Attack Surface
What is an Attack Surface?
An enterprise organization’s attack surface includes all of its network infrastructure, applications, endpoints, IoT devices, and cloud services that could be targeted by a cyber criminal or digital threat actor to gain unauthorized access to the organization’s network or sensitive data assets.
For enterprise IT and SecOps teams, comprehensively mapping, monitoring, and securing the enterprise attack surface is a critical aspect of maintaining security oversight and preventing or mitigating against cyberattacks.
What is an Attack Vector?
An attack vector is a single pathway, means, method, or scenario by which a digital adversary can gain unauthorized access to a targeted organization’s IT systems, sensitive data, or other secured assets.
Attack vectors are described in terms of specific network elements that may be vulnerable to cyberattacks from digital adversaries (e.g. cloud deployments, domains and subdomains, Internet-facing ports, etc.). Often, discussion of attack vectors also includes the specific tactics, techniques, and procedures (TTPs) that might be used to carry out a cyberattack (e.g. phishing attacks, malware, DDoS attacks, exploiting software vulnerabilities, etc.).
Four Types of Attack Surface You Should Know
Each attack vector that comprises an organization’s attack surface represents a single point on the overall surface of vulnerability. Grouping known attack vectors by type can help enterprise SecOps teams choose the right security interventions to effectively protect against cyberattacks.
Below, we introduce four different types of enterprise attack surface and the attack vectors they typically include.
Digital Attack Surface
An organization’s digital attack surface includes all of its web-exposed assets that could serve as attack vectors for a digital adversary or malicious hacker with an Internet connection. An organization’s digital attack surface can be further broken down into two categories: private and public (external).
Private Attack Surface
An organization’s private attack surface includes infrastructure elements, applications, endpoints, cloud deployments, and IoT devices that are deployed inside the organization’s network and are not exposed on the public Internet. The private attack surface includes network elements like:
- Servers, routers, and switches,
- Data storage infrastructure,
- Private and public cloud deployments,
- SaaS applications,
- VPN gateways,
- IDAM services,
- LOB applications,
- Windows, OSX, and Linux clients,
- In-network endpoint devices (e.g. laptops and computers, printers, POS terminals, IoT devices, smartphones and tablets, etc.),
- And more…
Digital adversaries frequently target enterprise networks with viruses, ransomware, or malicious scripts that exfiltrate sensitive data.
External Attack Surface
An organization’s external attack surface consists of its digital assets that live outside the enterprise network and are exposed across the Internet. An organization’s external attack surface often includes assets like:
- IP addresses,
- Web domains,
- Social media profiles,
- Email accounts,
- Business collaboration software platforms,
- Profiles on recruitment, bidding, or business networking websites,
- And more…
A common tactic for digital adversaries is to copy the targeted organization’s digital assets and create web domains, email addresses, or social media accounts to impersonate the organization’s brand, employees, or executives. These fraudulent assets can then be used to scam or defraud the organization’s customers.
Physical Attack Surface
Enterprise security teams also need to think about securing the physical attack surface, which includes organizational assets and data that are generally accessed by employees of the business with authorized physical access to secured locations, systems, or devices.
An organization’s physical attack surface can include servers, computers, mobile devices, and other on-site operational hardware that may be accessed by employees.
While an organization’s digital attack surface may be targeted by digital adversaries around the world, its physical assets are most likely to be compromised by disgruntled employees, malicious insiders, criminals engaged in device theft, or in-person social engineering attacks that manipulate employees into installing malicious software on secure devices.
Three Ways to Secure Your Private Attack Surface
Deploy Antivirus Software
Antivirus software scans programs and files entering your enterprise network to detect, quarantine, and delete malicious software before it can infect and damage the in-network assets that make up your organization’s private attack surface.
Deploy Intrusion Detection System (IDS) Software
Enterprise security teams can deploy IDS software tools to monitor the network, detect suspicious activity that could indicate a network intrusion or data breach, and alert on the activity to SecOps teams who can initiate further investigations.
Adopt a Security Information and Event Management (SIEM) Tool
SIEM software tools aggregate security and event logs from inside the enterprise network to detect and alert on suspicious events or activity and support the incident response process for enterprise SecOps teams.
Three Ways to Secure Your External Attack Surface
Monitor the External Attack Surface at Scale
Publicly exposed assets like web domains, executive email addresses, and social media accounts are vulnerable to cyberattacks that originate outside the organization’s security perimeter, including impersonation attacks, brand abuse, and fraud.
To detect and identify these attacks, enterprise security teams need AI-driven tools that can monitor the external attack surface at scale, including the surface, deep, and dark web, social media, and other channels, for attack chatter, impersonations of brand assets, and other threats.
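One concrete piece of the monitoring described above, and of the impersonating-domain tactic described under the external attack surface, is screening newly observed domains against the organization’s own brand label. The following is an added example, not ZeroFox code: the brand label, the confusable map, and the sample domain feed are all constructed for illustration, and a production tool would decode IDNA labels and use the public suffix list rather than the simplified helpers here.

```python
"""Flag newly observed domains that look like impersonations of a brand label."""
from __future__ import annotations

# Constructed brand label: the registrable label the organization owns.
BRAND = "examplebank"

# Constructed subset of confusable substitutions attackers use (digits, letter
# pairs, Cyrillic homoglyphs). A real tool uses the full Unicode confusables table.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"}


def normalize(label: str) -> str:
    """Lower-case a label, drop separators and fold confusable characters."""
    label = label.lower().replace("-", "").replace("_", "")
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a domain (simplified; ignores multi-part suffixes)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str) -> str | None:
    """Return why a domain looks like a brand impersonation, or None if it does not."""
    label = registrable_label(domain)
    if label == BRAND:          # the organization's own domain
        return None
    norm, bnorm = normalize(label), normalize(BRAND)
    if norm == bnorm:
        return f"confusable match for {BRAND}"
    if edit_distance(norm, bnorm) <= 1:
        return f"edit distance 1 from {BRAND}"
    if bnorm in norm:
        return f"contains brand label {BRAND}"
    return None


def flag_feed(domains: list[str]) -> list[tuple[str, str]]:
    """Run classify() over a feed and return (domain, reason) for suspicious entries."""
    return [(d, r) for d in domains if (r := classify(d)) is not None]
```

A feed such as `["examplebank.com", "examp1ebank.com", "exampleban.com", "examplebank-login.com"]` passed to `flag_feed` leaves the first entry alone and flags the other three with the matching reason.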
Invest in Proactive Threat Intelligence
Threat Intelligence (TI) is curated, timely, actionable information that helps enterprise security teams mitigate or disrupt a security threat. Cybersecurity services vendors like ZeroFox provide their customers with TI coverage that includes domain, social, and digital channel monitoring, as well as protection from account takeover and brand impersonation attacks.
These managed intelligence services help enterprise security teams detect and disrupt targeted brand abuse and impersonation attacks before digital adversaries can defraud their customers.
Leverage Adversary Disruption Capabilities
When attack surface monitoring reveals a credible security threat, enterprise security teams need the ability to launch countermeasures that disrupt and dismantle the attacker’s infrastructure. Adversary disruption capabilities empower security teams with a proactive approach to shielding the external attack surface against cyberattacks.
Secure Your External Attack Surface with ZeroFox
The ZeroFox platform provides digital risk protection, tactical threat intelligence, and adversary disruption to dismantle threats to brands, people, assets, and data across the external attack surface.
Ready to learn more?
Download our free report External Cybersecurity: Protecting Your Organization from Cyberattacks in the Gray Space Outside the Perimeter.