Attack surface and attack paths research - what's next?

Understanding the attack surface of your organization is a prerequisite for a strong cyber defense. Many cybersecurity reports (from Gartner, Trend Micro, and JupiterOne, to name a few) indicate that attack surfaces are expanding as organizations move to the cloud and expand their digital footprints. 

The term “attack surface” refers to “the total number of exposed weaknesses or attack vectors where attackers can access a system.” Attack paths are visual representations of how attack vectors are connected, which help defenders understand where they may be vulnerable once an attacker has already gained access (and where they can cut an attacker off). 

Research on the attack surface and attack paths

Throughout 2022, the JupiterOne research team has been exploring questions around the attack surface and attack paths, such as, “How much of the attack surface is exposed to the public-facing internet?” and “Do attack paths vary between critical vs. non-critical assets?”

In pursuit of understanding an average organization’s attack surface, the team has already analyzed data from 2,285 organizations, spanning millions of nodes and triplets (groups of two nodes + one edge).

The team recently released a preliminary research paper to share their initial findings titled, “A Tacky Graph and Listless Defenders: Looking Beneath the Attack Surface”. This paper reveals early findings and observations from the research team here at JupiterOne - but also acknowledges how much we still need to understand.

So what’s next?

What we’ve learned so far

Attack paths to critical vs. non-critical assets are not the same

We talk a lot about critical versus non-critical assets (or ‘pets’ versus ‘cattle’) and the importance of securing your “crown jewels.” We intuitively understand that not all assets are the same in value or risk, but too often operate as if the attack paths to those assets will be similar. 

Our early research revealed that many of our assumptions about attack paths were incorrect: as it turns out, attack paths to critical assets are often less varied than, and no more connected than, the paths to any other assets. 

You need a graph-based model to see and understand attack paths

We could not have analyzed the relative connectivity of assets without a graph-based model. 

These attack paths are only discoverable by applying a graph-based model that not only captures what organizations have (e.g., do they have a database, and is it encrypted?) but also captures the relationships between those assets. 

While our paper discusses the important use cases of both list and graph-based analysis, it also underscores the value of the graph.

Early findings regarding the attack surface

  • The percentage of the attack surface with a first-degree relationship to the public internet
  • How the attack path to critical assets differs from the path to non-critical assets
  • The difference in attack path variety between critical and non-critical assets
  • What asset connectedness implies in terms of control coverage
  • Whether local and global risk exposure correlate with asset connectivity
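To make the graph-based model and the metrics above concrete, here is an added example (not JupiterOne's code or data) in Python: a small asset graph built from constructed relationships, with functions for first-degree exposure to the public internet, shortest attack path length, and attack path variety, reported per asset and tagged as critical or non-critical. All asset names, edges and the `CRITICAL` set are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory (not JupiterOne data): undirected relationships
# (triplets: two nodes + one edge); "internet" is the public entry point.
EDGES = [
    ("internet", "lb-prod"), ("internet", "vpn-gw"), ("internet", "dev-laptop"),
    ("lb-prod", "web-01"), ("lb-prod", "web-02"), ("web-01", "api-01"),
    ("web-02", "api-01"), ("api-01", "db-customers"), ("api-01", "cache-01"),
    ("vpn-gw", "bastion"), ("bastion", "db-customers"),
    ("dev-laptop", "ci-runner"), ("ci-runner", "artifact-store"),
]
CRITICAL = {"db-customers", "artifact-store"}  # the "crown jewels"

def build_graph(edges):
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def first_degree_exposed(graph, entry="internet"):
    # Assets with a direct (first-degree) relationship to the entry point.
    return sorted(graph.get(entry, set()))

def shortest_path_len(graph, src, dst):
    # BFS hop count from src to dst; None if dst is unreachable.
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in graph[node] - seen:
            seen.add(nxt)
            queue.append((nxt, dist + 1))
    return None

def count_simple_paths(graph, src, dst, max_hops=6):
    # Path variety: distinct simple paths from src to dst within max_hops.
    def walk(node, visited, hops):
        if node == dst:
            return 1
        if hops == max_hops:
            return 0
        return sum(walk(n, visited | {n}, hops + 1) for n in graph[node] - visited)
    return walk(src, {src}, 0)

def exposure_report(graph, critical, entry="internet"):
    # Connectivity, distance and path variety per asset, tagged by criticality.
    return {a: {"critical": a in critical, "degree": len(graph[a]),
                "hops": shortest_path_len(graph, entry, a),
                "paths": count_simple_paths(graph, entry, a)}
            for a in sorted(graph) if a != entry}
```

Running `exposure_report(build_graph(EDGES), CRITICAL)` on this inventory shows why a list of assets is not enough: the critical database is three hops from the internet with three distinct paths, the same variety as the non-critical cache next to it, which only the relationships reveal.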

What we’re researching next

Much like our research into cyber assets, our research into the attack surface is ongoing. While we’ve already covered attack surface connectivity and attack path lengths in “A Tacky Graph and Listless Defenders: Looking Beneath the Attack Surface,” we have more to explore through this next phase of research:

Opportunities to reduce the attack surface

Findings around the attack surface are only useful so far as they enable security teams to reduce their organization’s attack surface. In our next phase of research, we’re working to provide a comprehensive view of what a “typical” attack surface looks like. This should be a useful way to benchmark your own attack surface and identify opportunities to reduce your risk. 

Understanding attack paths for different classes of assets

We’ve already established that attack paths for critical assets are not the same as attack paths for non-critical assets, but we have more work to do to understand how attack paths vary to different classes of assets. 

How defenders should prioritize 

Our early findings reveal how lists and graphs help defenders prioritize, but questions remain. We're interested in learning how security teams can better understand their organization's attack surface.

Stay up to date

As we continue this important research into the attack surface and attack paths, we’ll release our early findings for the community to digest and comment on. We hope to share our Attack Surface and Attack Paths Report in 2023. In the meantime, you can download our initial findings below or subscribe to our newsletter for ongoing updates.

Sarah Hartland

Sarah is the Senior Demand Generation Manager at JupiterOne. She has been a content creator and curator since 2012, with experience in the media, adtech, and cybersecurity industries. Sarah is passionate about making technical concepts accessible for all.
