In IT security, the term "attack surface" is one that you hear again and again. Put simply, an attack surface is what an attacker targets in order to reach a specific goal. In German-speaking regions, the English term "Attack Surface" is commonly used as well. The attack surface can be digital, physical, or social. Generally, the more assets a company has, the larger its attack surface. These assets can be IP addresses, services, employees, buildings, or even suppliers. Minimizing the attack surface is an important step towards better IT security.
Attack Surface or Attack Vector - What's What?
Unfortunately, in practice the two terms are often used interchangeably, which leads to confusion. One should distinguish between attack surface and attack vector.
- An attack vector is a specific security vulnerability, an email attachment, a weak password, or a specific attack technique.
- The attack surface, on the other hand, is more like an asset, a service, a website, a person, or a building, window, or door - depending on the context.
What Types of Attack Surfaces Are There?
Digital Attack Surfaces
As mentioned at the beginning, digital attack surfaces are, for example, ASNs, CIDR ranges, individual IP addresses, or specific services running on a host. An attack surface can also be an API or a website. Login forms or contact forms can be attack surfaces as well. An attacker might try to guess weak administrator passwords by brute force (which would be an attack vector).
Physical Attack Surfaces
In the context of physical penetration tests or Red Teaming, a building and its access points, such as gates, windows, or doors, would be an attack surface. People can also be attack surfaces: an attacker might try to pose as an employee to gain access to a building. Within a security zone, endpoints such as laptops, smartphones, or tablets would be attack surfaces. A printer or a server can also be an attack surface.
Social Engineering Attack Surfaces
Social Engineering is a special case. Generally, the attack surface here is a human: an employee, supplier, mail carrier, or other person who has a specific function in a company. Attackers use certain methods (for example, phishing) to obtain something from the target person or to get them to perform a specific action.
External Attack Surfaces
This category is one that DSecured likes to use. It includes assets that are difficult to control because they formally don't fall under one's own responsibility. These could be portals where company-internal information is stored but which are managed by a third party. Supply Chain Security also falls into this category. What suppliers, service providers, or partners do is often difficult to control. However, one should prepare for the possibility that these parties might become the target of an attack and thus affect one's own company. Strictly speaking, this category overlaps with each of the other three, as an external attack surface always has a physical, digital, or social component.
Attack Surface Management as a Solution
If you want to protect something, you need to know that it exists. This is the task of ASM software. There are various subcategories of ASM that specialize in only certain areas of this topic. An example would be DSecured Argos eASM: software that continuously tries to capture the entire external attack surface of a company and scan it for vulnerabilities. New assets and Shadow IT can also be discovered and monitored with it. The ultimate goal is to reduce the attack surface and minimize risks. With the help of the data provided by software of this kind, penetration tests and Red Teamings can also be conducted more efficiently.
Tips for Minimizing the Attack Surface
What sounds simple is often difficult to implement in practice: the larger a company, the larger the attack surface and the more responsible parties there are. The first step in the right direction is almost always to get an overview and create an asset list. There are various tools and service providers (like us) for this. In the second step, it often makes sense to implement the "simple" things; 2FA is a term that should be examined more closely here. After that comes the detailed work. Important steps here are decommissioning old, irrelevant services, patching systems, and regularly scanning the attack surface in combination with penetration tests, Red Teaming, and training.
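To make the inventory idea from the tips above (and the digital attack surface components named earlier: CIDR ranges, IP addresses, exposed services) concrete, here is an added Python example. It is not DSecured's code and not the logic of Argos eASM; the asset register, the scan results, and the scan date are constructed sample data, and the thresholds (one year of idle time) are assumptions. It compares what an external scan sees with what the company has registered and reports the three things the text recommends acting on: unregistered hosts (Shadow IT), logins without a second factor, and stale services that are candidates for decommissioning.

```python
"""Attack-surface inventory check over constructed data (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
import ipaddress


@dataclass
class Service:
    port: int
    name: str
    auth: bool = False              # does the service expose a login?
    mfa: bool = False               # is that login protected by a second factor?
    last_used: date | None = None   # last known legitimate use; None = unknown


@dataclass
class Host:
    ip: str
    hostname: str
    services: list[Service] = field(default_factory=list)


# Constructed asset register: address ranges the company owns and hostnames its teams registered.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/25")]
REGISTERED_HOSTNAMES = {"www.example.com", "vpn.example.com", "mail.example.com"}

# Constructed external scan result (what an eASM tool would observe from the outside).
OBSERVED = [
    Host("203.0.113.10", "www.example.com", [Service(443, "https")]),
    Host("203.0.113.20", "vpn.example.com", [Service(443, "vpn", auth=True, mfa=True)]),
    Host("203.0.113.30", "old-crm.example.com",
         [Service(8080, "http-admin", auth=True, mfa=False, last_used=date(2022, 1, 5))]),
    Host("198.51.100.100", "mail.example.com",
         [Service(25, "smtp"), Service(993, "imaps", auth=True, mfa=False)]),
    Host("192.0.2.77", "staging.example.com", [Service(22, "ssh", auth=True, mfa=False)]),
]
SCAN_DATE = date(2024, 6, 1)  # constructed date of the scan


def in_known_ranges(ip: str, ranges=KNOWN_RANGES) -> bool:
    """True if the address lies inside one of the company's registered CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_shadow_it(observed, registered=REGISTERED_HOSTNAMES, ranges=KNOWN_RANGES) -> list[str]:
    """Hosts visible from outside that nobody registered, or that live outside owned ranges."""
    return [h.hostname for h in observed
            if h.hostname not in registered or not in_known_ranges(h.ip, ranges)]


def find_logins_without_mfa(observed) -> list[tuple[str, int]]:
    """Exposed logins that rely on a password alone: the '2FA first' candidates."""
    return [(h.hostname, s.port) for h in observed for s in h.services if s.auth and not s.mfa]


def find_stale_services(observed, today=SCAN_DATE, max_idle_days=365) -> list[tuple[str, int]]:
    """Services with no legitimate use for longer than the threshold: decommissioning candidates."""
    return [(h.hostname, s.port) for h in observed for s in h.services
            if s.last_used is not None and (today - s.last_used).days > max_idle_days]


def surface_summary(observed=OBSERVED, today=SCAN_DATE) -> dict:
    """One overview of the external attack surface and the reduction work it implies."""
    return {
        "hosts": len(observed),
        "exposed_services": sum(len(h.services) for h in observed),
        "shadow_it": find_shadow_it(observed),
        "logins_without_mfa": find_logins_without_mfa(observed),
        "stale_services": find_stale_services(observed, today),
    }


if __name__ == "__main__":
    for key, value in surface_summary().items():
        print(f"{key}: {value}")
```

Run as-is, the script flags the unregistered CRM host and the staging host outside owned ranges as Shadow IT, three password-only logins, and the CRM admin interface as unused for more than a year. In a real deployment the register would come from a CMDB and the observations from a continuous external scanner; the point of the example is that the comparison, not the scan, is what turns raw asset data into a reduction list.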