🔒 Importance of Attack Surface Expansion 🔒

Cyber Russ · May 15, 2023

Attention cybersecurity professionals! Let's discuss the significance of attack surface expansion and how it plays a crucial role in protecting organizations.

Attack surface expansion refers to the process of identifying and assessing the various entry points and vulnerabilities within an organization's network, systems, and applications. By expanding the attack surface, we gain a better understanding of potential attack vectors and can take proactive measures to secure our digital assets.

Here are some key points to consider:

Comprehensive Threat Assessment: Expanding the attack surface allows us to identify potential weak spots and vulnerabilities that might otherwise go unnoticed. By analyzing a wider range of entry points, we gain a more comprehensive understanding of the threats we face.

Proactive Risk Mitigation: By expanding the attack surface, we can proactively address vulnerabilities and implement appropriate security controls. This approach helps us stay one step ahead of potential attackers and reduces the likelihood of successful breaches.

Holistic Security Strategy: A well-rounded security strategy should consider all aspects of an organization's attack surface. Expanding the attack surface enables us to include network infrastructure, cloud services, endpoints, IoT devices, and more. This holistic approach ensures a stronger defense against evolving threats.

Third-Party Risks: Expanding the attack surface also involves evaluating the security posture of third-party vendors and partners. With interconnected systems and supply chains, assessing the vulnerabilities of external entities becomes critical to maintaining a robust security posture.

What are your thoughts?

#CyberSecurity #AttackSurface #ThreatAssessment #RiskMitigation #SecurityStrategy #ThirdPartyRisks #DigitalSecurity #InfoSec #DataProtection

Rick Butler · May 15, 2023

Two words.

Zero Trust.

These days, there's just no place in our outside of the network that is safe or trustable. With more and more attacks originating from inside the so-called network perimeter, there's no way to stem the tide without adopting, pretty much, an overly developed sense of paranoia. To review - the three edicts of Zero Trust:

Verify Explicitly - It means every connection now, every request has to be authenticated. No more implicitly trusting a connection based on previous activity.

Least Privilege - While this is nothing new, it's now more defined. No user, no process, no app, nothing gets any more permission than is specifically needed to do the job it needs to do.

Assume Breach - In our very paranoid world now, we have to assume that every single connection, from all users, processes, apps, etc, is a bad guy, malware, or some attempt to gain control of the network and assets. We contain these things, audit them with SIEM's and SOARs, and risk information overload in order to protect the network.

Now, in reality, all security is based on risk assessment and in the world of Zero Trust, that's no different. When discussing the topic of attack surface, every single app, user, endpoint, or process is evaluated. Do we REALLY need to have that port open or do we close it. Do we limit it to specific IPs during specific times of day, and with specific credentials? If we do security the way we're supposed to, the answer is a heartfelt "YES". But we're also seeing a lot of cyber fatigue from having to do all this 'Missile Command' style blue team operations, that is destroying blue team operatives within a couple years out of the gate.

So the part of your post that is missing is the human element, which is the one that is most subject to compromise.

Okay, I took my turn. Who's next?

/r

Cyber Russ · May 15, 2023

Rick Butler said:
Two words.

Zero Trust.

These days, there's just no place in our outside of the network that is safe or trustable. With more and more attacks originating from inside the so-called network perimeter, there's no way to stem the tide without adopting, pretty much, an overly developed sense of paranoia. To review - the three edicts of Zero Trust:

Verify Explicitly - It means every connection now, every request has to be authenticated. No more implicitly trusting a connection based on previous activity.

Least Privilege - While this is nothing new, it's now more defined. No user, no process, no app, nothing gets any more permission than is specifically needed to do the job it needs to do.

Assume Breach - In our very paranoid world now, we have to assume that every single connection, from all users, processes, apps, etc, is a bad guy, malware, or some attempt to gain control of the network and assets. We contain these things, audit them with SIEM's and SOARs, and risk information overload in order to protect the network.

Now, in reality, all security is based on risk assessment and in the world of Zero Trust, that's no different. When discussing the topic of attack surface, every single app, user, endpoint, or process is evaluated. Do we REALLY need to have that port open or do we close it. Do we limit it to specific IPs during specific times of day, and with specific credentials? If we do security the way we're supposed to, the answer is a heartfelt "YES". But we're also seeing a lot of cyber fatigue from having to do all this 'Missile Command' style blue team operations, that is destroying blue team operatives within a couple years out of the gate.

So the part of your post that is missing is the human element, which is the one that is most subject to compromise.

Okay, I took my turn. Who's next?

/r

Absolutely!

Brian Ford · May 15, 2023

It's important to note that both Attack Surface and Zero Trust are SY0-601 topics and from my experience important additions to a successful candidates vocabulary.

Jarrel · May 16, 2023

I'm a bit confused with using the term "expansion" to "attack surface"

Attack surface is the sum of all points for possible attack.
So, the ideal scenario is to reduce it; not expand it.

"the process of identifying and assessing the various entry points and vulnerabilities" is analysis...

So maybe, it would be better to say "attack surface analysis expansion"?
Or, "deeper analysis of attack surface" perhaps?

-------------------------------
we do not want the expansion of attack surface:

"Attack surface expansion refers to the increase in the potential vulnerabilities and entry points that a system or organization may have due to introducing new technologies, software, applications, or services."
Reference: https://www.threatngsecurity.com/glossary/attack-surface-expansion
-------------------------------

Jarrel · May 16, 2023

Having said, here is a reference to Microsoft's take on "attack surface reduction"

Understand and use attack surface reduction

Learn about the attack surface reduction capabilities of Microsoft Defender for Endpoint.

learn.microsoft.com

But I also agree with Rick.
Zero trust.

Trust nothing.
All are vulnerable.
Attacks can be from anywhere, anytime.

#cyberparanoia

Joao Farinha · May 16, 2023

I thought the all new encompassing term was ASM - Attack Surface Management:

Attack Surface Management | External Attack Surface Analysis

Mandiant Advantage Attack Surface Management automates external asset discovery and analysis to uncover vulnerabilities, misconfigurations and exposures.

www.mandiant.com

What is Attack Surface Management? - CrowdStrike

Attack surface management is the continuous discovery, monitoring, evaluation, prioritization and remediation of attack vectors within an organization's IT infrastructure.

www.crowdstrike.com

What is Attack Surface Management?

Attack surface management (ASM) is a process that enables your organization to get comprehensive visibility automatically and continuously into your assets so you're always aware of what you have.

www.tenable.com

IBM Randori Recon

Learn about attack surface management SaaS that continuously monitors to look for unexpected changes, blind spots, misconfigurations and process failures.

www.randori.com

Michael Schmitz · May 18, 2023

Here you can find also more information about Zero Trust:
Cloud Security Alliance - Zero Trust

Zero Trust

Advancement Center

Leading the development of tools and resources to guide zero trust implementation.

Michael Schmitz · May 18, 2023

Joao Farinha said:
I thought the all new encompassing term was ASM - Attack Surface Management:
-....

Names are changing so fast..

Gregory Childers · May 19, 2023

Zero Trust. Great concept. I seriously doubt that anyone has fully implemented it yet. Or if they will. Cost-benefit analysis might prove it to be too expensive.

Rick Butler · May 19, 2023

Gregory Childers said:
Zero Trust. Great concept. I seriously doubt that anyone has fully implemented it yet. Or if they will. Cost-benefit analysis might prove it to be too expensive.

I think you're right about that. With the insanely high cost for SIEMs and SOARs for small to medium business, as well as the lack of available blue-team personnel to manage these services, it's very tough to actually implement this. I think the easiest tenet of Zero Trust, that of least privilege, is the easiest one of the three to do. Least privilege also reduces attack surface because it requires only what is needed and no more. No unused services, no rampant use of administration principals and credentials, service accounts for only the service in question and nothing more, that sort of thing.

It's a far cry from Windows 2000, where pretty much everything was turned on and ready to use (hack).

/r

🔒 Importance of Attack Surface Expansion 🔒

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Zero Trust​

Advancement Center​

Leading the development of tools and resources to guide zero trust implementation.​

Well-known member

Well-known member

Well-known member

Zero Trust

Advancement Center

Leading the development of tools and resources to guide zero trust implementation.