By Marc Laliberte, Director of Security Operations at WatchGuard
Over the last decade, many organizations have rapidly accelerated their digital transformation. The rise in cloud hosted Software-as-a-Service (SaaS) applications, continued proliferation of Internet of Things (IoT) devices, and a global pandemic forcing an overnight transition to a remote workforce have forced most IT teams to quickly adopt and deploy new technologies to keep the business moving. While these new technologies have obvious productivity benefits, they also significantly expand an organization’s potential attack surface. If security isn’t a motivating factor when acquiring or managing new technologies, it can lead to significant gaps in your organization’s defenses.
Your attack surface is the total collection of all possible attack vectors that could enable an adversary to access, cause an effect on, or extract data from a system in your organization. To understand this better, you can split your attack surface into three main components: digital attack surface, physical attack surface and human attack surface.
Digital Attack Surface
Your digital attack surface is, put simply, anything digitally accessible to an adversary. This includes known assets like your corporate website, server infrastructure, and user workstations. It also includes unknown assets like shadow IT, forgotten or employee-installed software and devices. Your digital attack surface also includes rogue assets, malicious infrastructure and systems set up by a threat actor like existing malware infections or typo-squatted domains.
Physical Attack Surface
Your physical attack surface includes all vulnerabilities an attacker could access with physical access to your office or an endpoint system. This includes everything from exposed network jacks in your lobby to unencrypted user laptops left in a car. While an attack against your physical attack surface may feel unlikely, it often enables effortless privilege escalation and lateral movement to adversaries who target it.
Human Attack Surface
Your human attack surface is the total number of individuals in your organization who are susceptible to social engineering. We’ve all experienced the common forms of social engineering like Phishing and Smishing (text message phishing), but this also includes techniques like media drops, in which adversaries ship a malware-laced USB drive to victims hoping a curious individual connects it to their laptop. Your human attack surface can also include fake employees tricking your real employees into performing a damaging action.
The most common shortfall for an IT or security team in managing their attack surface is simply not understanding the breadth of it. It’s very easy for technical debt to accumulate over the years or to spin up “quick fixes” which are then neglected or long forgotten. To address this, make a regular asset and data audit a part of your security program. At a minimum, identify business owners and run a risk assessment to understand the data or system’s value and risk of compromise. You can lean on the business owners themselves to complete questionnaires for their environment and asset discovery tools to identify things that are missed.
A recent Thales research study found only 40% of non-IT staff have adopted multi-factor authentication (MFA). While this is better than previous years, it’s still a significant gap for organizations that have not fully adopted MFA. Compromising a user’s credential is unfortunately a very low bar for threat actors and, without MFA, that is enough to get a foot in the door. Even with unprivileged accounts, you won’t meet a seasoned penetration tester that doesn’t have a near 100% success rate of elevating their access in an organization from any account at all.
Eliminating complexity is another important step towards reducing your overall attack surface. Complexity often masks configuration or management mistakes that can lead to additional gaps in your defenses. This is especially important when it comes to your protection and detection capabilities. A Gartner survey earlier this year found 75% of organizations are pursuing security vendor consolidation to help reduce complexity and speed up response times.
No attack surface management program can be successful without addressing the human element too. Make sure your social engineering training covers not just traditional email phishing but other common social engineering techniques and risky behaviors as well. As we’ve seen throughout the course of 2022, with major breaches targeting Uber, Microsoft, and others, the strongest technical controls can often be circumvented by a single employee mistake.
Addressing your attack surface isn’t a one and done type of event. It is an ongoing and evolving process that requires continuous focus and iterative improvements over time. It also isn’t an easy task, especially for large or old organizations. If you start with the basics though, you can knock out enough low hanging fruit to make your organization a less vulnerable target to cyber adversaries and continue strengthening your security program over time.
About the Author
Marc Laliberte is the Director of Security Operations at WatchGuard Technologies. Marc joined the WatchGuard team in 2012 and has spent much of the last decade helping shape WatchGuard’s internal security maturation from various roles and responsibilities. Marc’s responsibilities include leading WatchGuard’s security operations center as well as the WatchGuard Threat Lab, a research-focused thought leadership team that identifies and reports on modern information security trends. With regular speaking appearances and contributions to online IT publications, Marc is a leading thought leader providing security guidance to all levels of IT personnel. Marc can be found on LinkedIn at https://www.linkedin.com/in/marc-laliberte/.