What is an Attack Surface? 

An attack surface is, essentially, the overall vulnerability that is created by a business’ digital network over which it conducts certain operations. The network in this case is the “surface.” Threat actors attempt to penetrate this surface at any point they believe access can be gained.

According to the National Initiative of Cybersecurity Careers and Studies of the United States Government, the attack surface of an application represents the number of entry points exposed to a potential attacker of the software. The larger the attack surface, the larger the set of methods that can be used by an adversary to attack. The smaller the attack surface, the smaller the chance of an attacker finding a vulnerability and the lower the risk of a high impact exploit in the system.

Types of Attack Surfaces

In starting to think about what an attack surface actually looks like, it helps to contextualize it in terms of individual organizations. Every organization has different goals, therefore each one's attack surface management methodologies will look different.

Digital Attack Surface

A digital attack surface comprises all of the web applications deployed on any device, APIs, cybersecurity programs, and anything else that can be categorized as “digital” – or non-physical – on a network. If a business contracts with supply chain partners, then their attack surface naturally extends beyond the perimeter of their specific organization.

Physical Attack Surface

A physical attack surface encompasses any non-digital hardware that is critical to maintaining a network. This can be an exhaustive list including servers, ports, wiring or network cables, physical endpoints like phones/laptops/smartwatches/smart headphones, and data centers.

Attacks on this type of surface require different behaviors on the part of would-be attackers as they would have to physically acquire or access these tangible assets in order to manipulate them.

Social Engineering Attack Surface

As referenced above, humans primarily make up the attack surface tied to social engineering. This includes phishing attacks, honeypots, link spoofing, and piggybacking. This type of attack is designed to convince a human user on a network that what they are seeing is entirely valid.

It could be a fake email designed to get a user to click a link that installs malware on that endpoint; it could be someone piggybacking into an office, attempting to convince an actual employee they forgot their badge; or social engineering could come in the form of a text message sent to a user that appears to be from their manager or someone else in the company.

Attack Surface vs. Attack Vector

An attack vector simply refers to a single pathway through which a threat actor attempts to access a network. An attack surface consists of all of the vectors along an entire network that threat actors can potentially exploit.

An attack vector is essentially the break-in point where the attacker enters a system. From there, the attacker would take a thought out attack path to their desired information or resource. Malware, for example, has three main vector types – trojan horse, virus, and worms – that leverage typical communications like email.

Individual attack vectors create small openings, but the combination of all of those entry points creates a larger vulnerability that can turn common networks into dynamic attack surfaces. If your network has become a dynamic attack surface, then it’s probably a good idea to start thinking about the security program as a whole, including extended detection and response (XDR), cloud security, and vulnerability risk management (VRM).

The humans that operate computers, systems, security, and networks can also be thought of as attack vectors when social engineering attacks like phishing scams come into play.

How to Identify Your Attack Surface

Identifying the pathways along your attack surface where a threat actor could strike is an exercise in creating the most critical part of a cybersecurity program – one that is dynamic, multifaceted, and continuous.

According to the Open Worldwide Application Security Project (OWASP), attack surface analysis can help to identify: 

  1. What functions and parts of the system you need to review/test for security vulnerabilities
  2. High-risk areas of code that require defense-in-depth protection as well as what parts of the system that you need to defend
  3. When you have changed the attack surface and need to do some kind of threat assessment

That last point aligns with the need to analyze and identify the attack surface continuously. It also requires security practitioners to know when company and security objectives have changed so they can then adjust risk profiles. What might have been considered a priority for remediation in order to shore up defenses along the attack path yesterday might fall lower on the list today. 

If an attack surface encompasses the collection of points along a network that an attacker could exploit, think about how often that collection can change according to adjusted risk profiles.

Attack Surface Reduction Best Practices

Let's dive into a few best practices that can help security organizations to minimize the many vulnerabilities/vectors/break-in points threat actors are looking to exploit. 

  • Leverage automation: Security organizations can use automation to institute removal of outdated data (old passwords, former employee data, old backups, etc.) or identity and access management (IAM) policies that rather simply can keep out a significant percentage of would-be threat actors attempting to gain access. Automated vulnerability scanning can also help to reduce weak points, and thus the attack surface.
  • Educate employees: Employees are often the weakest link in the security chain. There’s no replacement for training a team on how attackers use digital footprints to steal credentials in attempts to breach an attack surface. For example, it’s important not to use any personally identifiable information (PII) or publicly accessible information. It also helps to identify key employees who have access to the most sensitive systems and invest the time to educate them in further protecting those critical systems.
  • Understand the digital attack surface: To know where weak points lie, security organizations should understand their complete digital footprint and look at it as an attacker would. It is, of course, critical to take an exhaustive look internally at digital assets and how they tie together and affect each other on the backend. But, with basic internet search techniques, organizations can also start to map and quickly understand their internet presence like a non-employee or attacker would.
  • Insititute continuous threat exposure management (CTEM): CTEM is a framework that focuses primarily on surfacing and helping security teams remediate the ongoing and/or immediate threats that matter most to their specific businesses. This framework can include attack simulation so that the security organization can prioritize threats according to their severity.

Leveraging tools like cloud risk management (CRM), extended detection and response (XDR), and now AI-driven cloud anomaly detection can accelerate a security team's attack surface reduction mission and help them eliminate threats with speed and precision.

Read More About Attack Surface Security 

Blog: Cyber Asset Attack Surface Management 101

Attack Surface Management: Latest Rapid7 Blog Posts