Managing through uncertainty requires facing security unknowns head on

Rapid7

By Robin Long, Field CTO, Asia Pacific, Rapid7
Friday, 31 May, 2024



Security professionals find themselves perpetually on the brink of the unknown. The very nature of their work has always demanded a readiness to confront unforeseen cyber threats and to adapt swiftly to the unpredictable.

However, the strategy for managing these uncertainties requires a fundamental shift. It’s no longer sufficient to react to threats as they emerge; the imperative now is to foster a deeper understanding of the business’s attack surface. This is not merely a tactical adjustment, but a strategic necessity.

The argument is straightforward, yet critical: with an in-depth knowledge of their attack surface, organisations can pre-emptively counteract threats earlier in the attack chain. This perspective moves practitioners and their teams away from the traditional, reactive posture of cybersecurity and towards a proactive, anticipatory stance.

The why over the how

The cybersecurity landscape is evolving at an unprecedented pace, driven in large part by the relentless advancement of technology and the ingenuity of those who seek to exploit it.

According to the Rapid7 ‘2024 Attack Intelligence Report’, in 2023 — for the second time in three years — more mass compromise events arose from zero-day vulnerabilities than from n-day vulnerabilities. In fact, 53% of new widespread threat vulnerabilities through the beginning of 2024 were exploited before software producers could implement fixes. This is a return to 2021 levels of widespread zero-day exploitation (52%) after a slight abatement (43%) in 2022.

In this environment, the question of ‘how’ to prepare for risks, while important, is overshadowed by the ‘why’. Why is it crucial for organisations to understand their attack surface with such granularity? The answer lies in the very nature of the threats we face.

Cyber attackers are becoming increasingly sophisticated, employing methods that are not only highly advanced, but also exceedingly covert. By the time a threat becomes visible, the damage may already be irreparable. It is akin to noticing the tip of the iceberg while being unaware of the massive structure lurking beneath the surface. Hence, a deep understanding of one’s attack surface, comprising all the potential points where an unauthorised user can try to enter data into or extract data from an environment, becomes indispensable.

Stopping threats earlier

The essence of understanding the attack surface is not just about identifying vulnerabilities; it’s about recognising the pathways through which threats can enter and spread. These pathways span software and network exposures as well as human error and system complexity. By mapping these pathways and weaknesses comprehensively, organisations can devise strategies that are not merely reactive, but inherently preventive.

Mass compromise events stemming from exploitation of network edge devices have doubled since the start of 2023, with 36% of widely exploited vulnerabilities occurring in network perimeter technologies. In fact, more than 60% of the vulnerabilities Rapid7 analysed in network and security appliances in 2023 were exploited as zero-days.

Most of the widely exploited CVEs from the past few years have arisen from simpler, more easily exploitable root causes, like command injection and improper authentication issues. In fact, 41% of incidents Rapid7 MDR observed in 2023 were the result of missing or unenforced multi-factor authentication on internet-facing systems, particularly VPNs and virtual desktop infrastructure.

Stopping threats earlier in the attack chain means finding and remediating exposures, such as an unpatched edge appliance or a VPN portal without enforced MFA, before an adversary reaches them. This approach requires a shift from a mindset focused solely on defence to one that also encompasses anticipation. It demands constant vigilance, a thorough assessment of emerging technologies and a willingness to invest in understanding the evolving tactics of adversaries.
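The two risk signals the article draws from the report, internet-facing perimeter appliances and remote-access entry points (VPN, VDI) without enforced MFA, can be turned into a simple triage over an asset inventory. The following is an added example and not Rapid7 code or tooling; the inventory, its field names and the scoring weights are constructed assumptions for illustration.

```python
"""Rank internet-facing assets by the attack-surface signals discussed above.

Added example, not Rapid7 tooling. The inventory and its field names
(host, kind, internet_facing, mfa_enforced) are constructed for this
illustration and do not correspond to any product's schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed sample inventory of assets (hypothetical hosts).
INVENTORY = [
    {"host": "vpn-1.example.com", "kind": "vpn",
     "internet_facing": True, "mfa_enforced": False},
    {"host": "vdi.example.com", "kind": "vdi",
     "internet_facing": True, "mfa_enforced": True},
    {"host": "fw-edge-2.example.com", "kind": "firewall",
     "internet_facing": True, "mfa_enforced": True},
    {"host": "intranet.example.com", "kind": "web",
     "internet_facing": False, "mfa_enforced": False},
    {"host": "mail.example.com", "kind": "web",
     "internet_facing": True, "mfa_enforced": True},
]

# Asset classes the article singles out: perimeter/security appliances
# (disproportionately hit by zero-days) and remote-access entry points
# (where missing MFA drove many 2023 incidents).
PERIMETER_KINDS = {"firewall", "vpn", "router", "load_balancer", "gateway"}
REMOTE_ACCESS_KINDS = {"vpn", "vdi"}

# Assumed weights; tune to the organisation's own risk appetite.
WEIGHT_INTERNET_FACING = 1
WEIGHT_PERIMETER = 2
WEIGHT_NO_MFA_REMOTE_ACCESS = 3


@dataclass
class Finding:
    host: str
    score: int
    reasons: list[str] = field(default_factory=list)


def assess(asset: dict) -> Optional[Finding]:
    """Score one asset; internal-only assets are not on the external surface."""
    if not asset.get("internet_facing"):
        return None
    score = WEIGHT_INTERNET_FACING
    reasons = ["internet-facing"]
    if asset["kind"] in PERIMETER_KINDS:
        score += WEIGHT_PERIMETER
        reasons.append("network perimeter appliance (zero-day-prone class)")
    if asset["kind"] in REMOTE_ACCESS_KINDS and not asset.get("mfa_enforced"):
        score += WEIGHT_NO_MFA_REMOTE_ACCESS
        reasons.append("remote-access entry point without enforced MFA")
    return Finding(asset["host"], score, reasons)


def triage(inventory: list[dict]) -> list[Finding]:
    """Return findings for external assets, highest score first, then by host."""
    findings = [f for f in (assess(a) for a in inventory) if f is not None]
    return sorted(findings, key=lambda f: (-f.score, f.host))


if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(f"{finding.score}  {finding.host}: {'; '.join(finding.reasons)}")
```

Run against the constructed inventory, the unprotected VPN portal ranks first because it carries both signals, the edge firewall second, and the internal intranet host is excluded because it is not reachable from outside. In practice the inventory would come from external scanning and the identity provider, and the weights from the organisation's own incident history.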

A call to action

The call to action for security professionals is clear: champion the cause of deepening an organisation-wide understanding of the business’s attack surface. This entails a commitment to continuous learning and education, an openness to adopting new methodologies and a resolve to think like the adversary. Practitioners must engage with their IT infrastructure, applications and services, not just as protectors, but as strategists anticipating the moves of potential attackers and pre-empting their actions.

The road ahead is undoubtedly challenging. The complexity of modern IT environments, coupled with the sophisticated nature of contemporary cyber threats, makes the task daunting. Yet, the stakes are too high — and the potential fallout from attacks too grave — to settle for a posture that is anything less than proactive.

Understanding the attack surface in its entirety is not just a tactical advantage; it is a strategic imperative. It is the foundation upon which we can build more resilient defences, develop more effective responses and, ultimately, foster a more secure digital world.




  • All content Copyright © 2024 Westwick-Farrow Pty Ltd