Any exposed attack surface can be used by an adversary to gain or maintain access to your environment. Security controls are a uniquely high-risk part of your attack surface, because compromising a security control often provides an adversary with privileged and/or uniquely positioned access to the environment. And evidence shows that adversaries are capitalizing on exposed, vulnerable attack surface.

Compromising a security control gives the adversary the ability to perform one or more of the following:

  • Manage devices
  • Manage identities, including the access controls attached to them
  • Alter network access control policies, for example to grant remote access into a network, permit lateral movement between networks, or permit network egress
  • Modify, suppress, or remove logs, alerts, and other evidence of their activities
  • Monitor investigative or response activities
  • Access sensitive data (particularly problematic if the compromised control issues key material, or performs TLS interception a.k.a. man-in-the-middle)

By contrast, a compromised endpoint, e.g., an end-user workstation or a server, may provide some of the same abilities, but usually in a much more limited capacity.
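One concrete check that follows from the list above, in particular the ability to suppress or remove logs: a security control that stops reporting, or that has an unexplained hole in its event stream, deserves an alert just as much as a control that reports something bad. The script below is an added example and not code from the original page; the log lines, the source names (fw-edge, edr-mgr, idp-sso, siem-fwd), the inventory of expected sources, and the 20-minute threshold are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample, not from the original page: one syslog-style line per
# event from three security controls. "fw-edge" stops reporting after 09:20,
# "edr-mgr" has a 40-minute hole between two heartbeats, and a fourth control,
# "siem-fwd", is in the inventory but never appears at all.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z fw-edge ACCEPT src=10.0.1.5 dst=203.0.113.9
2024-03-01T09:05:00Z edr-mgr heartbeat agents=412
2024-03-01T09:10:00Z fw-edge DROP src=198.51.100.7 dst=10.0.2.3
2024-03-01T09:15:00Z idp-sso login user=alice result=ok
2024-03-01T09:20:00Z fw-edge ACCEPT src=10.0.1.9 dst=203.0.113.9
2024-03-01T09:30:00Z idp-sso login user=bob result=ok
2024-03-01T09:45:00Z edr-mgr heartbeat agents=411
2024-03-01T09:50:00Z idp-sso login user=carol result=fail
"""

# Hypothetical inventory of controls that are expected to report continuously.
EXPECTED_SOURCES = {"fw-edge", "edr-mgr", "idp-sso", "siem-fwd"}

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    """Parse a UTC timestamp like 2024-03-01T09:00:00Z into an aware datetime."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_events(text):
    """Turn raw log lines into (timestamp, source) pairs, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, _message = line.split(" ", 2)
        events.append((parse_ts(ts), source))
    return events


def find_silent_sources(events, expected, now, max_gap_seconds):
    """Return {source: seconds_since_last_event} for each expected source that
    has been quiet longer than max_gap_seconds as of `now`. A source with no
    events at all is reported with the value None."""
    last_seen = {}
    for ts, source in events:
        if source not in last_seen or ts > last_seen[source]:
            last_seen[source] = ts
    silent = {}
    for source in sorted(expected):
        ts = last_seen.get(source)
        if ts is None:
            silent[source] = None
        elif (now - ts).total_seconds() > max_gap_seconds:
            silent[source] = int((now - ts).total_seconds())
    return silent


def find_internal_gaps(events, max_gap_seconds):
    """Return (source, gap_start, gap_end, seconds) for every hole longer than
    max_gap_seconds between consecutive events from the same source. A source
    that resumed after such a hole may have had forwarding paused, or a window
    of records removed, in the meantime."""
    by_source = {}
    for ts, source in events:
        by_source.setdefault(source, []).append(ts)
    gaps = []
    for source in sorted(by_source):
        stamps = sorted(by_source[source])
        for earlier, later in zip(stamps, stamps[1:]):
            gap = (later - earlier).total_seconds()
            if gap > max_gap_seconds:
                gaps.append((source, earlier.strftime(TS_FORMAT),
                             later.strftime(TS_FORMAT), int(gap)))
    return gaps


def run_checks(text=SAMPLE_LOG, now="2024-03-01T09:55:00Z", max_gap_seconds=20 * 60):
    """Run both checks against the log text and return (silent_sources, internal_gaps)."""
    events = parse_events(text)
    return (find_silent_sources(events, EXPECTED_SOURCES, parse_ts(now), max_gap_seconds),
            find_internal_gaps(events, max_gap_seconds))


if __name__ == "__main__":
    silent, gaps = run_checks()
    for source, age in silent.items():
        print(f"ALERT {source}: " + ("never reported" if age is None else f"silent for {age}s"))
    for source, start, end, seconds in gaps:
        print(f"ALERT {source}: no events between {start} and {end} ({seconds}s)")
```

The threshold should be tuned per source: a firewall that normally logs every few seconds can tolerate a much shorter window than an identity provider that is quiet overnight. The inventory of expected sources is the important part; without it, a control that is unplugged from the SIEM simply disappears rather than raising an alert.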
