How To Reduce Attack Surface: 6 Proven Tactics

Security-oriented organizations continuously identify, monitor, and manage internet-connected assets to protect them from emerging attack vectors and potential vulnerabilities. 

Security teams go through every element of the organization’s security posture – from firewalls and cloud-hosted assets to endpoint devices and entry points – looking for opportunities to reduce security risks.

This process is called attack surface management. It provides a comprehensive view into the organization’s cybersecurity posture, with a neatly organized list of entry points, vulnerabilities, and weaknesses that hackers could exploit in a cyberattack scenario.

Attack surface reduction is an important element of any organization’s overall cybersecurity strategy. Security leaders who understand the organization’s weaknesses can invest resources into filling the most critical gaps first and worrying about low-priority threats later.

What assets make up your organization’s attack surface?

Your organization’s attack surface is a detailed list of every entry point and vulnerability that an attacker could exploit to gain unauthorized access. The more entry points your network has, the larger its attack surface will be.

Most security leaders divide their attention between two broad types of attack surfaces:

The digital attack surface 

This includes all network equipment and business assets used to transfer, store, and communicate information. It is susceptible to phishing attempts, malware risks, ransomware attacks, and data breaches. Cybercriminals may infiltrate these kinds of assets by bypassing technical security controls, compromising unsecured apps or APIs, or guessing weak passwords.

The physical attack surface 

This includes business assets that employees, partners, and customers interact with physically. These might include hardware equipment located inside data centers and USB access points. 

Even access control systems for office buildings and other non-cyber threats may be included. These assets can play a role in attacks that involve social engineering, insider threats, and other malicious actors who work in-person.

Even though both of these attack surfaces are distinct, many of their security vulnerabilities and potential entry points overlap in real-life threat scenarios. 

For example, thieves might steal laptops from an unsecured retail location and leverage sensitive data on those devices to launch further attacks against the organization’s digital assets. Organizations that take steps to minimize their attack surface area can reduce the risks associated with this kind of threat.

Known Assets, Unknown Assets, and Rogue Assets

All physical and digital business assets fall into one of three categories:

• Known assets are apps, devices, and systems that the security team has authorized to connect to the organization’s network. These assets are included in risk assessments and they are protected by robust security measures, like network segmentation and strict permissions.
• Unknown assets include systems and web applications that the security team is not aware of. These are not authorized to access the network and may represent a serious security threat. Shadow IT applications may be part of this category, as well as employee-owned mobile devices storing sensitive data and unsecured IoT devices.
• Rogue assets connect to the network without authorization, but they are known to security teams. These may include unauthorized user accounts, misconfigured assets, and unpatched software. A major part of properly managing your organization’s attack surface involves the identification and remediation of these risks.

Attack Vectors Explained: Minimize Risk by Following Potential Attack Paths

When conducting attack surface analysis, security teams have to carefully assess the way threat actors might discover and compromise the organization’s assets while carrying out their attack. This requires the team to combine elements of vulnerability management with risk management, working through the cyberattack kill chain the way a hacker might.

Some cybercriminals leverage technical vulnerabilities in operating systems and app integrations. Others prefer to exploit poor identity access management policies, or trick privileged employees into giving up their authentication credentials. Many cyberattacks involve multiple steps carried out by different teams of threat actors. For example, one hacker may specialize in gaining initial access to secured networks while another focuses on using different tools to escalate privileges.

To successfully reduce your organization’s attack surface, you must follow potential attacks through these steps and discover what their business impact might be. This will provide you with the insight you need to manage newly discovered vulnerabilities and protect business assets from cyberattack.

Some examples of common attack vectors include:

• API vulnerabilities. APIs allow organizations to automate the transfer of data, including scripts and code, between different systems. Many APIs run on third-party servers managed by vendors who host and manage the software for customers. These interfaces can introduce vulnerabilities that internal security teams aren’t aware of, reducing visibility into the organization’s attack surface.
• Unsecured software plugins. Plugins are optional add-ons that enhance existing apps by providing new features or functionalities. They are usually made by third-party developers who may require customers to send them data from internal systems. If this transfer is not secured, hackers may intercept it and use that information to attack the system.
• Unpatched software. Software developers continuously release security patches that address emerging threats and vulnerabilities. However, not all users implement these patches the moment they are released. This delay gives attackers a key opportunity to learn about the vulnerability (which is as easy as reading the patch changelog) and exploit it before the patch is installed.
• Misconfigured security tools. Authentication systems, firewalls, and other security tools must be properly configured in order to produce optimal security benefits. Attackers who discover misconfigurations can exploit those weaknesses to gain entry to the network.
• Insider threats. This is one of the most common attack vectors, yet it can be the hardest to detect. Any employee entrusted with sensitive data could accidentally send it to the wrong person, resulting in a data breach. Malicious insiders may take steps to cover their tracks, using their privileged permissions and knowledge of the organization to go unnoticed.

6 Tactics for Reducing Your Attack Surface

1. Implement Zero Trust

The Zero Trust security model assumes that data breaches are inevitable and may even have already occurred. This adds new layers to the problems that attack surface management resolves, but it can dramatically improve overall resilience and preparedness.

When you develop your security policies using the Zero Trust framework, you impose strong limits on what hackers can and cannot do after gaining initial access to your network. Zero Trust architecture blocks attackers from conducting lateral movement, escalating their privileges, and breaching critical data.

For example, IoT devices are a common entry point into many networks because they don’t typically benefit from the same level of security that on-premises workstations receive. At the same time, many apps and systems are configured to automatically trust connections from internet-enabled sensors and peripheral devices. Under a Zero Trust framework, these connections would require additional authentication. The systems they connect to would also need to authenticate themselves before receiving data.

Multi-factor authentication is another part of the Zero Trust framework that can dramatically improve operational security. Without this kind of authentication in place, most systems have to accept that anyone with the right username and password combination must be a legitimate user. In a compromised credential scenario, this is obviously not the case.

Organizations that develop network infrastructure with Zero Trust principles in place are able to reduce the number of entry points their organization exposes to attackers and reduce the value of those entry points. If hackers do compromise parts of the network, they will be unable to quickly move between different segments of the network, and may be unable to stay unnoticed for long.

2. Remove Unnecessary Complexity

Unknown assets are one of the main barriers to operational security excellence. Security teams can’t effectively protect systems, apps, and users they don’t have detailed information on. Any rogue or unknown assets the organization is responsible for are almost certainly attractive entry points for hackers.

Arbitrarily complex systems can be very difficult to document and inventory properly. This is a particularly challenging problem for security leaders working for large enterprises that grow through acquisitions. Managing a large portfolio of acquired companies can be incredibly complex, especially when every individual company has its own security systems, tools, and policies to take into account.

Security leaders generally don’t have the authority to consolidate complex systems on their own. However, you can reduce complexity and simplify security controls throughout the environment in several key ways:

• Reduce the organization’s dependence on legacy systems. End-of-life systems that no longer receive maintenance and support should be replaced with modern equivalents quickly.
• Group assets, users, and systems together. Security groups should be assigned on the basis of least privileged access, so that every user only has the minimum permissions necessary to achieve their tasks.
• Centralize access control management. Ad-hoc access control management quickly leads to unknown vulnerabilities and weaknesses popping up unannounced. Implement a robust identity access management system so you can create identity-based policies for managing user access.

3. Perform Continuous Vulnerability Monitoring

Your organization’s attack surface is constantly changing. New threats are emerging, old ones are getting patched, and your IT environment is supporting new users and assets on a daily basis. Being able to continuously monitor these changes is one of the most important aspects of Zero Trust architecture.

The tools you use to support attack surface management should also generate alerts when assets get exposed to known risks. They should allow you to confirm the remediation of detected risks, and provide ample information about the risks they uncover.

Some of the things you can do to make this happen include:

• Investing in a continuous vulnerability monitoring solution. Vulnerability scans are useful for finding out where your organization stands at any given moment. Scheduling these scans to occur at regular intervals allows you to build a standardized process for vulnerability monitoring and remediation.
• Building a transparent network designed for visibility. Your network should not obscure important security details from you. Unfortunately, this is what many third-party security tools and services achieve. Make sure both you and your third-party security partners are invested in building observability into every aspect of your network.
• Prioritize security expenditure based on risk. Once you can observe the way users, data, and assets interact on the network, you can begin prioritizing security initiatives based on their business impact. This allows you to focus on high-risk tasks first.

4. Use Network Segmentation to Your Advantage

Network segmentation is critical to the Zero Trust framework. When your organization’s different subnetworks are separated from one another with strictly protected boundaries, it’s much harder for attackers to travel laterally through the network. Limiting access between parts of the network helps streamline security processes while reducing risk.

There are several ways you can segment your network. Most organizations already perform some degree of segmentation by encrypting highly classified data. Others enforce network segmentation principles when differentiating between production and live development environments.

But in order for organizations to truly benefit from network segmentation, security leaders must carefully define boundaries between every segment and enforce authentication policies designed for each boundary. This requires in-depth knowledge of the business roles and functions of the users who access those segments, and the ability to configure security tools to inspect and enforce access control rules.

For example, any firewall can block traffic between two network segments. A next-generation firewall can conduct identity-based inspection that allows traffic from authorized users through – even if they are using mobile devices the firewall has never seen before.

5. Implement a Strong Encryption Policy

Encryption policies are an important element of many different compliance frameworks. HIPAA, PCI-DSS, and many other regulatory frameworks specify particular encryption policies that organizations must follow to be compliant. These standards are based on the latest research in cryptographic security and threat intelligence reports that outline hackers’ capabilities.

Even if your organization is not actively seeking regulatory compliance, you should use these frameworks as a starting point for building your own encryption policy. Your organization’s risk profile is largely the same whether you seek regulatory certification or not – and accidentally deploying outdated encryption policies can introduce preventable vulnerabilities into an otherwise strong security posture.

Your organization’s encryption policy should detail every type of data that should be encrypted and the cipher suite you’ll use to encrypt that data. This will necessarily include critical assets like customer financial data and employee payroll records, but it also includes relatively low-impact assets like public Wi-Fi connections at retail stores.

In each case, you must implement a modern cipher suite that meets your organization’s security needs and replace legacy devices that do not support the latest encryption algorithms. This is particularly important in retail and office settings, where hardware routers, printers, and other devices may no longer support secure encryption.

6. Invest in Employee Training

To truly build security resilience into any company culture, it’s critical to explain why these policies must be followed, and what kinds of threats they address. One of the best ways to administer standardized security compliance training is by leveraging a corporate learning platform across the organization, so that employees can actually internalize these security policies through scenario based training courses. 

It’s especially valuable in organizations suffering from consistent shadow IT usage. When employees understand the security vulnerabilities that shadow IT introduces into the environment, they’re far less likely to ignore security policies for the sake of convenience.

Security simulations and awareness campaigns can have a significant impact on training initiatives. When employees know how to identify threat actors at work, they are much less likely to fall victim to them. However, actually achieving meaningful improvement may require devoting a great deal of time and energy into phishing simulation exercises over time – not everyone is going to get it right in the first month or two.

These initiatives can also provide clear insight and data on how prepared your employees are overall. This data can make a valuable contribution to your attack surface reduction campaign. You may be able to pinpoint departments – or even individual users – who need additional resources and support to improve their resilience against phishing and social engineering attacks. Successfully managing this aspect of your risk assessment strategy will make it much harder for hackers to gain control of privileged administrative accounts.