Understanding Attack Surface In Network Security

Understanding Attack Surface In Network Security


Recall that a vulnerability is a weakness in a system or its design that could be exploited by a threat. An attack surface is the total sum of the vulnerabilities in a given system that is accessible to an attacker. The attack surface can consist of open ports on servers or hosts, software that runs on internet-facing servers, wireless network protocols, and even users. This article talks about attack surface in network security. 

The attack surface is continuing to expand, as shown in the figure. More devices are connecting to networks through the Internet of Things (IoT) and Bring Your Own Device (BYOD).
Much of network traffic now flows between devices and some locations in the cloud. Mobile device use continues to increase. All of these trends contribute to a prediction that global IP traffic will increase threefold in the next five years.
The SANS Institute describes three components of the attack surface:

  • Network Attack Surface – The attack exploits vulnerabilities in networks. This can include conventional wired and wireless network protocols, as well as other wireless protocols used by smartphones or IoT devices. Network attacks also exploit vulnerabilities at the network and transport layers.
  • Software Attack Surface – The attack is delivered through the exploitation of vulnerabilities in web, cloud, or host-based software applications.
  • Human Attack Surface – The attack exploits weaknesses in user behaviour. Such attacks include social engineering, malicious behaviour by trusted insiders, and user error.


The figure shows a circled building with textboxes around it. Each textbox has an arrow pointing toward the building. Textbox I o T connected devices projected to double to 30 billion by 2020. Cloud – by 2020 92% of data centre workloads will be processed by cloud data centres.
Mobility 20% of total IP traffic will be from mobile devices by 2021. Global operations global IP traffic will increase nearly threefold over the next five years. B Y O D Gartner predicts that 70% of professionals will conduct work on their own smart devices by 2018.

An Expanding Attack Surface

Application Blacklisting and Whitelisting

One way of decreasing the attack surface is to limit access to potential threats by creating lists of prohibited applications. This is known as blacklisting.
Application blacklists can dictate which user applications are not permitted to run on a computer. Similarly, whitelists can specify which programs are allowed to run, as shown in the figure. In this way, known vulnerable applications can be prevented from creating vulnerabilities on network hosts.


Whitelists are created in accordance with a security baseline that has been established by an organization.
The baseline establishes an accepted amount of risk and the environmental components that contribute to that level of risk. Non-whitelisted software can violate the established security baseline by increasing risk.
The figure shows a PC with two clouds below it labelled as white list apps and blacklist apps. There is an arrow going from the white list apps cloud pointing toward the p c and a textbox that states allow only. The blacklist apps has an arrow pointing to the p c and a textbox that reads prevent only beside the arrow.

Application Blacklisting and Whitelisting

The figure shows the Windows Local Group Policy Editor blacklisting and whitelisting settings.
Websites can also be whitelisted and blacklisted. These blacklists can be manually created, or they can be obtained from various security services.
Blacklists can be continuously updated by security services and distributed to firewalls and other security systems that use them. Cisco’s Firepower security management system is an example of a system that can access the Cisco Talos security intelligence service to obtain blacklists.
These blacklists can then be distributed to security devices within an enterprise network.
Search the internet for The Spamhaus Project, which is an example of a free blacklist service.
The figure shows the windows local group policy editor window with the following settings with a box around it: don't run specified windows applications and run only specified windows applications.

System-Based Sandboxing

Sandboxing is a technique that allows suspicious files to be executed and analyzed in a safe environment. Automated malware analysis sandboxes offer tools that analyze malware behaviour. These tools observe the effects of running unknown malware so that features of malware behaviour can be determined and then used to create defences against it.
As mentioned previously, polymorphic malware changes frequently and new malware appears regularly. Malware will enter the network despite the most robust perimeter and host-based security systems. HIDS and other detection systems can create alerts on suspected malware that may have entered the network and executed on a host.
Systems such as Cisco AMP can track the trajectory of a file through the network, and can “roll back” network events to obtain a copy of the downloaded file. This file can then be executed in a sandbox, such as Cisco Threat Grid Glovebox, and the activities of the file are documented by the system.
This information can then be used to create signatures to prevent the file from entering the network again. The information can also be used to create detection rules and automated plays that will identify other systems that have been infected.


Cuckoo Sandbox is a popular free malware analysis system sandbox. It can be run locally and have malware samples submitted to it for analysis. A number of other online public sandboxes exist. These services allow malware samples to be uploaded for analysis. Some of these services are VirusTotal, Joe Sandbox, and CrowdStrike Falcon Sandbox.


An interesting online tool is ANY.RUN, which is shown in the figure. It offers the ability to upload a malware sample for analysis like any online sandbox. However, it offers a very rich interactive reporting functionality that is full of details regarding the malware sample.
ANY.RUN runs the malware and captures a series of screenshots of the malware if it has interactive elements that display on the sandbox computer screen. You can view public samples that have been submitted by ANY.RUN users to investigate information about newly discovered malware or malware that is currently circulating on the internet.
Reports include network and internet activity of the malware, including HTTP requests and DNS queries. Files that are executed as part of the malware process are shown and rated for threat.
Details are available for the files including multiple hash values, hexadecimal and ASCII views of the file contents, and the system changes made by the files.
In addition, identifying indicators of compromise, such as the malware file hashes, DNS requests, and the IP connections that are made by the malware are also shown. Finally, the tactics taken by the malware are mapped to the MITRE ATT&CK Matrix with each tactic linked to details on the MITRE website.
Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained includes staffs of Dangote Refinery, FCMB, Zenith Bank, New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training. 

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.


Fact Check Policy

CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.



Fact Check Policy

Adeniyi Salau

Adeniyi Salau is a highly dedicated and committed Blogger of repute. He likes sharing his IT knowledge with others. My desire is to impact as many lives as possible with my IT skills. You can download my mobile APP. Download the ICTLOAD APP on Google Playstore. Thanks.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button