Introduction
In today’s hyper-connected digital landscape, the concept of an organization’s attack surface has expanded dramatically. The shift to cloud-based infrastructure, remote work, and the proliferation of IoT devices have introduced countless new entry points for potential cyberattacks. Attack Surface Management (ASM) has emerged as a critical practice, helping organizations identify, monitor, and secure vulnerabilities across all digital, physical, and human assets. This article dives into the essential components of attack surface management, examining how a proactive approach can mitigate risks, reduce vulnerabilities, and strengthen an organization’s security posture in an era of increasing cyber threats.
Attack Surface
What is an attack surface?
1st definition:
The attack surface is the sum of all the points where an attacker could attempt to gain access to a company’s systems and data. This includes the following:
- Applications: Any software application accessible from outside the company, such as web applications, mobile apps, and APIs.
- Websites: All websites hosted by the company, including public, internal, and e-commerce websites.
- Networks: Any network used by the company to connect its devices and systems, including the Internet, private networks, and cloud networks.
- Devices: Any device connected to the company’s networks, including laptops, smartphones, servers, and IoT devices.
- Cloud infrastructure: Any cloud infrastructure used by the company, such as public clouds, private clouds, and hybrid clouds.
The attack surface of an organization is constantly expanding due to factors such as cloud adoption and the increasing number of connected devices. This makes it increasingly difficult for organizations to keep track of all of their vulnerabilities and take steps to mitigate them.
2nd definition:
An organization’s attack surface is the sum of vulnerabilities, pathways, or methods—sometimes called attack vectors—that hackers can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack.
As organizations increasingly adopt cloud services and hybrid (on-premises/work-from-home) work models, their networks and associated attack surfaces are becoming larger and more complex by the day. According to Randori’s The State of Attack Surface Management 2022, 67% of organizations have seen their attack surfaces grow in size over the past two years. Industry analyst Gartner named attack surface expansion the No. 1 security and risk management trend for 2022.
Security experts divide the attack surface into three sub-surfaces: The digital attack surface, the physical attack surface, and the social engineering attack surface.
b. Digital attack surface
1st definition:
The digital attack surface, considered the broadest, comprises all cyber assets, such as software, hardware, and cloud-based resources, that are internet-facing. Subcategories of the digital attack surface are:
- Cloud attack surface—vulnerabilities in cloud configurations, APIs, storage, services (e.g., IaaS, PaaS, and SaaS), containers, and microservices
- External attack surface—an internet-facing asset that is externally visible and accessible, such as public websites and web services
- Internal attack surface—vulnerabilities within an organization’s internal network, including applications, user privileges, and data storage
- Network attack surface—all points of interaction with an organization’s network, such as routers, firewalls, and network protocols
- Software attack surface—vulnerabilities within software applications, such as software bugs, insufficient input validation, and insecure APIs
2nd definition:
The digital attack surface potentially exposes the organization’s cloud and on-premises infrastructure to any hacker with an internet connection. Common attack vectors in an organization’s digital attack surface include:
- Weak passwords
- Misconfiguration
- Software, operating system (OS), and firmware vulnerabilities
- Internet-facing assets
- Shared databases and directories
- Outdated or obsolete devices, data, or applications
- Shadow IT
Weak passwords: Passwords that are easy to guess—or easy to crack via brute-force attacks—increase the risk that cybercriminals can compromise user accounts to access the network, steal sensitive information, spread malware and otherwise damage infrastructure. According to IBM’s Cost of a Data Breach Report 2021, compromised credentials were the most commonly used initial attack vector in 2021.
Misconfiguration: Improperly configured network ports, channels, wireless access points, firewalls, or protocols serve as entry points for hackers. Man-in-the-middle attacks, for example, take advantage of weak encryption protocols on message-passing channels to intercept communications between systems.
Software, OS, and firmware vulnerabilities: Hackers and cybercriminals can take advantage of coding or implementation errors in third-party apps, OSs, and other software or firmware to infiltrate networks, gain access to user directories, or plant malware. For example, in 2021, cybercriminals took advantage of a flaw in Kaseya’s VSA (Virtual System Administrator) remote-management platform to distribute ransomware, disguised as a software update, to Kaseya’s customers.
Internet-facing assets: Web applications, web servers and other resources that face the public internet are inherently vulnerable to attack. For example, hackers can inject malicious code into unsecured application programming interfaces (APIs), causing them to improperly divulge or even destroy sensitive information in associated databases.
Shared databases and directories: Hackers can exploit databases and directories that are shared between systems and devices to gain unauthorized access to sensitive resources or launch ransomware attacks. In 2016, the Virlock ransomware spread by infecting collaborative file folders that are accessed by multiple devices.
Outdated or obsolete devices, data, or applications: Failure to consistently apply updates and patches creates security risks. One notable example is the WannaCry ransomware, which spread by exploiting a Microsoft Windows operating system vulnerability for which a patch was already available. Similarly, when obsolete endpoints, data sets, user accounts, and apps are not uninstalled, deleted, or discarded, they create unmonitored vulnerabilities cybercriminals can easily exploit.
Shadow IT: “Shadow IT” is software, hardware, or devices—free or popular apps, portable storage devices, an unsecured personal mobile device—that employees use without the IT department’s knowledge or approval. Because it’s not monitored by IT or security teams, shadow IT may introduce serious vulnerabilities that hackers can exploit.
c. Physical attack surface
The physical attack surface includes any physical access points into an organization’s IT infrastructure. Examples of physical attack surfaces include:
- Discarded hardware—devices that contain user data or login credentials
- Endpoint devices—desktop systems, laptops, mobile devices, and USB ports
- Environmental controls—temperature and humidity controls; air filtration, fire suppression, and water detection systems; redundant power supplies; and physical security measures, such as surveillance cameras, controlled access, and security personnel
- Network infrastructure—servers, ports, wiring, network cables, and data centers
- Physical security breaches—unauthorized personnel gaining access to secure locations or passwords being physically stolen or copied when passwords are written on physical materials (e.g., notepad, whiteboard, or sticky note)
d. Human Attack Surface
The behaviors and interactions of any person with access to an organization’s systems, applications, or data can be considered a vulnerability or risk. Managing the human attack surface involves educating and training employees, implementing strong security policies, and fostering a culture of cybersecurity awareness to minimize the risk of human-related vulnerabilities.
Attackers exploit the people who make up the human attack surface in the following ways:
- Social Engineering: Techniques like phishing, pretexting, and baiting that manipulate individuals into divulging sensitive information or performing actions that compromise security. Social engineering manipulates people into making mistakes that compromise their personal or organizational assets or security through various ways, such as:
- Sharing information that they shouldn’t share
- Downloading software that they shouldn’t download
- Visiting websites that they shouldn’t visit
- Sending money to criminals
Because it exploits human weaknesses rather than technical or digital system vulnerabilities, social engineering is sometimes called ‘human hacking’.
An organization’s social engineering attack surface essentially amounts to the number of authorized users who are unprepared for or otherwise vulnerable to social engineering attacks.
Phishing is the best-known and most prevalent social engineering attack vector. In a phishing attack, scammers send emails, text messages, or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people, or taking some other damaging action. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—a popular retailer, a government organization, or sometimes even an individual the recipient knows personally.
- Insider Threats: Risks posed by employees, contractors, or other insiders who intentionally or unintentionally cause harm to the organization’s security, such as leaking information or mishandling sensitive data.
- Human Errors: Mistakes made by employees, such as misconfiguring systems, using weak passwords, or falling for phishing scams, that can lead to security breaches.
- Training and Awareness Gaps: Lack of proper cybersecurity training and awareness among staff, making them more susceptible to cyber threats and less likely to follow security protocols effectively.
How to Mitigate Attack Surface Risks
Organizations, and specifically CISOs, should utilize internal and external attack surface management solutions to mitigate risks. This includes taking steps to:
- Reduce the number of entry points into their systems and networks.
- Identify and patch vulnerabilities in their systems and applications.
- Implement strong authentication and access controls to limit sensitive data and systems access.
- Monitor their systems and networks for unusual activity or suspicious behavior.
- Regularly review and update their security policies and procedures to ensure they are up to date with the latest threats and best practices.
The Impact of Digital Transformation on the Attack Surface
As organizations have embraced digital transformations and remote work over the past decade, they have experienced significant changes in their attack surface. This has led to an expansion and evolution of potential points of vulnerability that malicious actors can exploit. Several IT trends have contributed to this expansion of vulnerabilities:
Increased Connectivity
Digital transformations often involve the integration of new technologies, devices, and systems. This increase in overall connectivity can expand the attack surface, as each new connection point introduces potential vulnerabilities that attackers may exploit.
Cloud Adoption
Moving services and data to the cloud is a common aspect of digital transformations. While cloud providers implement robust security measures, the configuration of cloud resources, access controls, and data transfers between on-premises and cloud environments can introduce new attack vectors if not properly managed.
Internet of Things (IoT)
The adoption of IoT devices is a key component of digital transformation. These devices, such as smart sensors and industrial IoT, can introduce new entry points for cyber threats. Insecurely configured or poorly maintained IoT devices, particularly those deployed with unchanged default passwords, can become targets for exploitation.
Mobile Workforce
Remote work and mobile computing are often facilitated by digital transformations. While work-from-home policies provide flexibility, they also increase the attack surface by exposing corporate networks to potentially insecure devices and public networks. Antiquated home routers with unpatched security flaws are widely recognized vulnerabilities. Additionally, mobile devices may become vectors for attacks if not adequately protected.
Third-Party Integrations
Organizations often integrate with third-party services and platforms to enhance their digital capabilities. However, each integration introduces a potential risk if not properly vetted and secured. Attackers may target vulnerabilities in third-party systems to gain access to the organization’s network.
Cybersecurity Skill Gaps
Digital transformations often require new cybersecurity skill sets. Organizations may face challenges in maintaining a skilled workforce capable of addressing the evolving threat landscape associated with the transformed environment.
The most recent ISC2 Cybersecurity Workforce Study found that more than nine in ten (92%) of the professionals surveyed reported skills gaps in their organization, and 67% reported a shortage of the cybersecurity staff needed to prevent and troubleshoot security issues.
Attack surface management
What is Attack Surface Assessment?
An attack surface assessment involves identifying and evaluating cloud-based and on-premises internet-facing assets, as well as prioritizing how to fix potential vulnerabilities and threats before they can be exploited. Organizations should use attack surface assessments to jump-start or improve an attack surface management program and reduce the risk of successful cyberattacks.
What is Attack Surface Management?
1st definition:
Attack surface management (ASM) refers to processes and technologies that take a hacker’s view and approach to an organization’s attack surface, discovering and continuously monitoring the assets and vulnerabilities that hackers see and attempt to exploit when targeting the organization. ASM typically involves:
Continuous discovery, inventory, and monitoring of potentially vulnerable assets. Any ASM initiative begins with a complete and continuously updated inventory of an organization’s internet-facing IT assets, including on-premises and cloud assets. Taking a hacker’s approach ensures discovery not only of known assets but also of shadow IT applications or devices; of applications or devices that were abandoned but never deleted or deactivated (orphaned IT); of assets planted by hackers or malware (rogue IT); and of anything else that a hacker or cyberthreat could exploit.
Once discovered, assets are monitored continuously, in real time, for changes that raise their risk as a potential attack vector.
Attack surface analysis, risk assessment and prioritization. ASM technologies score assets according to their vulnerabilities and security risks that they pose, and prioritize them for threat response or remediation.
Attack surface reduction and remediation. Security teams can apply their findings from attack surface analysis and red teaming to take various short-term actions to reduce the attack surface. These might include enforcing stronger passwords, deactivating applications and endpoint devices no longer in use, applying application and OS patches, training users to recognize phishing scams, instituting biometric access controls for office entry, or revising security controls and policies around software downloads and removable media.
Organizations might also take more structural or longer-term security measures to reduce their attack surface, either as part of or independent of an attack surface management initiative. For example, implementing two-factor authentication (2FA) or multifactor authentication (MFA) can reduce or eliminate potential vulnerabilities that are associated with weak passwords or poor password hygiene.
On a broader scale, a zero trust security approach can significantly reduce an organization’s attack surface. A zero trust approach requires that all users, whether outside or already inside the network, be authenticated, authorized, and continuously validated to gain and maintain access to applications and data. Zero trust principles and technologies—continuous validation, least-privileged access, continuous monitoring, network microsegmentation—can reduce or eliminate many attack vectors and provide valuable data for ongoing attack surface analysis.
2nd definition:
Attack Surface Management is the continuous process of discovering, inventorying, assessing, and securing an organization’s security perimeter and all of the Internet-facing assets within their digital estate. It’s worth emphasizing that attack surface management is not a short-lived task or project, but an ongoing and recursive process that is fundamental to every organization’s cybersecurity program.
As the name suggests, the attack surface is any aspect of an organization’s digital presence that is accessible from the Internet and can therefore be probed for weaknesses by threat actors. It may be helpful to think of your attack surface as the sum of all potential attack vectors that cybercriminals could use to breach your corporate network. Managing the attack surface is an effective way to reduce risk and improve security posture.
Attack Surface Management is also an emerging product class that simplifies and streamlines the ASM process (Group-IB’s ASM solution is one example). Such products automate several steps, including IT asset discovery, risk assessment, and the prioritization of issues based on the risk they present to the organization. Automating these steps makes the attack surface management process more efficient and frees up resources to focus on other high-priority projects.
- ASM is conducted entirely from a hacker’s perspective, rather than the perspective of the defender. It identifies targets and assesses risks based on the opportunities they present to a malicious attacker.
- ASM relies on many of the same methods and resources that hackers use. Many ASM tasks and technologies are devised and performed by ‘ethical hackers’ who are familiar with cybercriminals’ behaviors and skilled at duplicating their actions.
- External attack surface management (EASM), a relatively new ASM technology, is sometimes used interchangeably with ASM. However, EASM focuses specifically on the vulnerabilities and risks presented by an organization’s external or internet-facing IT assets—sometimes referred to as an organization’s digital attack surface.
- ASM also addresses vulnerabilities in an organization’s physical and social engineering attack surfaces, such as malicious insiders or inadequate end-user training against phishing scams.
Why organizations are turning to attack surface management
- Increased cloud adoption, digital transformation and remote work expansion in recent years made the average company’s digital footprint and attack surface larger, more distributed and more dynamic, with new assets that connect to the company network daily.
- Traditional asset discovery, risk assessment and vulnerability management processes, which were developed when corporate networks were more stable and centralized, can’t keep up with the speed at which new vulnerabilities and attack vectors arise in today’s networks. Penetration testing, for example, can test for suspected vulnerabilities in known assets, but it can’t help security teams identify new cyber risks and vulnerabilities that arise daily.
- But ASM’s continuous workflow and hacker’s perspective enable security teams and security operations centers (SOCs) to establish a proactive security posture in the face of a constantly growing and morphing attack surface. ASM solutions provide real-time visibility into vulnerabilities and attack vectors as they emerge.
- They can draw on information from traditional risk assessment and vulnerability management tools and processes for greater context when analyzing and prioritizing vulnerabilities. And they can integrate with threat detection and response technologies—including security information and event management (SIEM), endpoint detection and response (EDR) or extended detection and response (XDR)—to improve threat mitigation and accelerate threat response enterprise-wide.
Why Is ASM Important?
You can’t secure what you don’t know exists. Attack surface management helps organizations gain visibility into and reduce risks on their attack surface. Internal and external attack surface management are both necessary due to the dynamic nature of organizations pursuing a move to the cloud.
Organizations can reduce the risk of cyberattacks and data breaches by minimizing the number of entry points and vulnerabilities in their systems and networks. Minimization ensures your organization has a comprehensive and continuously updated inventory of all internet-facing assets and associated risks.
Creating a complete system of record like this requires a new approach because network perimeters are a thing of the past, so the traditional view of an organization’s attack surface no longer applies. A modern attack surface comprises any internet-facing asset in the cloud, on-premises, or colocated in multiple places.
Between multi, private, and public clouds, inheriting assets via mergers and acquisitions (M&A), and access from supply chain partners and remote workers, it’s impossible for IT experts to keep track of all assets and the people responsible for them via manual methods.
Traditionally, asset inventories have been generated with slow, manual, and infrequent processes, including red team exercises or penetration tests. Unfortunately, modern infrastructure, especially in the cloud, can change instantly. All it takes for a new cloud instance to be created outside of security processes is an employee with a credit card. This is one of the most common ways an attack surface grows.
Additionally, the quality of the data in an asset inventory directly determines the efficacy of every security process built on it. A vulnerability scanner that only checks known assets cannot secure unknown ones; those unknown assets are a direct threat and represent a loss of control for the security team.
An MIT Technology Review Insights survey found that 50% of organizations had experienced a cyberattack on an unknown or unmanaged asset, and another 19% expected an imminent incident.
The Speed and Scale of the Internet
Malicious actors will find and target unknown assets because they are simply looking for easy targets. Attackers have undergone their own digital transformation and can scan the entire internet for vulnerable systems in less than an hour. This means a defender’s mean time to inventory (MTTI) of all assets on their attack surface needs to be faster than an attacker can stumble on them.
According to Cortex Xpanse, threat actors scan the internet for vulnerable internet-facing assets roughly once per hour, and even more frequently, within 15 minutes or less, following a CVE disclosure. Meanwhile, global enterprises need on average 12 hours to find vulnerable systems, and that assumes the enterprise already knows about every asset on its network.
Attack surface management involves considering all aspects to provide a continuously updated and comprehensive inventory of all assets connected to an organization’s network. This includes IP addresses, domains, certificates, cloud infrastructure, and physical systems. It also maps out which part of the organization is responsible for each asset.
ASM must work at the speed and scale of the ever-growing internet to continuously discover, identify, and mitigate risks across all public-facing assets, whether on-premises, in the cloud, or operated by subsidiaries and critical suppliers.
It must also scan from the outside in rather than relying on asset inventories or logs from other security products, because those may be incomplete. External scanning ensures all known and unknown assets are accounted for, and this data can then inform other security processes.
In its 2021 Hype Cycle for Security Operations, Gartner discussed how looking at exposure through the lens of external attack surface management can provide “better enrichment for organizations to decide what matters to them—without having to look at the threat landscape in a more general way and wonder if they are affected.”
Type of Attack Surface Management
Based on the categorization of assets into groups:
Known Assets: Known digital assets are devices, systems and applications that an organization’s security teams are aware of and have authorized to connect to its network. These assets are included in an organization’s inventory and are subject to regular security assessments and monitoring.
Unknown Assets: Unknown digital assets are the opposite: devices, systems, and applications that an organization and its security teams are unaware of and have not authorized in the network. These can include shadow IT, unauthorized devices, ransomware, or unmanaged applications. Unknown assets pose a significant risk to an organization’s security as they can provide potential weaknesses in cybersecurity.
Rogue Assets:
- Like unknown assets, rogue assets are connected to the network without authorization. The difference is intent: rogue assets are placed there by an attacker or by malware (the rogue IT described above), for example a device an intruder attaches to the network or a host that malware has compromised, and they are typically used to gain unauthorized access to the organization’s network or data.
- Unknown assets, by contrast, were deployed legitimately but are undiscovered or forgotten (shadow IT, or systems that were once authorized and then lost track of). Rogue assets are challenging to detect and manage because they appear in no inventory and are covered by no security control.
Vendors:
- Vendors can pose a significant risk to an organization’s security as they may introduce vulnerabilities or weaknesses into an organization’s network or data. Organizations must carefully manage and monitor their relationships with vendors to minimize the risk of cyberattacks.
- Management can include regular security assessments, contractual requirements for security, and ongoing monitoring and risk management. In the case of attack surface management, vendors can consist of software vendors, cloud service providers and other third-party service providers.
Several specialized categories fall under the purview of attack surface management, each focusing on specific types of assets and their corresponding attack surfaces. A clear understanding of these types is necessary for securing an organization’s assets.
These types include:
| Type | Definition | Key Characteristics |
| --- | --- | --- |
| External ASM (EASM) | Focuses on managing external-facing assets. | Includes websites, public cloud infrastructure, and social media accounts. |
| Internal ASM (IASM) | Focuses on managing internal assets. | Includes internal networks, devices, and applications. |
| Cyber Asset ASM (CAASM) | Focuses on managing cyber assets. | Includes software, data, and intellectual property. |
| Open Source ASM (OSASM) | Focuses on managing open-source software. | Includes libraries, frameworks, and tools. |
External Attack Surface Management (External ASM)
What is External Attack Surface Management?
External Attack Surface Management is the process of continuously discovering, inventorying, assessing, and securing all of the external IT assets that an organization owns. An IT asset is considered external if it can be accessed from the public Internet without the use of a VPN.
External Attack Surface Management is generally considered a specific subset of the broader concept of attack surface management. Other adjacent categories include “cyber asset attack surface management,” which covers IT asset discovery and management for both internal and external assets, and “cloud security posture management,” which is a flavor of attack surface management focused exclusively on cloud assets.
The precise definitions of these terms are still up for discussion. As technology and markets evolve, some of these terms will coalesce and others will simply fall out of fashion. The important thing to understand is that external attack surface management is an essential security process that discovers, catalogs, assesses, and secures all external IT assets.
The 5 Primary Roles of ASM
Attack surface management proactively plays five primary roles in supporting an organization’s overall security posture. Attack surface management solutions continuously poke and probe, just like an attacker would. The result is real-time insights that help security teams proactively remediate attack vectors that could be used for a cyber attack, such as data breaches or ransomware attacks.
Continuous Asset Discovery
An attack surface management solution adopts the perspective of an attacker. This approach focuses on identifying all digital assets and their associated cyber risk. Continuous asset discovery ensures that security teams know an organization’s attack surface.
The asset discovery process involves systematically scanning and cataloging every asset connected to the organization’s network. This includes discovering on-premise systems like servers and workstations and cloud-based assets such as instances and storage buckets, web applications, IoT devices, and any third-party services integrated into the organization’s ecosystem.
Asset discovery maintains a comprehensive, up-to-date inventory that includes not only known and managed assets but also unknown assets and potentially unauthorized (i.e., shadow IT) assets, whether on-premise, cloud-based, or hosted by a third party.
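The reconciliation step that the asset classification above (known, unknown, rogue) and this discovery loop both depend on is easy to state and easy to get wrong, so here is a worked example. It is added here and is not code from the original article or from any ASM vendor. It assumes a hypothetical CMDB export keyed by hostname, with an `owner` and a `status` field, and two constructed outside-in scans (a previous baseline and the current run); the hostnames, IPs and owners are invented sample data. Observations seen for a host that is absent from the inventory are classified as unknown (shadow IT), observations for a host the inventory says is decommissioned are classified as orphaned, and any service not present in the previous scan is reported as a new exposure, which is what the continuous-monitoring requirement means in practice.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One service seen by an outside-in scan (constructed sample data)."""
    host: str
    ip: str
    port: int
    service: str


# Hypothetical CMDB / asset-register export: what the security team thinks exists.
INVENTORY = {
    "www.example.com": {"owner": "web-team", "status": "active"},
    "api.example.com": {"owner": "platform", "status": "active"},
    "old-intranet.example.com": {"owner": "it-ops", "status": "decommissioned"},
}

# Previous scan (baseline) and current scan, constructed for the example.
PREVIOUS_SCAN = [
    Observation("www.example.com", "203.0.113.10", 443, "https"),
    Observation("api.example.com", "203.0.113.11", 443, "https"),
]
CURRENT_SCAN = PREVIOUS_SCAN + [
    Observation("old-intranet.example.com", "203.0.113.20", 80, "http"),    # orphaned IT
    Observation("jenkins-test.example.com", "203.0.113.30", 8080, "http"),  # shadow IT
    Observation("api.example.com", "203.0.113.11", 22, "ssh"),              # new port on a known host
]


def classify(host, inventory):
    """known: in inventory and active; orphaned: in inventory but retired;
    unknown: not in inventory at all. Returns (class, owner-or-None)."""
    record = inventory.get(host)
    if record is None:
        return "unknown", None
    if record["status"] != "active":
        return "orphaned", record["owner"]
    return "known", record["owner"]


def reconcile(current, previous, inventory):
    """Return (per-host classification, exposures absent from the previous scan)."""
    hosts = {obs.host: classify(obs.host, inventory) for obs in current}
    baseline = set(previous)
    new_exposures = sorted(
        (o for o in current if o not in baseline),
        key=lambda o: (o.host, o.port),
    )
    return hosts, new_exposures


def report(current=CURRENT_SCAN, previous=PREVIOUS_SCAN, inventory=INVENTORY):
    """Lines a SOC could route: every non-known host plus every new exposure."""
    hosts, new_exposures = reconcile(current, previous, inventory)
    lines = []
    for host, (cls, owner) in sorted(hosts.items()):
        if cls != "known":
            lines.append(f"{cls.upper()}: {host} (owner: {owner or 'none on record'})")
    for o in new_exposures:
        lines.append(f"NEW EXPOSURE: {o.host}:{o.port}/{o.service} at {o.ip}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The owner lookup is deliberate: an unknown host has no one on record to fix it, which is exactly why it sits on the attack surface longer than a known one. A real implementation would key the inventory on more than hostname (IP ranges, cloud account IDs, certificate subjects), because shadow IT rarely uses the corporate naming convention.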
Risk Assessment
With attack surface management, the asset inventory (i.e., on-site or off-site) is analyzed. Context is provided for each asset’s vulnerability and potential severity impact. This contextual data includes risk scoring and security ratings for identified vulnerabilities based on usage, ownership, location, and network connections.
Prioritization
Based on the risk assessment, security teams can prioritize responses. Attack surface management evaluates and ranks vulnerabilities based on their potential impact and likelihood of exploitation.
This process starts with analyzing the vulnerabilities identified during the asset testing phase. Each vulnerability is assessed for its severity, the criticality of the affected asset, and the potential consequences of exploitation, such as data breaches or system downtime.
Factors like the complexity of the remediation and compliance requirements are also considered. This prioritization enables a fine-grained, data-driven remediation approach that sees the optimal balance between severity, incident likelihood, difficulty, and available resources.
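The risk assessment and prioritization steps above combine severity, exposure, asset criticality, exploitation likelihood and remediation effort into one ranking. The following is an added example of such a scoring model, written for this article rather than taken from it or from any product; the weights (a 0.4 discount for internal-only findings, a 1.5 multiplier for findings with exploitation observed in the wild, and the SLA thresholds) are assumptions chosen to illustrate the idea, not an industry standard, and the findings are constructed sample data. The point it demonstrates is that a CVSS 9.8 bug on a low-value internal build server can legitimately rank below a CVSS 7.5 bug on an internet-facing VPN appliance that is being exploited.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """A vulnerability or exposure attached to one asset (constructed sample)."""
    asset: str
    title: str
    cvss: float             # base severity, 0.0 to 10.0
    internet_facing: bool   # reachable from the public internet
    criticality: int        # business criticality of the asset, 1 (low) to 5 (crown jewel)
    known_exploited: bool   # exploitation observed in the wild
    effort: int             # remediation effort, 1 (patch available) to 5 (redesign needed)


def likelihood(f):
    """Severity adjusted for exposure and active exploitation, capped at 1.0.
    The 0.4 and 1.5 factors are illustrative assumptions."""
    score = f.cvss / 10.0
    score *= 1.0 if f.internet_facing else 0.4   # internal-only findings need a foothold first
    score *= 1.5 if f.known_exploited else 1.0
    return min(score, 1.0)


def priority(f):
    """0..100: likelihood of exploitation times business impact of the asset."""
    return round(likelihood(f) * (f.criticality / 5.0) * 100, 1)


def sla_bucket(score):
    """Map a priority score to a remediation deadline (thresholds are assumptions)."""
    if score >= 70:
        return "P1: remediate within 48h"
    if score >= 40:
        return "P2: remediate within 7 days"
    return "P3: next maintenance window"


def rank(findings):
    """Highest priority first; ties are broken by lower remediation effort."""
    return sorted(findings, key=lambda f: (-priority(f), f.effort))


FINDINGS = [
    Finding("build-server.corp.example.com", "remote code execution in CI agent",
            9.8, False, 2, False, 2),
    Finding("www.example.com", "outdated TLS library",
            5.3, True, 4, False, 3),
    Finding("vpn.example.com", "authentication bypass in VPN appliance",
            7.5, True, 5, True, 1),
]


if __name__ == "__main__":
    for f in rank(FINDINGS):
        s = priority(f)
        print(f"{s:5.1f}  {sla_bucket(s):30}  {f.asset}: {f.title}")
```

Keeping `likelihood` and the business-impact term separate is what lets the model absorb new context later (threat intelligence that raises `known_exploited`, a network change that flips `internet_facing`) without retuning everything; the ranking is recomputed from the same inputs each scan cycle.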
Remediation
When a potential threat is detected, an attack surface management solution can be configured to automate immediate remediation steps for high-risk findings; the prioritization analysis dictates the timing of responses to the remaining threats to the asset inventory.
Remediation can include anything from keeping systems and software patched and up to date, to eliminating unused entry points (attack surface reduction), to preparing incident response plans that expedite future remediation.
Continuous Monitoring
An organization’s attack surface requires continuous monitoring and testing due to the dynamic nature of IT environments where new tools and users are constantly added, and threat actors change and evolve attack vectors.
Continuous monitoring makes proactive security possible by regularly scanning and analyzing the entire network. It includes every endpoint, cloud service, web application, and other internet-facing asset to detect new devices, software updates, and configuration changes, identifying potential vulnerabilities as they arise.
This real-time surveillance provides security teams with valuable threat intelligence that helps them promptly identify potential vulnerabilities caused by newly added assets, unauthorized changes, or signs of compromise.
How ASM works
ASM scans the entire Internet to identify and index corporate infrastructure. Relationships between these assets are then mapped out through digital connections like subdomains, SSL certificates, DNS records, and other discovery techniques. When you enter your organization’s domain, the system can immediately identify your infrastructure. This is then enriched with real-time discovery techniques and security validation to identify issues and raise alerts for remediation.
ASM consists of four core processes: asset discovery; classification and prioritization; remediation; and monitoring. Again, because the size and shape of the digital attack surface changes constantly, the processes are carried out continuously, and ASM solutions automate these processes whenever possible. The goal is to arm security teams with a complete and current inventory of exposed assets and to accelerate response to the vulnerabilities and threats that present the greatest risk to the organization.
Asset discovery
Asset discovery automatically and continuously scans for and identifies internet-facing hardware, software and cloud assets that could act as entry points for a hacker or cybercriminal trying to attack an organization. These assets can include:
- Known assets – all IT infrastructure and resources that the organization is aware of and actively managing—routers, servers, company-issued or privately-owned devices (PCs, laptops, mobile devices), IoT devices, user directories, applications deployed on premises and in the cloud, web sites and proprietary databases.
- Unknown assets – ‘uninventoried’ assets that use network resources without the IT or security team’s knowledge. Shadow IT—hardware or software that is deployed on the network without official administrative approval and/or oversight—is the most common type of unknown asset. Examples of shadow IT include personal web sites, cloud applications and unmanaged mobile devices that use the organization’s network. Orphaned IT—old software, web sites and devices no longer in use that have not been properly retired—are another common type of unknown asset.
- Third-party or vendor assets – assets that the organization doesn’t own, but that are part of the organization’s IT infrastructure or digital supply chain. These include software-as-a-service (SaaS) applications, APIs, public cloud assets, or third-party services used within the organization’s web site.
- Subsidiary assets – any known, unknown or third-party assets that belong to networks of an organization’s subsidiary companies. Following a merger or acquisition, these assets may not immediately come to the attention of the IT and security teams of the parent organization.
- Malicious or rogue assets – assets that threat actors create or steal to target the company. This can include a phishing web site impersonating a company’s brand, or sensitive data stolen as part of a data breach being shared on the dark web.
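The discovery and classification steps above can be illustrated with a small inventory builder. The following is an added example, not code from the article or from any ASM product: it merges constructed DNS answers and constructed TLS certificate SAN observations into one inventory, then labels each host as known, third-party (a CNAME pointing outside the owned domains), unknown (an owned domain that nobody inventoried, i.e. shadow or orphaned IT) or external. All domains, IP addresses, records and the "known" inventory are made up for illustration; `registrable_domain` is a naive two-label rule that suits the constructed data, not a public-suffix-aware implementation.

```python
# Added example (not from the article): a toy asset-discovery and classification pass.
# All domains, IPs, records and the "known" inventory below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

# Constructed organization: the domains it owns and the assets IT already manages.
OWNED_DOMAINS = {"example.com", "example-labs.io"}
KNOWN_ASSETS = {"example.com", "www.example.com", "mail.example.com", "api.example.com"}

# Constructed DNS answers (name, type, value) as a discovery pass might return them.
DNS_RECORDS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("api.example.com", "A", "203.0.113.11"),
    ("mail.example.com", "MX", "mail.example.com"),
    ("old-wiki.example.com", "A", "203.0.113.42"),               # orphaned IT, never inventoried
    ("shop.example.com", "CNAME", "shops.vendor-hosting.test"),  # vendor-hosted third-party asset
    ("dev.example-labs.io", "A", "198.51.100.7"),                # shadow IT on a second owned domain
]

# Constructed TLS certificate observations: SANs seen on each address. A SAN can reveal
# a host that has no DNS record of its own in the data above (staging.example.com).
CERTS = [
    {"ip": "203.0.113.10", "sans": ["www.example.com", "example.com", "staging.example.com"]},
    {"ip": "203.0.113.11", "sans": ["api.example.com"]},
]


@dataclass
class Asset:
    name: str
    sources: set = field(default_factory=set)     # which technique surfaced it (dns, cert)
    addresses: set = field(default_factory=set)
    cname_target: Optional[str] = None
    classification: str = "unclassified"


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (a naive rule that suits the constructed data)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def discover(dns_records, certs) -> dict:
    """Merge DNS and certificate observations into one inventory keyed by hostname."""
    inventory: dict = {}

    def get(name: str) -> Asset:
        return inventory.setdefault(name.lower(), Asset(name.lower()))

    for name, rtype, value in dns_records:
        asset = get(name)
        asset.sources.add("dns")
        if rtype == "A":
            asset.addresses.add(value)
        elif rtype == "CNAME":
            asset.cname_target = value.lower()
    for cert in certs:
        for san in cert["sans"]:
            asset = get(san)
            asset.sources.add("cert")
            asset.addresses.add(cert["ip"])
    return inventory


def classify(inventory: dict) -> dict:
    """Label each asset as known, third-party, unknown (shadow/orphaned IT) or external."""
    for asset in inventory.values():
        if asset.name in KNOWN_ASSETS:
            asset.classification = "known"
        elif asset.cname_target and registrable_domain(asset.cname_target) not in OWNED_DOMAINS:
            asset.classification = "third-party"
        elif registrable_domain(asset.name) in OWNED_DOMAINS:
            asset.classification = "unknown"
        else:
            asset.classification = "external"
    return inventory


def unknown_assets(inventory: dict) -> list:
    """The remediation backlog: owned hosts that nobody has inventoried."""
    return sorted(a.name for a in inventory.values() if a.classification == "unknown")


if __name__ == "__main__":
    inv = classify(discover(DNS_RECORDS, CERTS))
    for a in sorted(inv.values(), key=lambda x: x.name):
        print(f"{a.name:28} {a.classification:12} via {','.join(sorted(a.sources))}")
```

Note how `staging.example.com` enters the inventory only through a certificate SAN: it never appears in DNS, which is exactly why discovery combines several techniques rather than relying on one.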
Classification, analysis and prioritization
Once assets are identified, they are classified, analyzed for vulnerabilities and prioritized by ‘attackability’—essentially an objective measure of how likely hackers are to target them.
Assets are inventoried by identity, IP address, ownership and connections to the other assets in the IT infrastructure. They’re analyzed for the exposures they might have, the causes of those exposures (e.g., misconfigurations, coding errors, missing patches) and the kinds of attacks that hackers may carry out through these exposures (e.g., stealing sensitive data, spreading ransomware or other malware).
Next, the vulnerabilities are prioritized for remediation. Prioritization is a risk assessment exercise: typically, each vulnerability is given a security rating or risk score based on
- Information gathered during classification and analysis.
- Data from threat intelligence feeds (proprietary and open source), security rating services, the dark web and other sources regarding how visible vulnerabilities are to hackers, how easy they are to exploit, how they’ve been exploited, etc.
- Results of the organization’s own vulnerability management and security risk assessment activities. One such activity, called red teaming, is essentially penetration testing from the hacker’s point of view (and often conducted by in-house or third-party ethical hackers). Instead of testing known or suspected vulnerabilities, red teamers test all assets a hacker might try to exploit.
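The scoring the Prioritization and Classification sections describe (severity, asset criticality, likelihood of exploitation, remediation effort) can be made concrete with a weighted score. The following is an added example, not code from the article or from any ASM vendor: the weights, the likelihood heuristics, the SLA buckets, the asset names and the `VULN-000x` identifiers are all constructed placeholders, and a real program would calibrate them to the organization. The point it shows is that ranking by CVSS alone would put the marketing site first, whereas combining severity with asset criticality and exposure puts the internet-facing, actively exploited VPN gateway ahead of it and the internal payment database ahead of a low-value wiki.

```python
# Added example (not from the article): a weighted risk score for ranking findings.
# Weights, thresholds, asset names and VULN-000x identifiers are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str             # placeholder identifier, not a real CVE
    cvss_base: float         # scanner severity, 0.0-10.0
    asset_criticality: int   # 1 (low) .. 5 (crown jewel), from classification/context
    internet_facing: bool    # exposure, from asset discovery
    exploit_observed: bool   # threat intel: exploitation seen in the wild
    remediation_effort: int  # 1 (patch available) .. 5 (redesign required)


# Relative weight of the three factors the text names: severity, asset impact, likelihood.
WEIGHTS = {"severity": 0.40, "criticality": 0.25, "likelihood": 0.35}

FINDINGS = [  # constructed sample backlog
    Finding("payment-db", "VULN-0001", 7.5, 5, False, False, 3),
    Finding("marketing-site", "VULN-0002", 9.8, 3, True, True, 1),
    Finding("intranet-wiki", "VULN-0003", 5.3, 1, False, False, 1),
    Finding("vpn-gateway", "VULN-0004", 7.2, 5, True, True, 2),
]


def likelihood(f: Finding) -> float:
    """0..1 estimate of exploitation likelihood from exposure and threat intelligence."""
    score = 0.2                      # baseline: nothing is ever zero-risk
    if f.internet_facing:
        score += 0.4
    if f.exploit_observed:
        score += 0.4
    return score


def risk_score(f: Finding) -> float:
    """Weighted 0..100 score; higher means fix sooner."""
    severity = f.cvss_base / 10.0
    criticality = (f.asset_criticality - 1) / 4.0
    return 100.0 * (WEIGHTS["severity"] * severity
                    + WEIGHTS["criticality"] * criticality
                    + WEIGHTS["likelihood"] * likelihood(f))


def sla_days(score: float) -> int:
    """Remediation deadline bucket derived from the score (constructed policy)."""
    if score >= 80:
        return 7
    if score >= 60:
        return 30
    if score >= 40:
        return 90
    return 180


def prioritize(findings) -> list:
    """Rank by score descending; cheaper fixes win ties at equal score."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.remediation_effort))
    return [(f.asset, f.vuln_id, round(risk_score(f), 1), sla_days(risk_score(f)))
            for f in ranked]


if __name__ == "__main__":
    for asset, vuln, score, days in prioritize(FINDINGS):
        print(f"{asset:16} {vuln}  score={score:5.1f}  fix within {days} days")
```

Remediation effort is deliberately used only as a tie-breaker here: the text's "optimal balance" between severity, likelihood and difficulty should not let a hard fix on a critical, exposed asset sink to the bottom of the queue.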
Remediation
Typically, vulnerabilities are remediated in order of priority. This can involve:
- Applying appropriate security controls to the asset in question—e.g., applying software or operating system patches, debugging application code, implementing stronger data encryption.
- Bringing previously unknown assets under control—setting security standards for previously unmanaged IT, securely retiring orphaned IT, eliminating rogue assets, integrating subsidiary assets into the organization’s cybersecurity strategy, policies and workflows.
- Remediation can also involve broader, cross-asset measures for addressing vulnerabilities, such as implementing least-privileged access or multi-factor authentication (MFA).
Monitoring
Because security risks in the organization’s attack surface change any time new assets are deployed or existing assets are deployed in new ways, both the inventoried assets of the network and the network itself are continuously monitored and scanned for vulnerabilities. Continuous monitoring enables ASM to detect and assess new vulnerabilities and attack vectors in real time, and alert security teams to any new vulnerabilities that need immediate attention.
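The Continuous Monitoring and Monitoring sections both describe detecting new assets, configuration changes and new exposures as they appear. A simple way to implement that is to diff successive inventory snapshots. The following is an added example, not code from the article or from any ASM product: the two snapshots, the host names, certificate fingerprints, owners and the list of high-risk ports are constructed, and the alert severities are an illustrative policy rather than a standard.

```python
# Added example (not from the article): detect attack-surface drift between two
# inventory snapshots. Hosts, ports, fingerprints, owners and severities are constructed.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Alert:
    severity: str
    host: str
    message: str


# Services that should rarely, if ever, be reachable from the internet (constructed policy).
HIGH_RISK_PORTS = {21, 23, 3389, 5900, 27017}

# Two constructed snapshots: {host: {"ports": set, "cert": fingerprint-or-None, "owner": team-or-None}}
SNAPSHOT_T0 = {
    "www.example.com":    {"ports": {443}, "cert": "sha256:aa11", "owner": "web-team"},
    "api.example.com":    {"ports": {443}, "cert": "sha256:bb22", "owner": "platform"},
    "legacy.example.com": {"ports": {80},  "cert": None,          "owner": "it-ops"},
}
SNAPSHOT_T1 = {
    "www.example.com":     {"ports": {443},       "cert": "sha256:cc33", "owner": "web-team"},  # cert rotated
    "api.example.com":     {"ports": {443, 3389}, "cert": "sha256:bb22", "owner": "platform"},  # RDP opened
    "test-db.example.com": {"ports": {27017},     "cert": None,          "owner": None},        # new, unowned
}
EMPTY = {"ports": set(), "cert": None, "owner": None}


def diff_snapshots(before: dict, after: dict) -> List[Alert]:
    """Compare two snapshots and return one alert per meaningful change."""
    alerts: List[Alert] = []
    for host in sorted(set(after) - set(before)):
        alerts.append(Alert("medium", host, "new internet-facing host; not in the previous inventory"))
    for host in sorted(set(before) - set(after)):
        alerts.append(Alert("info", host, "host no longer observed; confirm it was decommissioned on purpose"))
    for host, cur in after.items():
        prev = before.get(host, EMPTY)
        for port in sorted(cur["ports"] - prev["ports"]):
            sev = "high" if port in HIGH_RISK_PORTS else "low"
            alerts.append(Alert(sev, host, f"port {port} newly exposed"))
        if prev["cert"] is not None and cur["cert"] != prev["cert"]:
            alerts.append(Alert("low", host, "TLS certificate changed; verify it was a planned rotation"))
        if cur["owner"] is None:
            alerts.append(Alert("medium", host, "no owner assigned; remediation cannot be routed"))
    return alerts


def by_severity(alerts: List[Alert], severity: str) -> List[Alert]:
    return [a for a in alerts if a.severity == severity]


if __name__ == "__main__":
    for alert in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"[{alert.severity:6}] {alert.host}: {alert.message}")
```

The ownership check matters as much as the port check: a newly discovered database host with no owner cannot be routed to anyone for remediation, which is the gap the Mapping function in the next section exists to close.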
Core Functions of ASM
An attack surface management solution should utilize five core functions to protect against vulnerabilities. By performing these core functions, organizations can gain a comprehensive view of their attack surface, identify vulnerabilities and weaknesses, prioritize their efforts, and reduce the risk of cyberattacks and data breaches.
Discovery: During discovery, the organization and its security teams conduct scans, review logs, and use other tools to discover both known and unknown assets. The goal is to identify all the assets, systems, applications and entry points within an organization’s network.
Mapping: Once all of the assets have been identified, the next step is to ensure that assets are automatically mapped to individual business units and subsidiaries and integrated with existing SOC tools for faster owner identification and enrichment to resolve incidents.
Context: Contextualizing helps organizations prioritize and focus their resources on the greatest risk and impact areas. The discovered assets and vulnerabilities must have context for effective attack surface management. This involves analyzing the assets and vulnerabilities in the context of an organization’s specific risk profile, compliance requirements and business objectives.
Prioritization: The vulnerabilities and assets must be prioritized in order of importance based on their risk and potential impact, including factors such as the likelihood of exploitation, the potential impact of an attack, and the difficulty of remediation. This helps organizations and security teams focus their resources on addressing the most critical vulnerabilities first.
Remediation: Once vulnerabilities or weaknesses in an organization’s network, systems or applications have been identified, they must be fixed. The goal of remediation is to reduce or eliminate the risk of potential cyberattacks or data breaches that may exploit these vulnerabilities.
Depending on the nature and severity of the vulnerability, remediation can happen in a few different ways. It may involve patching or updating software, configuring firewalls or other security controls, restricting access to certain assets, or decommissioning obsolete systems or applications. Remediation must be ongoing to ensure the vulnerability doesn’t recur or get reintroduced.
Important Functions of Attack Surface Management
In addition to the primary roles of attack surface management, ASM encompasses a number of other core functions. These work in concert to provide a comprehensive view of cyber risk and enable a proactive approach to managing and securing an organization’s asset inventory against attack vectors exploitable by threat actors.
Addressing Misconfigurations
Attack surface management systematically scans and analyzes an organization’s asset inventory to identify misconfigured networks, servers, applications, and cloud services. Scans and analysis include checking for improper security settings, default credentials, unnecessary open ports, and incorrectly set permissions.
Once identified, these misconfigurations are reported for remediation. Attack surface management also supports implementing best practices and guidelines for configurations to prevent such issues from arising in the future.
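The checks this section lists (improper security settings, default credentials, unnecessary open ports, incorrectly set permissions) amount to comparing each discovered asset against a baseline. The following is an added example, not code from the article or from any ASM product: it evaluates constructed scan records against a constructed policy and emits findings with a severity and a check name so they can be routed for remediation. The asset names, ports, file paths and modes are made up, and the `default_credentials` field is assumed to be a boolean already reported by the scanner.

```python
# Added example (not from the article): evaluate scan results against a configuration
# baseline. The policy, asset records, file paths and severities are constructed.
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, check, detail)

# Constructed baseline: what an internet-facing asset is allowed to look like.
POLICY = {
    "allowed_public_ports": {80, 443},
    "sensitive_paths": {"/etc/app/secrets.env", "/var/backups"},
}

# Constructed scan output, one record per discovered asset.
SCAN_RESULTS = [
    {"name": "web-01", "public_ports": {80, 443, 22}, "default_credentials": False,
     "tls_enabled": True, "storage_public": False,
     "file_modes": {"/etc/app/secrets.env": 0o644, "/var/www/index.html": 0o644}},
    {"name": "cache-01", "public_ports": {6379}, "default_credentials": True,
     "tls_enabled": False, "storage_public": False, "file_modes": {}},
    {"name": "backups", "public_ports": set(), "default_credentials": False,
     "tls_enabled": True, "storage_public": True, "file_modes": {}},
]


def check_asset(asset: Dict, policy: Dict) -> List[Finding]:
    """Run each baseline check against one asset record."""
    findings: List[Finding] = []
    for port in sorted(asset["public_ports"] - policy["allowed_public_ports"]):
        findings.append(("high", "open-port", f"port {port} exposed but not in the allowlist"))
    if asset["default_credentials"]:
        findings.append(("critical", "default-credentials", "vendor default credentials still active"))
    if asset["public_ports"] and not asset["tls_enabled"]:
        findings.append(("high", "no-tls", "publicly reachable service without TLS"))
    if asset["storage_public"]:
        findings.append(("high", "public-storage", "storage is readable without authentication"))
    for path, mode in asset["file_modes"].items():
        # Only sensitive paths are judged; world access is the low three permission bits.
        if path in policy["sensitive_paths"] and mode & 0o007:
            findings.append(("medium", "permissions", f"{path} is world-accessible (mode {mode:o})"))
    return findings


def audit(scan_results, policy) -> Dict[str, List[Finding]]:
    """Report only assets that have at least one finding."""
    report: Dict[str, List[Finding]] = {}
    for asset in scan_results:
        findings = check_asset(asset, policy)
        if findings:
            report[asset["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SCAN_RESULTS, POLICY).items():
        for severity, check, detail in findings:
            print(f"{name:10} {severity:8} {check:20} {detail}")
```

Encoding the baseline as data rather than as hard-coded conditions is what lets the same check implement the "best practices and guidelines for configurations" the text mentions: tightening the policy tightens every future scan without touching the checker.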
Testing Assets
In attack surface management, identified assets are rigorously tested for vulnerabilities on an ongoing basis. This process involves various tools and techniques, such as vulnerability scanners, penetration testing, and security audits. The objective is to assess assets’ resilience against potential cyber threats by uncovering attack vectors like software bugs, misconfigurations, outdated systems, and insecure APIs.
The test results provide insights into each asset’s security posture to facilitate remediation prioritization. Regularly testing assets ensures an organization can proactively address security gaps and adapt to emerging threats.
Providing Asset Inventory Context
Contextualization takes ASM’s asset identification a step further, providing details about how, where, and by whom these assets are used, along with their connectivity to other systems. This insight allows security teams to deploy targeted security measures based on the role and importance of assets within the organization. Examples of ASM contextualization are identifying a server as a publicly facing web server or a database that stores sensitive data, such as protected health information (PHI), that requires heightened security to meet HIPAA compliance requirements.
Vulnerability Management
The vulnerability management component of attack surface management covers systematic processes that continuously identify, classify, remediate, and mitigate vulnerabilities within an organization’s digital assets. This involves continuously scanning and assessing the network, applications, and systems to identify security weaknesses.
Each vulnerability is evaluated for its severity, potential impact, and susceptibility to exploit. This assessment helps prioritize which vulnerabilities require immediate attention and which can be scheduled for later remediation.
How to Mitigate Attack Surface Risks
Organizations, and specifically CISOs, should utilize internal and external attack surface management solutions to mitigate risks. This includes taking steps to:
- Reduce the number of entry points into their systems and networks.
- Identify and patch vulnerabilities in their systems and applications.
- Implement strong authentication and access controls to limit access to sensitive data and systems.
- Monitor their systems and networks for unusual activity or suspicious behavior.
- Regularly review and update their security policies and procedures to ensure they are up to date with the latest threats and best practices.
Conclusion
Attack Surface Management is not just a tool but a crucial strategy in the ongoing fight against cyber threats. By continuously discovering, prioritizing, and securing potential vulnerabilities, organizations can achieve a more resilient security framework. In an age where digital transformation drives both innovation and risk, adopting ASM practices allows businesses to safeguard their assets, maintain customer trust, and stay ahead of evolving cyber threats. Embracing a proactive, comprehensive ASM approach is more than just defense; it’s a powerful way to fortify an organization’s future in the digital world.