
What's in Your Attack Surface?

The concept of "attack surface" has been batted around in the security community for a long time. At a high level, we all get the gist of it: the more of a system that is exposed to attackers (its attack surface), the more risk it probably imposes on those who depend on it. But what does that actually mean? Recently, my colleagues Danny McPherson, Lixia Zhang and I decided that it would be useful to have a definition and a technique that let people illustrate and quantify systems' attack surfaces. Specifically, we asked three questions: how do we measure attack surfaces, how do we clearly understand the exposure of our systems' attack surfaces, and where should we start in order to understand these things?

Initially, we sought to understand the attack surfaces of systems we were already interested in. Our operational responsibilities have motivated us to study topics like secure network protocols and systems, and have helped us understand just how pronounced and complicated the systemic dependencies in them can be. One area that Verisign Labs and the Verisign CSO office have been investigating for a number of years is secure cryptographic key learning in the Internet, so we decided to start there, with a topic on which we already had some knowledge.

"Knowing is half the battle!"

Recently, we created a new methodology called Functional Process Digraphs (FPDs) to address those questions: it systematically maps the inherited dependencies of networked systems and quantifies their attack surfaces. Using this technique, we set about measuring and comparing the attack surfaces of deployments of two Internet protocols that do cryptographic key learning: the WebPKI and a newer protocol called DNS-based Authentication of Named Entities (DANE). Our objective with this research has been to evolve a methodology that lets anyone gain more clarity into the complex protocols running in today's Internet.

We detailed our approach, a round of measurements, and some of our findings in a recent publication titled "The Shape and Size of Threats: Defining a Networked System's Attack Surface." At this year's IEEE Workshop on Secure Network Protocols (NPSec '14) we were presented with the Best Paper Award for this paper.

We were flattered by this recognition, as NPSec is well known for publishing top-quality work on protocol-level security research. Among the contributions in this paper, we described:

  • The definition of a networked system's attack surface
  • Repeatable ways in which to quantify networked systems' attack surfaces
  • Observations to help design protocols in a way that can augment their availability without increasing their attack surfaces
  • How much some popular websites would be able to reduce their attack surfaces by deploying DNSSEC, and how much more by deploying DANE
  • A novel visualization technique, called resource tiers, to relate different types of resources in an attack surface in a visual manner
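To make the kind of counting in the list above concrete, here is an added Python example. It is not code from the paper and does not implement FPDs; it uses a much simpler proxy, a dependency digraph whose transitively reachable resources are taken as the attack surface, for one hypothetical site under three deployments (WebPKI alone, WebPKI with the zone signed under DNSSEC, and DANE with a DANE-EE TLSA record). The graph shape, the node names, the tier prefixes, the four-CA trust store, the assumption of a validating resolver and the resulting counts are all constructed for this illustration; they are chosen only to show why signing the zone removes caches and network paths from the surface and why DANE removes the set of CAs.

```python
"""Added illustration (not the FPD methodology from the paper): approximate a
client's attack surface for learning one site's TLS key as the set of resources
transitively reachable in a dependency digraph. All graphs, node names and
counts below are constructed for this example."""
from collections import deque

DEPLOYMENTS = ("webpki", "webpki+dnssec", "dane")


def dependency_graph(deployment: str, n_cas: int = 4) -> dict[str, list[str]]:
    """Build a hypothetical digraph: an edge a -> b means resource a must trust b.
    Node names carry a tier prefix (dns:, dnssec:, net:, key:, ca:) used only
    for grouping; the site 'example.com' and the CA count are placeholders."""
    if deployment not in DEPLOYMENTS:
        raise ValueError(f"unknown deployment {deployment!r}")
    g: dict[str, list[str]] = {}

    # Tier: name resolution. With unsigned DNS every cache and network path
    # between client and authoritative servers can substitute an answer. With
    # DNSSEC (assuming a validating resolver) only the chain of zone keys can.
    if deployment == "webpki":
        g["dns:resolution"] = [
            "dns:recursive-cache", "net:client<->recursive",
            "net:recursive<->authoritative",
            "dns:root-auth", "dns:com-auth", "dns:example.com-auth",
        ]
    else:
        g["dns:resolution"] = [
            "dnssec:root-trust-anchor", "dnssec:com-zone-keys",
            "dnssec:example.com-zone-keys",
        ]

    # Tier: key learning.
    if deployment == "dane":
        # TLSA record (assumed usage DANE-EE, RFC 6698) lives in the signed zone,
        # so the key source adds nothing beyond the DNSSEC chain already trusted.
        g["key:tlsa-record"] = ["dnssec:example.com-zone-keys"]
        g["client"] = ["dns:resolution", "key:tlsa-record"]
    else:
        # Any CA in the trust store may issue for the site, and each CA's domain
        # validation itself rides on DNS plus a network path to the site.
        g["key:ca-store"] = [f"ca:{i}" for i in range(1, n_cas + 1)]
        for i in range(1, n_cas + 1):
            g[f"ca:{i}"] = [f"ca:{i}-domain-validation"]
            g[f"ca:{i}-domain-validation"] = ["dns:resolution", "net:ca<->example.com"]
        g["client"] = ["dns:resolution", "key:ca-store"]
    return g


def reachable(graph: dict[str, list[str]], start: str) -> set[str]:
    """Breadth-first transitive closure; the start node itself is excluded."""
    seen: set[str] = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    seen.discard(start)
    return seen


def attack_surface(deployment: str, n_cas: int = 4) -> set[str]:
    """Resources whose compromise could change the key the client accepts."""
    return reachable(dependency_graph(deployment, n_cas), "client")


def by_tier(resources: set[str]) -> dict[str, int]:
    """Group a surface by its tier prefix, in the spirit of resource tiers."""
    tiers: dict[str, int] = {}
    for r in sorted(resources):
        tier = r.split(":", 1)[0]
        tiers[tier] = tiers.get(tier, 0) + 1
    return tiers


if __name__ == "__main__":
    for d in DEPLOYMENTS:
        s = attack_surface(d)
        print(f"{d:14s} total={len(s):2d} {by_tier(s)}")
```

Running it shrinks the three totals in the order the list above predicts (the CA tier disappears only under DANE, the network-path tier mostly under DNSSEC). What the paper's method adds over this toy, and what is deliberately not reproduced here, is the systematic derivation of the graph from the protocol's functional processes rather than from a hand-written edge list.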

Our hope for this work is that it will serve as a starting point for researchers, engineers, and anyone who is invested in a secure Internet to begin quantifying systemic dependencies and attack surfaces. Additional details can be found in our Verisign Labs Technical Report #1120004. We have plans for follow-on work to apply this methodology to more networked systems and to build on it with techniques like Kill-Chain Analysis.


About Verisign – Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world's most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net domains and two of the internet's root servers, as well as performs the root-zone maintainer functions for the core of the internet's Domain Name System (DNS).

Related topics: Cyberattack, Cybersecurity, DNS Security
