Preliminary research on attack surface reveals use cases for list vs. graph-based analysis

by

In “A Tacky Graph and Listless Defenders: Looking Beneath the Attack Surface,” JupiterOne researchers expand upon the 2022 State of Cyber Assets Report analysis to better understand the attack surface and attack paths.

The team analyzed more than 272 million nodes from 2,285 organizations, and was guided by a few questions as they performed this research:

  • Where are defenders in the most dire need of graph-based security techniques?
  • How dynamic are attack surfaces and paths?
  • What do 880m triplets* reveal about attack surfaces and paths?
  • What do connectivity and local and global risk exposure reveal about control coverage?


*A triplet is defined as “a unique occurrence of two nodes and one edge.”

Initial findings related to attack paths and the average attack surface


This research into attack surfaces is ongoing, but this preliminary research phase revealed key findings in the following areas:

  • The percentage of the attack surface with a first-degree relationship to the public internet
  • How the attack path to critical assets differs from the path to non-critical assets
  • The difference in attack path variety between critical and non-critical assets
  • What asset connectedness implies in terms of control coverage
  • Whether local and global risk exposure correlated with asset connectivity


Our research team concluded that although defenders are racking up some big wins, there is still a lot defenders don’t understand about attack surfaces. While security basics like MFA and database encryption can greatly reduce your attack surface, there are attack paths that defenders simply cannot discover without understanding the relationships between their assets. These relationships often cannot be recognized without applying a graph-based model.

Lists vs. graphs: Why it matters


John Lambert, a well-known, distinguished engineer at Microsoft, famously said, “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”

For many security practitioners, this quote represents the first moment they realized the value of using graphs to visualize data. It highlights how their reliance on alerts and logs from tools that spit out spreadsheets doesn’t provide a holistic view of their systems and interconnectedness.

This research intends to clarify when a graph-based versus list-based attack surface analysis is most effective.

By understanding just how connected and complex the average attack surface is, security practitioners can make more intentional decisions about what kind of actions they should take to reduce their organization’s attack surface.


Download the paper

This 15-page paper expands on these topics and presents the early findings from JupiterOne’s ongoing attack surface research. You can download your copy anytime, here.

Download the Paper

Sarah Hartland
Sarah Hartland

Sarah is the Director of Demand Generation at JupiterOne. She has been a content creator and curator since 2012, with experience in the media, adtech, and cybersecurity industries. Sarah is passionate about making technical concepts accessible for all.

Keep Reading

Proactive IAM Security: Transforming Identity Security with Actionable Insights | Okta Integration with JupiterOne
December 19, 2024
Blog
Unlocking Proactive Security: How Okta and JupiterOne Elevate IAM Insights

Unlock proactive IAM security with Okta and JupiterOne, gaining real-time insights, enforcing least privilege, and reducing risks in dynamic cloud environments.

Transitioning from Vulnerability Management to Exposure Management | JupiterOne
December 13, 2024
Blog
Transitioning from Vulnerability Management to Exposure Management with JupiterOne

Explore Gartner's latest report on Exposure Management and learn how your organization can prioritize vulnerabilities and minimize exposures.

The Ultimate CAASM Guide for 2025 | JupiterOne
November 20, 2024
Blog
The Ultimate CAASM Guide for 2025

Discover how Cyber Asset Attack Surface Management (CAASM) is providing enhanced visibility of internal and external assets in 2025.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.