Where does the Attack Surface end? 

It’s time to broaden our conception of the external attack surface to include all common attack vectors. 

Traditionally, the external attack surface is thought of as all of an organization’s external IT assets: domains, addresses, web servers, SSL certificates, externally-visible software, and so on. However, the attack surface extends far beyond an organization’s external IT infrastructure to include other digital assets: brand trademarks, sensitive data like credentials, and trusted third-party organizations.  

This blog post will explain why it’s necessary for security leaders to adopt a broader conception of the external attack surface, provide strategies for uncovering the full extent of the attack surface, and discuss a few recent updates to Cyberint’s Attack Surface Monitoring module. 

The Attack Surface: It Just Keeps Getting Bigger 

Over the past few years, one of the most common refrains in cybersecurity has been that the corporate digital footprint is larger than ever before and only continues to grow. The number of domains, IP addresses, websites, customer-facing applications, and Internet-facing services continues to climb for businesses across all industries and regions. 

This is true and it presents real challenges for security teams, as the potential for blind spots and unknown vulnerabilities increases with the digital footprint.  

However, this characterization of the growing attack surface misses an important contributing factor: the threat landscape is also expanding. Even if the number of external IT assets that an organization manages remains constant, their attack surface is still growing, as threat actors adopt new techniques. For example, adversaries may develop a new exploit to an old CVE that has been known for several years. 

On top of that, many common attack vectors begin far beyond an organization’s external IT infrastructure. Brand impersonation, which encompasses everything from impersonation on social media and phishing sites to rogue applications and counterfeit goods, can lead to serious financial damages. Leaked credentials, which bad actors steal through a number of distinct techniques, may give attackers an easy way into the corporate network. And supply chain attacks can result in the breach of many organizations through the compromise of a single trusted third-party. 

Let’s take a closer look at some of these evolving attack vectors.  

Brand Impersonation 

Threat actors impersonate trusted brands in a number of ways: social media profiles, lookalike domains and phishing websites, and even imposter applications. By impersonating a trusted brand, bad actors can more easily fool their victims into clicking a link, giving up their credentials, or downloading malicious files and applications.  

Recent research from IBM found that 41% of corporate security incidents involve phishing. The Anti-Phishing Working Group observed over 600 different brands impersonated in phishing attacks in Q3 2022 alone. 

Because brand abuse has become such a major threat in recent years, security leaders must consider their brand trademarks and logos part of the attack surface. 

Leaked Credentials 

Threat actors have a number of techniques for getting their hands on credentials. They create convincing phishing websites, which coax unsuspecting users into handing over their personal data and passwords. They also deploy malware, like InfoStealers, that exfiltrate username and password combos from infected machines. 

When threat actors steal credentials, they can simply take over the accounts of both customers and employees, leading to even more risks and threats. But because the attack surface is normally thought of in terms of external IT infrastructure, exposed credentials are not covered in this model. Yet another reason to broaden our understanding of the term “attack surface.” 

Trusted Third-Party Organizations 

Bad actors love supply chain attacks because they make it possible to claim multiple victims with the effort of just one attack. Instead of putting in the effort to compromise each victim individually, threat actors can simply breach one large organization and leverage that internal access to easily compromise many additional third-party companies. According to the Verizon DBIR 2022, the digital “supply chain was responsible for 62% of System Intrusion incidents.” 

It’s well understood that supply chain attacks and third-party risk are serious challenges in the cyber domain. And yet, these risks are not typically considered part of the attack surface. To get the full picture of external risks and threats, it’s essential to start looking beyond one’s own external infrastructure when conceptualizing the external attack surface. 

Strategies For Uncovering & Managing Your Extended Attack Surface 

When you begin thinking about your external attack surface as the sum total of possible attack vectors—rather than just all your external IT assets—you get a clearer picture of your biggest cyber risks. Brand impersonation, phishing attacks, malware infections, data leakages, compromised credentials, and third-party risks are all prominent attack vectors that must be properly detected and mitigated.  

Mitigation Strategies  

While traditional attack surface management practices—conducting external IT asset discovery, maintaining a complete asset inventory, remediating issues in external assets—is essential, there are other steps that should be taken to mitigate external threats. 

• Monitor the web for unauthorized use of your brand names and logos. 
• Monitor the deep and dark web for leaked data and exposed credentials. 
• Investigate malware logs for indications of infections on corporate devices. 
• Monitor vendors, partners, and other digital suppliers for major security risks. 

Cyberint’s Argos platform natively combines threat intelligence with attack surface management capabilities and digital risk protection services, so you get visibility and targeted alerts on all the external threats relevant to your infrastructure, brands, and data. 

To better understand the Argos platform, request a free attack surface analysis here. 

Updates To Cyberint’s Attack Surface Monitoring Module 

The Cyberint team recently released an upgrade to the Attack Surface Monitoring module: automatic bulk scoping. This new feature automates the process of validating discovered assets to save time and automatically bring newly-detected assets into scope for monitoring and alerting. As a result, Cyberint will monitor, identify risks, and issue alerts are new assets that are automatically scoped in, all without the customer’s involvement. 

One of the main value drivers of external attack surface management products has always been to automate the process of external IT asset discovery and inventory. This frees up resources to focus on other high-priority projects.  

This new capability assigns a confidence level to every discovered asset—for example, an 80% confidence score that the asset belongs to the user organization. Customers can customize the level at which they want assets to be automatically scoped in. Some customers may choose 90%, meaning that only assets with a 90% confidence score or higher will be added into scope, while the rest will require manual review. Other customers may want to manually review a greater share of assets before they are monitored and assessed, setting the bar at just 70% confidence. 

In all cases, customers can choose the confidence level they are most comfortable with, helping them to save time and maintain full visibility on their assets and risks with minimal commitment of time and resources.