What security lessons can you learn from your attack surface score?

Increasing digitalization and connectivity mean the attack surfaces of most organizations are growing. This means more IT assets to track and manage, plus more potential attack routes for threat actors to target. The threat situation is constantly increasing, especially in the area of vulnerabilities – last year over 30,000 new vulnerabilities were published. So how can you get an accurate view of your attack surface and where it might be open to exploitation?

An effective way to assess and improve your overall cybersecurity posture is to map and analyze your attack surface and get an ‘attack surface score.’ We’ll explain why your attack surface score is worth knowing and even show you how to get a free attack surface analysis.

What is an attack surface score? 

How well is your organization’s online infrastructure maintained on the internet? Is your cybersecurity hygiene okay? Do you have many vulnerabilities causing possible entry ways for cyber-attackers into your organization? How well does your organization do compared to other companies in the same industry?With attack surface scoring, you can answer those questions. 

The best way to calculate an attack surface score is through an External Attack Surface Management solution. The attack surface score is an assessment of an organization’s total external attack surface. This assessment is based on various cybersecurity elements, including technical, human, procedural, regulatory, organizational, and physical aspects. All of these elements are designed to protect the integrity, confidentiality, and availability of information and systems. In this way, vulnerabilities can in turn be identified, and priorities set to increase the cyber resilience of the company. 

How is the attack surface score calculated? 

The attack surface score is a complex assessment that considers and weighs multiple areas of an organization’s attack surface. A score is set and maintained on three levels:

  1. Asset: each asset – an asset is defined as a website, (sub)domain, IP host or certificate – in the Sweepatic Platform receives a score across the six dimensions explained below. You can consult asset scores in the asset inventory throughout the platform. In the asset card details, you can see the asset score breakdown per dimension.
  2. Scope: in an EASM dashboard, you can see the aggregated score for the entire attack surface scope. Here you get an overview of the prioritized observations or issues per dimension and you can quickly see which issues need to be fixed to improve the score.
  3. Observation: Each observation is linked with a certain security dimension and is scored within this dimension.
Attack Surface Score

Outpost24’s EASM solution calculates a score for six key cybersecurity dimensions and a total score for the attack surface. A cybersecurity dimension is scored overall by aggregating scores of all assets for that cybersecurity dimension. An attack surface is scored overall by aggregating scores of all assets and of all cybersecurity dimensions. This aggregation is done via a weighted average where worse scores receive a higher weight. Here are the six dimensions we measure:

1. Identification of the attack surface 

First, all internet-connected assets and resources are identified. This includes web servers, cloud services, network devices, and other digital components that can be potential points of attack. EASM solutions are able to discover both known and unknown internet-facing assets.

Vulnerability assessment 

This is followed by a thorough analysis of the vulnerabilities, including known vulnerabilities in software versions, missing patches, and configuration issues. Each vulnerability is weighted according to its risk. 

Vulnerabilities are reported when Sweepatic finds software versions that have known vulnerabilities. As we take a strong discovery approach, the Sweepatic asset discovery accuracy and completeness is best-in-class, increasing the yield in finding many exposed CVEs, including but not limited, related to infrastructure and (3rd party) web application technologies. The average score for this dimension is C and can be improved by updating software versions.

2. Analysis of the configuration 

The EASM solution verifies that IT resources are configured according to established security policies. This includes evaluating security headers, access controls, and implementing authentication methods. Also missing or weak SPF and DMARC records fall in this category. On average, an organization scores a D for this dimension. Score improvement is achieved by actions such as configuring all records correctly, only set cookies after user consent is received, etc.

3. Assessment of exposed services 

Applications or services that are accidentally or intentionally accessible directly via the internet are evaluated. These include protocols for authentication and authorization, and the need to take certain services offline or implement access restrictions. Better and more secure architectures and setups exist to securely make use of these services. This dimension also scores a D. This score can be improved by taking the service offline or whitelisting the access.

4. Encryption check 

The validity and strength of the encryption, especially of SSL certificates, is checked. It ensures that all connections are secure and protected from man-in-the-middle attacks. A man-in-the-middle attack is a cyberattack in which an attacker secretly intercepts or alters communications between two parties in order to steal or manipulate sensitive information.

An example of a man-in-the-middle attack is when an attacker on a public Wi-Fi network intercepts traffic between a user and a banking website and steals the user’s login credentials. Also, visiting websites with red error messages in the browser is not great for the reputation and trustworthiness of your brand. This is the worst scoring dimension with an average of E. Improving this score can be realized by securing all connections with up-to-date protocols and making sure every website has a valid and unexpired SSL certificate.

5. Reputation monitoring 

The winner of best scoring cybersecurity dimension is reputation. In these Sweepatic checks, the reputation of discovered IP addresses is verified in external spam and blocklist security services. Reputation issues can lead to service degradation and performance issues. Although the average score is A for this dimension, there is still some room to improve. You can check why your asset is blocklisted, solve the problem and notify the entity blocking you. Alternatively you can set up a new host – that is not blocklisted – after solving the problem.

6. Cyber hygiene evaluation 

The overall cyber hygiene of the digital environment is assessed, including the management of outdated websites, unused or expired domains, and unnecessary digital footprints. 

Hygiene based risks usually have a low priority, and are not a direct cybersecurity risk. They can be sources for information gathering, or point to online assets that are not setup according to standards, or possible candidates for taking offline. Although not high in priority in terms of risk, the first line of defense against bad actors remains keeping your external attack surface clean and tidy. Therefore, this dimension cannot be underestimated and points out quick wins and forgotten, outdated assets. The score of C indicates there is some work to be done in this category, by fixing unexpected status codes, updating copyright signs to the current year, and avoiding default webserver installations, like Azure, IIS and Plesk.

Search for compromised credentials 

In addition, Outpost24’s EASM solution integrates Threat Intelligence to check whether there are leaked credentials from users linked to your domains online. 

Why is it valuable to know your attack surface score?

  1. More insights and easy to consume information: The six dimensions each give more insights in the entire attack surface, they explain where to look for problems in your attack surface and how to address them in the remediation phase. A bad score means you have an opportunity to take actions and improve the score. The dimensions represent Sweepatic’s suggestions to clean up the attack surface.
  2. Easier prioritization and workflow: The score tells you where to start. When you know what issues to focus on, you can prioritize the ones to fix first. Instead of having a long flat list to sift through, you can now start with the dimensions that score worst. The Sweepatic Platform guides you where to focus on first.
  3. Reporting: The score of your attack surface indicates how well you are doing and how you are improving the organization’s online presence towards management.
  4. Save time: All of the above boils down to saving time. You get better insights more quickly. The MTTD (or Mean Time To Detect) improves significantly. As the Sweepatic Platform is a purpose-build attack surface management platform, you can focus on the remediation process, address issues to fix and make your organization more cyber resilient.
  5. Historical trend: The trendline in the scoring feature, provides a historic overview of the evolution of your attack surface score over time.
  6. Industry comparison: Soon we will release a benchmark feature, allowing a score comparison between your organization on one hand and your sector and other industries on the other hand.

Early detection of cybersecurity risks and increased cyber resilience 

By continuously monitoring and assessing all internet-connected assets and their security status, organizations can identify vulnerabilities before they are exploited by attackers. Continuous monitoring and improvement of the attack surface increases an organization’s cyber resilience. A reduced and well-managed attack surface means that it becomes more difficult for attackers to penetrate the system. It also makes the company more resilient to cyberattacks by minimizing potential entry points and strengthening security protocols. 

Attack surface score benchmarking

Outpost24’s Sweepatic EASM has a ‘Score Benchmark’ feature that offers an additional scoring analysis of all assets of the external attack surface. It delivers real-time data on customers’ observed risks and associated priorities compared to the average score of other scopes in the Sweepatic EASM Platform combined with industry benchmarks. Score benchmark answers the ‘how does my scope compare to others‘ question asked by many. It is incredibly user-friendly, intuitive to navigate, and easy to understand score data.

The score benchmark acts as a crystal-clear window into your security posture, enabling you to gauge your resilience against potential threats. 

  • It provides a tangible metric to demonstrate due diligence to clients, auditors, and partners. 
  • You can measure the effectiveness of your security initiatives and adapt and allocate resources based on real-time data.
  • It delivers a clear assessment of an organization’s security posture compared to industry standards.
  • It helps you to set realistic goals to continuously improve the security posture of your company.

How does your external attack surface perform? 

The attack surface score is an indispensable tool for modern companies that take their cybersecurity seriously. It provides a clear and measurable assessment of the security posture, enables effective prioritization of actions, and helps increase cyber resilience. By continuously monitoring the attack surface score and adjusting accordingly, the organization remains secure and better prepared for future threats. 

Book your free attack surface analysis here.

About the Author

Marcus White Cybersecurity Specialist, Outpost24

Marcus is an Outpost24 cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.