5 Attack Elements Organizations Should Monitor: Anatomy of an External Attack Surface

istock 1280073453

In today’s landscape of cloud computing and decentralized work, external attack surfaces have grown to encompass multiple clouds, complex digital supply chains, and massive third-party ecosystems. For organizations, this means shifting their perception of comprehensive security in the face of ongoing global cyber threats.

Security teams now have to defend their organization’s presence across the Internet in the same way they defend operations behind their firewalls. And as more organizations adopt the principles of Zero Trust, protecting both internal and external attack surfaces becomes an Internet-scale challenge.

Microsoft acquired RiskIQ, a leader in global threat intelligence and attack surface management, in 2021 to help organizations assess the security of their entire digital enterprise. Take the RiskIQ Internet Intelligence Graph, for example. This pre-computed relationship database of Internet intelligence is updated daily, allowing organizations to discover and investigate threats across their many components, connections, services, IP-connected devices, and infrastructure to create a resilient, scalable defense. Following are some of the key considerations when assessing your organization’s attack surface.

5 ways to think about external attack-surface management

The first step to protecting your attack surface is understanding it. Microsoft has the tools, insights, and expertise you need to map out your organization’s Internet presence and identify your most vulnerable areas.

  1. The global attack surface grows with the Internet

 Every minute, 117,298 hosts and 613 domains are created, leading to a rapidly expanding global attack surface that grows and scales over time. Each of these web properties includes underlying operating systems, frameworks, third-party applications, plugins, tracking codes, and more — causing the scope of the threat landscape to increase exponentially over time.

Likewise, cyber threats are growing at scale with the rest of the Internet. There were 611,877 unique phishing sites detected in the first quarter of 2021, with 32 domain-infringement events and 375 new total threats emerging per minute.[1] These threats target employees and customers by encouraging them to click malicious links. This, in turn, allows malicious actors to phish for sensitive data and erode brand confidence and consumer trust. The result is that security teams now have to treat the Internet as part of their network.         

  1. Remote work leads to a rise in vulnerabilities

 COVID-19 led to a wave of digital growth as companies expanded their online footprint to accommodate a remote workforce and business model. While this trend has largely benefitted employee morale and flexibility, it has also provided attackers with more access points.

For example, the use of remote access technologies like Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) rose 41% and 33% respectively in 2020 — pointing to the sharp incline in remote workers during the pandemic.[2] This trend is set to continue growing. By 2027, the global remote desktop software market size will reach $4.69 billion — a 207% increase from 2019.[3]

RiskIQ uncovered many vulnerable instances of the most popular remote access and perimeter devices. Overall, 18,378 vulnerabilities were reported in 2021.[4] This means that security teams not only have to mitigate vulnerabilities for themselves but also third parties, partners, controlled and uncontrolled apps, and services within and among relationships in the digital supply chain.

  1. Shadow IT, M&A, and digital supply chains create a hidden attack surface

Many cyberattacks originate away from the network, with web applications being the most commonly exploited entry point. It’s critical for organizations to have a complete view of their Internet assets and how those assets are connected to the global attack surface. Three significant factors that can block visibility are shadow IT, mergers and acquisitions (M&A), and digital supply chains.

When employee needs aren’t being met by their company’s current toolset, they’ll often look elsewhere for support. These shadow IT activities leave security teams in the dark and create gaps in an organization’s cybersecurity posture. New RiskIQ customers typically find 30% more assets than they thought they had, and RiskIQ detects 15 expired services (susceptible to subdomain takeover) and 143 open ports every minute.

Critical business initiatives like M&A can also expand external attack surfaces — less than 10% of deals globally contain cybersecurity due diligence.[5] This can be because of the sheer scale of an acquired company’s digital scale. Large organizations often have thousands of active websites and publicly exposed assets, and their internal IT team doesn’t always have a complete asset register of websites.

Finally, because enterprise business is so dependent on digital alliances in the modern supply chain, we’ve been left with a complicated web of third-party relationships outside the purview of security teams. Third-party attacks are one of the most frequent and effective vectors for threat actors, and many come through the digital supply chain. Among IT professionals, 70% report having a moderate-to-high level of dependency on external entities, and 53% of organizations have experienced at least one data breach caused by a third party.[6]

  1. App stores across the world contain apps targeting organizations and their customers

Each year, businesses are investing more in mobile to support the proliferation of mobile apps. RiskIQ noted a 33% overall growth of available mobile apps in 2020, with 23 appearing every minute. Consumers are getting in on the action, too. Mobile app spending grew to $170 billion in 2021, a 19% year-over-year growth.[7]

This growing app landscape represents a significant portion of an enterprise’s overall attack surface that exists beyond the firewall. Threat actors often exploit security teams’ lack of visibility by creating “rogue apps” that mimic well-known brands and can be used to phish for sensitive information or upload malware. While these apps will appear in official stores on rare occasions, some less reputable stores are overrun. RiskIQ blocklists a malicious mobile app every five minutes.

  1. The global attack surface is a part of an organization’s attack surface, too

If you have an Internet presence, you are interconnected with everyone else — including those that want to do you harm. This makes tracking threat infrastructure just as important as tracking your own infrastructure.

Threat groups often recycle and share infrastructure — IPs, domains, and certificates — and use open-source commodity tools like malware, phish kits, and C2 components to avoid easy attribution. More than 560,000 new pieces of malware are detected every day, and the number of phishing kits advertised on underground cybercrime marketplaces doubled between 2018 and 2019. In 2020, the number of detected malware variants rose by 74%.[8] RiskIQ now detects a Cobalt Strike C2 server every 49 minutes.

While today’s security teams have a larger attack surface to protect, they also have more resources. Zero Trust is one way for organizations to secure their workforce — protecting people, devices, applications, and data regardless of where they’re located or the threats they’re facing. Microsoft Security can help you assess the Zero Trust maturity stage of your organization with our targeted evaluation tools.

Learn more about our comprehensive approach with Microsoft Security and view our in-depth report here.

[1] https://www.statista.com/statistics/266155/number-of-phishing-domain-names-worldwide/

[2] https://www.zdnet.com/article/rdp-and-vpn-use-skyrocketed-since-coronavirus-onset/

[3] https://www.globenewswire.com/news-release/2020/11/18/2128947/0/en/Remote-Desktop-Software-Market-to-Reach-USD-4-69-billion-by-2027-Rising-Popularity-of-E-learning-Distance-Learning-Platforms-to-Aid-Growth-Fortune-Business-Insights.html

[4] https://www.zdnet.com/article/with-18376-vulnerabilities-found-in-2021-nist-reports-fifth-straight-year-of-record-numbers/#:~:text=Log%20Out-,With%2018%2C378%20vulnerabilities%20reported%20in%202021%2C%20NIST%20records%20fifth%20straight,was%20lower%20than%20in%202020.&text=Jonathan%20Greig%20is%20a%20journalist%20based%20in%20New%20York%20City

[5] https://www.aon.com/unitedkingdom/insights/top-5-cyber-risks-in-mergers-and-acquisitions.jsp

[6] https://www.securehalo.com/services/third-party-cyber-risk/#:~:text=A%20Ponemon%20Institute%20re

[7] https://techcrunch.com/2022/01/12/app-annie-global-app-stores-consumer-spend-up-19-to-170b-in-2021-downloads-grew-5-to-230b/

[8] https://www.comparitech.com/antivirus/malware-statistics-facts/


Copyright © 2022 IDG Communications, Inc.