
Understanding Attack Surface Management: A Comprehensive Guide


Attack Surface Management Overview

With growing trends in work from home, bring your own device (BYOD), and cloud utilization, the production attack surface is larger than at any other point in history. Attack Surface Management allows organizations to identify and prioritize key assets to monitor and protect, and to find unused or insecure assets and remove them from the network, reducing the attack surface an attacker could leverage. Attack Surface Management is an ongoing process that requires developing and enforcing policies for user education, personal device management, and upgrading or patching software and hardware. This document is meant to serve as an overview of the core concepts of Attack Surface Management as well as possible first steps an organization might take to start understanding and managing its attack surface.

Attack Surface Identification

Identifying an organization's attack surface involves understanding what physical and virtual assets are connected to the network, how someone could gain access to the network and where they can connect from, and which users are active and what permissions they hold. When identifying physical or virtual assets, the single greatest advantage an organization can have is an asset inventory. An asset inventory shows not only what assets are on the network, but also what assets should be on the network. Regularly scanning the network and mapping the results against the inventory helps identify rogue devices, whether introduced deliberately as shadow IT or simply by mistake, such as a testing lab that was built but never decommissioned. A network map is also useful for understanding the grouping of devices and what communication should or should not be allowed between asset groups.

Almost all production environments include some external access by non-managed devices that is needed for the business to function. This could take the form of a guest Wi-Fi network, Bring Your Own Device (BYOD) policies and hybrid workspaces, or customer access via third-party web tools. While this access may be required for business functions, these non-managed devices are still part of the organization's attack surface. In addition to serving as possible vectors for a threat actor, the actions taken from these devices may also create legal concerns, such as downloading pirated media.
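The scan-versus-inventory reconciliation described above, as an added worked example (this is not code from the original article or from Cyberforce|Q). The inventory CSV, the scan lines and the subnet-to-segment map are all constructed sample data: the scan lines mimic a tab-separated "IP, MAC, vendor" layout such as arp-scan produces, but any tool that yields IP/MAC pairs could feed parse_scan(). The example goes one step beyond the paragraph by also using the network map to flag assets that are alive on a segment they were never approved for.

```python
"""Reconcile a network scan against an asset inventory (added example)."""
import csv
import io
import ipaddress
import re

# Constructed inventory: what SHOULD be on the network and which segment each
# asset is approved for. "lab-test-web" was marked decommissioned but, as the
# scan below shows, was never actually turned off.
INVENTORY_CSV = """\
mac,hostname,owner,segment,status
00:11:22:33:44:01,fileserver01,it-ops,servers,active
00:11:22:33:44:02,hr-laptop-07,hr,corp-users,active
00:11:22:33:44:03,lab-test-web,dev,lab,decommissioned
00:11:22:33:44:04,hvac-plc-2,facilities,ot,active
00:11:22:33:44:05,print-svr-01,it-ops,servers,active
"""

# Constructed scan output: IP, MAC, vendor string, tab separated.
SCAN_OUTPUT = """\
10.10.1.10\t00:11:22:33:44:01\tDell Inc.
10.10.1.55\t00-11-22-33-44-03\tHewlett Packard
10.10.2.23\t00:11:22:33:44:02\tLenovo
10.10.2.99\tAA:BB:CC:DD:EE:FF\tRaspberry Pi Foundation
10.10.3.5\t00:11:22:33:44:04\tSiemens AG
"""

# Constructed network map: which subnet belongs to which segment.
SEGMENT_BY_NETWORK = {
    "10.10.1.0/24": "servers",
    "10.10.2.0/24": "corp-users",
    "10.10.3.0/24": "ot",
    "10.10.9.0/24": "lab",
}


def normalize_mac(mac: str) -> str:
    """Canonical MAC form: 12 lowercase hex digits, separators stripped,
    so '00-11-22-33-44-03' and '00:11:22:33:44:03' compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def load_inventory(text: str) -> dict:
    """Map normalized MAC -> inventory row (dict of CSV columns)."""
    return {normalize_mac(row["mac"]): row
            for row in csv.DictReader(io.StringIO(text))}


def parse_scan(text: str) -> dict:
    """Map normalized MAC -> IP address observed in the scan."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, *_vendor = line.split("\t")
        seen[normalize_mac(mac)] = ip
    return seen


def segment_of(ip: str, segment_by_network: dict) -> str:
    """Look the observed IP up in the network map; 'unknown' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for cidr, segment in segment_by_network.items():
        if addr in ipaddress.ip_network(cidr):
            return segment
    return "unknown"


def reconcile(inventory: dict, seen: dict, segment_by_network: dict) -> dict:
    """Compare scan results with the inventory and return four finding lists:
    rogue                   - on the wire but not in the inventory at all
    decommissioned_but_live - inventory says retired, scan says still up
    wrong_segment           - present, but not on its approved segment
    missing                 - inventory says active, scan did not see it
    """
    findings = {"rogue": [], "decommissioned_but_live": [],
                "wrong_segment": [], "missing": []}
    for mac, ip in seen.items():
        asset = inventory.get(mac)
        if asset is None:
            findings["rogue"].append((ip, mac))
            continue
        if asset["status"] != "active":
            findings["decommissioned_but_live"].append((ip, asset["hostname"]))
        actual = segment_of(ip, segment_by_network)
        if actual != asset["segment"]:
            findings["wrong_segment"].append(
                (asset["hostname"], asset["segment"], actual))
    for mac, asset in inventory.items():
        if asset["status"] == "active" and mac not in seen:
            findings["missing"].append(asset["hostname"])
    for key in findings:
        findings[key].sort()
    return findings


if __name__ == "__main__":
    report = reconcile(load_inventory(INVENTORY_CSV), parse_scan(SCAN_OUTPUT),
                       SEGMENT_BY_NETWORK)
    for category, items in report.items():
        print(f"{category}: {items}")
```

On the constructed data this reports the Raspberry Pi as rogue, lab-test-web as both decommissioned-but-live and on the wrong segment, and print-svr-01 as missing. In practice, replace SCAN_OUTPUT with real tool output and INVENTORY_CSV with an export from the asset inventory or CMDB, and treat "missing" as a lead rather than a verdict: a host that was simply powered off during the scan looks the same as a stale inventory entry, so confirm with the owner before removing it from the inventory.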

Attack Surface Prioritization

While the idea of defending an organization's entire attack surface may seem daunting, Attack Surface Prioritization identifies the first key steps an organization should take. When prioritizing an organization's attack surface there are two key factors to consider: accessibility and impact.

Not all systems are equally accessible to an attacker; many sit behind layers of defense that may already serve as an early warning of any intrusion. Systems that are highly accessible to an attacker include cloud assets (often directly reachable from the internet), assets running outdated or unpatched OS versions, and operational technology. Additionally, while devices on a guest Wi-Fi network may not be inherently part of the production network, they can serve as a means of reaching it unless proper segmentation is in place.

Organizational impact is determined by the role an asset plays in key business functions, or by how valuable the information stored on it would be to an attacker. In addition to the financial impact of valuable information (such as patient health records or classified documents) being stolen from the network, the organization's reputation would no doubt suffer as well.

Attack Surface Reduction

While it is impossible to entirely remove an organization's attack surface, there are several key steps that can be taken to reduce possible vectors of attack. The key question for attack surface reduction is simply whether an asset should exist, and what access it should have.

One method of reducing the attack surface is to create an acceptable use policy covering network access for both users and BYOD assets. Ensure that every connected asset can either be managed by the organization to some degree or is limited to a segmented and restricted guest network. By applying the principle of least privilege not only to user accounts but also to the network access granted to assets, an organization can start to limit the potential impact of an attacker gaining a foothold via an unmanaged or guest device.

Another method for reducing an organization's attack surface is to identify legacy, lab, or testing assets, whether on premises or in the cloud, that are no longer in use and disable them. Likewise, identify and disable any user or service accounts that have been inactive for an extended period and are not expected to be used in the near future.

Attack Surface Management

Ongoing management of an organization's attack surface can be a complex and daunting process. The organization must continue to identify, prioritize, and reduce new attack surface as it appears. Ongoing identification and reduction also lessen the organization's exposure to shadow IT. Creating governance strategies around security requirements for asset connectivity lets an organization reduce its attack surface by identifying, and potentially preventing, unsecured devices connecting to the network. Additionally, performing regular vulnerability scans allows the organization to detect vulnerable or non-compliant devices early and patch or remove them from the network as needed.

Ultimately, managing an organization's attack surface requires a strategic governance plan, configured and maintained security controls, and constant vigilance by a skilled security team. Thankfully Cyberforce|Q is here to help your organization every step of the way!

