Reducing the Attack Surface
In the simplest terms, the “attack surface” is the sum total of resources within your infrastructure that are exposed to exploitation. This is the battlefield where enterprise security teams and cybercriminals wage war. The attack surface has been branching out in multiple directions with the rise of new computing functions such as virtualization, software-defined networking, IoT, containers, cloud (private and public), and federated networks. Each of these niches offers cybercriminals a new place to gain a toehold.
In a legal sense, criminal investigators look for three characteristics when assessing a suspect’s guilt: 1) means, 2) motive, 3) opportunity. Looking at cyberwar through this frame gives us a useful lens for examining our cyber defenses.
First, means. Cybercriminals have the means to exploit our networks. Recent events have demonstrated that not only are these adversaries equipped with supreme knowledge and skills, but they are well-resourced to carry out damaging campaigns. Taken together, these skills and resources are irrefutable evidence that cybercriminals have the means to do a lot of harm.
Second, motive. The infamous US bank robber Willie Sutton was once asked, “Why do you rob banks?” His answer: “Because that’s where the money is.” Cybercriminals are incentivized to break in and steal high-value data or extract ransoms from an increasing number of victims. Data can be snatched right out from under our feet and given a glowing FOR SALE sign on the Dark Web. Then, consider the rise of cryptocurrencies, which gives the cybercriminal underworld a currency of exchange. The financial rewards have never been more appealing for cybercriminals. Now, we can check the box for motive.
Opportunity completes our culpability triangle. This is where the attack surface comes into clear focus. Each component of the network represents a window of opportunity for cyberattack. Not only do the network permutations above push our imaginations toward worst-case scenarios, but we can be left dumbfounded by entirely new classes of devices we’ve never had to secure.
IoT, as an example, has helped to grow the attack surface, creating a bush of twiggy offshoots in irregular directions. A thermostat becomes a vulnerability to monitor…a thermostat! As the attack surface expands to lands we have not mapped, we can readily see how cybercriminals have the opportunity factor covered.
As with any scientific approach, we must look for the exogenous causes of cybercriminality, those coming from outside the system, and take preventive measures that can protect the enterprise. The first two variables, means and motive, are endogenous, coming from inside the cybercriminal; they spring from within the mind of the attacker. Outside of changing human nature, which requires something close to omnipotence, there is little security teams can do to suppress the means and motives that are endogenous to the criminal mind.
However, we can explore ways to compress the opportunity category, the only exogenous force in our triad of cybercrime. The attack surface is the one domain in which enterprise security teams can flex their muscle to reduce opportunity to nil.
There are four ways to help shrink the opportunity for attack:
- Visualize vulnerabilities (map the attack surface)
- Control endpoints (disarm cybercriminals)
- Segment the network (put barricades in the cybercriminal's path)
- Become addicted to analytics (introspect, introspect, introspect)
Each plays an integral part in our mission to change the combat zone. Many organizations are already implementing these methods. You can do the same.
We can take this journey to shrink the battlefield and use our capabilities to close off opportunities for cybercrime. In the end, what matters most is to have an honest understanding of the current state and take action to improve your security posture. Through careful and deliberate application of vulnerability management, endpoint control, segmentation, and a steady diet of analytics, security teams can have the confidence that they’re fighting the battle on their terms.
I have a voice that is, at times, irreverent. But it does not escape me that we have an existential war happening within enterprises the world over. I know that behind the anecdotes and graphs, there is a security team that has just learned a breach will cost each of them their jobs. There is a mother who has just received word that her identity was stolen. There is a family whose bank assets were drained because of unnamed cowards who systematically robbed them for months or years.
In the physical world, we can protect ourselves from intruders, thieves, and crooks. We can install extra locks and alarm systems, and dispatch the police when trouble comes. But here, on the digital front, our tactics must move at the speed of information. We must keep pace with the breakneck swiftness of cybercriminals who can leap continents in seconds.
We cannot change the incentives and resources that give rise to these attacks. What we can do is minimize their opportunity. We can force them through hot gates, demand they enter our domain under the most inhospitable circumstances, and we can disarm cybercriminals upon entry.
Reducing the attack surface is one of the most essential activities for security teams. It’s the only way to fight back and to protect our customers, our partners, and our fellow human beings from the most vexing of criminal behaviors.
Let’s squeeze the landscape, visualize the battlefield, and fight the war on our terms.
#firemon #infosec #cybersecurity