How to Optimise Attack Surface Management
By James Rees, MD, Razorthorn Security
Introduction: The Growing Challenge of Digital Security
Organisations face significant challenges in maintaining visibility over their expanding technology footprint. Attack surface management addresses the need to understand what technology assets exist, where they’re located, how vulnerable they are and how supply chains might impact security posture.
For InfoSec professionals, understanding the attack surface remains a fundamental concern. It echoes Sun Tzu’s wisdom: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” While this philosophy doesn’t guarantee victory in cybersecurity, it provides the foundation for effective defence.
As organisations embrace digital transformation, the attack surface extends beyond traditional perimeters to include cloud resources, supply chain partners and shadow IT. In this complex landscape, the ability to comprehensively map and monitor attack surfaces has become essential for protecting digital assets and maintaining regulatory compliance.
The Evolution of Cybersecurity Challenges
From Simple Networks to Complex Ecosystems
The cybersecurity landscape of the 1990s and early 2000s bears little resemblance to today’s environment. Basic controls such as firewalls were far from universal, and IT departments struggled to keep pace with rapidly developing technology. Organisations prioritised connectivity over security, with network administrators focused more on making systems work than on protecting them.
Shadow IT flourished in this environment, with unauthorised devices and software proliferating across corporate networks. Without sophisticated monitoring tools, these unauthorised systems could remain undetected for months, creating significant security blind spots.
Primitive Tools and Manual Processes
Security tools back then were primitive, offering little in the way of visualisation or actionable insights. Reports were often hundreds of pages long with minimal formatting, making it challenging to identify critical issues. Investigating incidents meant physically searching facilities for rogue devices or manually examining log files – a time-consuming process that could take days to complete.
Threat actors have evolved dramatically from individual hackers exploring systems to sophisticated criminal organisations operating like legitimate businesses, complete with HR departments and dedicated targeting teams. As networks transitioned from physical infrastructure to virtual environments and cloud services, the definition of an organisation’s attack surface expanded beyond physical boundaries, creating cascading vulnerability chains across industries.
Why Attack Surface Management Matters Today
The Velocity Challenge: From Days to Hours
The urgency stems from the dramatic increase in attacker velocity. It may have taken malicious actors 30 to 40 days to discover critical vulnerabilities or exposed services in the past, but this can now happen within three hours. Major defence suppliers report that misconfigurations in their external-facing systems are found by attackers almost immediately.
Well-funded criminal syndicates drive this acceleration. Some ransomware operations generate hundreds of millions in annual revenue, providing resources for high performance computing capable of sending millions of password attempts per second to exposed interfaces. The stakes have never been higher, with organisations facing financial losses, regulatory penalties and reputational damage from successful compromises.
Dynamic Business Environments and Supply Chain Risks
The external attack surface has become increasingly dynamic. Business needs drive rapid deployment of new services with little consideration for security implications. Development timelines continue to compress, with continuous deployment practices pushing multiple changes daily, creating opportunities for attackers to exploit temporary misconfigurations.
Supply chain attacks represent another critical concern. Compromising one vendor can provide access to thousands of networks, as demonstrated by incidents like SolarWinds, where attackers injected malicious code into software updates. The value of the potential target often determines how quickly attackers will exploit vulnerabilities, with financial institutions and critical infrastructure experiencing the most aggressive attention.
“Supply sprawl” compounds the problem as cloud providers make it easy for any department to deploy internet-facing infrastructure with a credit card, often bypassing governance frameworks. These shadow deployments create blind spots that security teams cannot secure because they remain unaware of their existence.
Key Components of Effective Attack Surface Management
Continuous Assessment: The Daily Imperative
Effective attack surface management requires continuous rather than periodic assessment. If you’re examining your attack surface less often than daily, you’re already at a disadvantage against modern threat actors who constantly scan for new opportunities.
Comprehensive visibility across all internet-facing assets is essential, including identifying assets through certificates, domains and IP ranges. Attribution matters significantly – an exposed server with a certificate linking it to a critical infrastructure provider becomes an especially valuable target.
Exposure duration represents a critical metric that directly correlates with breach likelihood. Many organisations discover vulnerabilities that have remained exposed for months or years. Reducing this exposure time should be a primary goal, with mature security programmes measuring remediation times in hours rather than days.
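The three things the paragraphs above ask for (a daily diff of what is exposed, attribution of new hosts back to the organisation through their certificates, and a measure of how long each exposure has been open) can be expressed in a few dozen lines. The following is an added example, not Razorthorn’s code; the scan records, the owned domain and the timestamps are constructed for illustration, and in practice the records would come from your external scanner or ASM platform.

```python
"""Daily external-exposure tracking: diff two scans, attribute hosts by
certificate, and measure how long each exposure has been open.

Added example, not Razorthorn's code. The scan records, the owned
domain and the timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed: the organisation's registered domains, used for attribution.
OWNED_DOMAINS = ("example-hospital.org",)


@dataclass(frozen=True)
class Exposure:
    host: str              # IP or hostname seen from the internet
    port: int
    service: str
    cert_sans: tuple = ()  # subjectAltName entries, if a certificate was presented


def key(exp):
    return (exp.host, exp.port, exp.service)


def attributable(exp, owned_domains=OWNED_DOMAINS):
    """True if a SAN on the certificate is an owned domain or a subdomain of one.
    Wildcard entries such as *.corp.example-hospital.org are normalised first."""
    for san in exp.cert_sans:
        name = san.lower().lstrip("*.")
        if any(name == d or name.endswith("." + d) for d in owned_domains):
            return True
    return False


def diff_scans(previous, current):
    """Return (newly exposed, no longer exposed), each sorted by key."""
    prev = {key(e): e for e in previous}
    curr = {key(e): e for e in current}
    new = [curr[k] for k in curr.keys() - prev.keys()]
    gone = [prev[k] for k in prev.keys() - curr.keys()]
    return sorted(new, key=key), sorted(gone, key=key)


def update_first_seen(first_seen, current, now):
    """Carry forward first-seen times for exposures still present, start the
    clock for new ones and drop entries that have disappeared."""
    live = {key(e) for e in current}
    updated = {k: t for k, t in first_seen.items() if k in live}
    for k in live:
        updated.setdefault(k, now)
    return updated


def exposure_hours(first_seen, now):
    return {k: (now - t).total_seconds() / 3600 for k, t in first_seen.items()}


def overdue(first_seen, now, sla_hours=24):
    """Exposures that have been open longer than the remediation SLA."""
    return sorted(k for k, h in exposure_hours(first_seen, now).items() if h > sla_hours)


def run_example():
    now = datetime(2025, 1, 2, 6, 0, tzinfo=timezone.utc)  # constructed "today"
    yesterday = [
        Exposure("203.0.113.10", 443, "https", ("www.example-hospital.org",)),
        Exposure("203.0.113.11", 22, "ssh"),
        Exposure("203.0.113.12", 3389, "rdp"),
    ]
    today = [
        Exposure("203.0.113.10", 443, "https", ("www.example-hospital.org",)),
        Exposure("203.0.113.12", 3389, "rdp"),
        Exposure("198.51.100.7", 443, "https", ("*.corp.example-hospital.org",)),  # new, ours
        Exposure("198.51.100.8", 8080, "http"),                                    # new, unattributed
    ]
    # State carried from earlier runs: the RDP service has been open for 30 days.
    first_seen = {key(e): now - timedelta(days=1) for e in yesterday}
    first_seen[key(yesterday[2])] = now - timedelta(days=30)

    new, gone = diff_scans(yesterday, today)
    first_seen = update_first_seen(first_seen, today, now)
    return {
        "new": new,
        "new_attributable": [e for e in new if attributable(e)],
        "gone": gone,
        "hours_open": exposure_hours(first_seen, now),
        "overdue": overdue(first_seen, now),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

The unattributed host on port 8080 is the interesting case: a new service on address space you do not recognise, with no certificate tying it to you, is exactly the shadow deployment that needs a human to confirm or deny ownership before it is either onboarded or reported. The RDP service is the other lesson: it is not new today, but the first-seen clock shows it has been open for a month, which is the exposure-duration metric the paragraph above says to drive down.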
Business Context and Vulnerability Management
Vulnerability prioritisation must occur within the business context rather than relying solely on technical severity ratings. Some vulnerabilities may exist on business-critical systems where immediate patching could disrupt operations. Others might exist on less critical systems but provide direct access to sensitive networks. Understanding these relationships allows for risk-based remediation decisions.
Third party risk management has become inseparable from attack surface management. Organisations must monitor their suppliers’ security postures with the same vigilance as their own, validating that security claims match reality. Many vendors claim compliance with security requirements on questionnaires, but observable security practices often tell a different story.
Integration with security operations workflows enhances effectiveness. When new vulnerabilities are discovered, immediate notifications should flow to SIEMs and vulnerability management solutions, triggering appropriate response processes without manual intervention.
Real World Impact of Attack Surface Vulnerabilities
Healthcare Under Attack: The Medical Device Threat
Consider a hospital network where security researchers deployed a honeypot designed to mimic an MRI scanner running Windows Server 2012. Within just two minutes, an infected x-ray film printer on the same network uploaded malware to the simulated medical device, instructing it to scan for patient records and contact external command-and-control servers.
Further investigation revealed that the printer manufacturer had been compromised at the source, with firmware being poisoned before distribution. With over 100,000 compromised devices in circulation and a single medical record fetching £40 on black markets, the scale of potential damage was enormous.
This example illustrates how seemingly innocuous devices connected to critical networks can serve as attack vectors. Medical equipment frequently runs outdated operating systems that cannot be easily patched due to certification requirements, creating persistent vulnerabilities.
Critical Infrastructure in the Crosshairs
The Colonial Pipeline incident in May 2021 demonstrated how ransomware could disrupt fuel delivery across the US East Coast; the company paid a ransom of 75 bitcoin, roughly $4.4 million at the time. The attackers needed nothing exotic: they logged in through a legacy VPN account that had no multi-factor authentication, using a password that had already appeared in a credential leak. Ordinary failures in external-facing access, not novel exploits, were enough to affect an essential service.
Internet-facing Remote Desktop Protocol (RDP) services are a particularly common entry point. Cheap cloud compute lets attackers throw enormous volumes of password guesses at these services, and if credentials have already leaked to the dark web – an increasingly common scenario – no guessing is needed at all: the attacker simply logs in with a valid password, which is why credential stuffing is so hard to tell apart from a legitimate session. RDP should not be exposed directly to the internet; where remote access is unavoidable, put it behind a VPN or gateway with multi-factor authentication, and monitor for bursts of failed logons followed by a success.
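Detection is the other half of that advice. The block below is an added example, not Razorthorn’s code, showing how the three patterns described above (a high-rate brute-force burst, a low-and-slow password spray across many accounts, and the success that follows either) can be spotted in Windows logon telemetry. The event lines are constructed in a simplified one-line form carrying the fields that matter (timestamp, Event ID, logon type, target user, source IP); a real deployment would read the same fields from Security log events 4625 (failed logon) and 4624 (successful logon) through the SIEM. Logon type 10 (RemoteInteractive) is what an RDP session produces; the window size and thresholds are assumptions to tune for your environment.

```python
"""Detect brute force, password spraying and credential stuffing against an
exposed RDP service from Windows logon events.

Added example, not Razorthorn's code. Event lines are constructed in a
simplified form; real data comes from Security events 4625/4624.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)"
)
RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a logon event in the expected form
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "eid": int(m["eid"]), "lt": int(m["lt"]),
            "user": m["user"].lower(), "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=5), fail_threshold=20, spray_users=5):
    """Return a list of alerts, one per (source IP, rule).

    rdp_brute_force      : >= fail_threshold failures from one IP inside `window`
    rdp_password_spray   : failures against >= spray_users distinct accounts from one IP
    rdp_success_after_attack: a successful logon from an IP already flagged by
                              either rule; this is the one worth paging on
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["lt"] == RDP_LOGON_TYPE:
            by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["eid"] == 4625]
        burst, start = False, 0
        for end in range(len(fails)):  # sliding window over the failure timestamps
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                burst = True
                break
        users = {e["user"] for e in fails}
        spray = len(users) >= spray_users
        if burst:
            alerts.append({"ip": ip, "rule": "rdp_brute_force", "failures": len(fails)})
        if spray:
            alerts.append({"ip": ip, "rule": "rdp_password_spray", "users": sorted(users)})
        if burst or spray:
            for e in evs:
                if e["eid"] == 4624 and any(f["ts"] <= e["ts"] for f in fails):
                    alerts.append({"ip": ip, "rule": "rdp_success_after_attack", "user": e["user"]})
                    break
    return alerts


def _line(ts, eid, user, ip):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} EventID={eid} LogonType=10 TargetUser={user} SourceIP={ip}"


def sample_log():
    """Constructed events, not real telemetry (RFC 5737 documentation addresses)."""
    t0 = datetime(2025, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 25 guesses at one account in two minutes, then a success: a leaked or
    # guessed password has just been used.
    for i in range(25):
        lines.append(_line(t0 + timedelta(seconds=5 * i), 4625, "administrator", "198.51.100.50"))
    lines.append(_line(t0 + timedelta(seconds=130), 4624, "administrator", "198.51.100.50"))
    # One attempt each against six accounts: a spray that stays under lockout thresholds.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(_line(t0 + timedelta(seconds=30 * i), 4625, user, "203.0.113.99"))
    # A legitimate user mistypes twice and then logs in: no alert.
    lines.append(_line(t0, 4625, "grace", "192.0.2.20"))
    lines.append(_line(t0 + timedelta(seconds=20), 4625, "grace", "192.0.2.20"))
    lines.append(_line(t0 + timedelta(seconds=40), 4624, "grace", "192.0.2.20"))
    return lines


if __name__ == "__main__":
    for alert in detect(parse(sample_log())):
        print(alert)
```

Two caveats from practice. A pure credential-stuffing login with a valid leaked password produces no failure burst at all, which is why the exposure itself, not just the detection, has to go. And when Network Level Authentication is enabled the failed attempts are commonly recorded with logon type 3 rather than 10, so widen the logon-type filter to match what your hosts actually emit before trusting the rule.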
The financial impact of these attacks continues to grow. Beyond direct ransom payments, organisations face costs related to incident response, system recovery, regulatory penalties and reputational damage, often exceeding several million pounds.
Building a Modern Defence Strategy
Regulatory Drivers and Cultural Foundations
The Digital Operational Resilience Act (DORA) exemplifies the trend toward stronger regulation, particularly for financial services, establishing clear requirements for managing ICT risk, including the technology assets that make up the attack surface. DORA places ultimate responsibility for that risk on the management body, and member states may back its requirements with administrative and, in some jurisdictions, criminal penalties, so senior executives are increasingly exposed personally to the consequences of security failures.
However, compliance should never be the sole driver for security investments. Organisations must develop a culture that recognises the fundamental importance of protecting customer data and business operations. This cultural approach must permeate throughout the organisation, from C-suite to frontline staff.
Building awareness requires investment in training and appropriate compensation structures that reflect the critical nature of security responsibilities. When employees understand the importance of security and their role in maintaining it, they become a critical line of defence rather than the “weakest link” often cited in security discussions.
Real-Time Discovery and Integration
Real-time discovery capabilities must replace traditional periodic scanning. The most effective solutions continuously monitor the internet for assets attributable to your organisation, identifying new exposures as they appear. This allows security teams to match the velocity of both business changes and attacker reconnaissance.
When scanning the internet daily, organisations can identify exposed assets, certificates, domains and vulnerabilities that might otherwise remain hidden for months. Advanced platforms can provide details about newly announced CVEs within 24 hours, giving security teams a critical time advantage in remediation efforts.
The relationship between attack surface management and vulnerability management requires particular attention. While vulnerability management traditionally focuses on internal systems, attack surface management extends this visibility to internet-facing assets. Together, they provide comprehensive coverage across the entire technology estate.
Threat intelligence integration enriches attack surface data with contextual information about active exploitation. When new vulnerabilities emerge, organisations need the ability to rapidly determine if they’re affected and prioritise remediation based on the likelihood of exploitation.
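The prioritisation rule described here and under Business Context and Vulnerability Management above (technical severity weighted by what the asset is, where it can reach, whether it is exposed, whether the flaw is being exploited in the wild, and how long it has been open) is easy to state and worth writing down so the team applies it consistently. The block below is an added example, not Razorthorn’s code. The findings, asset tiers, weights and SLA figures are constructed assumptions; the finding references are placeholders, not CVE numbers, and the `actively_exploited` flag stands in for a threat-intelligence feed such as a known-exploited-vulnerabilities list.

```python
"""Risk-based prioritisation of findings using business context and threat
intelligence rather than CVSS alone.

Added example, not Razorthorn's code. Findings, tiers, weights and SLAs
are constructed assumptions; references like "F-1" are placeholders.
"""
from dataclasses import dataclass

# Assumed business tiers: how much a compromise of the asset would hurt.
TIER_WEIGHT = {"critical": 1.5, "high": 1.2, "low": 1.0}


@dataclass(frozen=True)
class Finding:
    ref: str
    asset: str
    cvss: float
    criticality: str                 # business tier of the asset
    internet_facing: bool
    reaches_sensitive_network: bool  # host can pivot into a sensitive segment
    actively_exploited: bool         # from threat intelligence
    exposure_days: int
    patch_disruptive: bool = False   # patching needs an outage or re-certification


def score(f):
    """Technical severity weighted by business tier, plus context bonuses."""
    s = f.cvss * TIER_WEIGHT[f.criticality]
    if f.actively_exploited:
        s += 4.0  # exploitation in the wild outweighs a point or two of CVSS
    if f.internet_facing:
        s += 2.0
    if f.reaches_sensitive_network:
        s += 2.0
    if f.exposure_days > 30:
        s += 1.0  # long-lived exposures are the ones attackers have had time to find
    return round(s, 1)


def remediation_sla_hours(f):
    """Assumed SLAs: hours, not days, once something exposed is being exploited."""
    if f.internet_facing and f.actively_exploited:
        return 24
    if f.internet_facing or f.actively_exploited:
        return 72
    return 14 * 24 if f.cvss >= 7.0 else 30 * 24


def plan(f):
    """Patching a critical system may disrupt operations: cut the exposure first."""
    if f.patch_disruptive and f.criticality == "critical":
        return "mitigate now (restrict exposure, ACL/segmentation, virtual patch), patch in next change window"
    return "patch within SLA"


def triage(findings):
    """Highest score first; ties broken by how long the exposure has been open."""
    return sorted(findings, key=lambda f: (-score(f), -f.exposure_days))


SAMPLE_FINDINGS = [  # constructed
    Finding("F-1", "jump-host-01", 7.5, "high", True, True, True, 45),
    Finding("F-2", "lab-db-03", 9.8, "low", False, False, False, 5),
    Finding("F-3", "pacs-server", 8.0, "critical", False, True, True, 200, patch_disruptive=True),
    Finding("F-4", "marketing-site", 5.3, "low", True, False, False, 2),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{f.ref} {f.asset:15} cvss={f.cvss} score={score(f)} "
              f"sla={remediation_sla_hours(f)}h  {plan(f)}")
```

The point of the sample set is F-2: the highest CVSS on the list lands third, because it sits on an isolated low-tier lab system with no sign of exploitation, while the 7.5 on an internet-facing jump host that can reach sensitive networks, and the exploited flaw on the critical imaging server, both outrank it. The imaging server also shows the operational caveat from the earlier section: when patching is disruptive the right first move is to cut the exposure and schedule the patch, not to leave the finding untouched until a change window arrives.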
Security teams must establish strong partnerships with business units and development teams to embed security considerations into the deployment process rather than applying them retrospectively. When developers understand attack surface risks, they design more resilient systems from the outset.
Conclusion
Security as Competitive Advantage
The evolution of attack surface management reflects fundamental changes in how organisations build and manage technology. As infrastructure becomes more distributed, dynamic and interconnected, the challenge of maintaining visibility has grown exponentially. Traditional approaches focused on periodic assessments no longer suffice.
Effective attack surface management requires continuous monitoring across the entire digital footprint. The ability to identify vulnerabilities in real-time has become a critical differentiator between organisations that suffer repeated breaches and those that maintain resilient security postures. This continuous visibility must be matched with responsive remediation capabilities to minimise exposure windows.
Beyond technology, building a culture that values security remains essential. Every employee must understand their role in protecting the organisation, supported by leadership that prioritises security investments. Compliance requirements can drive initial action, but lasting improvements require deeper organisational commitment.
The Future of Attack Surface Management
Supply chain security deserves particular attention in modern security strategies. Organisations can no longer outsource risk – they remain responsible for breaches that occur through third parties. The most mature organisations evaluate suppliers based on observable security practices rather than simply reviewing compliance documentation.
As we look to the future, attack surface management will become increasingly automated, with artificial intelligence helping to identify patterns and predict vulnerabilities before they’re exploited. The most successful organisations will integrate these capabilities into a seamless security fabric that adapts dynamically to emerging threats.
In this environment, security becomes a genuine competitive advantage. Organisations that demonstrate robust attack surface management capabilities will earn greater trust from customers, partners and regulators, while those that neglect this discipline will face escalating breach costs and difficulty maintaining business relationships.
The fundamental insight remains as true today as in Sun Tzu’s time: understanding your attack surface is the essential foundation for effective defence in an environment where attackers continuously probe for the slightest weakness.