“The safest infra is the one with no forgotten parts — and nothing unnecessary still running.”

This section combines principles from both infrastructure and runtime attack surface reduction to form a holistic approach to systems that are not just secure on paper, but hardened in operation.

Modern infrastructure often resembles a sprawling city — full of ports, services, APIs, credentials, and control planes. Every open port, daemon, or misconfigured identity role is an opportunity for an attacker.

Infrastructure and Runtime ASR is the practice of deliberately shrinking, isolating, and simplifying both what you deploy and what continues to run, so there are fewer ways in, fewer lateral paths, and fewer moving pieces.


1. Expose Nothing by Default

  • Deny-all networking, open ports gradually
  • Block unnecessary egress
  • Private subnets, VPNs, isolated environments
  • Audit cron jobs, daemons, socket listeners

2. Reduce Control Plane & Runtime Complexity

  • Avoid multi-cloud unless necessary
  • Disable unused cloud services, APIs, and runtime agents
  • Use simpler architectures over serverless sprawl
  • Use seccomp, AppArmor, non-root containers, and dropped capabilities

3. Minimalism at the Image and Execution Level

  • Prefer:
    • scratch, distroless, minimal base images
  • Strip:
    • Shells, package managers, debug tools
  • Containers:
    • Run minimal, immutable workloads
    • Rotate tokens
    • Mount only what’s needed

4. Prune Zombie Infra & Orphaned Services

  • Kill unused:
    • EC2, containers, VMs, buckets, databases
    • DNS records, old IPs, staging systems
  • Audit for:
    • Sidecars
    • Logging agents
    • Monitoring systems with excessive reach

5. Reduce Lateral Movement Paths

  • Use segmentation
  • Block inter-service communication by default
  • No wildcard IAM permissions
  • Secure build systems and ephemeral CI/CD

6. Runtime Cleanup & Reboot Culture

  • Use auto-restart, self-healing, auto-rebuild
  • Reboot after patching
  • Restart cron/VMs to clean up zombie processes
  • Disable debug flags after use

7. Infrastructure-as-Code & Deployment Discipline

  • IaC must be explicit
  • No insecure defaults or bloated templates
  • Remove unused modules and config blocks
  • Only deploy what you understand

8. Guidelines for Infra + Runtime ASR

| Area | ASR Practice |
|---|---|
| Network | Deny by default, isolate services |
| Containers | Run minimal images, non-root, limit capabilities |
| Secrets | Don’t mount unused secrets, rotate often |
| Agents | Audit or remove sidecars and runtime daemons |
| Infra Bloat | Delete what’s stale or shadowed |
| Build Infra | Keep CI/CD isolated and short-lived |
| Runtime State | Restart regularly, audit logs and zombie processes |
| IaC | Simplify, document, and trim templates regularly |

9. Final Thought

“Every port closed, every daemon killed, every stale node decommissioned — that’s risk erased.”

True infrastructure and runtime ASR isn’t about reactive monitoring. It’s about intentional architecture. Reduce what you expose. Reduce what keeps running. Reduce what attackers can reach — and what they could do if they got in.