Cybersecurity is more important today than ever before, and two of the key concepts in this context are attack paths and attack surface. But what do these terms actually mean, and why is understanding them essential for every organization? Matias Haapaniemi explains these basics in this blog post.
Attack Paths and Attack Surface
In cybersecurity, you often hear two terms: attack surface and attack paths. They sound technical, but there’s a simple idea behind them.
The attack surface includes every point that an outsider can “touch”. Think of your organization as a house: doors, windows and mail slots are all part of the attack surface.
In the digital world, the attack surface includes, for example:
- Public web services and websites
- Employee usernames and passwords
- Cloud services, integrations between public services, and interfaces
- Laptops, phones, and servers
- Third-party add-ons and services
The more “openings” your organization has, the larger the attack surface, and the more opportunities there are for misuse.
An attack path is the route an attacker takes from the starting point to their goal.
- In the house example, an attack path could be: Mail slot → Entrance hall → Living room → Safe
- A digital attack path could be: Phishing email → Single user account → VPN access to internal network → Server with unpatched vulnerabilities → File server with valuable data
It’s important to understand that a single “opening” rarely brings down the whole house on its own. The danger arises when several small weaknesses chain together into an uninterrupted path from an entry point to something valuable.
From Basics to Practice
Why does all this matter? Simply put, you should care about attack paths and attack surface because:
- Reducing the attack surface gives an attacker fewer places to start
- Breaking attack paths stops an attack from progressing even when the initial breach succeeds
How should an organization’s IT department act in practice?
- Map – you can’t protect services you’re not aware of
- Trim – remove unnecessary servers, accounts, devices, and services
- Strengthen – enable MFA, apply security hardening, deploy Endpoint Detection & Response (EDR) and configure device firewalls
- Break attack chains – does a workstation need to allow RDP connections to another workstation? Does a printer need to allow RDP connections to the Domain Controller?
- Audit – are the firewall settings working as they should? Are there new devices in the network that haven’t been accounted for?
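The difference between shrinking the attack surface (“Trim”) and breaking attack chains is easiest to see when the digital attack path above is written down as a small graph. The following Python script is an added example for this post, not code from Above IT or from any Microsoft product; the environment it models (the host names, the RDP hops and the printer that can reach the domain controller) is constructed for illustration. It finds every route from the internet to the file server, then shows that removing the exposed web service eliminates one route, while removing just two RDP hops eliminates all of them even though the entry points stay exactly as they were.

```python
"""Toy attack-path model.

Nodes are hosts, accounts or services. A directed edge (A, B, how) means
"an attacker who controls A can reach B by <how>". Everything the outside
world can reach in one hop is the attack surface; any chain of hops ending
at the goal is an attack path. The data below is constructed for this example.
"""
from collections import Counter

OUTSIDE = "internet"
GOAL = "file server"

# Constructed environment, mirroring the digital attack path in the post.
EDGES = [
    (OUTSIDE, "user account", "phishing email"),
    (OUTSIDE, "public web app", "exposed web service"),
    ("user account", "vpn", "valid credentials, no MFA"),
    ("vpn", "workstation A", "VPN lands on the office network"),
    ("workstation A", "workstation B", "RDP workstation-to-workstation"),
    ("workstation B", "legacy server", "unpatched vulnerability"),
    ("legacy server", GOAL, "reused local admin password"),
    ("public web app", "printer", "flat network, printer VLAN reachable"),
    ("printer", "domain controller", "RDP allowed from printer VLAN"),
    ("domain controller", GOAL, "domain admin"),
]


def build_graph(edges):
    """Adjacency list: node -> [(next_node, how), ...]."""
    graph = {}
    for src, dst, how in edges:
        graph.setdefault(src, []).append((dst, how))
    return graph


def attack_surface(edges, outside=OUTSIDE):
    """Everything an outsider can touch directly: the first hop from outside."""
    return {dst for src, dst, _ in edges if src == outside}


def find_paths(graph, start, goal):
    """Every simple path (no repeated node) from start to goal, via DFS."""
    paths = []

    def dfs(node, path):
        if node == goal:
            paths.append(list(path))
            return
        for nxt, _how in graph.get(node, []):
            if nxt not in path:          # avoid cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return paths


def without_node(edges, node):
    """'Trim': retire a device or service, which removes every edge touching it."""
    return [e for e in edges if node not in (e[0], e[1])]


def without_edge(edges, src, dst):
    """'Break attack chains': keep both hosts, remove one way of moving between them."""
    return [e for e in edges if (e[0], e[1]) != (src, dst)]


def edge_coverage(paths):
    """How many of the found paths each hop lies on. Hops that appear on every
    path are the cheapest places to break the chain."""
    counts = Counter()
    for path in paths:
        for hop in zip(path, path[1:]):
            counts[hop] += 1
    return counts


def describe(paths):
    return [" -> ".join(p) for p in paths]


if __name__ == "__main__":
    print("Attack surface:", sorted(attack_surface(EDGES)))
    print("Paths to the goal:", *describe(find_paths(build_graph(EDGES), OUTSIDE, GOAL)), sep="\n  ")

    # Trim: decommission the exposed web app. Surface shrinks, one path remains.
    trimmed = without_node(EDGES, "public web app")
    print("\nAfter retiring the web app, surface:", sorted(attack_surface(trimmed)))
    print("Paths:", *describe(find_paths(build_graph(trimmed), OUTSIDE, GOAL)), sep="\n  ")

    # Break chains: block the two RDP hops. Surface is unchanged, no path remains.
    broken = without_edge(EDGES, "workstation A", "workstation B")
    broken = without_edge(broken, "printer", "domain controller")
    print("\nAfter blocking RDP hops, surface:", sorted(attack_surface(broken)))
    print("Paths:", describe(find_paths(build_graph(broken), OUTSIDE, GOAL)))
```

Run it as a script to see the three scenarios side by side. The `edge_coverage` helper is there to rank where a firewall rule or hardening step pays off most: a hop that every path has to cross is a single control that breaks all of them, which is the point of the “does a workstation need RDP to another workstation?” question above.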
Come to Above IT’s Afterwork event and learn how Microsoft Defender solutions manage the attack surface and break attack paths. We’ll share best practices to get more out of products you already have, while significantly reducing manual work.



