Why focus on Attack Surface? (Experience SSHD brute-force...)

Why focus on Attack Surface? (Experience SSHD brute-force...)


Experience Attack Surface

What is an attack surface?

An attack surface describes all of the different points that an attacker could get into a device or a network and where they could extract data out. Organizations must constantly monitor their attack surface to identify and block potential threats as quickly as possible. They must try to minimize the attack surface area to reduce the risk of cyberattacks succeeding. The smaller the attack surface, the easier it is to protect.

Why is attack surface management important?

It helps users to:
  • Identify which parts of the system needs to be reviewed/tested for security vulnerabilities
  • Identify high-risk areas that requires in-depth protection
  • Identify changes and any new attack vectors (means by which an attacker can gain access to a computer/network e.g. malware, email attachments) that have been created in the process
  • Mitigate against cyberattacks
Cyber-physical attacks require the following 3 conditions to succeed:
  • System Susceptibility (Value & Vulnerabilities)
  • Threat Capability (Tools, Techniques & Resources)
  • Threat Accessibility (Logical/Physical Reachability to Attack Surface)
By denying one or more condition, it will result in the failure of the attack. Looking at the 3-Tenets Model of Cybersecurity, the first two conditions, i.e. system susceptibility and threat capability are often easily met. Under system susceptibility, every system has vulnerabilities/loop-holes that can be exploited. Even fully patched systems are still susceptible due to the features implemented. Under threat capability, there are many free resources/tools for attackers to improve threat capability. As a result, it is costly for organizations to protect itself against every possible attack tool/resource due to the large number that are available online. Hence, the best option would be to tackle the condition of threat accessibility by limiting the number of possible ways an attacker could access the system.

How to reduce & monitor attack surfaces?

There are several ways to reduce the attack surface:
  • Reducing the number of code that is running in the system/server - less code means fewer software bugs and vulnerabilities
  • Network segmentation - minimizes the size of the attack surface by adding barriers that block attackers. Eg. Zero-Trust approach/mentality.
  • SDN segmentation - uses software-based controllers or APIs to communicate with underlying hardware infrastructure and direct traffic on a network. A SDN network delivers visibility into the entire network, providing a more holistic view of security threats. The network can be divided into separate zones, thus allowing compromised devices to be immediately quarantined so that they cannot infect the rest of the network.
  • Eliminate complexity - disable unnecessary or unused software and devices to reduce the number of endpoints being used
  • Constant monitoring of the network with the use of alerting tools