Attack Surface Expansion
In cybersecurity, Attack Surface Expansion is the process by which an organization's total attack surface grows, creating new opportunities and entry points for attackers. The attack surface is the sum of all points where an unauthorized user can try to enter a system or extract data from it. Expansion occurs when the number or variety of these potential entry points increases.
This is a critical concern because a larger attack surface correlates with a higher likelihood of a successful cyberattack. The expansion is often a byproduct of modern business practices and technological advancements, such as:
Digital Transformation: Moving from on-premises systems to cloud-based services and adopting new technologies such as IoT devices creates new, often externally facing, assets that an attacker can target.
DevOps and CI/CD: The rapid development cycles and automation inherent in DevOps can lead to the accidental exposure of sensitive data, such as hard-coded credentials committed to public code repositories.
Third-Party Integrations: Integrating with a wide range of vendors and partners adds their attack surfaces to your own, since every new connection and trust relationship is a potential entry point.
Remote Work: The proliferation of remote work has led to an increase in exposed services, like VPNs and RDP, as well as a greater number of unmanaged or less secure devices connecting to the corporate network.
Ultimately, Attack Surface Expansion makes an organization more difficult to defend because it becomes harder to maintain a complete inventory of all assets and to apply consistent security controls across an ever-growing perimeter.
ThreatNG, an external attack surface management, digital risk protection, and security ratings solution, would help manage Attack Surface Expansion by providing a continuous, outside-in view of an organization's growing digital footprint. It identifies and assesses newly exposed assets and vulnerabilities that contribute to the expansion, helping organizations understand and mitigate new risks as they appear.
ThreatNG's Role in Managing Attack Surface Expansion
ThreatNG performs purely external, unauthenticated discovery to find and map an organization's assets without requiring any connectors. This is the foundational step in addressing attack surface expansion, as it provides an inventory of all public-facing assets that have been added to the attack surface. ThreatNG discovers a wide range of assets that contribute to this expansion, including:
Subdomains: It enumerates an organization's subdomains and evaluates the security posture of each, since each one may expose a different host or service.
Cloud and SaaS Exposure: It evaluates cloud services and Software-as-a-Service (SaaS) solutions, including both sanctioned and unsanctioned services, cloud service impersonations, and open exposed cloud buckets.
Mobile Apps: It discovers mobile apps related to the organization in marketplaces and analyzes their content for exposed credentials and identifiers.
Code Repositories: It discovers public code repositories and investigates their contents for sensitive data.
Online Sharing Platforms: It identifies organizational entities on platforms such as Pastebin, GitHub Gist, and others.
Example of ThreatNG Helping: An organization introduces a new cloud service to support a marketing campaign. ThreatNG's continuous discovery would find this new service and identify its associated subdomains and exposed APIs, immediately adding them to the organization's attack surface inventory.
ThreatNG assesses the risk of the newly discovered assets to provide context and prioritization for the expanding attack surface. It performs various assessments that directly relate to the vulnerabilities introduced by this expansion:
Cyber Risk Exposure: This assessment considers parameters like certificates, subdomain HTTP headers, vulnerabilities, and sensitive ports. It also factors in "Code Secret Exposure" and "Cloud and SaaS Exposure" to determine an organization's cyber risk.
Example: ThreatNG discovers a new subdomain for a development environment that has an exposed sensitive port and a leaked API key found in a public code repository. This would lead to a high "Cyber Risk Exposure" score, indicating the severity of the attack surface expansion.
Subdomain Takeover Susceptibility: The platform evaluates a website's susceptibility to subdomain takeover by analyzing its subdomains, DNS records, and SSL certificate statuses. This is crucial for managing expansion: the usual cause is a DNS record (typically a CNAME) left pointing at a third-party service or host that has since been decommissioned, which an attacker can then register and use to serve content under the organization's name. Subdomains created for short-lived projects and never cleaned up are a common source of exactly this.
Breach & Ransomware Susceptibility: This assessment is based on external intelligence, which includes domain intelligence (exposed sensitive ports and known vulnerabilities), dark web presence (compromised credentials and ransomware events), and sentiment and financials. This helps an organization understand if the new elements of its attack surface are susceptible to being breached.
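The dangling-CNAME check that underlies a subdomain takeover assessment, as an added example. This is not ThreatNG code and does not reproduce the platform's logic; the zone records, resolver answers, HTTP bodies, provider suffixes and "unclaimed" fingerprint strings are all constructed or assumed for the example so that it runs offline. The point it makes beyond the paragraph: for providers that answer DNS for any name (S3 here), a CNAME that still resolves proves nothing, and the check has to look at the response body instead.

```python
"""Dangling-CNAME check of the kind a subdomain-takeover assessment relies on.

Added example; not ThreatNG code. DNS records, resolver answers and HTTP
bodies are constructed below so the script runs offline; in practice
`resolve` and `fetch_body` would wrap a real DNS lookup and HTTP GET.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Third-party hosting suffixes commonly delegated to via CNAME.
# Illustrative, not exhaustive; a real check keeps a curated provider list.
HOSTED_SERVICE_SUFFIXES = (
    ".github.io",
    ".herokuapp.com",
    ".s3.amazonaws.com",
    ".cloudfront.net",
)

# Providers whose DNS answers for *any* name (wildcard DNS). There a
# resolving CNAME proves nothing; the "unclaimed" response body is the tell.
# The fingerprint string is an assumption for this example.
UNCLAIMED_FINGERPRINTS = {
    ".s3.amazonaws.com": "NoSuchBucket",
}


@dataclass(frozen=True)
class Finding:
    subdomain: str
    target: str
    status: str   # "dangling" or "unclaimed"
    detail: str


def find_takeover_candidates(
    cnames: dict[str, str],
    resolve: Callable[[str], list[str]],
    fetch_body: Callable[[str], Optional[str]],
) -> list[Finding]:
    """Flag CNAMEs whose target no longer exists or is an unclaimed hosted resource."""
    findings = []
    for subdomain, target in cnames.items():
        suffix = next((s for s in HOSTED_SERVICE_SUFFIXES if target.endswith(s)), None)
        fingerprint = UNCLAIMED_FINGERPRINTS.get(suffix)
        if fingerprint is not None:
            # Wildcard-DNS provider: the name resolves whether or not the
            # resource exists, so inspect the HTTP response instead of DNS.
            body = fetch_body(target)
            if body is not None and fingerprint in body:
                findings.append(Finding(subdomain, target, "unclaimed",
                                        f"{suffix} resource answers with {fingerprint!r}; anyone can claim the name"))
            continue
        if resolve(target):
            continue  # target still exists; not a takeover candidate by this check
        if suffix:
            findings.append(Finding(subdomain, target, "dangling",
                                    f"CNAME to a {suffix} host that no longer resolves; likely re-registrable"))
        else:
            findings.append(Finding(subdomain, target, "dangling",
                                    "CNAME target does not resolve; verify whether the name can be re-registered"))
    return findings


# Constructed zone data: subdomain -> CNAME target.
CONSTRUCTED_CNAMES = {
    "www.example.com": "example.github.io",
    "promo.example.com": "spring-campaign.herokuapp.com",
    "assets.example.com": "assets-example.s3.amazonaws.com",
    "cdn.example.com": "d1111111111111.cloudfront.net",
    "legacy.example.com": "old-vendor.example.net",
}

# Constructed resolver answers; names absent here behave like NXDOMAIN (empty list).
CONSTRUCTED_DNS = {
    "example.github.io": ["192.0.2.10"],
    "assets-example.s3.amazonaws.com": ["192.0.2.20"],  # wildcard: resolves although the bucket is gone
    "d1111111111111.cloudfront.net": ["192.0.2.30"],
}

# Constructed HTTP bodies for the fingerprint check.
CONSTRUCTED_BODIES = {
    "assets-example.s3.amazonaws.com": "<Error><Code>NoSuchBucket</Code></Error>",
}


def constructed_resolve(name: str) -> list[str]:
    return CONSTRUCTED_DNS.get(name, [])


def constructed_fetch_body(name: str) -> Optional[str]:
    return CONSTRUCTED_BODIES.get(name)


if __name__ == "__main__":
    for f in find_takeover_candidates(CONSTRUCTED_CNAMES, constructed_resolve, constructed_fetch_body):
        print(f"{f.subdomain} -> {f.target}: {f.status} ({f.detail})")
```

Running it flags promo.example.com and legacy.example.com as dangling and assets.example.com as unclaimed, while www.example.com and cdn.example.com pass. A "dangling" result is a candidate, not a confirmed takeover: whether the target name can actually be re-registered depends on the provider and still has to be verified by hand.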
ThreatNG's reports, including Executive, Technical, and Prioritized (High, Medium, Low, and Informational), are essential for communicating the state of the expanding attack surface. These reports would detail newly discovered assets, their associated risks, and the specific vulnerabilities found.
Example of ThreatNG Helping: A technical report from ThreatNG would list a newly discovered mobile app and detail its security vulnerabilities, such as an exposed API key or a weak credential. The report would also provide recommendations for mitigating these risks, allowing the organization to address the new attack surface exposure.
ThreatNG performs continuous monitoring of an organization's external attack surface, digital risk, and security ratings. This is the most crucial capability for managing Attack Surface Expansion, as it ensures that the organization's inventory of public-facing assets is always up-to-date. As new assets are added, ThreatNG automatically discovers and assesses them, preventing them from becoming blind spots.
Example of ThreatNG Helping: An organization launches a new marketing website hosted on a new server. ThreatNG's continuous monitoring would automatically detect this new server, scan its exposed ports, identify its technology stack, and assess any associated vulnerabilities.
ThreatNG's investigation modules allow for a deep dive into specific areas of the attack surface, which is vital for understanding new exposures.
Subdomain Intelligence: This module analyzes subdomains for various factors, including HTTP responses, header analysis, cloud hosting, and open ports, and checks for subdomain takeover susceptibility.
Sensitive Code Exposure: This module discovers public code repositories and investigates their contents for sensitive data such as API keys, access tokens, and cloud credentials. This is crucial for identifying accidental exposure of credentials that contribute to attack surface expansion.
Cloud and SaaS Exposure: This module evaluates an organization's cloud services and SaaS solutions, identifying open exposed cloud buckets and other vulnerabilities.
Dark Web Presence: It monitors for compromised credentials, a common outcome of a successful attack against an expanding attack surface and a direct route back into it.
Example of ThreatNG Helping: A developer accidentally pushes code with a hard-coded API key to a public repository. Using its Sensitive Code Exposure module, ThreatNG would find the repository and flag the exposed API key as a critical risk, allowing the security team to remediate the exposure before an attacker can use it.
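The detection side of the scenario above, as an added example of how a secret scanner finds a hard-coded key in repository contents. It is not ThreatNG code and the rules are a small illustrative subset, not the platform's rule set; the rule list, the entropy cut-off and the sample files are assumptions constructed for this example (the AWS values are the example keys AWS publishes in its own documentation). It shows the two things such a scanner needs: high-confidence patterns for provider-specific key formats, and an entropy filter so that a noisier generic `key = "..."` rule does not flag placeholders.

```python
"""Secret detection over repository contents, the technique behind a
"sensitive code exposure" finding.

Added example; not ThreatNG code. Rules are an illustrative subset
(assumed). Sample files are constructed; the AWS values are the examples
AWS itself publishes in its documentation, not live credentials.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for the generic rule

# (rule name, pattern, apply entropy filter). The first three match
# provider-specific formats and count as high confidence; the last catches
# `key|secret|token|password = "<value>"` assignments and is noisier.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), False),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), False),
    ("generic-credential-assignment",
     re.compile(r"(?i)(?:key|secret|token|password|passwd)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"), True),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    confidence: str
    value_prefix: str  # first characters only; never log the whole secret


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders such as '0000...' score near zero."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line_hits = []
        for rule, pattern, entropy_filter in RULES:
            if entropy_filter and line_hits:
                continue  # a specific rule already fired on this line; skip the noisy one
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if entropy_filter and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low-entropy placeholder, not a real credential
                line_hits.append(Finding(path, line_no, rule,
                                         "medium" if entropy_filter else "high", value[:4]))
        findings.extend(line_hits)
    return findings


def scan_repository(files: dict[str, str]) -> list[Finding]:
    """files maps repository path -> file contents."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed repository contents.
CONSTRUCTED_FILES = {
    "config/settings.py": "\n".join([
        "# Constructed sample file; the AWS values are the documented AWS examples, not live credentials.",
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
        'api_key = "9f2Kq7LmZp4Rt8VwXc3YbN6H"',
        'slack_token = "000000000000000000000000"   # placeholder, low entropy',
        'password = "REPLACE_ME"',
    ]),
    "scripts/deploy.sh": "\n".join([
        "#!/bin/sh",
        'export GITHUB_TOKEN="ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"',
    ]),
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedtruncated\n-----END RSA PRIVATE KEY-----",
}


if __name__ == "__main__":
    for f in scan_repository(CONSTRUCTED_FILES):
        print(f"{f.path}:{f.line_no} [{f.confidence}] {f.rule} ({f.value_prefix}...)")
```

On the constructed repository this reports the AWS access key ID, the AWS secret key and the api_key assignment in config/settings.py, the GitHub token in scripts/deploy.sh and the private key block in keys/id_rsa, and stays quiet on the all-zero placeholder and on REPLACE_ME. Keep the full matched value out of reports and tickets; the prefix is enough to locate and rotate it.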
ThreatNG's intelligence repositories, known as DarCache, provide critical context for assessing the risks associated with an expanding attack surface.
Vulnerabilities (DarCache Vulnerability): This repository includes information from NVD (vulnerability details and CVSS base scores), EPSS (the predicted probability that a vulnerability will be exploited) and CISA's KEV catalog (vulnerabilities confirmed as exploited in the wild), providing a holistic approach to managing external risks by weighing real-world exploitability alongside potential impact. This helps prioritize remediation efforts for newly discovered vulnerabilities on the expanded attack surface.
Compromised Credentials (DarCache Rupture): This repository contains information on compromised credentials. Credentials for newly added assets can be leaked in a breach, and ThreatNG would use this repository to determine whether any credentials associated with the new assets have already been compromised.
Example of ThreatNG Helping: ThreatNG discovers a new, externally facing web application. It uses its DarCache Vulnerability repository to identify that the application's software version has a known, actively exploited vulnerability (from KEV). This allows the security team to prioritize patching the new application immediately.
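The prioritization the two passages above describe, as an added example that combines the three sources named (NVD base score, EPSS probability, KEV listing) with whether the asset is internet-facing. This is not ThreatNG's scoring; the tier rules, the EPSS cut-off and the remediation SLAs are assumptions chosen to illustrate the approach, the records are constructed, and the CVE identifiers are placeholders rather than real CVEs. The point it makes beyond the text: ordering by CVSS alone would put the 9.1 on www.example.com ahead of the 7.5 on the VPN, while exploitability data reverses that.

```python
"""Exploitability-aware prioritization of newly exposed vulnerabilities.

Added example, not ThreatNG's scoring. Tier rules, EPSS cut-off and SLAs
are assumptions for illustration; records are constructed and the CVE
identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass

EPSS_THRESHOLD = 0.10                    # assumed: >= 10% predicted exploitation probability
SLA_DAYS = {1: 1, 2: 7, 3: 30, 4: 90}    # assumed remediation targets per tier


@dataclass(frozen=True)
class ExposedVuln:
    cve: str
    asset: str
    cvss: float           # NVD base score, 0-10
    epss: float           # EPSS probability, 0-1
    in_kev: bool          # listed in CISA KEV (known exploited)
    internet_facing: bool # from external discovery


def tier(v: ExposedVuln) -> int:
    """1: exploited in the wild on an exposed asset; 2: exploited or likely to be;
    3: severe by CVSS but no exploitation signal; 4: everything else."""
    if v.in_kev and v.internet_facing:
        return 1
    if v.in_kev or v.epss >= EPSS_THRESHOLD:
        return 2
    if v.cvss >= 7.0:
        return 3
    return 4


def reason(v: ExposedVuln) -> str:
    if v.in_kev:
        where = "internet-facing" if v.internet_facing else "not internet-facing"
        return f"in KEV ({where})"
    if v.epss >= EPSS_THRESHOLD:
        return f"EPSS {v.epss:.2f} above {EPSS_THRESHOLD:.2f}"
    if v.cvss >= 7.0:
        return f"CVSS {v.cvss} with no exploitation signal"
    return "low severity, no exploitation signal"


def prioritize(vulns: list[ExposedVuln]) -> list[ExposedVuln]:
    """Tier first, then EPSS, then CVSS as the tie-breaker."""
    return sorted(vulns, key=lambda v: (tier(v), -v.epss, -v.cvss))


def remediation_plan(vulns: list[ExposedVuln]) -> list[tuple[str, str, int, int, str]]:
    """(cve, asset, tier, sla_days, reason) in the order work should be done."""
    return [(v.cve, v.asset, tier(v), SLA_DAYS[tier(v)], reason(v)) for v in prioritize(vulns)]


# Constructed findings on newly discovered external assets (placeholder CVE ids).
CONSTRUCTED_FINDINGS = [
    ExposedVuln("CVE-0000-0004", "www.example.com", 9.1, 0.03, False, True),
    ExposedVuln("CVE-0000-0001", "app.example.com", 9.8, 0.94, True, True),
    ExposedVuln("CVE-0000-0005", "www.example.com", 5.3, 0.01, False, True),
    ExposedVuln("CVE-0000-0003", "build.example.com", 8.8, 0.02, True, False),
    ExposedVuln("CVE-0000-0002", "vpn.example.com", 7.5, 0.42, False, True),
]


if __name__ == "__main__":
    for cve, asset, t, sla, why in remediation_plan(CONSTRUCTED_FINDINGS):
        print(f"P{t} fix within {sla:>2}d  {cve}  {asset:<20} {why}")
```

The resulting order is CVE-0000-0001 (KEV, exposed), CVE-0000-0002 (high EPSS), CVE-0000-0003 (KEV but internal), CVE-0000-0004 (high CVSS only), CVE-0000-0005. Treat EPSS as a probability to feed a threshold you revisit, not as a severity score, and keep KEV membership as an override: a KEV entry on an exposed asset goes to the front regardless of its CVSS.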
Synergies with Complementary Solutions
Other security solutions can complement ThreatNG's external focus on attack surface expansion.
Complementary Solutions: Configuration Management and Patch Management Tools: ThreatNG's external assessment identifies newly discovered vulnerabilities and misconfigurations. This information can be used by configuration management and patch management tools to automatically patch new systems and enforce secure configurations, preventing the attack surface from expanding with known weaknesses.
Complementary Solutions: Cloud Security Posture Management (CSPM): ThreatNG's external discovery of exposed cloud assets and services can be complemented by a CSPM. The CSPM would perform a deeper, internal scan of the cloud environment to ensure that the newly discovered assets adhere to internal security policies and do not have misconfigurations that could lead to further attack surface expansion.
Complementary Solutions: Secrets Management Solutions: ThreatNG's discovery of hard-coded credentials in public code repositories and mobile apps can be used to justify and enforce the use of a secrets management solution. This allows organizations to securely manage and rotate credentials, preventing them from being accidentally exposed in the future.
Complementary Solutions: Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's alerts on newly discovered assets or critical vulnerabilities can be ingested by a SIEM for consolidated logging. A SOAR platform can then use these alerts to automate response actions, such as isolating a newly discovered, vulnerable asset or triggering a workflow to notify the team responsible for the asset.