What is the Business Attack Surface?

What is the Business Attack Surface?  Before we can talk about this subject, we need first to understand Digital Presence and Attack Surface.

Digital presence is how we appear online as individuals, organizations, products, and services. Creating a digital presence is motivated by personal/business requirements like self-promotion, regulatory, referential, or relationship management. The landscape of digital presence spans across the open web, deep web, dark web, information repositories, archives, directories, and social networks.

This landscape presents an attack surface with many "attack vectors" from which an adversary can exploit to disrupt/compromise operations or acquire assets.

The technical aspects of the Attack Surface (aka Technical Attack Surface) are commonly cited and addressed by security professionals throughout the digital realm, but only provide a partial view of an organization’s actual “attack surface”.  A complete organizational threat and risk attack surface assessment must consider a company's marketing communications, ongoing business operations, and current financial standing. 

"People are the weakest link into the security chain," is what our engineers commonly say at our DarcSight Labs.  People are responsible for executing daily and ongoing business procedures and practices. Operations and business practices are open to risks, vulnerabilities, and exposures. It is through people, operations, and business practices that attack vectors open up providing opportunities for further exploits into an organization’s IT infrastructure and beyond.  We want to highlight these "other" attack vectors, what we call the Business Attack Surface.

Managing the Business Attack Surface sometimes gets confused with Brand and Reputation Monitoring. Though they may seem similar, the intent and goals are different.  In Brand and Reputation Monitoring, the objective is to facilitate and shape public perception of an organization or individual.

“85 percent of breaches involved a human element.” [1]

With the Technical Attack Surface being connected to vulnerabilities and misconfigurations of applications and IT infrastructure, the Business Attack Surface encompasses everything that is revelatory about the inner workings of an organization. The attack vectors from the Business Attack Surface directly relate to Social Engineering.  Social Engineering in IT security is the use of deception to manipulate individuals into divulging confidential or personal information that bad actors may use for fraudulent purposes.  An organization's adversaries can use data from the Business Attack Surface to target organizations, employees, partners, and all related organizations within its ecosystem.

A bad actor looking to breach an organization through the Business Attack Surface will search for indicators via government-required documentation, sanctioned/un-sanctioned documentation, rumor sites, and online chatter.  For example, as people leave an organization, threaten to leave, or rumors of a reduction in force, bad actors see these individuals as easy targets. Hackers find these individuals as the path of least resistance into an organization and the organization's assets associated with said personnel. These indicators are usually overlooked by security teams and maybe internally considered out-of-scope.

Business risk as defined by investopedia.com is "... the exposure a company or organization has to factor(s) that will lower its profits or lead it to fail. Anything that threatens a company's ability to achieve its financial goals is considered a business risk. There are many factors that can converge to create business risk. Sometimes it is a company's top leadership or management that creates situations where a business may be exposed to a greater degree of risk." [2]

With this definition in mind, we would like to think that business leaders should find it necessary to empower their IT security teams to monitor the Business Attack Surface.  What do you think?  Let us know in the comments below.

[1] https://www.verizon.com/business/resources/reports/dbir/

[2] https://www.investopedia.com/terms/b/businessrisk.asp