“The blast radius of a security incident is defined as the amount of damage that the incident could potentially cause. It’s every account, file, application, server or other corporate asset that could be compromised once an attacker gets ‘inside’ the system.”
“An Exploit Chain is an attack that involves multiple exploits or attacks that are chained together to fully compromise a device. In these attacks, hackers cannot use a single exploit to compromise their target but instead combine a series of exploits that ultimately lead to malware getting installed.”
The blast radius and exploit chain concepts remind me of the Target hack, which was a chain starting with the HVAC system. After they got in, nobody found them, and they were able to spend time gaining a foothold. If Target had had a better model of their attack surface, they might have realized that their internal security controls were too lax. This allowed the attackers, once inside the network, to gain access to the payment systems. Hopefully they’ve learned from the experience!