? Importance of Attack Surface Expansion ?

Jump to latest Follow Reply
Cyber Russ

Cyber Russ

Well-known member
    • Nov 5, 2019
    123
    1
    261
    18,906
    Raleigh, NC
    www.facebook.com
    #1
    ? Attention cybersecurity professionals! Let's discuss the significance of attack surface expansion and how it plays a crucial role in protecting organizations. ?

    Attack surface expansion refers to the process of identifying and assessing the various entry points and vulnerabilities within an organization's network, systems, and applications. By expanding the attack surface, we gain a better understanding of potential attack vectors and can take proactive measures to secure our digital assets.

    Here are some key points to consider:

    1️⃣ Comprehensive Threat Assessment: Expanding the attack surface allows us to identify potential weak spots and vulnerabilities that might otherwise go unnoticed. By analyzing a wider range of entry points, we gain a more comprehensive understanding of the threats we face.

    2️⃣ Proactive Risk Mitigation: By expanding the attack surface, we can proactively address vulnerabilities and implement appropriate security controls. This approach helps us stay one step ahead of potential attackers and reduces the likelihood of successful breaches.

    3️⃣ Holistic Security Strategy: A well-rounded security strategy should consider all aspects of an organization's attack surface. Expanding the attack surface enables us to include network infrastructure, cloud services, endpoints, IoT devices, and more. This holistic approach ensures a stronger defense against evolving threats.

    4️⃣ Third-Party Risks: Expanding the attack surface also involves evaluating the security posture of third-party vendors and partners. With interconnected systems and supply chains, assessing the vulnerabilities of external entities becomes critical to maintaining a robust security posture.

    What are your thoughts? ??

    #CyberSecurity #AttackSurface #ThreatAssessment #RiskMitigation #SecurityStrategy #ThirdPartyRisks #DigitalSecurity #InfoSec #DataProtection
     
    • Like
    Reactions: Fanuel and Jayaraj
    #2
    Two words.

    Zero Trust.

    These days, there's just no place in our outside of the network that is safe or trustable. With more and more attacks originating from inside the so-called network perimeter, there's no way to stem the tide without adopting, pretty much, an overly developed sense of paranoia. To review - the three edicts of Zero Trust:

    1️⃣ Verify Explicitly - It means every connection now, every request has to be authenticated. No more implicitly trusting a connection based on previous activity.

    2️⃣ Least Privilege - While this is nothing new, it's now more defined. No user, no process, no app, nothing gets any more permission than is specifically needed to do the job it needs to do.

    3️⃣ Assume Breach - In our very paranoid world now, we have to assume that every single connection, from all users, processes, apps, etc, is a bad guy, malware, or some attempt to gain control of the network and assets. We contain these things, audit them with SIEM's and SOARs, and risk information overload in order to protect the network.

    Now, in reality, all security is based on risk assessment and in the world of Zero Trust, that's no different. When discussing the topic of attack surface, every single app, user, endpoint, or process is evaluated. Do we REALLY need to have that port open or do we close it. Do we limit it to specific IPs during specific times of day, and with specific credentials? If we do security the way we're supposed to, the answer is a heartfelt "YES". But we're also seeing a lot of cyber fatigue from having to do all this 'Missile Command' style blue team operations, that is destroying blue team operatives within a couple years out of the gate.

    So the part of your post that is missing is the human element, which is the one that is most subject to compromise.

    Okay, I took my turn. Who's next?

    /r
     
    • Like
    Reactions: Jill West, Christian Nash, Fanuel and 4 others
    #3
    Rick Butler said:
    Two words.

    Zero Trust.

    These days, there's just no place in our outside of the network that is safe or trustable. With more and more attacks originating from inside the so-called network perimeter, there's no way to stem the tide without adopting, pretty much, an overly developed sense of paranoia. To review - the three edicts of Zero Trust:

    1️⃣ Verify Explicitly - It means every connection now, every request has to be authenticated. No more implicitly trusting a connection based on previous activity.

    2️⃣ Least Privilege - While this is nothing new, it's now more defined. No user, no process, no app, nothing gets any more permission than is specifically needed to do the job it needs to do.

    3️⃣ Assume Breach - In our very paranoid world now, we have to assume that every single connection, from all users, processes, apps, etc, is a bad guy, malware, or some attempt to gain control of the network and assets. We contain these things, audit them with SIEM's and SOARs, and risk information overload in order to protect the network.

    Now, in reality, all security is based on risk assessment and in the world of Zero Trust, that's no different. When discussing the topic of attack surface, every single app, user, endpoint, or process is evaluated. Do we REALLY need to have that port open or do we close it. Do we limit it to specific IPs during specific times of day, and with specific credentials? If we do security the way we're supposed to, the answer is a heartfelt "YES". But we're also seeing a lot of cyber fatigue from having to do all this 'Missile Command' style blue team operations, that is destroying blue team operatives within a couple years out of the gate.

    So the part of your post that is missing is the human element, which is the one that is most subject to compromise.

    Okay, I took my turn. Who's next?

    /r
    Click to expand...
    Absolutely!
     
    #5
    I'm a bit confused with using the term "expansion" to "attack surface"

    Attack surface is the sum of all points for possible attack.
    So, the ideal scenario is to reduce it; not expand it.

    "the process of identifying and assessing the various entry points and vulnerabilities" is analysis...

    So maybe, it would be better to say "attack surface analysis expansion"?
    Or, "deeper analysis of attack surface" perhaps?

    -------------------------------
    we do not want the expansion of attack surface:

    "Attack surface expansion refers to the increase in the potential vulnerabilities and entry points that a system or organization may have due to introducing new technologies, software, applications, or services."
    Reference: https://www.threatngsecurity.com/glossary/attack-surface-expansion
    -------------------------------
     
    • Like
    Reactions: Jill West, Fanuel and Hemlock
    #6
    Having said, here is a reference to Microsoft's take on "attack surface reduction"

    learn.microsoft.com

    Understand and use attack surface reduction - Microsoft Defender for Endpoint

    Learn about the attack surface reduction capabilities of Microsoft Defender for Endpoint.
    learn.microsoft.com

    But I also agree with Rick.
    Zero trust.

    Trust nothing.
    All are vulnerable.
    Attacks can be from anywhere, anytime.

    #cyberparanoia o_O
     
    • Like
    Reactions: Fanuel
    #7
    I thought the all new encompassing term was ASM - Attack Surface Management:
    www.mandiant.com

    Attack Surface Management | External Attack Surface Analysis

    Mandiant Advantage Attack Surface Management automates external asset discovery and analysis to uncover vulnerabilities, misconfigurations and exposures.
    www.mandiant.com www.mandiant.com

    What is Attack Surface Management? | CrowdStrike

    Attack surface management is the continuous discovery, monitoring, evaluation, prioritization and remediation of attack vectors within an organization's IT infrastructure.
    www.crowdstrike.com www.crowdstrike.com
    www.tenable.com

    What is Attack Surface Management?

    Attack surface management (ASM) is a process that enables your organization to get comprehensive visibility automatically and continuously into your assets so you're always aware of what you have.
    www.tenable.com www.tenable.com
    www.randori.com

    QRadar SaaS | IBM

    Palo Alto Networks recently completed the acquisition of IBM's QRadar Software as a Service (SaaS) assets. IBM continue to sale QRadar on-premises.
    www.randori.com www.randori.com
     
    • Like
    Reactions: Jill West and Michael Schmitz
    #11
    Gregory Childers said:
    Zero Trust. Great concept. I seriously doubt that anyone has fully implemented it yet. Or if they will. Cost-benefit analysis might prove it to be too expensive.
    Click to expand...
    I think you're right about that. With the insanely high cost for SIEMs and SOARs for small to medium business, as well as the lack of available blue-team personnel to manage these services, it's very tough to actually implement this. I think the easiest tenet of Zero Trust, that of least privilege, is the easiest one of the three to do. Least privilege also reduces attack surface because it requires only what is needed and no more. No unused services, no rampant use of administration principals and credentials, service accounts for only the service in question and nothing more, that sort of thing.

    It's a far cry from Windows 2000, where pretty much everything was turned on and ready to use (hack).

    /r
     
    You must log in or register to reply here.
    Top Bottom
    Back
    Jump to latest Follow Reply
    Jump to latest Follow Reply
    Home
    Media
    Resources
    Menu