proper hygiene is a critical aspect of making your organization truly defensible.
#4: Context is Key
Not all risks are the same, and not all risks deserve the same attention. An unpatched vulnerability on a critical server that is accessible from the internet poses a far greater risk to your organization than an end of life software application you have running. Context on what needs to be prioritized for remediation is crucial. Additionally, context is key when understanding the total attack surface that needs to be defended.
In our Taking Action video Geoff explains that, “Any security organization needs to really pursue two things. One, are all of their assets in a defensible environment? Two, are those assets up to the standards and configurations necessary for protecting your environment?”
Many organizations are surprised to find out how many hosting providers they have, how many assets aren’t behind a WAF, or that they have publicly exposed dev sites. In order to pursue these two components, context is required as to what assets truly belong to your organization, and if something needs to be done to ensure they’re protected.
#5: Access to Intelligence Leads to Informed Decisions
Security leaders spend their days in continual pursuit of information around what’s been identified as vulnerable and what to do about it. In the Prioritizing Threats video Geoff points out, “You need intelligence if you’re going to make an informed decision and if you’re going to advise to make a change to your technology or business environment”.
Intelligence provides an advantage to identify and get ahead of risks that matter, make the right decisions for your organization, and build resilience, at the speed and scale of today’s threat environment. Security leaders can leverage intelligence to gain an outside-in view of their infrastructure and an inside-out view of which adversaries could be targeting them, their peers, or critical vendors in their supply chain.
Operating in a digitally-connected global environment requires constant protection of your attack surface, as you never know when a new piece of malicious software can spread and impact your operations.
Your organization is likely undertaking some type of digital transformation project, layering more systems into your IT networks to support remote work, and increasing channels and digital interactions with employees and customers, all of which creates new attack vectors that must be secured. Staying ahead of this complexity requires real-time intelligence to craft a defensive strategy that makes it possible to identify infrastructure, prioritize remediation efforts, and ultimately automate the identification of exploitable internet-accessible assets.
If you’d like to learn more about how Attack Surface Intelligence shines a light on blind spots to protect what you can’t see, get started by requesting a demo.