Attack Surface

What Is an Attack Surface?

An organization’s attack surface is the total number of potential entry points through which attackers can reach and exploit its systems and data. The larger the attack surface, the harder it is to protect.

Most cybersecurity teams face an ever-expanding attack surface, especially with the increase in digital, internet-enabled devices on or connected to networks. As the attack surface expands, the level of difficulty in identifying, monitoring, securing, and managing potential entry points rises.

Gartner raised the alarm on expanding attack surfaces in 2022: “Enterprise attack surfaces are expanding. Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, complex digital supply chains, social media and more have brought organizations’ exposed surfaces outside of a set of controllable assets. Organizations must look beyond traditional approaches to security monitoring, detection and response to manage a wider set of security exposures.”


Digital vs Physical Attack Surface

The attack surface exists in two dimensions, the digital attack surface and the physical one.

Digital attack surface

The digital attack surface encompasses all hardware and software that connect to an organization’s network. This includes user devices, office equipment, servers, websites, ports, web applications, APIs, code, credentials, malware, and cloud environments. Security risks grow with misconfigurations, outdated software, unauthorized access through third-party integrations, or employees who are duped by phishing emails. The challenge is exacerbated even further by shadow IT, as users circumvent security policies with unapproved apps and devices on the network.

Physical attack surface

The physical attack surface encompasses all endpoint devices which attackers can physically access. These include computers, mobile phones, hard drives, USBs, or any other object containing data or credentials.

Organizations protect their physical attack surface by implementing access control, surveillance, and disaster recovery procedures for all of their physical locations.

Employees are part of the digital and physical surface. Attackers often use phishing to gain unauthorized access through employees, or brute-force their way into your systems by targeting weak or easily guessed passwords.

This glossary page focuses on the digital attack surface, not the physical one.


The Ever-Expanding Digital Attack Surface

There’s no question that most organizations have benefitted tremendously from moving data, applications, and infrastructure to the cloud. The move has made them more flexible and agile. Yet, the tradeoff is that every cloud asset – SaaS applications, development environments, edge compute, cloud databases, and more – exists outside the traditional enterprise network perimeter. The same is true for many IoT and OT (operational technology) devices.

With OT devices, the problems of outdated software and security, as well as misconfigurations, are typically more pronounced, because these devices were not originally designed to operate in connected environments or for IT-OT interaction.

You need to know your entire attack surface

When an organization lacks visibility into its connected assets – whether they are internal or external – it simply cannot protect them from digital threats. Thus, cybersecurity and IT teams need visibility into each and every asset, at all times.


Attack Surface Discovery Provides Visibility

Attack surface discovery is the process of identifying and mapping all the potential openings and vulnerabilities within an organization’s digital environment to fully understand and manage all attack vectors. Attack surface discovery involves three core activities:

Asset Inventory & Discovery: IT needs to identify all connected assets, including on-premises infrastructure, cloud assets, mobile devices, applications, APIs, third-party systems, and anything else that connects to the network. Performing regular or continuous asset discovery ensures that IT identifies all new, unknown, or unmanaged assets and can apply security protocols to them. Once complete, IT should update its asset inventory and perform ongoing asset inventory management.
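The reconciliation step described above (finding assets that discovery sources see but the inventory does not) can be illustrated with a small script. This is an added example and not Forescout's code; the CMDB export, DHCP lease table and cloud instance listing are all constructed sample data, and the record shapes are assumptions rather than any vendor's real export format.

```python
"""Reconcile several asset sources to surface unknown or unmanaged assets.

Added example, not Forescout's code. Every data set below is constructed:
a CMDB export of assets IT already manages, a DHCP lease table and a
cloud inventory listing. Anything observed on the network or in the
cloud but absent from the CMDB is an unmanaged asset that needs to be
brought under policy; CMDB entries that no source observed may be stale.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    name: str      # hostname or instance name, normalised to lower case
    address: str   # IP address the source reported
    source: str    # which discovery source saw it


# Constructed CMDB export: hostname -> recorded IP address.
CMDB = {
    "web-01": "10.0.1.10",
    "db-01": "10.0.2.20",
    "laptop-j.doe": "10.0.5.31",
}

# Constructed DHCP lease table: (address, client hostname).
DHCP_LEASES = [
    ("10.0.1.10", "web-01"),
    ("10.0.5.31", "LAPTOP-J.DOE"),   # same device, different capitalisation
    ("10.0.5.77", "raspberrypi"),    # hobby board plugged into the office LAN
    ("10.0.5.78", "android-3f2a"),   # personal phone on the corporate SSID
]

# Constructed cloud inventory (shape is an assumption, not a real API's output).
CLOUD_INSTANCES = [
    {"id": "i-0a1b", "name": "web-01", "private_ip": "10.0.1.10"},
    {"id": "i-9f3c", "name": "test-box", "private_ip": "10.0.9.5"},  # never registered
]


def collect_observations(dhcp_leases, cloud_instances):
    """Merge every discovery source into one list of Observation records."""
    observed = [Observation(host.lower(), ip, "dhcp") for ip, host in dhcp_leases]
    observed += [
        Observation(inst["name"].lower(), inst["private_ip"], "cloud")
        for inst in cloud_instances
    ]
    return observed


def reconcile(cmdb, observations):
    """Return (unmanaged, unobserved).

    unmanaged:  names seen by a discovery source but missing from the CMDB.
    unobserved: CMDB names no source reported, candidates for a stale entry
                (or a static-IP host that needs an active scan instead).
    """
    managed = {name.lower() for name in cmdb}
    seen = {obs.name for obs in observations}
    return sorted(seen - managed), sorted(managed - seen)


def discovery_report(cmdb=CMDB, dhcp=DHCP_LEASES, cloud=CLOUD_INSTANCES):
    """Build the report a team would review after a discovery run."""
    observations = collect_observations(dhcp, cloud)
    unmanaged, unobserved = reconcile(cmdb, observations)
    # Keep source and address for each unmanaged name so the team can locate it.
    details = {
        obs.name: (obs.source, obs.address)
        for obs in observations
        if obs.name in unmanaged
    }
    return {"unmanaged": unmanaged, "unobserved": unobserved, "details": details}


if __name__ == "__main__":
    report = discovery_report()
    for name in report["unmanaged"]:
        source, address = report["details"][name]
        print(f"UNMANAGED  {name:<14} {address:<12} seen by {source}")
    for name in report["unobserved"]:
        print(f"UNOBSERVED {name}: in CMDB but no source reported it")
```

Normalising names to lower case before comparing is what keeps `LAPTOP-J.DOE` from being reported as a second, unknown device; in practice a MAC address or cloud instance id is a more reliable join key than a hostname, and the same pattern applies with whichever key the sources share.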

Network and System Scanning: This allows IT teams to quickly identify network-related vulnerabilities that have not been addressed, such as misconfigured firewalls, open ports, and exposed services. Similarly, vulnerability checks discover software that needs patching, outdated systems, and security flaws. To ensure all vulnerabilities are discovered, organizations should perform penetration testing to simulate attacks and discover any additional vulnerabilities.

“Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface.” [i] —  Cybersecurity & Infrastructure Security Agency (CISA)

Risk-Based Assessment: Some vulnerabilities present more risk than others. As a result, organizations must prioritize vulnerabilities based on several factors:

  1. Probability of exploitation
  2. Potential impact (e.g., operational impact, exposure of customer data, etc.)
  3. Ease of remediation (how fast, effectively, and efficiently a vulnerability can be patched).

By using a threat intelligence feed, IT security teams can track active exploits and emerging threats, enabling them to focus resources on the most critical risks.
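The three prioritization factors above, combined with a feed of actively exploited vulnerabilities (the same kind of catalog that step 3 of Attack Surface Reduction below recommends scanning against), can be turned into a simple scoring routine. This is an added example, not Forescout's code or any standard scoring formula: the findings, the point scales, the weights and the exploited-vulnerability feed are all constructed, and the CVE identifiers are placeholders of the form CVE-0000-000N rather than real vulnerabilities.

```python
"""Rank vulnerability findings by exploitation likelihood, impact and ease of fix.

Added example, not Forescout's code. The findings, the scoring weights and
the "actively exploited" feed are all constructed; the CVE identifiers are
placeholders (CVE-0000-000N), not real vulnerabilities. A real deployment
would populate EXPLOITED_FEED from a threat intelligence source or a
known-exploited-vulnerabilities catalog.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float            # base severity, 0.0 - 10.0
    internet_facing: bool  # reachable from outside the perimeter
    data_sensitivity: int  # 1 = public, 2 = internal, 3 = customer/regulated data
    patch_available: bool
    fix_hours: float       # estimated effort to remediate


# Constructed feed of CVE ids observed being exploited in the wild (placeholders).
EXPLOITED_FEED = {"CVE-0000-0001", "CVE-0000-0003"}

# Constructed findings from a scan of four assets.
FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8, True, 3, True, 2.0),
    Finding("hr-portal", "CVE-0000-0002", 7.5, False, 3, True, 8.0),
    Finding("kiosk-07", "CVE-0000-0003", 6.1, True, 1, False, 0.0),
    Finding("print-srv", "CVE-0000-0004", 9.0, False, 2, True, 1.0),
]

# Constructed impact scale: points per data-sensitivity level.
IMPACT_POINTS = {1: 30, 2: 65, 3: 100}


def likelihood(f, exploited_feed):
    """0-100: severity, raised when the CVE is being exploited or the host is exposed."""
    points = round(f.cvss * 10)
    if f.cve in exploited_feed:
        points += 50
    if f.internet_facing:
        points += 30
    return min(points, 100)


def impact(f):
    """0-100: driven by the sensitivity of the data the asset holds."""
    return IMPACT_POINTS[f.data_sensitivity]


def remediation_ease(f):
    """0-100: a quick, available patch scores high; no patch at all scores low."""
    if not f.patch_available:
        return 20
    return 100 if f.fix_hours <= 4 else 60


def priority_score(f, exploited_feed):
    """Weighted blend of the three factors; likelihood carries the most weight."""
    return (50 * likelihood(f, exploited_feed)
            + 30 * impact(f)
            + 20 * remediation_ease(f)) // 100


def prioritize(findings, exploited_feed):
    """Return (score, cve, asset) tuples, highest priority first."""
    ranked = [(priority_score(f, exploited_feed), f.cve, f.asset) for f in findings]
    return sorted(ranked, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for score, cve, asset in prioritize(FINDINGS, EXPLOITED_FEED):
        flag = " (actively exploited)" if cve in EXPLOITED_FEED else ""
        print(f"{score:3d}  {asset:<10} {cve}{flag}")
```

Running it ranks the internet-facing, actively exploited finding on `web-01` first and the unpatched kiosk last; removing the feed entry for the kiosk's CVE drops its score further, which is the effect the threat intelligence feed is meant to have. The weights are deliberately simple so that a team can tune them to its own risk appetite.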


What Is Attack Surface Management (ASM)?

Attack Surface Discovery is only one portion of an overall Attack Surface Management strategy. It is impossible to perform without visibility into all network-connected assets, which is why Attack Surface Discovery is a prelude to Attack Surface Management. The latter involves three core functions:

  1. Attack Surface Discovery (as described above)
  2. Attack Surface Monitoring (described below)
  3. Attack Surface Reduction (described below)

Attack Surface Monitoring

This involves the ongoing observation of all network-connected assets to identify attack vectors. The goal is similar to the discovery phase – to identify weaknesses and potential entry points which attackers could exploit.

Once an attack surface has been mapped via discovery, IT must test for vulnerabilities and continuously monitor to:

  1. Identify changes and any new attack vectors that may have arisen
  2. Determine which types of users can access each part of a system
  3. Mitigate against targeted attacks and attack vectors
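The first monitoring goal, spotting changes and new attack vectors since the last discovery run, amounts to comparing two scan snapshots. The script below is an added example, not Forescout's code: both snapshots (host to open ports and service names) are constructed, and `WATCHLIST`, the set of services that local policy says must never be exposed, is an assumed policy rather than anything the page specifies.

```python
"""Detect changes in the exposed attack surface between two scan snapshots.

Added example, not Forescout's code. Both snapshots are constructed: a
baseline recorded after the discovery phase and a later scan of the same
range. The diff reports hosts and listening services that appeared or
disappeared, and raises an alert when a newly opened service is one the
team has decided should never be reachable (WATCHLIST is an assumed policy).
"""

# host -> {port: service name}; constructed baseline from the discovery phase
BASELINE = {
    "10.0.1.10": {22: "ssh", 443: "https"},
    "10.0.2.20": {5432: "postgresql"},
    "10.0.3.5": {80: "http"},
}

# constructed later scan of the same range
LATEST = {
    "10.0.1.10": {22: "ssh", 443: "https", 8080: "http-alt"},  # new listener
    "10.0.2.20": {},                                           # database port closed
    "10.0.7.4": {3389: "rdp"},                                 # host not seen before
}

# assumed local policy: services that must never appear on the scanned range
WATCHLIST = {"rdp", "telnet", "smb", "vnc"}


def diff_surface(baseline, latest):
    """Return what changed between the two snapshots.

    A host missing from the latest scan may have been decommissioned or may
    simply have been down during the scan, so it is reported, not dropped.
    """
    base_hosts, new_hosts = set(baseline), set(latest)
    opened, closed = [], []
    for host in base_hosts | new_hosts:
        before = baseline.get(host, {})
        after = latest.get(host, {})
        for port in set(after) - set(before):
            opened.append((host, port, after[port]))
        for port in set(before) - set(after):
            closed.append((host, port, before[port]))
    return {
        "new_hosts": sorted(new_hosts - base_hosts),
        "gone_hosts": sorted(base_hosts - new_hosts),
        "opened": sorted(opened),
        "closed": sorted(closed),
    }


def alerts(changes, watchlist=WATCHLIST):
    """Newly exposed services that policy says should never be reachable."""
    return [(host, port, svc) for host, port, svc in changes["opened"] if svc in watchlist]


if __name__ == "__main__":
    changes = diff_surface(BASELINE, LATEST)
    for key in ("new_hosts", "gone_hosts", "opened", "closed"):
        print(f"{key:<10} {changes[key]}")
    for host, port, svc in alerts(changes):
        print(f"ALERT: {svc} newly exposed on {host}:{port}")
```

Every entry in `opened` is a candidate new attack vector and deserves a ticket; the alert list is the subset that should page someone. Persisting each scan as the next baseline turns this one-off comparison into the continuous monitoring the text calls for.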

Attack Surface Reduction

Attack Surface Reduction is a bit of a misnomer, especially as most organizations’ attack surfaces are expanding. What Attack Surface Reduction actually represents are the steps you should take to limit the exploitability of your attack surface. Doing so relies on four critical steps, all of which should be taken on an ongoing basis:

  1. Implementing a Zero Trust strategy: Zero Trust assumes that the network and its systems will be breached (or that a breach has already occurred) and designs security accordingly, as if there is no perimeter or implicit trust. It grants least-privilege access to only what is needed.
  2. Eliminating complexity: Unnecessary complexity introduces more policy and security action mistakes that allow attackers and criminals to gain unauthorized access to corporate systems and data. Organizations must disable unnecessary or unused software and devices. This reduction in the number of endpoints simplifies the network and counter-balances the attack surface expansion taking place today.
  3. Scanning for vulnerabilities: Regular network checks quickly identify potential vulnerabilities. This is especially helpful when it is integrated with an active, up-to-date catalog or database of known vulnerabilities that are being actively exploited.
  4. Segmenting to isolate issues: Network segmentation enables organizations to minimize the size and scope of their attack surface. Digital transformation has resulted in converged IT, IoT, and OT networks. Instead of patching, these devices must often be segmented from other parts of the network and monitored to detect anomalies. Otherwise, communication links may go unchecked and vulnerabilities hide in plain sight.


How Forescout Can Help

There’s another name for the digital dimension of Attack Surface Management: Cyber Asset Attack Surface Management (CAASM). It is the process of identifying, evaluating, and managing the vulnerabilities and risks linked to an organization’s digital assets and infrastructure.

A comprehensive CAASM strategy enables organizations to protect their digital assets effectively and mitigate the impact of attack vectors.

Key components of Forescout’s CAASM capabilities consist of:

  • Asset Discovery: This involves pinpointing all the digital assets within an organization’s network, including devices, applications, and systems. A comprehensive inventory is necessary to manage the attack surface effectively.
  • Vulnerability Assessment: Once the assets are identified, a thorough vulnerability assessment is conducted to identify weaknesses and potential entry points for attackers. This assessment aids in prioritizing remediation efforts and reducing the overall risk from identified attack vectors.
  • Continuous Monitoring: The attack surface constantly evolves due to various factors such as software updates, new devices, or changes in network configurations. Continuous monitoring ensures prompt identification and addressing of any changes to attack vectors.
  • Threat Intelligence: To stay ahead of threats, organizations need access to current information about emerging vulnerabilities and attack techniques. Integrating threat intelligence into CAASM helps organizations proactively defend against potential attacks.

Some major benefits of CAASM conducted by Forescout include:

  1. Comprehensive Asset Visibility and Management: CAASM offers a complete view of an organization’s cyber assets, including on-premises, cloud-based, and remote systems. This visibility helps organizations better understand and manage their attack surface, leading to a more robust security posture. By automating asset inventory and streamlining management, Forescout simplifies the process of discovering and fixing security gaps.
  2. Enhanced Security Hygiene and Threat Prioritization: CAASM offers valuable insights into an organization’s security controls, overall security posture, and exposure of assets. This enables security teams to address vulnerabilities and misconfigurations, improving overall security hygiene proactively. By evaluating asset criticality and vulnerability severity, Forescout helps prioritize threats, ensuring that the most critical risks are dealt with first, thus minimizing the potential impact of cyber-attacks.
  3. Real-time Monitoring, Remediation, and Integration: Forescout continuously monitors an organization’s attack surface, detecting changes and new vulnerabilities in real time to swiftly identify and address threats. It integrates with existing security infrastructure from other vendors, such as endpoint protection solutions, to facilitate data sharing and coordinated response across the security ecosystem.
  4. Improved Compliance, Cyber-Resilience, and Productivity: CAASM promotes data-driven decision-making, assisting in regulatory compliance and bolstering cyber-resilience by identifying and mitigating vulnerabilities before they are exploited. Forescout’s automation of asset list maintenance and streamlining of management processes enables security teams to prioritize strategic tasks, thereby enhancing overall productivity.

Experience the power of advanced visibility, policy enforcement, and automation – schedule your demo today and protect your expanding attack surface from new and evolving cyber threats.


[i] CISA. Stop Ransomware Guide. Accessed March 30, 2025 from https://www.cisa.gov/stopransomware/ransomware-guide
