Ever since humans decided to wage war, reducing the engagement attack surface has been a strategic consideration (e.g., castle moats and Kevlar body armor) that minimizes vulnerabilities and improves the odds of surviving.
What are real-world digital attack surfaces?
With cybersecurity morphing into cyberwarfare, military strategy such as attack-surface reduction is becoming an important part of a cybersecurity professional’s repertoire.
Case in point: In the paper Cyber Resiliency Design Principles (PDF), coauthors Deborah Bodeau and Richard Graubart spend a great deal of time describing digital attack surfaces and the implications of their presence. The report from the Mitre Corporation (a company well-versed in warfare, cyber and otherwise) defines attack surfaces of information systems as:
“Exposed areas that make those systems more vulnerable to cyberattacks. The exposed areas include any accessible areas where weaknesses or deficiencies in information systems (including the hardware, software, and firmware components) provide opportunities for adversaries to exploit vulnerabilities.”
In Stephen Northcutt’s SANS Security Laboratory: Defense In Depth article The Attack Surface Problem, he offers the following examples of real-world attack surfaces:
- Open ports on outward-facing web servers;
- Services available inside the firewall perimeter;
- Code that processes incoming data, email, XML, and office documents; and
- An employee with access to sensitive information who is socially engineered.
Additionally, Katherine Brocklehurst writes in her Tripwire article Understanding What Constitutes Your Attack Surface, “A typical attack surface has complex interrelationships among three main areas of exposure: software, network, and the often-overlooked human attack surface.”
Here is what Brocklehurst says about each of these areas.
Software attack surfaces are unwanted vulnerabilities found across various types of software, including applications, email services, configurations, compliance policies, databases, executables, DLLs, web pages, mobile apps, and operating systems.
Network attack surfaces are weaknesses associated with networking components, applications, and firmware: in particular, ports, protocols, channels, devices, and their interfaces. Depending on the organization’s infrastructure, cloud servers, data, systems, and processes may also need to be considered as network attack surfaces.
Human attack surfaces are a complex range of vulnerabilities. “Many breaches begin with an exploit directed at humans, and it’s very clear that malicious intent, inadvertent errors, and misplaced trust can all be exploited to cause great harm,” writes Brocklehurst. “Examples of successful attacks vary widely (most notably phishing and spear-phishing), and a comprehensive index should include processes, physical security, and privileges–in particular, the ability to attach, read, and write to removable devices.”
Attack surfaces are growing in size
The size of attack surfaces matters, and these surfaces are getting larger. The press release for the Trend Micro report Paradigm Shifts: Trend Micro Security Predictions for 2018 notes:
“Trend Micro predicts an increase in Internet of Things vulnerabilities as more devices are manufactured without security regulations or industry standards. Overall, the increased connectivity and enlarged attack surfaces present new opportunities for cybercriminals to leverage known issues to penetrate a corporate network.”
How to eliminate attack surfaces as a cybersecurity problem
Bodeau and Graubart suggest large attack surfaces are difficult to defend due to the amount of ongoing effort needed to monitor, analyze, and respond to anomalies. The coauthors of the Mitre report added, “Reducing attack surfaces lowers ongoing costs and makes the adversary concentrate efforts on a small set of locations, resources, or environments that can be more effectively monitored and defended.”
To eliminate attack surfaces as a problem, Bodeau and Graubart suggest the following.
Reduce the area and exposure of the attack surface by applying the principles of least privilege and least functionality (i.e., restricting ports, protocols, functions, and services), employing layered defenses, deprecating unsafe functions, and eliminating Application Programming Interfaces (APIs) that are vulnerable to cyberattacks.
Reduce the accessibility of the attack surface by limiting the amount of time adversaries have (i.e., the window of opportunity) to initiate and complete cyberattacks.
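One way to check least functionality on a single host is to compare its listening sockets against a baseline of what its role needs. The Python sketch below is an added example, not taken from the Mitre paper or the article; the `ss -H -tuln` sample output and the approved port list are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not from the article).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:6379       0.0.0.0:*
udp   UNCONN 0      0               [::]:161           [::]:*
tcp   LISTEN 0      128             [::]:443           [::]:*
"""

# Hypothetical baseline: the only (protocol, port) pairs this host's role needs.
APPROVED = {("tcp", 22), ("tcp", 443)}


def parse_listeners(ss_output):
    """Return (proto, address, port) for each socket line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        if addr == "*":
            addr = "::"  # ss prints * for a dual-stack wildcard bind
        listeners.append((proto, addr, int(port)))
    return listeners


def audit(listeners, approved):
    """Flag listeners reachable beyond loopback that are not in the baseline."""
    findings = []
    for proto, addr, port in listeners:
        if ipaddress.ip_address(addr).is_loopback:
            continue  # reachable only from the host itself
        if (proto, port) not in approved:
            findings.append((proto, addr, port))
    return sorted(set(findings))


if __name__ == "__main__":
    for proto, addr, port in audit(parse_listeners(SAMPLE_SS), APPROVED):
        print(f"unapproved listener: {proto}/{port} on {addr}")
```

Each finding is a service to disable, bind to loopback, or justify and add to the baseline.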
For businesses that do not have the expertise or personnel to reduce the area, exposure, and access to attack surfaces, there is help. Illusive Networks, a company started in 2014, unveiled Attack Surface Manager (ASM) at RSA 2018. The company’s announcement includes the following quote:
“Illusive’s Attack Surface Manager preempts advanced attacks by identifying hidden credentials that enable lateral movement and otherwise facilitate advanced attacks. Representing a transformational expansion of the role of deception-based cyber defense in the kill chain, ASM proactively reveals policy violations, and empowers security professionals to make the first move by depriving attackers of the keys they need to reach critical assets before an attack ever takes place.”
Ofer Israeli, CEO of Illusive Networks, further explains in this YouTube video, “For years, organizations have felt at the mercy of sophisticated attackers who maneuver within their network undetected for months. By removing the very elements attackers need to progress, ASM stops the attack before it creates a business crisis.”
Put simply, the idea is to move the uncertainty from the defenders to the attackers using deception. The company has garnered both interest and recognition for ASM, including being named to The Wall Street Journal’s 2017 List of Tech Companies to Watch.