John Lundgren

Understanding Your IT Attack Surface

Updated: Jul 16, 2020

Attackers are constantly assessing every possible vector to get in and stay in networks like yours. The full set of intrusion vectors they could use can be collectively described as your organization’s IT attack surface. As IT infrastructures grow increasingly complex and the IoT era brings more connected devices into your environment, it is easy to overlook critical intrusion vectors in your attack surface. Additionally, a growing attack surface usually means that its rate of change increases as well. To accurately assess the security of your IT infrastructure and the data it holds, it is important to understand just what is included in your attack surface and how frequently it changes.

Ever Expanding: The Boundaries of Your IT Attack Surface

An organization’s attack surface can be broken into two broad categories – the network attack surface and the social attack surface. While both categories are broadly understood by most, the scope of each is often not fully appreciated.

Your network attack surface contains all the hardware and software used to both provide and access your organization’s IT services. It will be no surprise that the routers, servers and workstations, as well as the operating systems and the commercial and internal software that run on them, are included in the network attack surface. However, all means of accessing these services must also be considered within the boundaries of your network attack surface. From an employee’s private mobile device that is used to read internal email from home to a customer’s laptop that joins your wireless network during visits, these can be just as effective access vectors into your core IT infrastructure for an attacker.

Just as important to consider is your social attack surface, which can be larger than many may think. Sure, the employees and the identities they use to access your IT services are within the bounds of your social attack surface. In addition, however, other people who use the devices that access your organization’s IT infrastructure must also be counted as part of the social attack surface. An employee’s spouse or children who use the same device the employee checks their work email on are just as likely to be susceptible to a social engineering attack, which may compromise that device and the work email it accesses.

It Never Stops: Changes in Your IT Attack Surface

Once the boundaries of your attack surface are identified, the pace of change within that attack surface must also be understood. Knowing where and how frequently your attack surface changes is critical to anticipating new access vectors that an attacker may leverage to gain access to your data.

Any organization’s network attack surface is in a constant state of change, particularly when you include employees’ private mobile devices and personal computers as part of that attack surface. Most CIOs and/or CISOs will be aware of large changes in their network attack surface – an enterprise-wide patch being rolled out, a refresh of core servers or routers, etc.

However, small changes to a network attack surface can occur hundreds, thousands or, for large enterprises, millions of times per day. Each time a new device joins or disconnects from a wireless access point, an employee fails to patch the private computer they work from after a security vulnerability is publicly disclosed, or a system administrator makes a configuration change to troubleshoot an issue, your network attack surface changes. Some changes may be harmless, but at the frequency at which these changes occur, it can be daunting for any organization to understand just how secure it is at any given time.
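One way for a defender to make these small changes visible is to diff successive asset-inventory snapshots and report what joined, what left, what software appeared or changed version, and which hosts have fallen outside a patch window. The script below is an added example, not Breachbits’ or the CIRT service’s code; the inventory snapshots are constructed sample data, and the Asset fields and the 30-day patch window are assumptions about what a discovery tool might record.

```python
"""Track changes in an IT attack surface between two asset-inventory snapshots.

Added example (not Breachbits' code). The snapshots below are constructed
sample data, and the Asset fields are assumptions about what a discovery
tool might record for each host.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str        # "corp" (managed) or "byod" (employee- or visitor-owned)
    software: tuple   # ((product, version), ...) present on the host
    last_patched: date


def _by_host(snapshot):
    """Index a snapshot by hostname for set arithmetic."""
    return {asset.host: asset for asset in snapshot}


def diff_attack_surface(prev, curr, today, patch_sla_days=30):
    """Return what changed between two snapshots and what now looks risky."""
    p, c = _by_host(prev), _by_host(curr)
    added = sorted(set(c) - set(p))       # hosts that joined since last snapshot
    removed = sorted(set(p) - set(c))     # hosts that disappeared
    new_software, changed_software = [], []
    for host in sorted(set(p) & set(c)):
        before = dict(p[host].software)
        after = dict(c[host].software)
        for product, version in after.items():
            if product not in before:
                new_software.append((host, product, version))
            elif before[product] != version:
                changed_software.append((host, product, before[product], version))
    # Hosts whose last patch is older than the (assumed) patch SLA
    stale = sorted(h for h, a in c.items()
                   if (today - a.last_patched).days > patch_sla_days)
    # Newly seen devices the organization does not manage directly
    unmanaged_added = [h for h in added if c[h].owner == "byod"]
    return {
        "added": added,
        "removed": removed,
        "new_software": new_software,
        "changed_software": changed_software,
        "stale_patch": stale,
        "unmanaged_added": unmanaged_added,
        "change_count": len(added) + len(removed)
                        + len(new_software) + len(changed_software),
    }


# Constructed snapshots (sample data, not a real inventory)
SNAPSHOT_DAY1 = [
    Asset("srv-mail-01", "corp", (("nginx", "1.18.0"), ("postfix", "3.5")), date(2020, 6, 20)),
    Asset("ws-alice-01", "corp", (("rdp", "10.0"),), date(2020, 7, 1)),
    Asset("byod-bob-phone", "byod", (("mail-client", "4.2"),), date(2020, 5, 1)),
]
SNAPSHOT_DAY2 = [
    Asset("srv-mail-01", "corp", (("nginx", "1.19.0"), ("postfix", "3.5")), date(2020, 6, 20)),
    Asset("ws-alice-01", "corp", (("rdp", "10.0"), ("teamviewer", "15.0")), date(2020, 7, 1)),
    Asset("byod-carol-laptop", "byod", (("vpn-client", "2.1"),), date(2020, 4, 1)),
    Asset("guest-laptop-07", "byod", (), date(2020, 7, 10)),
]


def daily_report(today=date(2020, 7, 16)):
    """Diff the two constructed snapshots as of the given day."""
    return diff_attack_surface(SNAPSHOT_DAY1, SNAPSHOT_DAY2, today)


if __name__ == "__main__":
    for key, value in daily_report().items():
        print(f"{key}: {value}")
```

Run daily against real discovery output, the `change_count` over time gives the rate of change the article describes, while `unmanaged_added` and `stale_patch` pick out the joins and missed patches that deserve a look first.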

Appreciating the speed at which your social attack surface changes is critical as well. As employees are hired, fired, change positions or quit, your organization’s social attack surface changes with every action. Each new employee brings not only new skills and experiences to the organization they join, but also new risks and vulnerabilities for social engineering attacks. When they create a new social media account using the same password they use for their work accounts or add their work email address in a web form to be contacted, they are unintentionally affecting not just their social attack surface, but their organization’s as well.


The scope and rate of change of your organization’s attack surface are in constant flux, which presents a steady stream of unique challenges for CIOs and CISOs trying to keep their data and IT infrastructure secure. But knowing the boundaries of your attack surface is essential to identifying where new risks and vulnerabilities may present themselves and to prioritizing cybersecurity investments, assessments and policy reviews.

We know that keeping up with the changes in your organization’s attack surface can be daunting. To stay on top of the constant changes in your attack surface and the risks and vulnerabilities they bring, try Breachbits’ Continuous Intelligent Red Team (CIRT) Service.

We use machine learning and automation, rather than human hackers, to provide organizations with a constant, dedicated adversary that is searching for changes in your attack surface to exploit – 24 hours a day, 365 days a year.

