Published on Jan 04, 2024

Attack surface: how to assess it for better protection?

The concept of "attack surface" was born of a simple observation: to protect your information system effectively, you need a complete view of all your assets and their vulnerabilities. Assessing the attack surface is therefore an essential step in any approach to reducing IT risks. 

How can you assess your attack surface? How can it be reduced and monitored to strengthen cybersecurity? Let's take a look at the subject with François Devienne, Head of Operational Security at OverSOC.

What is the "attack surface" in cybersecurity?

Attack surface: definition

The term "attack surface" comes from the field of cybersecurity; the discipline of inventorying, reducing and monitoring it is called Attack Surface Management (ASM). The attack surface is the set of entry points to an information system: every door, well secured or not, that an unauthorized user could try in order to break into the IS.

The various components of the attack surface

"The notion of attack surface is very broad. It covers everything that can be used to connect to or reach services or resources on an information system," explains François Devienne. In short, the attack surface covers every component of the IT system (systems, physical equipment, applications, networks, etc.) and the entry points they expose, in particular those that are misconfigured.

[Figure: the three components of the attack surface]

The evolution of the attack surface with digital transformation

Information systems have become much more complex in recent years, as the digital transformation of organizations has accelerated. This increased use of digital technology has had the effect of increasing access points and extending the attack surface of organizations, as IS comprise more and more layers and overlays.

Digital assets, the real entry points for cyber threats, are also increasingly interconnected and exposed on the Internet. This exposure makes them more vulnerable. Visualizing and controlling the attack surface is becoming a necessity for assessing cyber risks and protecting the organization effectively.

Why evaluate your attack surface?

Risks associated with an unevaluated attack surface

Assessing your attack surface is a prerequisite for any good information system security policy. Without an assessment of your attack surface, it's impossible to become aware of the flaws in your IS (misconfigured router, insecure WiFi network, etc.) and to correct them. Put another way, failing to assess your attack surface means leaving the field wide open to malicious actors, who are only too happy to spot vulnerabilities in your IS and exploit them to gain access to your services and resources.

The expansion of organizations' attack surface goes hand in hand with the proliferation of cyber risks. Unauthorized access and exploitation of resources, elevation of privileges, remote control of IT systems... these are just some of the threats to which organizations that do not control their attack surface are exposed.

Recommendations and best practices

"Assessing your attack surface is not mandatory, but it is one of ANSSI's recommendations for cyber hygiene," explains François Devienne. Good cyber hygiene practices for reducing the attack surface focus first and foremost on architecture, the way in which the network is configured and filtered, and the processes deployed to reduce risks: patch management, vulnerability scanning, application lifecycle, identity management, etc.

Elements to list and secure in order to map your attack surface


Step 1: Identify assets and vulnerabilities

Use of inventory and scanning tools

There are a multitude of inventory and scanning tools available. Nmap is the most "basic" of them: it discovers live hosts, open ports and service versions, which is enough to draw a first map of your IS, and its NSE scripts can flag some known vulnerabilities, although it is not a full vulnerability scanner.

How can we go even further? By aggregating and correlating various data sources: EDR, antivirus, CMDB, results of vulnerability scans, etc. "Cross-referencing all this data allows us to highlight deltas and gaps (Shadow IT, for example) and to bring all the bases up to date. In this way, we can search for assets that may not have been inventoried, and which may not be covered by an EDR or included in the patch management policy, for example", explains François Devienne. The aim of correlating these sources is an exhaustive, up-to-date picture of your IT assets, so that each one can be monitored effectively.
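The cross-referencing described above, as an added example that is not part of the original article or of OverSOC's tooling: four constructed inventories (CMDB, EDR agents, patch policy, vulnerability scan) are set-differenced to surface shadow IT and coverage gaps, then hosts are ranked by business criticality times worst CVSS score. The hostnames, finding labels, field layout and the rule that an un-inventoried host counts as vital are all assumptions made for the illustration.

```python
"""Cross-reference several inventory sources to expose gaps in asset coverage.

Added example (not OverSOC's code or any vendor's export format). The four
dictionaries below are constructed sample data standing in for CMDB, EDR,
patch-management and vulnerability-scanner exports; hostnames, finding
labels and field layout are assumptions made for the illustration.
"""

# CMDB export: hostname -> (business owner, criticality 1 (low) .. 4 (vital))
CMDB = {
    "web01": ("e-commerce", 4),
    "erp01": ("supply-chain", 4),
    "hr-db": ("hr", 3),
    "printsrv": ("it", 1),
}
# Hosts with an EDR agent checking in, and hosts enrolled in patch management
EDR_AGENTS = {"web01", "erp01", "hr-db"}
PATCH_POLICY = {"web01", "hr-db", "printsrv"}
# Vulnerability scan: hostname -> [(finding label, CVSS score)]; labels are
# placeholders, not real advisories
VULN_SCAN = {
    "web01": [("F-001", 9.8)],
    "erp01": [("F-002", 7.5), ("F-003", 5.3)],
    "printsrv": [],
    "nas-old": [("F-004", 8.8)],  # answers on the network, in no other source
}

# Assumption: an asset nobody has inventoried is treated as vital until proven
# otherwise, because nobody is patching or monitoring it either.
UNKNOWN_CRITICALITY = 4


def correlate(cmdb, edr_agents, patch_policy, vuln_scan):
    """Return the deltas between sources: shadow IT and coverage gaps."""
    known = set(cmdb)
    observed = known | set(edr_agents) | set(patch_policy) | set(vuln_scan)
    return {
        "shadow_it": sorted(observed - known),          # seen somewhere, not in CMDB
        "no_edr": sorted(known - set(edr_agents)),       # inventoried, no EDR agent
        "not_patched": sorted(known - set(patch_policy)),
        "never_scanned": sorted(known - set(vuln_scan)),
    }


def prioritize(cmdb, vuln_scan):
    """Rank hosts by criticality x worst CVSS so remediation starts where it hurts."""
    ranked = []
    for host, findings in vuln_scan.items():
        criticality = cmdb[host][1] if host in cmdb else UNKNOWN_CRITICALITY
        worst = max((score for _, score in findings), default=0.0)
        ranked.append((round(criticality * worst, 1), host))
    return [host for score, host in sorted(ranked, reverse=True) if score > 0]


if __name__ == "__main__":
    for gap, hosts in correlate(CMDB, EDR_AGENTS, PATCH_POLICY, VULN_SCAN).items():
        print(f"{gap:14} {', '.join(hosts) or '-'}")
    print("remediation order:", prioritize(CMDB, VULN_SCAN))
```

On the sample data the shadow-IT host `nas-old` ends up second in the remediation order, above a vital but less exposed ERP server, because the unknown host inherits the worst-case criticality: that is the deliberate bias of the assumption, not a property of any real scanner output.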

Monitoring common vulnerabilities: a few examples

"Leaving a server exposed on the Internet with default configurations is a common vulnerability," explains François Devienne. The problem? Such a default configuration can let an attacker into the IS, act on it and exploit resources, up to the point of elevating privileges and becoming domain administrator. "Vulnerabilities can also creep in through the use of protocols that have not been properly encrypted, or behind security updates that have not been carried out".


Step 2: Assess asset criticality and associated risks

Assessing the criticality of assets

"The level of criticality of assets is specific to each company. For a retailer, the entire supply chain is critical, since it is the foundation on which the stores are supplied", notes François Devienne. Being able to determine the criticality level of assets depends precisely on the company's ability to carry out an exhaustive mapping of its information system. This mapping defines the place of each asset within the IT system, its role and its links with other assets. It is also possible to associate a level of criticality with certain users, depending on the services and resources they use.

Threat scenarios and potential impacts

The threat scenarios are numerous: a hacked corporate e-mail account, a Trojan horse or rootkit triggered by opening an attachment, a poorly secured wired or WiFi network, an exposed and vulnerable server, etc. Once this first stage has been completed, the attacker can pivot across the network and proceed to elevate privileges. They then have a free hand to exfiltrate data, deploy ransomware and more. These are all scenarios that can jeopardize data security, paralyze or severely slow down business activity, and cause financial damage.

Risk analysis and management methods

Risk analysis methods are based on IT system mapping, and come under the heading of governance. "First and foremost, the company needs to determine which risks are acceptable and which are not. Once this has been done, measures can be taken to minimize the risks that the company cannot afford to accept. Being able to quantify the cost of service interruptions in euros makes the impact on business very concrete", notes François Devienne.

In addition to ISO standards and best practices in risk analysis, the EBIOS Risk Manager method (published by ANSSI) is recommended for assessing cyber risks and determining the security measures to be deployed to better control these risks.


Step 3: Reduce the attack surface

Strategies for reducing the attack surface

Once you're aware of your attack surface and have assessed the associated risks, the next key step is to choose strategies for reducing it and to implement the appropriate protection measures. Several processes, including architecture, patch management, hardening (the process of securing a system) and monitoring, help to shrink and protect the attack surface.

Network segmentation and isolation of critical assets

Combined with firewall filtering, network segmentation makes it possible to isolate and separate users and internal resources, allowing users to access only those resources that are useful to them (according to their role or IP). "One of the best practices in network architecture is to segment the internal and external parts, so that servers exposed to the Internet and those that are not are not grouped together in the same zone," adds François Devienne. Zero Trust* access control goes a step further than network-level protection.

Security updates and patch management

Managing updates and implementing a patch management policy to correct vulnerabilities (tracking the availability of updates, checking security bulletins, etc.) also help to reduce the attack surface. Using encrypted protocols, with TLS 1.2 as the minimum accepted version, is another important point.


Step 4: Monitor and maintain

Continuous surface monitoring

Assessing the attack surface is a long-term process. The attack surface must be constantly monitored and updated. Regularly re-running inventory and scanning tools, including vulnerability scans, lets you keep a close eye on your attack surface and check that the processes in place are effective. There are a number of actions you can take to protect your attack surface on an ongoing basis: monitor changes to your network infrastructure, keep an eye on vulnerabilities and security bulletins, implement an access and authorization management policy, control the management of security configurations, etc.
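One way to turn the "regularly re-run your scans" advice into a check, as an added example that is not from the original article or from OverSOC: parse two Nmap grepable-output (`-oG`) results and report every host or open service that appeared or disappeared between runs, which is exactly the change a monitoring team wants to see before an attacker does. The two scan results are constructed samples in Nmap's real `-oG` line format; the addresses come from the 203.0.113.0/24 documentation range and the hostnames and banners are invented.

```python
"""Detect changes in the exposed attack surface between two Nmap runs.

Added example, not part of the original article or of any OverSOC tooling.
The two scan results below are constructed samples in Nmap's grepable output
format (-oG); addresses are from the 203.0.113.0/24 documentation range and
the hostnames and service banners are invented for the illustration.
"""
import re

PREVIOUS_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample, run 1)
Host: 203.0.113.10 (web01.example.net)\tStatus: Up
Host: 203.0.113.10 (web01.example.net)\tPorts: 443/open/tcp//https//nginx//\tIgnored State: filtered (999)
Host: 203.0.113.11 (mail01.example.net)\tStatus: Up
Host: 203.0.113.11 (mail01.example.net)\tPorts: 25/open/tcp//smtp//Postfix smtpd//, 587/open/tcp//submission//Postfix smtpd//\tIgnored State: filtered (998)
# Nmap done (constructed sample) -- 16 IP addresses (2 hosts up) scanned
"""

CURRENT_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample, run 2)
Host: 203.0.113.10 (web01.example.net)\tStatus: Up
Host: 203.0.113.10 (web01.example.net)\tPorts: 443/open/tcp//https//nginx//, 8080/open/tcp//http-proxy//Jetty//\tIgnored State: filtered (998)
Host: 203.0.113.11 (mail01.example.net)\tStatus: Up
Host: 203.0.113.11 (mail01.example.net)\tPorts: 25/open/tcp//smtp//Postfix smtpd//, 587/open/tcp//submission//Postfix smtpd//\tIgnored State: filtered (998)
Host: 203.0.113.14 (dev-test.example.net)\tStatus: Up
Host: 203.0.113.14 (dev-test.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 9.6//, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
# Nmap done (constructed sample) -- 16 IP addresses (3 hosts up) scanned
"""

# One "Host:" line per scanned host carries the port list, tab-separated from
# the address; each port entry is port/state/proto/owner/service/rpc/version/
HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]+)", re.MULTILINE)


def parse_gnmap(text):
    """Map each host address to the set of (port, proto, service) found open."""
    exposure = {}
    for match in HOST_LINE.finditer(text):
        address, ports_field = match.group(1), match.group(3)
        open_services = set()
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue  # closed/filtered ports are not exposure
            open_services.add((int(fields[0]), fields[2], fields[4]))
        exposure[address] = open_services
    return exposure


def diff_exposure(before, after):
    """Report which hosts and open services appeared or disappeared between two scans."""
    report = {"new_hosts": sorted(set(after) - set(before)),
              "gone_hosts": sorted(set(before) - set(after)),
              "opened": {}, "closed": {}}
    for address in set(before) | set(after):
        opened = after.get(address, set()) - before.get(address, set())
        closed = before.get(address, set()) - after.get(address, set())
        if opened:
            report["opened"][address] = sorted(opened)
        if closed:
            report["closed"][address] = sorted(closed)
    return report


if __name__ == "__main__":
    changes = diff_exposure(parse_gnmap(PREVIOUS_SCAN), parse_gnmap(CURRENT_SCAN))
    for address in changes["new_hosts"]:
        print(f"NEW HOST     {address}: {changes['opened'][address]}")
    for address, services in changes["opened"].items():
        if address not in changes["new_hosts"]:
            print(f"NEW SERVICE  {address}: {services}")
    for address, services in changes["closed"].items():
        print(f"CLOSED       {address}: {services}")
```

Run against the two samples, the script flags a new host with SSH and RDP exposed and a new port 8080 on the web server: both are the kind of unreviewed change (a forgotten test machine, a service left listening after a deployment) that widens the surface between two annual pentests. Feed it your own `nmap -sV -oG` output from successive runs to get the same report.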

Source : ITPro.fr

Penetration testing and periodic evaluation

Penetration testing can be part of an approach to managing your attack surface. For a test covering the whole information system, the pentester generally starts with access to the network and a user account. His or her mission: to test all entry points to the information system, and to identify vulnerabilities that could be used in computer attacks.


Pentests can also focus on specific services. "The frequency of pentests depends on the criticality of the services to be tested. For exposed services, we recommend 1 to 2 pentests per year. You could, for example, plan two phases: one in black box mode, and the second with a little more data (a user account to log in, for example)", advises François Devienne.

Attack surface control is an integral part of IT protection and risk reduction. Carried out methodically (identification of assets and vulnerabilities, assessment of the criticality of assets and risks, reduction of the attack surface, continuous monitoring), attack surface assessment contributes to the development of a proactive cybersecurity posture.

*Zscaler's Zero Trust definition: Zero Trust is a framework for securing businesses in a mobile and cloud world. It stipulates that no user or application should be considered trusted by default.

The aim of zero trust is to add contextual elements to allow or block access to one or more corporate resources, regardless of where they are installed (cloud or on-premise).

Before access is granted, a number of additional checks are carried out (corporate device or not, presence of an EDR or antivirus, updates applied, origin of the connection such as the country, MFA, etc.).