The attack surface of a software environment is the sum of the different points (for "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure.
An attack surface (a.k.a. digital attack surface or external attack surface) is a set of points, system elements or endpoints whereby an attack could potentially breach, effect or control systems, and extract or manipulate information for nefarious purposes.
Attack surfaces are often referred to as a “digital footprint”, consisting of thousands of assets, components, and externally controlled information systems (e.g. internet infrastructure) and millions of signals across public and private cloud environments, the organization’s brand, social media, and mobile ecosystem.
In response to the COVID-19 pandemic, many organizations grew their attack surfaces significantly to account for work-from-home requirements, digital supply chain demands, and the necessity to serve customers without direct physical interaction.
Often, these developments have led to decentralized work environments, growth across cloud workloads and applications, including software-as-a-service (SaaS) and the increased technology development processes (DevOps) serving a crucial role in an organization’s ability to adapt. With each organization's security perimeter bleeding more and more into the internet, defending the extended enterprise is a global-scale challenge.
Elements of an attack surface
Worldwide digital change has accelerated the size, scope, and composition of an organization’s attack surface. The size of an attack surface may fluctuate over time, adding and subtracting assets and digital systems (e.g. websites, hosts, cloud and mobile apps, etc). Attack surface sizes can change rapidly as well. Digital assets eschew the physical requirements of traditional network devices, servers, data centers, and on-premise networks. This leads to attack surfaces changing rapidly, based on the organization’s needs and the availability of digital services to accomplish it.
Attack surface scope also varies from organization to organization. With the rise of digital supply chains, interdependencies, and globalization, an organization’s attack surface has a broader scope of concern (viz. vectors for cyber attacks). Lastly, the composition of an organization’s attack surface consists of small entities linked together in digital relationships and connections to the rest of the internet and organizational infrastructure, including the scope of third-parties, digital supply chain, and even adversary-threat infrastructure.
An attack surface composition can range widely between various organizations, yet often identify many of the same elements, including:
- Autonomous System Numbers (ASNs)
- IP Address and IP Blocks
- Domains and Sub-Domains (direct and third-parties)
- SSL Certificates and Attribution
- WHOIS Records, Contacts, and History
- Host and Host Pair Services and Relationship
- Internet Ports and Services
- Web Frameworks (PHP, Apache, Java, etc.)
- Web Server Services (email, database, applications)
- Public and Private Cloud
Examples of attack vectors
This section needs expansion. You can help by adding to it. (December 2019)
There are over 100 attack vectors and breach methods that hackers can use. However, some are more common than others. Here are some of the most common attack vectors:
- Compromised credentials
- Weak and stolen passwords
- Malicious insiders
- Missing or poor encryption
- Trust relationships
- Zero-day vulnerabilities
- Brute force attack
- Distributed Denial of Service (DDoS)
Understanding an attack surface
Due to the increase in the countless potential vulnerable points each enterprise has, there has been increasing advantage for hackers and attackers as they only need to find one vulnerable point to succeed in their attack.
There are three steps towards understanding and visualizing an attack surface:
Step 1: Visualize. Visualising the system of an enterprise is the first step, by mapping out all the devices, paths and networks.
Step 2: Find indicators of exposures. The second step is to correspond each indicator of a vulnerability being potentially exposed to the visualized map in the last step. IOEs include "missing security controls in systems and software".
Step 3: Find indicators of compromise. This is an indicator that an attack has already succeeded.
One approach to improving information security is to reduce the attack surface of a system or software. The basic strategies of attack surface reduction include the following: reduce the amount of code running, reduce entry points available to untrusted users, and eliminate services requested by relatively few users. By having less code available to unauthorized actors, there will tend to be fewer failures. By turning off unnecessary functionality, there are fewer security risks. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage an attacker could inflict once a vulnerability is found.
- Vulnerability (computing)
- Computer security
- Attack Surface Analyzer
- Vector (malware)
- Vulnerability Management
- Vulnerability Scanner
- "Attack Surface Analysis Cheat Sheet". Open Web Application Security Project. Retrieved 30 October 2013.
- Manadhata, Pratyusa (2008). An Attack Surface Metric (PDF).
- Manadhata, Pratyusa; Wing, Jeannette M. "Measuring a System's Attack Surface" (PDF). Cite journal requires
- "What is Attack Surface Management?". RiskIQ. 2020-10-16. Retrieved 2021-06-02.
- "6 Brand Threats That Affect Your Organization". RiskIQ. 2020-10-05. Retrieved 2021-06-02.
- "Vulnerable Remote Access & Perimeter Devices: The Hidden Attack Surface That's Growing Out of Control". RiskIQ. 2020-08-04. Retrieved 2021-06-02.
- "Attack Surface Management Requires Deep Intelligence Both Inside and Outside the Firewall". RiskIQ. 2020-04-21. Retrieved 2021-06-02.
- "8 Common Cyber Attack Vectors and Breach Methods". Balbix. 2019-11-27. Retrieved 2020-07-12.
- Friedman, Jon (March 2016). "Attack your Attack Surface" (PDF). skyboxsecurity.com. Retrieved March 6, 2017.
- Michael, Howard. "Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users". Microsoft. Retrieved 30 October 2013.