The Australian government has yet to release guidance or policy addressing the capability of attack surface management. (Image – Shutterstock)
Fortifying Australian cyber-resilience through attack surface management
• Attack surface management has become a foundational tool in cybersecurity.
• Australia is looking at adding attack surface management to its Essential Eight.
• Australia would be following in the footsteps of both the EU and the US.
Australia has recently witnessed a record number of cyber-incidents. The Australian government has since taken the initiative to strengthen the country’s cyber-resilience. This includes strengthening Australia’s cybersecurity laws by adding attack surface management to its existing security posture.
Australia’s Minister for Home Affairs and Cyber Security, the Hon. Clare O’Neil MP, introduced six key shields that underpin Australia’s upcoming cybersecurity strategy. These shields span diverse domains from advancing automated threat detection, to sharing and blocking, to fostering coordinated global cybersecurity efforts through international collaboration.
Underscoring the crucial need for the government to enhance its cyberdefenses, especially after the recent cyber-incidents in the country, attack surface management has emerged as a cornerstone of effective cybersecurity practice, and is pivotal to creating cyber-resilience across national critical infrastructure.
Palo Alto Networks describes this as the process of continuously identifying, monitoring and managing all internal and external internet-connected assets for potential attack vectors and exposures. Put simply, attack surface management helps organizations gain visibility into, and reduce risks on, their attack surface. Both internal and external attack surface management are necessary, due to the dynamic nature of organizations pursuing a move to the cloud.
Australia’s focus on attack surface management echoes what the United States Cybersecurity and Infrastructure Security Agency (CISA) outlined in its 2024-26 strategic plan for critical infrastructure uplift. CISA states that it will leverage commercial attack surface management to help its critical infrastructure and other partners ‘identify exploited or exploitable conditions and gain a better picture into security trends across the country.’
The European Union also recognized attack surface management’s value in a landmark law in 2022, that encourages national cybersecurity incident response teams to deploy its capabilities to ensure they can ‘identify, understand and manage the entity’s overall organizational risks.’
While the US and EU governments have developed various policies emphasizing the role of attack surface management in national cyber-resilience, the Australian government has yet to release guidance or policy addressing this capability.
Attack surface management is the process of continuously identifying, monitoring and managing all internal and external internet-connected assets for potential attack vectors and exposures. (Image – Shutterstock)
Cyber defence through the eyes of the adversary
According to Sarah Sloan, head of government affairs and public affairs, New Zealand ANZ at Palo Alto Networks, the surge in cloud adoption, continuous digital transformation, and the ubiquitous embrace of remote work – all further accelerated by the disruptive impact of the Covid-19 pandemic – have expanded the digital footprint and attack surface of an average organization. Collectively, Sloan believes, this has rendered corporate and government networks larger, more dispersed and dynamic, and with a constant influx of new assets interfacing with the network.
As Palo Alto Networks 2023 Attack Surface Threat Report highlights, cloud-based IT infrastructure remains in a constant state of flux; in a given month, an average of 20% of an organization’s cloud attack surface will be taken offline and replaced with new or updated services.
“As a consequence, organizations struggle with gaining clear visibility across all their internet-facing assets that may or may not be vulnerable to attacks. This challenge is often compounded by (manually managed) traditional asset discovery and vulnerability management processes, which were developed when corporate networks were more stagnant and centralized. This complex digital environment unfolds against a backdrop of an increasingly hostile cyber-terrain, financial constraints, and a global shortage of cybersecurity expertise,” said Sloan.
In response, Sloan explained that attack surface management has become a foundational element in contemporary cybersecurity practice. It gives organizations a view of their network from an adversary’s perspective – identifying targets and assessing risks based on the opportunities they present to a malicious attacker.
“The ultimate goal of attack surface management is to increase attack surface visibility and reduce risk across both known and unknown assets of which an organization’s security team is unaware and has not authorized or sanctioned,” added Sloan.
Attack surface management brings your vulnerabilities to light.
Setting the direction: attack surface management as a focal point in global government policies
In the US, Sloan pointed out that the government has made a number of references to the strategic importance of attack surface management across various government strategies and reports from the US Congress. CISA not only included attack surface management in its strategic plan for the years 2024-2026 but also released Binding Operational Directive 23-01, which compelled Federal Civilian Executive Branch agencies in the US to perform a range of automated asset discovery and vulnerability enumeration activity.
Sloan also highlighted that the US National Security Agency (NSA) has contributed to this narrative by providing no-cost attack surface management services through its Cybersecurity Collaboration Center to protect defense industrial base (DIB) entities. According to the NSA, its attack surface management service ‘has detected thousands of vulnerabilities on DIB networks and worked with network defenders to implement mitigations before they became compromises.’
There are also various legislative provisions, such as the National Defense Authorization Act, that have called for the US Department of Defense to achieve real-time visibility of all internet-connected assets and attack surfaces across the DoD enterprise using commercial-off-the-shelf (COTS) solutions.
Sloan added that the EU has adopted the revised Network and Information Security Directive (NIS2) that also encourages cybersecurity incident response teams to be able to provide, upon request of a covered entity, ‘a proactive scanning of the network and information systems used for the provision of the entity’s services and assistance in monitoring ‘an entity’s internet-facing assets… to identify, understand and manage the entity’s overall organizational risks.’
“It’s clear in the global context that attack surface management is increasingly seen as playing a critical role in safeguarding national interests,” said Sloan.
“It’s clear in the global context that attack surface management is increasingly seen as playing a critical role in safeguarding national interests,” said Sloan. (Image – Shutterstock)
Enhancing Australian policies to proactively confront cyber-risk
For Sloan, as Australia strives to become the world’s most secure nation by 2030, the government must emphasize the vital role of attack surface management through the forthcoming cybersecurity strategy, which should emphasize the need to integrate it across key government policies such as the ‘Essential Eight’ and the Critical Infrastructure Risk Management Program (CRIMP).
Sloan explains attack surface management (ASM) in both policies below:
1) From the Essential Eight to the Necessary Nine
The Australian Cyber Security Centre’s (ACSC) Essential 8 (E8) has long been positioned as a beacon for organizations to shield themselves against a multitude of cyber-threats. In recent years, the government has promoted these prioritized mitigation strategies as the cybersecurity standard for all organizations and has dedicated substantial resources to the promotion and adoption of the E8 across the federal government. Nonetheless, the E8 does carry certain limitations and while their implementation can be instrumental in preventing threats, for many organizations, effectively implementing these mitigations often presents formidable challenges and substantial costs.
In light of these considerations, the government may wish to expand the E8 to become the ‘Necessary 9,’ incorporating ASM as its foundational cornerstone. Consider this scenario: an organization leveraging an ASM platform gains awareness of potential common vulnerabilities and exposures (CVE), such as a zero-day exploit, within an unpatched internet-facing application – enabling them to prioritize this in the organization’s E8 remediation over an application that may be internal-facing only. By integrating ASM into the E8, government agencies can pivot towards a risk-based approach to cybersecurity, an increasingly indispensable stance, especially within financially constrained circumstances.
Of course, such a paradigm shift should be accompanied by a corresponding revision of the ACSC’s guidance and materials such as the Information Security Manual (ISM) Cybersecurity Principles and Cybersecurity Guidelines. These revisions are vital to engendering a comprehensive understanding among government entities and other stakeholders regarding ASM capabilities, articulating the critical functions essential for an organization’s business operations.
Level up your organization’s cybersecurity measures with the Essential Eight – a set of the most effective mitigation strategies to help organisations protect themselves against cyber-threats. Learn about each strategy & how to start implementing them 👉 https://t.co/KYL1JzAIg8 pic.twitter.com/xrMiU3RajU
— Australian Cyber Security Centre (@CyberGovAU) September 6, 2023
2) Proactive Risk Management for Critical Infrastructure
In 2022, a significant milestone was achieved as the Australian government concluded the final phase of amendments to the Security of Critical Infrastructure Act 2018 to elevate the resilience of Australia’s critical infrastructure across 11 vital sectors. The amended legislation now mandates that critical infrastructure sectors establish a comprehensive CIRMP encompassing an ‘all-hazards’ approach to risk – including cyber and supply chain risks.
To further fortify this framework, the Australian government might consider incorporating ASM capabilities into the CIRMP. The integration of ASM can serve as a catalyst for organizations, empowering them to proactively grapple with cyber-risks, rather than responding reactively to breaches or incidents. Importantly, this proactive engagement enables these entities to strategically allocate resources, effectively prioritizing remediation endeavors – offering a cost-effective approach to cyber-risks.
“In an era where cyber-threats are a constant reality, nations must be proactive in their approach to cybersecurity. Attack surface management has emerged as an effective strategy to enhance cyber-resilience by identifying vulnerabilities and mitigating risks.
“The Australian government should look to provide clear guidance and incentivize the adoption of attack surface management capabilities across government departments and critical infrastructure sectors, thus fortifying its cyber-shields. In doing so, Australia can confront the ever-evolving cyber-threats, reinforce its cyberdefenses and secure its national interests,” concluded Sloan.
READ MORE
- Strategies for Democratizing GenAI
- The criticality of endpoint management in cybersecurity and operations
- Ethical AI: The renewed importance of safeguarding data and customer privacy in Generative AI applications
- How Japan balances AI-driven opportunities with cybersecurity needs
- Deploying SASE: Benchmarking your approach