In the current age of a remote workforce and evolved cyber threats, businesses strive constantly to meet the expectations of their customers and stakeholders. While organizations do their best to keep their internal security posture up to date, little is usually done to monitor threats to the attack surface from the outside. For effective and continuous monitoring of risk posture, it is equally important to understand and monitor what the organization looks like from an attacker’s point of view. This is where “Attack Surface and Threat Intelligence” (ASTI) plays a vital role: gathering data, monitoring, and evaluating the risks that need to be mitigated in the organization’s external context.

ASTI can be described as a systematic process that helps businesses monitor their external presence and attack surface. Unlike a standard vulnerability monitoring tool, an ASTI service goes beyond regularly identifying security flaws in network systems, services, and applications. ASTI tools not only monitor and gather information from various data points on the public internet, such as exposed or compromised source code, newly found open or closed ports, compromised email accounts, and newly registered domain names of interest, but also correlate those data points to produce intelligence that lets the organization prioritize issues for resolution. Thus, the ASTI service helps enterprises strengthen their information security program by continually monitoring for possible risks that might result in a successful attack against the organization's assets and data. When this service is used alongside an established vulnerability management system, the overall rate at which possible attack vectors become available can be significantly reduced.

Importance of Attack Surface and Threat Intelligence

Understanding Attack Surface

The Attack Surface refers to all the points at which an attacker can gain access to a system and extract data.

For example, an application's Attack Surface can be:

1) The total of all data/command pathways into and out of the program

2) The code that secures these data/command paths

3) Any important data utilized in the program, including keys, proprietary information, essential business data, personal data, and personally identifiable information (PII), as well as the code that safeguards this data

Understanding Threat Intelligence from the Attack Surface

Threat Intelligence refers to data about cyber threats and threat actors that helps mitigate and prevent cyberattacks and enhances the organization’s security posture. The various data points gathered from the attack surface are correlated to generate a meaningful report. For complete visibility, one may superimpose this model on the user types, i.e., the roles and privilege levels that have access to the system (whether authorized or not). Complexity grows as the number of distinct user types increases, and constant changes to IT and web infrastructure lead to constant changes in the attack surface. It is therefore critical to concentrate on the two extremes: unauthorized anonymous users and highly privileged administrators (e.g., database and system admins).

Each attack point is classified according to its risk (external or internal), goal, implementation, design, and technology. One may tally the number of attack points for each kind and focus the evaluation on a few examples for each category.

This technique eliminates the requirement to know every endpoint to comprehend the Attack Surface and prospective risk profile of a system. One may count several broader types of endpoints and the quantity of each category. This allows the organization to budget for the time required to assess risk at scale and to determine when an application's risk profile has drastically altered.
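The classify-and-tally approach described above, together with the "two extremes" (anonymous users and administrators) singled out earlier, can be made concrete in a few lines. The following is an added example written for this page, not code from the original article or from any vendor's tool: the attack-point fields mirror the categories named in the text (exposure, goal, implementation, design, technology), while the sample inventory, the choice of category key and the 25% change threshold used to flag a "drastic" shift are constructed assumptions.

```python
"""Tally attack points by category and detect when the attack surface shifts.

Added example for illustration only. The AttackPoint fields follow the
categories named in the article; the sample inventory, the category key and
the change threshold are constructed assumptions, not data from any system.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackPoint:
    name: str            # endpoint or entry point, e.g. "POST /api/login"
    exposure: str        # "external" or "internal" (the article's "risk" axis)
    goal: str            # what the path is for, e.g. "authentication"
    implementation: str  # e.g. "REST", "TCP", "CLI"
    design: str          # e.g. "anonymous" or "authenticated"
    technology: str      # e.g. "python", "nginx", "postgres"
    user_type: str       # "anonymous", "user" or "admin"


def categorize(point):
    """Key used to bucket attack points (assumed choice of category axes)."""
    return (point.exposure, point.design, point.technology)


def tally(points):
    """Count attack points per category instead of reviewing every endpoint."""
    return Counter(categorize(p) for p in points)


def sample_for_review(points, per_category=2):
    """Pick a few representative endpoints per category for hands-on review."""
    buckets = defaultdict(list)
    for p in sorted(points, key=lambda p: p.name):
        bucket = buckets[categorize(p)]
        if len(bucket) < per_category:
            bucket.append(p.name)
    return dict(buckets)


def extremes(points):
    """The two extremes the article singles out: anonymous users and admins."""
    return {
        "anonymous": [p.name for p in points if p.user_type == "anonymous"],
        "admin": [p.name for p in points if p.user_type == "admin"],
    }


def surface_delta(before, after, threshold=0.25):
    """Compare two inventories taken at different times.

    A change is flagged as "drastic" when the share of categories whose count
    moved exceeds `threshold` (assumed value) of all categories seen."""
    old, new = tally(before), tally(after)
    changed = {}
    for key in set(old) | set(new):
        if old[key] != new[key]:
            changed[key] = (old[key], new[key])
    total = len(set(old) | set(new))
    drastic = total > 0 and len(changed) / total > threshold
    return {"changed": changed, "drastic": drastic}


# Constructed sample inventory; these are not endpoints of any real system.
BASELINE = [
    AttackPoint("GET /", "external", "marketing", "REST", "anonymous", "nginx", "anonymous"),
    AttackPoint("POST /api/login", "external", "authentication", "REST", "anonymous", "python", "anonymous"),
    AttackPoint("GET /api/orders", "external", "commerce", "REST", "authenticated", "python", "user"),
    AttackPoint("POST /admin/users", "external", "administration", "REST", "authenticated", "python", "admin"),
    AttackPoint("db:5432", "internal", "storage", "TCP", "authenticated", "postgres", "admin"),
]

# The same application after a release: an anonymous external upload path and
# an internal message queue were added (constructed scenario).
CURRENT = BASELINE + [
    AttackPoint("POST /api/upload", "external", "file-handling", "REST", "anonymous", "python", "anonymous"),
    AttackPoint("mq:5672", "internal", "messaging", "TCP", "authenticated", "rabbitmq", "admin"),
]

if __name__ == "__main__":
    for category, count in sorted(tally(CURRENT).items()):
        print(category, count)
    print(sample_for_review(CURRENT))
    print(extremes(CURRENT))
    print(surface_delta(BASELINE, CURRENT))
```

Run on the two constructed snapshots, the delta reports two of five categories changed, which crosses the assumed threshold and signals that the application's risk profile should be re-evaluated; the per-category samples are what an analyst would actually open for review.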

Attack Surface and Threat Intelligence: Process

The Attack Surface and Threat Intelligence process involves continually identifying, investigating, prioritizing, and mitigating external digital risk. Dynamic and continual discovery identifies potential exposures of the brand on the public internet and in public clouds, as well as vulnerabilities in the organization’s Information Technology assets. ASTI tools display what an attacker sees when targeting the organization’s digital brand, providing continuous coverage that gradually minimizes the risk.

The process of ASTI goes as follows:

ASTI tools conduct automatic attack surface scans to identify significant areas of risk with an emphasis on providing actionable and tailored context. Machine-led discovery sifts through billions of data points to uncover all digital assets linked with the company's brand. This includes:

  • Exposure of domains, including subdomains and those susceptible to attacks
  • Exposure to the code repositories
  • Exposure to the public cloud
  • Vulnerabilities and misconfigurations in the organization’s systems, networks, services, applications, and websites, and email addresses that have been compromised
  • Internet Protocol (IP) addresses / open ports
  • Certificates that have expired or have been abandoned
  • Servers, websites, and pages that have been abandoned
  • Brand exposure
  • Unchanged default settings

The actionable advantage of ASTI tools comes from their AI-driven capability to correlate and analyze results, prioritize risk, and provide high-touch remediation techniques. Correlating findings, detecting false positives, and making risk assessments are all part of the analysis activity. Security professionals can then verify the AI-driven recommendations and act swiftly to address the most critical threats first.
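The discovery categories listed above (expired certificates, open ports, abandoned hosts, unchanged defaults, compromised email accounts, lookalike domains, exposed repositories) only become actionable once they are correlated per asset and ranked. The block below is an added example of that correlation and prioritization step, written for this page; it is not the original article's code and does not reproduce any vendor's product. The discovery records (using the reserved example.com domain), the scoring weights, the corroboration bonus and the severity cut-offs are all constructed assumptions; the analyst-verified false-positive list stands in for the human verification the text describes.

```python
"""Correlate attack-surface discovery data points into a prioritized queue.

Added example for illustration only. All records, weights and thresholds are
constructed assumptions; hostnames use the reserved example.com domain.
"""
from datetime import date, timedelta

AS_OF = date(2024, 3, 1)              # fixed "today" so the example is deterministic
ABANDONED_AFTER = timedelta(days=90)  # assumed: no traffic/changes in 90 days = abandoned
RISKY_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 8080: "http-alt"}

# Assumed weights per finding kind; a corroborated asset gets a bonus per
# additional distinct kind, because independent signals on one asset are
# less likely to be a false positive and more attractive to an attacker.
WEIGHTS = {
    "expired_certificate": 3, "risky_port": 4, "default_settings": 5,
    "abandoned_host": 2, "compromised_email": 4, "lookalike_domain": 3,
    "leaked_secret": 6,
}
CORROBORATION_BONUS = 2

# Constructed discovery output for one organization (not real data).
DISCOVERY = {
    "hosts": {
        "www.example.com": {"ports": [443], "cert_expiry": date(2024, 9, 1), "last_seen": date(2024, 2, 28)},
        "legacy.example.com": {"ports": [22, 80, 443], "cert_expiry": date(2023, 11, 1), "last_seen": date(2023, 6, 1)},
        "admin.example.com": {"ports": [443, 8080], "cert_expiry": date(2024, 6, 1), "last_seen": date(2024, 2, 28),
                              "default_creds": True},
    },
    "compromised_emails": ["ops@example.com"],
    # which hosts a mailbox administers (assumed to come from asset ownership data)
    "email_owners": {"ops@example.com": ["admin.example.com", "legacy.example.com"]},
    "lookalike_domains": ["examp1e.com"],
    "public_repos": [{"name": "example/infra", "secrets_found": 1}],
}


def raw_findings(discovery, as_of=AS_OF):
    """Turn each discovery data point into one finding tied to an asset."""
    findings = []
    for host, info in discovery["hosts"].items():
        if info["cert_expiry"] < as_of:
            findings.append({"asset": host, "kind": "expired_certificate"})
        for port in info["ports"]:
            if port in RISKY_PORTS:
                findings.append({"asset": host, "kind": "risky_port", "detail": f"{port}/{RISKY_PORTS[port]}"})
        if info.get("default_creds"):
            findings.append({"asset": host, "kind": "default_settings"})
        if as_of - info["last_seen"] > ABANDONED_AFTER:
            findings.append({"asset": host, "kind": "abandoned_host"})
    for email in discovery["compromised_emails"]:
        findings.append({"asset": email, "kind": "compromised_email"})
    for domain in discovery["lookalike_domains"]:
        findings.append({"asset": domain, "kind": "lookalike_domain"})
    for repo in discovery["public_repos"]:
        if repo["secrets_found"]:
            findings.append({"asset": repo["name"], "kind": "leaked_secret"})
    return findings


def correlate(findings, discovery):
    """Score each asset; corroborating data points raise its priority.

    A compromised mailbox that administers a host is counted against that
    host as well, since the credential and its target now appear together."""
    kinds_by_asset = {}
    for f in findings:
        kinds_by_asset.setdefault(f["asset"], set()).add(f["kind"])
    for email in discovery["compromised_emails"]:
        for host in discovery["email_owners"].get(email, []):
            kinds_by_asset.setdefault(host, set()).add("compromised_email")
    scored = {}
    for asset, kinds in kinds_by_asset.items():
        score = sum(WEIGHTS[k] for k in kinds) + CORROBORATION_BONUS * (len(kinds) - 1)
        scored[asset] = {"score": score, "kinds": sorted(kinds)}
    return scored


def severity(score):
    """Assumed severity bands over the constructed score scale."""
    return "critical" if score >= 12 else "high" if score >= 7 else "medium" if score >= 4 else "low"


def prioritize(scored, verified_false_positives=frozenset()):
    """Drop analyst-verified false positives and order the rest for action."""
    queue = [{"asset": a, "severity": severity(s["score"]), **s}
             for a, s in scored.items() if a not in verified_false_positives]
    return sorted(queue, key=lambda r: (-r["score"], r["asset"]))


if __name__ == "__main__":
    for row in prioritize(correlate(raw_findings(DISCOVERY), DISCOVERY)):
        print(row["severity"].upper(), row["asset"], row["score"], row["kinds"])
```

On the constructed input the abandoned legacy host lands at the top of the queue: on its own an expired certificate is a low-weight finding, but combined with an exposed SSH port, a long-idle host and a compromised administrator mailbox it outranks the leaked repository secret. Passing a host name in `verified_false_positives` (for example after an analyst confirms it was decommissioned) removes it from the queue without touching the raw discovery data.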

Use Cases for Threat Intelligence

The following use cases can be considered as part of Threat Intelligence applications:

Breach alerts: Near-real-time notification of breaches enables rapid identification of emerging trends and tactics that are being actively exploited.

Monitoring third-party risk: Quickly learn about serious security events involving vendors or providers. By saving searches on relevant terms, receive notifications as events occur, enabling proactive inquiry.

Insight into vulnerabilities: Optimize patching efforts based on specific information about vulnerabilities related to current threats.

Final Thoughts

While organizations do not control the public internet beyond their firewall, they may nevertheless act to safeguard the organization’s brand. By adopting ASTI tools that focus on results and action, businesses can respond more quickly and gradually improve their efficiency and proactiveness. Further, an ASTI tool can identify risk areas within an application, educating developers and security specialists about which components of the application are vulnerable to attack and identifying ways to mitigate those vulnerabilities.

Intelligence about threats and the attack surface enables:

1) Determination of the functions and components of the system that require examination or testing for security vulnerabilities.

2) Identification of the parts of the code that are more vulnerable and require protection.

3) Determination of when the attack surface has changed, so that a mitigation strategy can be considered after risk evaluation.


By: Surya Jatavallabhula

Senior Director | ISSQUARED Information Security

Surya Jatavallabhula is a Cyber Security and Risk professional with an extensive history in the Banking, Biotech, Medical, and Education sectors. Surya has played various roles across security domains, including CISO, Security Partner/SME for Information and Cyber Security, DevSecOps, Risk Management, Data Privacy, Enterprise Security Architecture, Data Architecture, Technology Risk, and Portfolio Management, after graduating with an M.S. in Risk Management from the Stern School of Business, New York University, U.S., and an M.B.A. from Leeds University Business School, U.K.