Any exposed attack surface can be used by an adversary to gain or maintain access to your environment. Security controls are a uniquely high-risk part of your attack surface, because compromising a security control often provides an adversary with privileged and/or uniquely positioned access to the environment. And evidence shows that adversaries are capitalizing on exposed, vulnerable attack surface.
Compromising a security control gives the adversary the ability to perform one or more of the following:
- Manage devices
- Manage identities, including access control and management
- Alter external network access control policies, including: granting remote access to networks, allowing lateral movement between networks, or allowing network egress
- Modify, suppress, or remove logs, alerts, and other evidence of their activities
- Monitor investigative or response activities
- Access sensitive data (particularly problematic if the compromised control issues key material, or performs TLS interception a.k.a. man-in-the-middle)
By contrast, a compromised end user device or endpoint, e.g., a workstation or server, may provide some of the same abilities, but often in a much more limited capacity.