Much like your lawn after a good rain, your attack surface will grow rapidly if left unchecked. And an increase in cybersecurity risk comes along with that increase in attack surface size. While risk can’t be eliminated outright (because attack surfaces are always evolving), you can manage it to keep your overall risk levels in line with your risk appetite.

Why is attack surface discovery so important? 

Managing cybersecurity risk begins with identifying your organization’s attack surface. More specifically, you must identify what lurks below the surface — the endpoints, vulnerabilities and other attack vectors that expose your environment. 

Leading security frameworks agree that attack surface discovery is essential for a strong security posture. For instance, the first Function of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) Version 1.1 is Identify, and NIST states, “The activities in the Identify Function are foundational for effective use of the Framework.” Similarly, CIS Controls v8 contains the following Controls: 

  • Control 1 — Inventory and Control of Enterprise Assets   
  • Control 2 — Inventory and Control of Software Assets   
  • Control 7 — Continuous Vulnerability Management  

Put simply, you can’t defend what you don’t know you have. But how do you figure out what you have? 

How do I get started with attack surface discovery? 

Attack surface discovery requires you to take an attacker’s view of your organization to find exploitable assets and associated vulnerabilities. 

Your attack surface has three components: a digital attack surface, a physical attack surface and a human attack surface. Here, we’ll focus primarily on discovering your digital attack surface, although we’ll touch briefly on the other two aspects as well. 

Your digital attack surface includes traditional IT assets — hardware, such as endpoints and servers, as well as software applications — and external internet-facing assets, such as web applications, IPs, domain names, SSL certificates and cloud services. 

Your first step is to account for each element of your digital attack surface and identify your visibility gaps. You can classify each element as: 

  • Known known: Cyber assets that you know are part of your attack surface. 
  • Known unknown: Cyber assets that you know are part of your attack surface but that you may not have visibility into and/or don’t have under management. 
  • Unknown unknown: Cyber assets that may or may not be part of your attack surface — you don’t know. 
  • N/A: Cyber assets that you know with 100% certainty are not part of your attack surface. 

For a more comprehensive overview of your attack surface elements, use our editable attack surface checklist to take inventory. 

Tools for discovering and managing your attack surface 

The next step after classifying your asset types is to figure out what tools or approaches will allow you to close your visibility gaps, turning your known unknowns and unknown unknowns into known knowns. 
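The classification above is easiest to apply by reconciling what your inventory tools already know against what can be observed from the outside. The script below is an added example (not part of the original article, and not a product feature): it takes a constructed CMDB/ITAM export and a constructed set of externally discovered hostnames and sorts every asset into the four buckets, then measures the remaining visibility gap. Hostnames, owners and the "monitored" attribute are all assumptions made for the example.

```python
# Constructed sample data (not from the original article): a CMDB/ITAM export
# keyed by hostname, with the attributes the reconciliation needs.
INVENTORY = {
    "www.example.com":       {"owner": "web-team", "monitored": True},
    "vpn.example.com":       {"owner": "netops",   "monitored": True},
    "legacy.example.com":    {"owner": None,       "monitored": False},
    "db01.corp.example.com": {"owner": "dba",      "monitored": True},
}

# Constructed external discovery results (DNS enumeration, certificate
# transparency, internet-wide scan): hostnames observed from the outside.
DISCOVERED = {
    "www.example.com",
    "vpn.example.com",
    "legacy.example.com",
    "staging-app.example.com",    # absent from inventory: shadow IT candidate
    "old-marketing.example.com",  # absent from inventory
}

# Constructed list of hostnames confirmed out of scope after manual review
# (third-party hosted, transferred domain, and so on).
NOT_APPLICABLE = {"old-marketing.example.com"}


def classify_assets(inventory, discovered, not_applicable):
    """Bucket every hostname into the four categories from the article."""
    buckets = {"known_known": set(), "known_unknown": set(),
               "unknown_unknown": set(), "n/a": set()}
    for host in set(inventory) | discovered | not_applicable:
        if host in not_applicable:
            buckets["n/a"].add(host)
        elif host in inventory:
            attrs = inventory[host]
            # Inventoried but with no owner or no monitoring: you know it is
            # yours, but it is not under management / you lack visibility.
            if attrs["owner"] and attrs["monitored"]:
                buckets["known_known"].add(host)
            else:
                buckets["known_unknown"].add(host)
        else:
            # Seen from the outside but absent from every inventory: you
            # cannot yet say whether it is part of your surface, so triage it.
            buckets["unknown_unknown"].add(host)
    return buckets


def visibility_gap(buckets):
    """Fraction of in-scope assets that are not yet known knowns."""
    in_scope = sum(len(v) for k, v in buckets.items() if k != "n/a")
    gaps = len(buckets["known_unknown"]) + len(buckets["unknown_unknown"])
    return gaps / in_scope if in_scope else 0.0
```

Re-running the reconciliation after each discovery cycle and tracking `visibility_gap` over time shows whether the tools you adopt are actually converting known unknowns and unknown unknowns into known knowns.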

Several more specific solutions fall under the broad umbrella of attack surface management (ASM): cyber asset attack surface management (CAASM), external attack surface management (EASM) and digital risk protection services (DRPS). These tools aggregate findings to more easily identify vulnerabilities, and some also have capabilities for prioritizing and remediating those vulnerabilities, allowing you to act quickly on attack surface insights and reduce risk. 

But organizations have needed to discover and manage their digital attack surfaces since before ASM solutions became available. Instead of ASM solutions, many organizations have leveraged — and continue to leverage — other approaches to do so. 

Approach: Asset discovery tools
  • Description: Find and inventory hardware and software assets connecting to your network.
  • Pros: Already deployed at most organizations. Better than spreadsheets.
  • Cons: Can have blind spots, such as shadow IT, third-party systems and line-of-business applications.

Approach: Breach and attack simulation (BAS)
  • Description: Automatically test threat vectors to gain a deeper understanding of security posture vulnerabilities and validate security controls.
  • Pros: Generates reports on security gaps and prioritizes remediation based on risk.
  • Cons: Only focuses on known attacks. Doesn't provide remediation.

Approach: Cloud security posture management (CSPM)
  • Description: Understand changes in cloud configurations.
  • Pros: Provides real-time visibility into cloud configurations.
  • Cons: Doesn't reveal when configurations drift out of compliance or the potential impact of emerging threats.

Approach: Configuration management database (CMDB)
  • Description: Track changes made to systems.
  • Pros: Already deployed at most organizations.
  • Cons: Doesn't reveal when configurations drift out of compliance or the potential impact of emerging threats.

Approach: Homegrown approach
  • Description: Combine spreadsheets, scripts and manual processes to manage the attack surface.
  • Pros: Inexpensive or free from a pure cost perspective (overlooking analyst hours).
  • Cons: Time-consuming and error-prone. Not scalable or real-time.

Approach: IT asset management (ITAM)
  • Description: Track and monitor assets through their full lifecycle.
  • Pros: Already deployed at most organizations. Better than spreadsheets.
  • Cons: Only covers known and managed assets while overlooking unknown or unmanaged facets of the attack surface.

Approach: Penetration testing (e.g., automated penetration testing tools and penetration testing as a service)
  • Description: Identify vulnerabilities within your network and applications by simulating a cyberattack.
  • Pros: Provides examples of security posture and associated budget priorities.
  • Cons: Only focuses on the first phase of the cyber kill chain: reconnaissance. Also, results are typically point-in-time and only as good as the penetration testers carrying out the simulation.

Approach: Red teaming
  • Description: Provides a comprehensive picture of an organization’s cybersecurity posture by staging a cyberattack simulation against networks, applications, physical safeguards and employees.
  • Pros: Goes beyond penetration testing by focusing on other phases of the cyber kill chain. Also goes beyond the digital attack surface and touches on physical and human attack surfaces.
  • Cons: Results are typically point-in-time and only as good as the penetration testers carrying out the simulation.

Approach: Threat intelligence
  • Description: Access information on threats and other cybersecurity issues.
  • Pros: Arms security experts with intelligence on threats and vulnerabilities.
  • Cons: Geared toward organizations with highly mature security operations consisting of skilled personnel and extensive resources.

Approach: Vulnerability management tools (e.g., scanners)
  • Description: Identify and manage vulnerabilities within your infrastructure and applications.
  • Pros: Already deployed at most organizations.
  • Cons: No visibility into unknown assets. Overwhelming amounts of data.

While these methods don’t offer all the capabilities of a purpose-built ASM solution, they still play important roles in an organization’s IT and security practices. 

In fact, CAASM tools can’t function without data from asset discovery, ITAM, vulnerability management and/or patch management tools. Similarly, EASM complements the threat intelligence and security testing services listed above. 

How do I identify my organization’s physical attack surface? 

The first major component of your organization’s physical attack surface overlaps with your digital attack surface. This is referred to as the endpoint attack surface, and it’s composed primarily of all the endpoints that connect to your network: desktop computers, laptops, mobile devices and IoT devices. The tools and techniques you use to discover your digital attack surface apply here, too. 

The second major component of your physical attack surface is your offices, data centers and other facilities. Again, techniques already used to identify the digital attack surface overlap with the physical attack surface, too. In this case, that’s the physical penetration testing component of red teaming. 

How do I identify my organization’s human attack surface? 

Identifying your human attack surface begins by looking at your org chart. Anyone associated with your organization who can access sensitive information — or prevent others from accessing that information — contributes to your human attack surface. That includes not just full-time employees but also part-time employees, board members, contractors, partners, vendors, suppliers, temps and others. 

Red teaming, a practice used to identify elements of both the digital and physical attack surfaces, can also be used to identify a major component of the human attack surface: employee susceptibility to social engineering. 

Improper user privilege assignment is another major contributor to the human attack surface. Reviewing which systems and data the people who make up your human attack surface can access, and at what level of privilege, is another way to identify parts of that surface. 

I’ve identified my organization’s attack surface. Now what? 

Discovering your attack surface is step one on the path to your end goal: remediating the vulnerabilities that pose the greatest risk to your organization. Taken as a whole, this process is called exposure management.

Attack surface discovery, as we’ve already discussed, is one of the foundations of your security strategy — if you don’t know it’s there, you can’t protect it. Exposure management adds one more foundational pillar, which is determining your risk appetite. This defines how much risk your organization is willing to take on in pursuit of your goals. (You can use this editable template for your risk appetite statement.) 

With these two foundational elements addressed, you can then assess the vulnerabilities you’ve discovered in your attack surface to determine how much risk they pose for your organization, and whether they are within your risk appetite (a process that we cover in depth in this guide to objective cyber risk assessment). 

The vulnerabilities that fall outside your risk appetite are your priorities for remediation, allowing you to focus your efforts where they have the greatest impact.