A compilation of findings from the 2024 Attack Surface Threat Intelligence report with expert practitioner commentary
The 2024 State of Attack Surface Threat Intelligence report, conducted by Cybersecurity Insiders (a community of more than 600,000 cybersecurity professionals) and sponsored by TacitRed, aimed to provide insight into the challenges, advantages, maturity, and best practices of applying threat intelligence and external attack surface management to mitigate cyber risk.
The comprehensive findings were based on a survey of over 300 cybersecurity and IT professionals from organizations of more than 1,000 employees across North America. All the respondents manage programs and teams or directly use threat intelligence and external attack surface management tools as part of their responsibilities.
This paper provides highlights of key survey findings and further shares insights from an expert panel drawn from a related webinar. The panel comprised Ken Pfeil, Chief Data Officer at the Commonwealth of Virginia; David Monahan, Business Information Security Officer at AbbVie; Ross Warren, Vice President of Cyber Risk at ATRI Insurance; and Thomas Johnson, Manager of Cyber Threat Research at Cogility.
When it comes to attack surface risk, the survey explored the impact of the growing external attack surface. In terms of attack vectors, incidents, and the frequency of attacks, cyber incidents are on the rise, with over 90 percent of organizations reporting an increase in impactful incidents over the previous year. The most common vectors exploiting an expanding external attack surface were, not surprisingly, ransomware and malware, compromised credentials, phishing, and supply chain attacks.
The survey further reveals that 84 percent of respondents report an increase in their external attack surface dynamics, with 36 percent observing a sharp rise in asset changes over the past year. The key factor behind this rise was the new normal of remote and hybrid work, along with continued BYOD exposures, cited by 60 percent of respondents. Remote work has significantly expanded the perimeter by introducing a variety of personal devices and home networks into enterprise ecosystems, often with insufficient security controls.
Adding to that is the adoption of new technologies, as a growing, dispersed set of assets, including cloud services and IoT devices, continues to complicate defensive efforts. Fifty-six percent of survey participants point to the expansion of web applications and APIs among the new attack vectors most frequently exploited. Additional vectors included exploitation of weak system authentication and misconfigurations. Lastly, supply chain exposures were identified by a third of respondents, with threat actor activity targeting partner organizations.
Panel Perspective: Ross Warren
Attack surface dynamics and interconnections are having an impact with customers and cyber insurance providers. Cyber insurers provide a degree of risk or outcome mitigation — as when a business is breached, insurers step in to make sure the enterprise can become whole. This includes coverage to enable the business to continue operations, as well as recover their stolen data or mitigate their ransomware event. With the rise of ransomware as a service fortified by a criminal ecosystem, these attacks have really devastated a lot of small and medium-sized enterprises, including school systems and municipalities.
With the big shift from working on a network to remote work and remote workers, there’s more of a chance for mistakes. Beyond employing vulnerable technology, simply keeping up with external assets and services from an external attack surface perspective leads to enterprises potentially facing more extensive security incidents, such as ransomware. If you are operating externally blind — without some sort of external continuous threat assessment — you’re very likely risking your entire company due to threat actors and their effectiveness. Being able to monitor and explore attack surface threats for your company is critical. This is equally critical for cyber insurers, as we provide coverage for companies, to gain a perspective of the likelihood of a breach — including understanding how a business operates and reduces their range of cyber risks.
Exploring more of the findings, the survey examined the extent of external attack surface management (EASM) program maturity across organization size and industry. The results show that the maturity of EASM programs varies significantly. The survey question essentially has respondents self-assess their organization’s EASM program maturity level under criteria similar to NIST cyber program maturity. Nearly half of respondents report that their programs are in the early stages of development, either in the initial or repeatable phases, where processes remain fairly unstructured and reactive. Only a third of respondents are in the most advanced stages of maturity, with 22 percent reporting proactive managed programs and 11 percent achieving optimized automation and continuous threat assessment.
Panel Perspective: Ken Pfeil
What key factors help “move the maturity needle” for attack surface management programs within an organization? From my viewpoint, having done this as a chief security officer in various different companies for the past 20 years — I expected about a quarter of organizations to have mature programs. To improve maturity, leaders should consider taking it one step at a time. There are a lot of factors that can be leveraged, even how you progress other programs. It starts with executive buy-in and support for your full program — where attack surface management should be among the forefront initiatives.
External attack surface management (EASM) should be a part of your regular vulnerability assessment (VA) and pen testing. The objective would be to correlate those results. It is a matter of integrating EASM and VA monitoring and findings results, and ensuring processes that set expectations on how you will address exposures into your incident response capabilities. Integration with your existing security tool sets and processes would be another factor to help move the maturity up a little bit. This would include SIEM, SOAR and other areas where you can leverage security orchestration. Starting small with defined improvements is a more assured way to move the needle forward rather than boiling the ocean.
Panel Perspective: David Monahan
Taking a slightly different perspective on maturing EASM programs, it starts with having a strong asset management set of practices because that is your attack surface. Ultimately, as a foundation, you need to know what you have. If you don’t know what you have, that puts an enterprise in a higher liability or risk of attack and breach. Second to that, organizations need an effective approach to assess their chosen tool sets, and the evolution of those tool sets to address program requirements. When you start to look at that maturity curve model, the tools (as well as processes) become a significant factor to scale and mature a program.
The third one is about people, inclusive of mentoring and training. People always are the last mile. Mentoring and training are key for teams to keep them up to date on the tools and more so the practices and the processes of investigation to remediation and resumption.
For EASM and the use of threat intelligence to be effective, building up people skills is important, along with creating opportunities for mentoring. The more that senior folks can advance the skill set and experience of junior members, the better. It not only improves program maturity; it also has the added effect of retention, which impacts repeatable and improved processes. Personnel are often the ones that must make a “go, no-go” decision on how to respond to issues and reduce risks — and the extent of whether that is automatic or automated. There is a difference between automatic and automated. While everyone wants automated, most are hesitant to go fully automatic. Even those that have highly mature and automated programs are only around 10 percent, where the system does all of the decision making at the end and flips the buttons and switches to take action. Better to start with semi-automated with defined conditions, tools, and tracking.
The last one is to have measurable and repeatable processes for attack surface management program maturity. If we don’t make those processes repeatable with appropriate controls, then we can’t automate them for one. Furthermore, this delays threat response because people are wondering what is the agreed upon practice to respond. And if processes are not reviewed, you can’t mature your EASM program.
The survey asked participants about their organization’s biggest external attack surface management challenges. Identifying active third-party exposures was cited as the highest pain point, at 45 percent. As organizations become more dependent on external vendors and partners, the complexity of securing these third-party connections multiplies attack vectors across the supply chain. The challenge of maintaining an accurate inventory of internet-facing assets was cited by 41 percent of respondents as a significant hurdle. The sheer scale of digital assets across cloud services, applications, and remote work environments makes it quite difficult for security teams to maintain and protect operations and data.
Detecting and responding to active cyber adversary threats and breaches was cited by 40 percent of respondents. This demonstrates the burden and volume of potential security violations, threats, and issues that security operations teams must filter, validate, and respond to. Filtering through all the threat noise was highlighted by 39 percent of respondents, as security teams struggle with excessive alerts and false positives. Compounding these obstacles, 37 percent of respondents cited difficulties with poor-quality threat intelligence, where the intelligence is often inaccurate or not actionable. Poor and unactionable attack surface threat intelligence further impairs the ability to respond efficiently to security incidents.
Panel Perspective: Ken Pfeil
These attack surface pain points have stayed consistent over the years. Certainly, the adoption of cloud, BYOD and IoT assets and their connections to the enterprise have added security management complexity and exposures. Here too, the objective is to make things as simple as possible — this includes asset authorization processes and tracking — including type, location, and ownership, as well as understanding the criticality of assets. Organizations have to know where the crown jewels are and track potential threats and active exposures. The overwhelming volume of vulnerability and threat data is very real. Without a mechanism for alert reduction and threat prioritization of that, teams will be overloaded. Lastly, organizations have limited budget and personnel resources — both from a budget and people perspective. Examine parts of your EASM program and determine if there are program resource overlaps that can be combined to optimize people, spend and tools towards achieving the best outcome.
Panel Perspective: David Monahan
Considering a more extended attack surface, organizations need to manage threat data growth not only from an internal pipeline of work, but also inclusive of Mergers & Acquisitions and their supply chain. Threat management teams need to identify the threats from third parties where there is limited to no internal IT purview. EASM tools support this. Dealing with acquisitions and third-party vendors, security teams should treat risk management efforts — from pre-acquisition assessment through the ingestion stages — much the same as current assets under management.
It’s imperative to have tools, including EASM tools, to help find the unknown assets and issues internally and for those external vendors that you work with. What is in their operating environments, and what sort of a risk does that present to your organization taking on as part of that acquisition or with vendors and partners connecting to your network and systems? In a previous organization, for example, there was a potential acquisition that ended up being passed on due to the extent of cyber risks involved that would have created a significant risk for the business.
Assess if the EASM tool can deliver more timely and more accurate data, and the effect of whether it does reduce the signal-to-noise ratio for the security analyst. Inaccurate, insignificant, or stale data (where an exposure has already been fixed) is not only useless — it’s detrimental, because teams will spend time investigating issues that ultimately provide no value. EASM tools that reduce friction and overhead for analysts that investigate and respond to threats will make them more efficient at triaging and taking action.
Lastly, examine related reporting and case management areas to help scope, manage, escalate, and communicate the resolution of attack surface problems. EASM tools should integrate with other tools, including support for workflows and case management. This confirms the extent to which tools are useful and verifies their effective use: beyond the scope of what is being found, how identified issues have been dealt with and how future like risks can be proactively reduced. If security operations can’t report on this, it will diminish value from a management and investment perspective.
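The panelists above describe four things an EASM workflow has to do to be useful: correlate external findings with internal vulnerability assessment (VA) results, flag assets that are not in the inventory ("know what you have"), carry asset criticality and third-party ownership into prioritization, and drop stale findings for exposures that are already fixed. The Python below is an added illustration of that triage logic, not code from the report, TacitRed, or any panelist's organization; the inventory, EASM findings, VA export, the 30-day staleness window and the additive priority score are all constructed, hypothetical data and policy.

```python
"""Hypothetical EASM finding triage (added example; all data is constructed).

Correlates external attack surface (EASM) findings with an asset inventory and an
internal VA export: stale findings are suppressed, assets missing from the
inventory are flagged for onboarding rather than silently scored, third-party
assets are tagged, and the remainder is ranked by asset criticality.
"""
from datetime import datetime, timedelta, timezone

# Assumed policy: an EASM observation older than this is treated as stale.
MAX_AGE_DAYS = 30

# Constructed asset inventory: hostname -> owner, criticality (1-5), third-party flag.
INVENTORY = {
    "www.example.com": {"owner": "web-team", "criticality": 3, "third_party": False},
    "vpn.example.com": {"owner": "netops", "criticality": 5, "third_party": False},
    "billing.vendor.example": {"owner": "vendor-mgmt", "criticality": 4, "third_party": True},
}

# Constructed EASM findings as an external scanner might report them.
EASM_FINDINGS = [
    {"asset": "www.example.com", "issue": "TLS 1.0 enabled", "seen": "2024-05-02T10:00:00Z"},
    {"asset": "vpn.example.com", "issue": "outdated VPN firmware", "seen": "2024-05-03T08:00:00Z"},
    {"asset": "billing.vendor.example", "issue": "exposed admin panel", "seen": "2024-05-03T09:00:00Z"},
    {"asset": "old-ftp.example.com", "issue": "anonymous FTP", "seen": "2024-05-01T07:00:00Z"},
    {"asset": "www.example.com", "issue": "directory listing", "seen": "2024-03-01T00:00:00Z"},
]

# Constructed VA export: (asset, issue) pairs the internal scanner still sees open,
# and pairs it has already confirmed as remediated.
VA_OPEN = {("vpn.example.com", "outdated VPN firmware")}
VA_CLOSED = {("www.example.com", "directory listing")}

# Fixed "current time" so the staleness check is reproducible.
NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-05-02T10:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(findings, inventory, va_open, va_closed, now, max_age_days=MAX_AGE_DAYS):
    """Split EASM findings into actionable (ranked), stale, and unknown-asset buckets."""
    actionable, stale, unknown = [], [], []
    cutoff = now - timedelta(days=max_age_days)
    for f in findings:
        key = (f["asset"], f["issue"])
        # Stale: VA already confirms remediation, or the observation is too old.
        if key in va_closed or _parse(f["seen"]) < cutoff:
            stale.append(f)
            continue
        asset = inventory.get(f["asset"])
        # Unknown asset: do not score it; it needs ownership and onboarding first.
        if asset is None:
            unknown.append(f["asset"])
            continue
        corroborated = key in va_open  # internal VA agrees with the external view
        # Assumed scoring: criticality, +1 if VA corroborates, +1 if third-party owned
        # (limited internal purview means less ability to verify or fix directly).
        priority = asset["criticality"] + int(corroborated) + int(asset["third_party"])
        actionable.append({
            **f,
            "owner": asset["owner"],
            "third_party": asset["third_party"],
            "corroborated": corroborated,
            "priority": priority,
        })
    actionable.sort(key=lambda r: r["priority"], reverse=True)
    return {"actionable": actionable, "stale": stale, "unknown_assets": sorted(set(unknown))}


def run_sample():
    """Run the triage over the constructed data set."""
    return triage(EASM_FINDINGS, INVENTORY, VA_OPEN, VA_CLOSED, NOW)


if __name__ == "__main__":
    result = run_sample()
    for r in result["actionable"]:
        print(f"P{r['priority']} {r['asset']:24} {r['issue']:22} owner={r['owner']}"
              f" third_party={r['third_party']} corroborated={r['corroborated']}")
    print("stale:", [(f["asset"], f["issue"]) for f in result["stale"]])
    print("unknown assets needing onboarding:", result["unknown_assets"])
```

On the constructed data the VPN firmware finding ranks first because VA corroborates it on a criticality-5 asset, the vendor-owned billing host ranks next, the already-remediated directory listing is dropped as stale, and the FTP host surfaces as an inventory gap rather than a scored finding. Routing the stale and unknown buckets to a case management queue, as the last paragraph suggests, is what turns the suppression into something that can be reported on.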
Read the full report "2024 State of Attack Surface Threat Intelligence", conducted by Cybersecurity Insiders.