
In “The Biggest Security Risk Isn’t Malware — It’s What You Already Trust,” I made the simple argument that the most dangerous activity within most organizations no longer looks like an attack. It looks like administration. PowerShell, WMIC, netsh, Certutil, MSBuild — the same trusted utilities that IT teams use every day are also the toolkits of choice for modern threat actors. Bitdefender analyzed 700,000 high-severity incidents and found that legitimate tools were being abused in 84% of them.
The most common response we heard was a fair one: “I know.” So what can we actually do about it?
Bitdefender’s free internal attack surface assessment is built to answer this. It’s a 45-day, low-effort initiative available to organizations with 250+ employees that transforms the abstract problem of “living off the land” into a concrete, prioritized list of users, endpoints, and tools that can be safely taken away from attackers without business interruption.
Why this, why now?
A clean install of Windows 11 ships with 133 unique living-off-the-land binaries (LOLBins) across 987 instances. Bitdefender Labs telemetry showed that PowerShell was active on 73% of endpoints, and on many of them it was being invoked silently by third-party applications rather than by a person. This is not a malware issue. It is an over-entitlement issue, and it cannot be fixed by applying a patch.
Gartner currently predicts that preemptive cybersecurity will account for 50% of IT security spending by 2030, up from less than 5% in 2024, and that 60% of large enterprises will deploy dynamic attack surface reduction (DASR) technology by 2030, up from less than 10% in 2025. The reason is mechanical. When most intrusions contain no malware and the adversary moves within minutes, “detect and respond” is too slow a loop to win. The first step is to remove the moves an attacker could make.
Evaluation mechanism
This engagement leverages Bitdefender’s proactive hardening and attack surface reduction technology, GravityZone PHASR, in four steps over approximately 45 days and runs in parallel with the endpoint stack that is already running.
1. Kickoff and learning. PHASR typically takes 30 days to build behavioral profiles for every machine and user pair.
2. Attack Surface Dashboard review. You’ll see an exposure score (0-100) and a prioritized list of findings across five categories: non-resident binaries, remote administration tools, tampering tools, cryptominers, and piracy tools. Each category is mapped to the specific users and devices affected.
3. Optional reduction sprint. Apply the controls manually or let PHASR’s autopilot apply them. Users who still need a tool can request access through a built-in one-click approval workflow.
4. Reduction review. In the final session, we quantify how much the surface has shrunk and what shadow IT and rogue binaries surfaced in the process.
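To make the mechanism concrete, here is an added toy profiler that mirrors the steps above: it learns, over a 30-day window, which watched tools each user/host pair actually runs, computes a 0-100 exposure score, and emits a prioritized list of tools that can be blocked (never used) or constrained (used only by an application, never by a person, which is the silent third-party invocation the telemetry above describes). This is illustrative code written for this article, not PHASR’s implementation or Bitdefender’s scoring; the tool list, the “interactive parent” heuristic, the scoring rule and the sample telemetry are all constructed assumptions.

```python
"""Toy attack-surface profiler (constructed example, not PHASR code).

Learns which trusted tools each (user, host) pair actually uses during a
learning window, scores the idle entitlement that remains, and proposes what
can be taken away.  Tool list, heuristics and scoring rule are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Tools to profile.  Categories follow the article (LOLBins, remote admin
# tools); which binaries belong to each is an illustrative assumption.
WATCHED_TOOLS = {
    "powershell.exe": "lolbin", "wmic.exe": "lolbin", "certutil.exe": "lolbin",
    "msbuild.exe": "lolbin", "netsh.exe": "lolbin",
    "psexec.exe": "remote_admin", "anydesk.exe": "remote_admin",
}
# Parents that suggest a human at the keyboard; any other parent is treated as
# an application invoking the tool on its own (assumed heuristic).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
LEARNING_DAYS = 30


@dataclass(frozen=True)
class ProcEvent:
    day: int      # days since the start of the learning window
    user: str
    host: str
    image: str    # process image name, lower-case
    parent: str   # parent process image name


# Constructed process-start telemetry (not real data).
SAMPLE_EVENTS = [
    ProcEvent(3, "alice", "WS-01", "powershell.exe", "explorer.exe"),
    ProcEvent(10, "alice", "WS-01", "wmic.exe", "cmd.exe"),
    ProcEvent(1, "bob", "WS-02", "powershell.exe", "vendorupdater.exe"),
    ProcEvent(8, "bob", "WS-02", "powershell.exe", "vendorupdater.exe"),
    ProcEvent(15, "bob", "WS-02", "powershell.exe", "vendorupdater.exe"),
    ProcEvent(2, "carol", "WS-03", "notepad.exe", "explorer.exe"),
    ProcEvent(35, "carol", "WS-03", "certutil.exe", "cmd.exe"),  # outside window
]


def build_profiles(events, learning_days=LEARNING_DAYS):
    """Map (user, host) -> {tool -> set of parent images} seen in the window."""
    profiles = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e.day <= learning_days and e.image in WATCHED_TOOLS:
            profiles[(e.user, e.host)][e.image].add(e.parent)
    return profiles


def pairs_from(events):
    """Every (user, host) pair seen at all, watched tool or not."""
    return sorted({(e.user, e.host) for e in events})


def exposure_score(pairs, profiles, blocked=frozenset()):
    """0-100: share of (pair, tool) combinations still allowed but never used."""
    total = len(pairs) * len(WATCHED_TOOLS)
    idle = sum(
        1 for p in pairs for t in WATCHED_TOOLS
        if t not in profiles.get(p, {}) and (p[0], p[1], t) not in blocked
    )
    return round(100 * idle / total) if total else 0


def recommendations(pairs, profiles):
    """Prioritized findings: block what is never used, constrain what only
    an application invokes (no interactive parent ever observed)."""
    recs = []
    for user, host in pairs:
        used = profiles.get((user, host), {})
        for tool, category in WATCHED_TOOLS.items():
            base = dict(user=user, host=host, tool=tool, category=category)
            if tool not in used:
                recs.append({**base, "action": "block",
                             "detail": "never observed in learning window"})
            elif not (used[tool] & INTERACTIVE_PARENTS):
                recs.append({**base, "action": "constrain",
                             "detail": "only invoked by " + ", ".join(sorted(used[tool]))})
    order = {"block": 0, "constrain": 1}
    return sorted(recs, key=lambda r: (order[r["action"]], r["category"], r["tool"], r["user"]))


def run_assessment(events):
    """Score before and after applying every 'block' recommendation."""
    pairs = pairs_from(events)
    profiles = build_profiles(events)
    recs = recommendations(pairs, profiles)
    blocked = {(r["user"], r["host"], r["tool"]) for r in recs if r["action"] == "block"}
    return {"score_before": exposure_score(pairs, profiles),
            "score_after": exposure_score(pairs, profiles, blocked),
            "recommendations": recs}


if __name__ == "__main__":
    result = run_assessment(SAMPLE_EVENTS)
    print("exposure before:", result["score_before"], "after:", result["score_after"])
    for r in result["recommendations"]:
        print(f'{r["action"]:9} {r["user"]}@{r["host"]} {r["tool"]} ({r["detail"]})')
```

On the constructed sample, bob’s PowerShell shows up only under a vendor updater, so the profiler proposes constraining it to that parent rather than blocking it, which is how a reduction can avoid end-user disruption; carol’s certutil run lands after the learning window and is exactly the kind of item the final review session would surface.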
Early Access customers reported reducing their attack surface by more than 30% in the first 30 days, with some customers reporting nearly a 70% reduction in their attack surface by locking down LOLBin and remote tools without any investigation overhead or end-user disruption.
What it means for different stakeholders
For CISOs: Defensible, board-ready exposure numbers mapped to the actual techniques attackers use, tracked from week to week.
For SOC and IT administrators: Entire classes of suspicious-but-legitimate behavior simply stop occurring on endpoints that don’t need them, reducing investigation and response workload by up to 50%.
For business decision makers: Documented, continuous surface reduction – what regulators, auditors and cyber insurers increasingly expect.
Start where the attacker is already
The last article ended with the principle that the most significant risks are no longer external or unknown, but are already inside the environment. This one ends with practice. You can create an accurate, prioritized map of these risks within 45 days, for free, without changing your existing stack.
If you run a Windows-heavy environment with 250 or more users, request an internal attack surface assessment here. Compromises will continue to occur. Whether a compromise becomes a breach depends almost entirely on how far an attacker can reach afterwards. The easiest way to shorten that reach is to see the list first.
