What Is the Attack Surface and How to Analyze, Manage, and Reduce It

• The Attack Surface and How to Analyze, Manage, and Reduce It
• What is Attack Surface Monitoring
• What is External Attack Surface Management (EASM)
• What is Attack Surface Management (ASM) and a 5-Step ASM Process
• What Are Attack Vectors and 8 Ways to Protect Your Organization

8 Minute Read

An attack surface consists of all possible entry points, or attack vectors, that can potentially allow threat actors to breach into a system, application, device, or an entire network. A larger attack surface is more difficult to protect because it means a system or organization is exposed to more threats.

The attack surface is generally categorized into two types—a digital attack surface and a physical attack surface. A digital attack surface consists of vulnerable software and hardware, while a physical attack surface consists of physical facilities, data centers, and physical computer equipment.

This is part of an extensive series of guides about hacking.

In this article:

• Attack Vectors vs. Attack Surfaces
• What are the different types of attack surfaces?
• What is Attack Surface Analysis and Monitoring?
• How Can You Address Your Digital and Physical Attack Surface?
  • Addressing the Digital Attack Surface
  • Addressing the Physical Attack Surface
• What is Attack Surface Reduction and Management?
• Attack Surface Management with HackerOne

An attack vector is a pathway—a vulnerability or a technique—that threat actors can exploit to access a digital target, such as a network, a system, or a database. Threat actors use attack vectors to gain unauthorized access and privileges to digital targets. An attack surface is comprised of all potential attack vectors. A larger attack surface includes more possible attack vectors.

Attack vectors enable threat actors to potentially breach the target and obtain access to confidential data. Threat actors use attack vectors for various purposes, such as spreading malware or ransomware. Organizations are exposed to many attack vectors that pose potential security issues. However, many are not visible, leaving the organization exposed to attacks.

Related content: Read our guide to attack vectors

An attack surface refers to all potential points where an attacker can exploit weaknesses in a system or network. Attack surfaces can be broadly classified into two categories: digital and physical.

Digital Attack Surfaces

A digital attack surface includes all software, hardware, and network components that may be susceptible to cyberattacks. Elements of a digital attack surface involve:

• Web applications: Websites and web-based services that process user inputs and interact with databases.
• APIs (Application Programming Interfaces): APIs enable various software systems to communicate, potentially exposing sensitive information if not properly secured.
• Endpoints: Devices connected to a network, such as laptops, smartphones, servers, and IoT devices, which can be exploited by attackers for unauthorized access or data theft.
• Network infrastructure: Components like routers, switches, and firewalls that manage communication between devices on a network; secure configurations are necessary to prevent attacks from spreading throughout the entire network.

Physical Attack Surfaces

A physical attack surface pertains to security risks associated with an organization's tangible assets. Examples include:

• Data centers: Physical locations housing servers and other hardware; unauthorized access can lead to data theft or damage.
• Employee workstations: Desktops, laptops, and mobile devices used by employees that can be targeted for theft or tampering.
• Access control systems: Security measures like keycards, biometric scanners, and surveillance cameras must be properly maintained to prevent unauthorized entry into secure areas.

To effectively safeguard an organization's assets from cyber threats, it is essential to address both digital and physical attack surfaces through a comprehensive security strategy.

Attack surface analysis involves mapping all attack vectors within the organization. It enables organizations to find risk areas and vulnerable systems so they can minimize as many attack vectors as possible.

Attack surface analysis can help organizations identify areas that require more security testing for vulnerabilities and locate high-risk areas for defense-in-depth. You can also use this analysis to determine when changes to the infrastructure also cause new changes to the attack surface.

There are two main ways to perform attack surface analysis—manually with the help of penetration testers and security architects and through automated tools. Attack surface management software can continuously monitor the infrastructure for new and emerging vulnerabilities and misconfiguration.

Related content: Read our guide to attack surface monitoring

Addressing the Digital Attack Surface

A network attack surface consists of all vulnerabilities and security weaknesses in connected software and hardware. Here are several ways to help reduce the digital attack surface:

• Reduce the amount of executed code—the more code runs on a system, the greater the chance it has an exploitable vulnerability. Reducing the amount of executed code can help you minimize the attack surface.
• Microsegmentation—this technique enables you to split the network into isolated, logical units, each with its own security policies. Isolating these units helps contain threats to the unit a threat breached and prevents actors from moving laterally.

Addressing the Physical Attack Surface

A physical attack surface consists of all endpoint devices on a network, including desktops, laptops, USB ports, mobile devices, and hard drives. Threat actors with physical access to a computing device can use it to look for entry points into digital attack surfaces, such as default security settings, unpatched software, misconfigurations, or vulnerabilities.

The physical attack surface can be exploited by insider threats, such as rogue employees, employees tricked by social engineering schemes, and malicious intruders impersonating service workers. It is also exposed to external threats, such as physical break-ins, carelessly discarded hardware containing passwords, and sticky notes displaying passwords.

Here are several ways to help reduce the physical attack surface:

• Access control and testing—involves placing obstacles to prevent potential break-ins and hardening physical sites against accidents, environmental disasters, or attacks. For example, you can use fencing, access control cards, locks, fire suppression systems, and biometric access control systems.
• Surveillance and notification—involves installing surveillance cameras and notification systems to monitor physical locations and provide alerts. For example, you can use intrusion detection sensors, smoke detectors, and heat sensors.
• Disaster recovery—involves setting policies and procedures for disaster recovery and testing them regularly to ensure effectiveness and relevance. These policies can help ensure safety and reduce recovery times from disruptive disasters.

Addressing the Digital Attack Surface

A network attack surface consists of all vulnerabilities and security weaknesses in connected software and hardware. Here are several ways to help reduce the digital attack surface:

• Reduce the amount of executed code—the more code runs on a system, the greater the chance it has an exploitable vulnerability. Reducing the amount of executed code can help you minimize the attack surface.
• Microsegmentation—this technique enables you to split the network into isolated, logical units, each with its own security policies. Isolating these units helps contain threats to the unit a threat breached and prevents actors from moving laterally.

Addressing the Physical Attack Surface

A physical attack surface consists of all endpoint devices on a network, including desktops, laptops, USB ports, mobile devices, and hard drives. Threat actors with physical access to a computing device can use it to look for entry points into digital attack surfaces, such as default security settings, unpatched software, misconfigurations, or vulnerabilities.

The physical attack surface can be exploited by insider threats, such as rogue employees, employees tricked by social engineering schemes, and malicious intruders impersonating service workers. It is also exposed to external threats, such as physical break-ins, carelessly discarded hardware containing passwords, and sticky notes displaying passwords.

Here are several ways to help reduce the physical attack surface:

• Access control and testing—involves placing obstacles to prevent potential break-ins and hardening physical sites against accidents, environmental disasters, or attacks. For example, you can use fencing, access control cards, locks, fire suppression systems, and biometric access control systems.
• Surveillance and notification—involves installing surveillance cameras and notification systems to monitor physical locations and provide alerts. For example, you can use intrusion detection sensors, smoke detectors, and heat sensors.
• Disaster recovery—involves setting policies and procedures for disaster recovery and testing them regularly to ensure effectiveness and relevance. These policies can help ensure safety and reduce recovery times from disruptive disasters.

Attack surface reduction (ASR) and management is the practice of reducing as much of the attack surface through various means. It involves continuously assessing the attack surface based on the understanding that the surface constantly changes and requires constant visibility. As you gain a better understanding of the surface, you can take steps to reduce it and protect vectors you cannot eliminate.

The importance of attack surface reduction

In the past, networks had clear borders guarded by firewalls, and the attack surface existed outside these borders. However, modern networks are complex and chaotic with no clear border—threats are both inside and outside. The attack surface is extended wherever corporate data is at rest or in transit.

For example, an organization's attack surface may include propriety source code stored in Azure Repos, documents in Google Workspace, customer data stored on SAP, storage bucket and application servers on Amazon Web Services (AWS), emails in Microsoft 365, and more. Each of these assets is located in different areas in the ecosystem and may transfer data in between.

This type of attack surface is the reality of the modern corporate technology architecture. It provides flexibility and enables remote work, but it creates an increasingly complex attack surface. This issue is further aggravated by new software development paradigms like DevOps and cloud native paradigms that utilize microservices, significantly increasing the attack surface.

Attack surface reduction and management tools

Organizations can leverage various tools to obtain continuous visibility into the attack surface, determine existing and changing attack vectors, and work to eliminate or protect against these attack vectors. Here are several tools to help achieve this level of visibility:

• Inventory management—helps organizations create a repository of known systems. It typically involves asset discovery to scan for all systems and inventory all assets, including shadow IT.
• Vulnerability management—these tools scan external and internal systems for known vulnerabilities. It helps prioritize vulnerabilities so organizations can address the most critical vulnerabilities first.
• External risk ratings—involves allowing external parties to perform ongoing assessments of the organization's public-facing security posture.
• Red teaming and penetration testing—these teams provide expert information about attack vectors that allow surface attackers to breach the target. These insights help prioritize the most pressing attack vectors to address to reduce the attack surface.

Visibility alone is not enough to minimize risk and resist attacks. Organizations need to know their attack surface. They need to risk rank their assets based on how a bad actor would prioritize and execute their attacks.

HackerOne Assets blends intelligence from ethical hackers with asset discovery, continuous assessment, and process improvement to reduce risk across your ever-expanding digital landscape. You can identify, analyze, manage testing scopes, and track testing results in one place for a complete asset inventory.

Once identified, asset risk can be ranked, coverage gaps addressed and remediation resources assigned. Our community of ethical hackers can enrich asset data to include technology mapping to enable asset tracking and foot-printing. With HackerOne Assets, organizations will know their attack surface and be armed to effectively resist attacks.

Learn more about HackerOne Attack Surface Management.