Attack surface analysis is the process of identifying and mapping the parts of your attack surface that need to be reviewed for gaps and vulnerabilities, and then keeping that map current through continuous monitoring and remediation.
Before the rapid migration to the cloud, attack surfaces were much more controllable. They lacked the dynamic, ephemeral nature of today’s attack surfaces. Additionally, modern “cyber assets” encompass a lot more than they used to; they now include anything that is software defined and ephemeral: hosts, containers, functions, identities, and the policies and relationships between them. This broader definition creates a lot more complexity for the average security team to handle.
Attack surface analysis can help wrangle your attack surface into a manageable size by not only searching for gaps that could lead to external exploitation, but also identifying the why behind your CVEs.
Looking beneath the attack surface
Conducting an attack surface analysis can only be effective if you have a solid foundation. Cyber asset attack surface management (CAASM) platforms such as JupiterOne serve as that foundation by giving you a comprehensive look into your attack surface.
Many security practitioners (and humans in general) work from spreadsheets and lists because they are easier for us to process. The caveat, however, is that as long as we’re thinking in lists rather than graphs, we remain at least one step behind the attacker. Attackers view your attack surface as a network of connected entities that eventually lead them to your business’ critical assets - the infamous crown jewels.
When conducting attack surface analysis, knowing your potential attack paths is as important as knowing how far your attack surface extends. We conducted an analysis of 2,285 organizations to identify common themes across attack surfaces and were surprised to find that critical assets are often closer to the internet than non-critical assets. Furthermore, critical asset paths were less varied than their non-critical counterparts. While this could be attributed to a variety of factors, we hypothesized that security teams’ extra attention to the critical asset lifecycle breeds predictability, a scenario in which an attacker can reasonably predict the path to a critical asset. By leveraging a CAASM platform’s querying capabilities and relational context, these types of analyses and findings can be uncovered far faster than by manually connecting the dots.
How to conduct your attack surface analysis
At JupiterOne, we’re guided by a few core questions:
- What do I have in my cyber asset environment?
- Of these assets, which ones are most important?
- Do these important assets have a problem?
- Who is responsible for fixing these problems?
- Are we getting better over time?
Because today’s digital environments are so large, dynamic, and complex, continuously answering these questions ensures that your priorities remain valid and up-to-date. Attack surface analysis lives between the questions “what is important?” and “who is the asset owner?”
- Set your scope: Audit your environment to understand where security attention is most urgently needed. This comes from knowing what assets live in your environment, as well as which of those assets your team has marked “critical.”
- Visualize and understand your attack paths: JupiterOne provides out-of-the-box queries that can be useful in attack surface analysis and visualizations. For example, you can ask “where are my production hosts with medium or high vulnerability findings?” or “what are my vulnerable assets with relationships to hosts, production, or containers?” and visualize how those assets connect to others in your environment.
- Form a remediation plan: Find the individual or team who owns the weak area in question and work with them to remediate it.
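The three steps above, and the "critical assets are closer to the internet" analysis described earlier, can be worked through on a small asset graph. The following is an added example written for this article; it is not JupiterOne product code or J1QL, and the asset names, relationships, findings and owners are constructed for illustration. It treats the inventory as a directed "can reach" graph, runs a breadth-first search from the internet node, compares the mean hop count of critical versus non-critical assets, answers the "production hosts with medium or high findings" question, and produces a remediation queue ordered by criticality and exposure with the responsible owner attached.

```python
from collections import deque

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample inventory (hypothetical names; not real JupiterOne data).
# "critical" is the team's own tag, "production" the environment flag.
ASSETS = {
    "internet":     {"type": "Internet",     "critical": False, "production": True,  "owner": None},
    "lb-prod":      {"type": "LoadBalancer", "critical": False, "production": True,  "owner": "platform-team"},
    "web-prod-1":   {"type": "Host",         "critical": False, "production": True,  "owner": "web-team"},
    "api-prod-1":   {"type": "Host",         "critical": True,  "production": True,  "owner": "api-team"},
    "db-customers": {"type": "Database",     "critical": True,  "production": True,  "owner": "data-team"},
    "backup-vault": {"type": "Database",     "critical": True,  "production": True,  "owner": "data-team"},
    "bastion":      {"type": "Host",         "critical": False, "production": True,  "owner": "platform-team"},
    "ci-runner":    {"type": "Host",         "critical": False, "production": False, "owner": "devex-team"},
    "wiki-staging": {"type": "Host",         "critical": False, "production": False, "owner": "it-team"},
}

# Directed "can reach" relationships: source can open a connection to target.
# backup-vault deliberately has no inbound edge, so it is unreachable here.
EDGES = [
    ("internet", "lb-prod"),
    ("internet", "api-prod-1"),      # critical host exposed directly
    ("internet", "bastion"),
    ("lb-prod", "web-prod-1"),
    ("lb-prod", "api-prod-1"),
    ("web-prod-1", "api-prod-1"),
    ("api-prod-1", "db-customers"),
    ("bastion", "ci-runner"),
    ("bastion", "wiki-staging"),
    ("ci-runner", "wiki-staging"),
]

# Constructed vulnerability findings as (asset, severity).
FINDINGS = [
    ("web-prod-1", "medium"),
    ("api-prod-1", "high"),
    ("db-customers", "low"),
    ("backup-vault", "high"),
    ("ci-runner", "high"),
    ("wiki-staging", "medium"),
]


def build_graph(edges):
    """Adjacency list keyed by asset name; every inventoried asset gets a node."""
    graph = {name: [] for name in ASSETS}
    for src, dst in edges:
        graph[src].append(dst)
    return graph


def shortest_paths(graph, source):
    """BFS from source. Returns {asset: shortest path as a list of hops}.
    Assets absent from the result are not reachable from source."""
    paths = {source: [source]}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def mean_hops_by_criticality(paths):
    """Mean hop count from the internet for critical vs non-critical reachable assets."""
    buckets = {"critical": [], "non-critical": []}
    for name, path in paths.items():
        if name == "internet":
            continue
        key = "critical" if ASSETS[name]["critical"] else "non-critical"
        buckets[key].append(len(path) - 1)
    return {k: sum(v) / len(v) for k, v in buckets.items() if v}


def vulnerable_production_hosts(findings, min_severity="medium"):
    """Answers 'which production hosts have medium-or-worse findings?'"""
    threshold = SEVERITY_RANK[min_severity]
    return sorted({
        name for name, sev in findings
        if ASSETS[name]["type"] == "Host"
        and ASSETS[name]["production"]
        and SEVERITY_RANK[sev] >= threshold
    })


def remediation_queue(graph, findings):
    """Rank every asset that has a finding: critical assets first, then the
    fewest hops from the internet, then worst severity. Unreachable assets
    (hops None) sort last. Each row carries the owner who must fix it."""
    paths = shortest_paths(graph, "internet")
    worst = {}
    for name, sev in findings:
        if name not in worst or SEVERITY_RANK[sev] > SEVERITY_RANK[worst[name]]:
            worst[name] = sev
    rows = []
    for name, sev in worst.items():
        path = paths.get(name)
        rows.append({
            "asset": name,
            "owner": ASSETS[name]["owner"],
            "critical": ASSETS[name]["critical"],
            "hops": len(path) - 1 if path else None,
            "severity": sev,
            "path": path,
        })
    rows.sort(key=lambda r: (not r["critical"],
                             r["hops"] if r["hops"] is not None else 99,
                             -SEVERITY_RANK[r["severity"]]))
    return rows


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("mean hops from internet:", mean_hops_by_criticality(shortest_paths(g, "internet")))
    print("vulnerable production hosts:", vulnerable_production_hosts(FINDINGS))
    for row in remediation_queue(g, FINDINGS):
        print(f"{row['asset']:<13} owner={row['owner']:<14} hops={row['hops']} "
              f"severity={row['severity']:<7} path={row['path']}")
```

Two things in the output are worth noticing. First, because api-prod-1 is reachable in one hop, the critical assets average fewer hops from the internet than the non-critical ones, which is the pattern the analysis above describes; a list of findings sorted by CVSS alone would never show it. Second, backup-vault carries a high finding but has no path from the internet in this graph, so it sorts below db-customers despite db-customers having only a low finding: the graph context, not the severity label, decides what the api-team and data-team owners are asked to fix first.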
Overall, the goal is always to reduce your attack surface as much as possible, and to formalize criteria for when a fresh analysis is needed rather than relying on ad hoc reviews. While these criteria can differ from business to business, triggering analysis on events like new API endpoints, changes to IAM practices, or changes to critical infrastructure can help your security posture. Understanding where and when these changes are happening, however, all starts with comprehensive asset visibility and inventory.