What is Attack Surface Analysis?

By

Attack surface analysis is the process of identifying and mapping the areas in your attack surface that need to be reviewed for gaps and vulnerabilities by way of continuous monitoring and remediation.

Before the rapid proliferation to the cloud, attack surfaces were much more controllable. They lacked the dynamic, ephemeral nature of today’s attack surfaces. Additionally, modern “cyber assets” encompass a lot more than they did; they now include anything and everything that is software defined and ephemeral. This new definition creates a lot more complexity for the average security team to handle. 

Attack surface analysis can help wrangle your attack surface into a manageable size by not only searching for gaps that could lead to external exploitation, but also identifying the why behind your CVEs. 

Looking beneath the attack surface

Conducting an attack surface analysis can only be effective if you have a solid foundation. Cyber asset attack surface management (CAASM) platforms such as JupiterOne serve as that foundation by giving you a comprehensive look into your attack surface. 

Many security practitioners (and humans in general) work from spreadsheets and lists because they are easier for us to process. The caveat, however, is that as long as we’re thinking in lists rather than graphs, we remain at least one step behind the attacker. Attackers view your attack surface as a network of connected entities that eventually lead them to your business’ critical assets - the infamous crown jewels.

When conducting attack surface analysis, knowing your potential attack paths is equally as important as knowing how far your attack surface extends. We conducted an analysis of 2,285 organizations to identify common themes across attack surfaces and were shocked to find out that critical assets are often closer to the internet than non-critical assets. Furthermore, critical asset paths were less varied than their non-critical counterparts. While this could be attributed to a variety of factors, we hypothesized that security teams’ extra attention to the critical asset lifecycle breeds predictability and a scenario where attackers can reasonably assume its attack path. By leveraging a CAASM platform’s complex querying capabilities and relational context, these types of analyses and findings can be uncovered at a higher velocity than manually connecting the dots.

How to conduct your attack surface analysis

At JupiterOne, we’re guided by a few core questions:

  • What do I have in my cyber asset environment? 
  • Of these assets, which ones are most important? 
  • Do these important assets have a problem? 
  • Who is responsible for fixing these problems?
  • Are we getting better over time? 

Because today’s digital environments are so large, dynamic, and complex, continuously answering these questions ensures that your priorities are still valid and up-to-date. Attack surface analysis lives in between the questions “what is important? and “who is the asset owner? 

  1. Set your scope: Audit your environment to understand where your security team is in the most dire need of heightened security. This comes from understanding what assets live in your environment, as well as which assets are marked “critical” by your team. 
  2. Visualize and understand your attack paths: JupiterOne provides out-of-the-box queries that can be useful in attack surface analysis and visualizations. For example, you can ask “where are my production hosts with medium or high vulnerability findings?” or “what are my vulnerable assets with relationships to hosts, production, or containers?” and visualize how those assets connect to others in your environment. 
  3. Form a plan to remediation: Find the individual who can fix the weak area in question and work to remediate it. 

Overall, the goal is always to reduce your attack surface as much as possible by formalizing criteria for when analysis is needed. While these criteria can differ from business to business, executing analysis around events like API additions, changes to IAM practices, or changes to critical infrastructure can help your security posture. Understanding where and when these changes are happening, however, all starts with comprehensive asset visibility and inventory.

Tanvi Tapadia
Tanvi Tapadia

Born and raised in Raleigh, North Carolina, Tanvi is a marketer who strives to create the perfect balance between data-driven decisions and creative marketing. She is an NC State graduate who loves to explore, eat, and play with her dog Butter.

To hear more from Tanvi, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.

Keep Reading

The top 10 questions that every engineering leader should be able to answer
February 2, 2023
Blog
The top 10 questions that every engineering leader should be able to answer

We polled some of our engineering leaders to see what it takes to succeed. In part two, we see if their answers align with the CISOs we talked to.

Identify compromised versions of Github using JupiterOne
January 31, 2023
Blog
Identify compromised versions of GitHub apps using JupiterOne

As a preventative measure, Github will be deprecating the Mac and Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-

The top 11 questions that every CISO should be able to answer
January 30, 2023
Blog
The top 11 questions that every CISO should be able to answer

In part one of this two-part series, we polled some of our top security experts to see what it takes to succeed secure and manage resources effectively.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.