Stay informed about the acquisition of Public Interest Registry

by Ethos Capital

Home / Industry

What's in Your Attack Surface?

The concept of "attack surface" has been batted around in the security community for a long time. At a high-level, we all get the gist of it: the more exposed a system is to attackers (attack surface) the more risk it is probably exposing to those who depend on it, but what does that mean? Recently, my colleagues Danny McPherson, Lixia Zhang and I decided that it would be useful to have a definition and a technique that would let people illustrate and quantify systems' attack surfaces. Specifically, we asked the questions: how do we measure attack surfaces, how do we clearly understand the exposure of our systems' attack surfaces, and to understand these things where should we start?

Initially, we sought to understand the attack surfaces of systems that we are already interested in. Our operational responsibilities have motivated us to study topics like secure network protocols and systems, and helped us understand just how pronounced and complicated the systemic dependencies can be in them. One area of study that Verisign Labs and the Verisign CSO office have been investigating for a number of years is secure cryptographic key learning in the Internet. So, we decided to start there, with a topic on which we already have some knowledge.

"Knowing is half the battle!"

Recently, we created a new methodology called Functional Process Digraphs (FPDs) to address these shortcomings: systematically mapping the inherited dependencies of networked systems and quantifying their attack surfaces. Using this technique, we set about measuring and comparing the attack surfaces of deployments of two specific Internet protocols that do cryptographic key learning: the WebPKI and a new protocol called DNS-based Authentication of Named Entities (DANE). Our objective with this research has been to evolve a methodology that lets anyone gain more clarity into the complex protocols running in today's Internet.

We detailed our approach, a round of measurements, and some of our findings in a recent publication titled "The Shape and Size of Threats: Defining a Networked System's Attack Surface." At this year's IEEE Workshop on Secure Network Protocols (NPSec '14) we were presented with the Best Paper Award for this paper.

We were flattered for this recognition as NPSec is well known for publishing top quality works that address protocol-level security research. Among our contributions in this paper, we described:

  • The definition of a networked system's attack surface
  • Repeatable ways in which to quantify networked systems' attack surfaces
  • Observations to help design protocols in a way that can augment their availability without increasing their attack surfaces
  • How much some popular websites would be able to reduce their attack surfaces by deploying DNSSEC, and how much more by deploying DANE
  • A novel visualization technique, called resource tiers, to relate different types of resources in an attack surface in a visual manner

Our hope for this work is that it will serve as a starting point for researchers, engineers, and anyone who is invested in a secure Internet to begin quantifying systemic dependencies and attack surfaces. Additional details can be found in our Verisign Labs Technical Report #1120004. We have plans for follow-on work to apply this methodology to more networked systems and to build on it with techniques like Kill-Chain Analysis.


About Verisign – Verisign, a global provider of domain name registry services and internet infrastructure, enables internet navigation for many of the world's most recognized domain names. Verisign enables the security, stability, and resiliency of key internet infrastructure and services, including providing root zone maintainer services, operating two of the 13 global internet root servers, and providing registration services and authoritative resolution for the .com and .net top-level domains, which support the majority of global e-commerce. To learn more about what it means to be Powered by Verisign, please visit Verisign.comVisit Page

Follow CircleID on

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byWhoisXML API

Brand Protection

Sponsored byAppdetex

IP Addressing

Sponsored byAvenue4 LLC

DNS Security

Sponsored byAfilias


Sponsored byThreat Intelligence Platform

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias


Sponsored byVerisign