Last Updated on 8 July 2022 by Alastair Digby
The effectiveness of any approach to attack surface management depends on your company’s ability to monitor your attack surface for weaknesses and vulnerabilities. Since threat actors don’t keep a 9-5 schedule, and new entry points to networks emerge frequently in today’s dynamic IT infrastructures, real-time visibility into your evolving attack surface is crucial. But what exactly is attack surface monitoring, what are its benefits, and what should a suitable solution be able to detect? Read on to get the answers to these important questions.
What is Attack Surface Monitoring?
Attack surface monitoring is a central tenet of attack surface management that involves getting real-time visibility into vulnerabilities, weaknesses, and misconfigurations in any of the systems and assets that make up your attack surface. Real-time visibility only comes from continuous attack surface monitoring rather than point-in-time solutions that provide ad hoc visibility.
Since most malicious cyber threats arise from outside the organisation (insider errors are a threat, but they are often not malicious in nature), attack surface monitoring usually concentrates on your external attack surface. The external attack surface is the sum total of possible entry points accessible from the Internet that malicious outsiders can target to gain unauthorised access to your IT environment.
With things changing quickly across your Internet, cloud services, and mobile ecosystem, new weaknesses in your external-facing assets can crop up without you ever knowing about them. Someone could open up a port to share a file or run a vulnerable service, and you wouldn’t know about it without continuous visibility from an attacker’s perspective.
Attack surface monitoring tools help you maintain ongoing awareness of what your attack surface looks like by providing functions such as the following:
- Situational awareness of all discovered and catalogued assets (systems, devices, apps) across your company’s IT ecosystem.
- A detection engine leveraging alert rules that trigger when risky changes in the state of assets occur, such as opening up a port or IP addresses connecting from unexpected locations.
- Continuously scanning assets for application and infrastructure level vulnerabilities.
- Instant notification of vulnerable assets, misconfigurations, and changes to your IT environment as soon as they are detected so that you can remediate weaknesses rapidly, before malicious actors exploit them.
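The detection-engine idea above (alert rules that fire on risky changes in asset state) can be illustrated with a small snapshot-diffing routine. This is an added example written for this page, not code from Informer's platform; the two inventory snapshots are constructed sample data, and the high-risk port and service lists and the 30-day certificate threshold are assumed policy values a real deployment would tune.

```python
from datetime import date

# Constructed sample snapshots of external assets as an asset-discovery scan
# might record them on two consecutive days (not real data).
PREVIOUS = {
    "203.0.113.10": {"ports": {443: "nginx 1.22.1"},
                     "cert_expiry": date(2022, 9, 1)},
}
CURRENT = {
    "203.0.113.10": {"ports": {443: "nginx 1.22.1", 3389: "ms-wbt-server"},
                     "cert_expiry": date(2022, 7, 20)},   # cert was renewed short
    "203.0.113.11": {"ports": {22: "OpenSSH 7.4"}, "cert_expiry": None},
}

# Assumed policy: services/ports that should rarely face the Internet, and the
# number of days before certificate expiry at which to warn.
HIGH_RISK_SERVICES = {"ms-wbt-server", "ftp", "telnet"}
HIGH_RISK_PORTS = {21, 23, 3389, 445}
CERT_WARN_DAYS = 30


def diff_assets(previous, current, today):
    """Compare two inventory snapshots and return a list of alert dicts."""
    alerts = []

    def alert(host, severity, msg):
        alerts.append({"host": host, "severity": severity, "msg": msg})

    for host, state in current.items():
        old = previous.get(host)
        if old is None:
            # A host we have never catalogued is itself a risky change.
            alert(host, "MEDIUM", "new Internet-facing asset discovered")
            old = {"ports": {}, "cert_expiry": None}
        for port, service in state["ports"].items():
            if port not in old["ports"]:
                risky = port in HIGH_RISK_PORTS or service in HIGH_RISK_SERVICES
                alert(host, "HIGH" if risky else "MEDIUM",
                      f"port {port} ({service}) newly open")
            elif old["ports"][port] != service:
                alert(host, "MEDIUM", f"service on port {port} changed to {service}")
        expiry = state["cert_expiry"]
        if expiry is not None and (expiry - today).days < CERT_WARN_DAYS:
            alert(host, "LOW", f"TLS certificate expires in {(expiry - today).days} days")
    # Assets that vanished deserve a look too: decommissioned, or blocked by mistake?
    for host in previous.keys() - current.keys():
        alert(host, "LOW", "asset no longer reachable")
    return alerts
```

Running `diff_assets(PREVIOUS, CURRENT, date(2022, 7, 8))` yields one HIGH alert for the newly exposed RDP port, a certificate warning for the same host, and two MEDIUM alerts for the newly discovered host and its SSH port.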
It’s important to combine attack surface monitoring with a solid level of threat intelligence that shines a light on the threat activities likely to target your attack surface.
Benefits of (Continuous) Attack Surface Monitoring
Now that you have a decent idea of what attack surface monitoring involves, what are some of its benefits?
- Attack surface monitoring provides visibility into how your attack surface appears from the perspective of cyber attackers wanting to find a way into your environment. This is useful for effective risk management because it helps to put you in the shoes of an attacker and really prioritize what to address based on what kinds of weaknesses outsiders are most likely to exploit.
- Rather than only finding amplified risks or weaknesses after running point-in-time scans, attack surface monitoring identifies these weaknesses as and when they’re introduced to your environment.
- Visibility into vulnerable applications outside of patch management cycles.
- You get information on and visibility into all IT assets, which is important given the distributed, multi-cloud infrastructures that many businesses run today.
- Assurance that you know about any changes made to systems or software that might give hackers a way inside.
- Attack surface monitoring acts like an extra pair of eyes and ears by looking at your environment from the outside in and augmenting your existing security capabilities.
- Alerts can account for business context to focus on the most critical risks to your digital assets.
Types of Risks Attack Surface Monitoring Mitigates
There are many types of cyber risks that attack surface monitoring mitigates and protects against. Here is a brief run-through of some of the more significant risks you’ll be able to manage better with an attack surface monitoring solution. This list is non-exhaustive.
Risky Open Ports
When a port is open, it’s in a state where it receives connections and accepts data packets. There are many free scanners available to find open ports and report on the services running on those ports. It’s not that open ports are inherently risky, but when the service running on a port isn’t patched or has a vulnerability, this provides a relatively easy entry route into your network for adversaries.
Vulnerable Software, Operating Systems, or Firmware
From web applications hosted in the cloud to the operating systems on Internet-connected employee laptops, unpatched vulnerabilities remain one of the most common attack vectors today. By exploiting vulnerabilities, attackers might inject malicious code, install ransomware, or even exfiltrate sensitive data. The range of possible bad outcomes from unpatched vulnerabilities makes it crucial to monitor your entire attack surface and get rapid insight when those areas of weakness emerge.
Data Leak Exposure
Data leaks can happen in a number of different ways, but the most common are misconfigurations. These leaks expose potentially sensitive data (often protected by industry regulations) to the wider public, and anyone who knows how to look will have no trouble finding exposed data. Good attack surface monitoring solutions find the types of misconfigurations that lead to data leaks, such as leaving databases unprotected in the cloud or leaving source code in unsecured public repositories.
Domain Hijacking Threats
Because many businesses depend heavily on their website for success, threat actors regularly try to hijack domains by brute-forcing admin passwords on hosting or domain registrar services. From an attack surface perspective, hijacking a domain makes it far easier to carry out social engineering attacks and gain additional access by sending emails from internal email addresses that even cyber-aware users will probably assume are legitimate.
Example Incidents That Attack Surface Monitoring Could’ve Prevented
Here are four examples of real-world cyber incidents resulting in severe financial, operational, or reputational outcomes that were preventable with effective attack surface monitoring in place.
Securitas S3 Exposure
As recently as January 2022, news emerged that the Swedish company Securitas had exposed sensitive data about employees in an unsecured AWS S3 bucket. The incident left three terabytes of employee data (over one million files) accessible to anyone on the Internet. While the initial report about the incident stemmed from security researchers finding the exposed data online, there is no way to know whether malicious parties downloaded the information and are now using it for other purposes.
With Securitas being a security company, this incident is clearly not a good look for its reputation. Four South American airports had hired Securitas for various security services, which evidently necessitated gathering information about employees. By exposing this information to the outside world and not remedying the weakness in time, Securitas will no doubt lose potential business over this mishap. Attack surface monitoring could have identified the data exposure efficiently and allowed quick mitigation before security researchers found it and reported on it.
Colonial Pipeline Shutdown
In easily one of the most infamous cyber incidents in recent years, threat actors gained access to Colonial Pipeline's network, leading to an enforced shutdown. The outcome was a $5 million ransom payment along with gas shortages felt by businesses and customers in several U.S. states.
Subsequent investigations into this incident found that the initial entry point was a VPN account that was no longer in use. Since VPN accounts represent a significant Internet-exposed digital asset, attack surface monitoring capabilities could have alerted Colonial Pipeline to the risk posed by this unused account.
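The unused-VPN-account lesson above can be turned into a simple monitoring check: flag enabled remote-access accounts that have not authenticated within a policy window. This is an added example for this page, not Informer's code; the account records are constructed sample data and the 90-day threshold is an assumed policy value.

```python
from datetime import datetime, timedelta

# Constructed sample VPN account records (not real data): last successful
# login per account (ISO 8601, or None if never) and whether it is enabled.
VPN_ACCOUNTS = [
    {"user": "jdoe",    "enabled": True,  "last_login": "2022-07-06T08:12:00"},
    {"user": "svc-old", "enabled": True,  "last_login": "2021-11-02T17:45:00"},
    {"user": "rsmith",  "enabled": True,  "last_login": None},
    {"user": "tleft",   "enabled": False, "last_login": "2021-03-15T09:00:00"},
]

DORMANT_DAYS = 90  # assumed policy threshold; tune to your own environment


def dormant_vpn_accounts(accounts, now, dormant_days=DORMANT_DAYS):
    """Return (user, reason) for enabled accounts idle longer than dormant_days."""
    cutoff = now - timedelta(days=dormant_days)
    flagged = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are no longer part of the exposed surface
        last = acct["last_login"]
        if last is None:
            flagged.append((acct["user"], "never logged in"))
            continue
        last_dt = datetime.fromisoformat(last)
        if last_dt < cutoff:
            flagged.append((acct["user"], f"idle for {(now - last_dt).days} days"))
    return flagged
```

Feed the output into the same alerting path as other risky asset changes so that a dormant account is disabled or reviewed rather than left as a silent entry point.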
Microsoft Database Exposure
In early 2020, Microsoft revealed details about customer records being exposed. These records, all 250 million of them, spanned 14 years. A security researcher found the records indexed on the search engine BinaryEdge, where they had been left exposed with no password protection. Once again, continuous attack surface monitoring would have helped to quickly flag and deal with this issue before it became public knowledge.
WannaCry Ransomware Attack
The effects of the WannaCry ransomware attack continued to reverberate for years after it occurred. Temporarily crippling many organisations worldwide, including the NHS, WannaCry was a ransomware strain that spread to over 230,000 computers. An organisation's susceptibility to WannaCry depended on whether it had applied an important security patch to devices running the Windows operating system that mitigated an exploit known as EternalBlue.
Even two years after the incident, some companies were still being targeted by WannaCry because they had failed to apply the security patch. Vulnerabilities caused by out-of-date software or operating systems are straightforward to detect and fix in time using attack surface monitoring.
What Should An Attack Surface Management Solution Monitor?
The early stages of attack surface management include discovering and taking an inventory of all your Internet-accessible digital assets. It is these early stages that set the groundwork for defining the assets to include in attack surface monitoring. Most solutions should monitor the following:
- Your web applications and services, including the APIs that different applications and services use to communicate with each other. API vulnerabilities are a real concern as more organisations depend on an ecosystem of applications and services that all “speak” to each other using API calls.
- Cloud environments across all public cloud services in use at your company. This includes cloud storage services, SaaS applications, and Infrastructure as a Service (IaaS) assets on which you might host your website or use for disaster recovery.
- The domain names and SSL certificates that your company uses to provide information or services to customers and employees.
- All devices connected to your network, including endpoint laptops and BYOD mobile devices used by employees. Monitoring capabilities should extend to IoT devices because these sensors, actuators, and other smart devices are Internet-accessible and typically lack robust security features.
- Repositories such as GitHub, which are used to store and manage source code for any custom business applications. Hackers getting inside these repositories can make malicious code changes that give them access to your environment or let them breach sensitive data.
How About Monitoring the Human Attack Surface?
The definition of an attack surface includes both physical and digital components. Attack surface monitoring relates to the digital aspect of your attack surface. But it’s important not to downplay the inextricable role that people play in growing your attack surface or opening up weak points. After all, you’ve probably heard a statistic or two revealing that human error causes most data breaches.
Such is the influence of people in cyber attacks that there is a strong push towards expanding the definition of attack surface to include the human attack surface. This human attack surface includes the sum total of security gaps and weaknesses from actions and behaviours taken by your company’s human assets. Whatever way you want to define things, the actions taken by your employees, contractors, and suppliers are all potential sources of intrusion into your network.
A natural question that arises is how exactly can you monitor the human attack surface? For example, weak passwords created from frequent password changes or the susceptibility of remote workers to social engineering are not exactly easy to get constant visibility into.
Thankfully, an effective attack surface monitoring solution provides good visibility into the most common types of mistakes people make that open up potential intrusion points into your network. These mistakes include misconfigurations, remote workers connecting to internal networks without using a VPN, and storing sensitive data in unapproved cloud services.
For the potential security gaps created by more intangible activities that are harder to monitor, such as susceptibility to clicking links in phishing emails, a proactive approach is to adopt a security-first culture. Combined with an attack surface monitoring solution, effective cybersecurity training programs can help monitor your human attack surface through quizzes and simulated exercises.
Comprehensive Attack Surface Management
Informer’s platform combines automated asset discovery with continuous monitoring of your changing environment for comprehensive external attack surface management. Instant notification about risky changes or new vulnerabilities combined with automated retesting lets you rapidly take action and validate fixes before malicious outsiders find a way in.