Widespread digital transformation initiatives over the last decade mean that most IT environments are more complex and heterogeneous than ever. Cloud computing, virtual machines on multiple operating systems, and remote work arrangements are cornerstone infrastructural elements that blur the boundary between the internal network and external Internet at most organizations. From a cybersecurity perspective, dissolved network perimeters and high levels of network dynamism rapidly expand the external attack surface and make it more challenging to adequately defend against threats.
Constant visibility into your evolving attack surface is a critical step in keeping today’s cyber threats at bay. But manual efforts to map out and track your attack surface are unlikely to succeed due to resource constraints. Organizations need dedicated and unified attack surface monitoring for visibility into emerging vulnerabilities, weaknesses, misconfigurations, and other risks. This article provides a definitive guide on attack surface monitoring, including its benefits, the types of risks mitigated, and more.
What is Attack Surface Monitoring?
Attack surface monitoring is a proactive security approach that provides constant visibility into vulnerabilities, weaknesses, data leaks, and misconfigurations that emerge in your external attack surface. The external attack surface is the total number of digital assets exposed to threat actors and accessible via the Internet. Hackers can attempt to enter your network through any one of these points, so it’s critical to have a malicious outsider’s perspective on what your attack surface looks like.
Manual efforts to monitor attack surfaces typically depend on using multiple tools to cover many different channels. The result is usually incomplete coverage. Dedicated attack surface monitoring solutions attempt to provide visibility into your evolving attack surface through a single pane of glass.
Attack surface monitoring is a central principle of a wider attack surface management approach that also involves asset discovery, inventory, and classification. Standalone solutions are available that solely focus on attack surface monitoring, but it’s more common that monitoring slots into a more comprehensive attack surface management solution that automates other important steps, including asset discovery and inventory.
A recent study highlighted the need for attack surface monitoring by finding that 43 percent of organizations admitted their attack surface is spiraling out of control and 62 percent have attack surface blind spots that hamper security.
So, what are the specific functions of attack surface monitoring that can close these visibility gaps and reduce cyber risks? Here are some common features of these solutions.
- A detection engine that generates real-time alerts when risky changes are spotted, such as a misconfiguration that opens up a cloud storage bucket to anyone with the link, expired or insecure SSL certificates, open ports, software vulnerabilities, or even source code leaks in repositories like Github.
- Rule-based monitoring that accounts for potential compliance violations when triggering alerts.
- Continuous monitoring of web applications, services, and APIs for vulnerabilities that outsiders could exploit.
What Assets Should a Comprehensive Attack Surface Solution Monitor?
In general, any comprehensive solution should monitor the following assets as a bare minimum for vulnerabilities, misconfigurations, and other security risks:
- Cloud computing on public cloud services, including storage, SaaS applications, and infrastructure that you access and configure based on custom needs, such as hosting an application.
- Company website infrastructure (hosting accounts, SSL certificates, content management systems).
- Entire web application infrastructure, including libraries, dependencies, APIs, and web servers.
- Shadow IT assets that employees use without the approval of central IT departments. This includes physical personal devices, messaging or collaboration apps, and personal cloud storage services. Full-suite external attack surface management solutions usually include features that enable the discovery of these assets, bringing them out of the shadows and into visibility so they can be mapped and monitored.
- Remote work infrastructure, which includes employee laptops connecting to the corporate network and VPN or RDP applications that provide internal network connectivity.
There’s a strong argument that organizations should view employee credentials as a type of asset that needs monitoring. After all, these credentials could end up on the dark web, where threat actors purchase them and use them as a way to get inside your network. Many attack surface monitoring solutions don’t extend their capabilities to monitor credentials…more on how Flare differs in that regard later.
Benefits of Effective Attack Surface Monitoring
The outside-in perspective that attack surface monitoring provides is invaluable for effectively managing cybersecurity risks. When you see what malicious actors see, it becomes much clearer what kinds of vulnerabilities and misconfigurations pose the most immediate risks to your data and applications.
The real-time alerting and continuous monitoring enables much faster remediation compared to the traditional ad hoc or scheduled vulnerability scans that organizations run. Furthermore, since attack surface monitoring focuses on more risks than typical vulnerabilities, coverage is much greater.
Data leaks or exposures only become full-scale breach incidents when an unauthorized outsider accesses and/or downloads the information. These leaks present threat actors with low-hanging fruit, and it’s usually a race against time before someone finds exposed data on the Internet. In a world of increased regulatory oversight where various regulations protect customer data and data breaches cost upwards of $4 million, it’s pivotal to have processes in place to detect the kinds of errors that leave sensitive data exposed. Attack surface monitoring provides the rapid detection needed to remediate misconfigurations that leave data exposed.
High-Profile Incidents That Attack Surface Monitoring Could’ve Mitigated
To better understand the powerful difference attack surface monitoring can make to your cyber defenses, it’s worth analyzing a couple of high-profile recent security incidents and pointing out how dedicated attack surface monitoring could’ve mitigated them.
Securitas S3 Misconfiguration
In January 2022, cybersecurity research and technical product review site SafetyDetectives reported on a major data leak affecting Securitas. The company provides security services, including airport security, in well over 50 countries.
The leak in question came from an exposed AWS S3 cloud bucket which was left unsecured without any password authentication. The exposed information included sensitive data about airport employees in both Colombia and Peru. With one million files, this data leak totaled 3 terabytes of data.
It remains unclear whether any threat actors managed to find and download the exposed data. But it is likely that the cloud misconfiguration went unnoticed by Securitas for a considerable length of time. With an effective attack surface monitoring solution in place that monitors cloud assets for security risks, the Securitas IT team would’ve received an immediate alert about this misconfiguration and been able to rapidly mitigate the risk.
Colonial Pipeline VPN Compromise
An enforced shutdown due to a ransomware attack on The Colonial Pipeline was one of 2021’s most discussed security incidents. The initial entry point that led to panic-driven gas shortages came from a legacy VPN system being broken into by compromising an inactive user’s account with a leaked password.
Much has been spoken and written about this incident, but the actual root cause went somewhat under the radar. It’s critical to bear in mind that VPNs are Internet-exposed digital assets that cybercriminals often focus on, especially in a landscape where remote workers use these services to connect to company networks.
Since this legacy VPN account belonged to an inactive user, comprehensive attack surface monitoring would have alerted IT about the risk of this account. Swiftly deprovisioning the account or revoking access in response to this high-risk alert would’ve prevented the incident and its subsequent fallout.
Flare: External Attack Surface Management
Our platform provides all the features you’d expect from external attack surface management but with extra monitoring capabilities. Reflecting the fact that employee credentials continue to provide an entry route into corporate networks, Flare monitors the dark web, Pastebin, and other external sources for leaked credentials from previous breaches. You can then prevent data breaches by resetting accounts that have the potential to be compromised. Get your Flare demo today.
