Cyber Resilience and Attack Surface Management
Before digital transformation — or what we like to call “business transformation” — the attack surface was relatively static and well understood. But with the advent of remote work, digitized business services, and the mass adoption of IoT devices, the attack surface has become fluid. Any change in the way you operate your business changes the attack surface, including every new remote user, business service, device, and business location.
IBM defines the attack surface as, “The sum of vulnerabilities, pathways, or methods (attack vectors) hackers can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack.”
While the attack surface includes both internal and external resources, there’s usually an emphasis on your publicly-facing presence such as a website or applications. Until now, it’s been difficult to get an accurate picture of the attack surface as it changes.
Attack Surface Management: A New Approach to Identifying Vulnerabilities
Attack surface management (ASM) is a relatively new concept that ties together existing tools and functions to give security teams a view of the environment from the attacker’s perspective — from the outside in — to determine if a threat actor has a path into your environment and the ability to penetrate deeper.
ASM supports a modern approach to asset management by giving you the ability to continuously identify known and unknown assets as well as analyzing, prioritizing, and remediating vulnerabilities and other potential attack vectors. This approach imitates the techniques used by threat actors as they target an organization.
Organizations already know where their crown jewels are and typically implement firewalls, endpoint detection and response (EDR), or other defenses to protect them. But your public-facing presence is a key target for attackers while conducting reconnaissance to map out your public points of presence. Failure to manage the attack surface can expose your organization to fraud, ransomware, insider threats, data exfiltration, and other threats.
Continuous Monitoring of the Attack Surface
Prior to the emergence of ASM, activities around managing the attack surface have been point-in-time snapshots. ASM brings continuous monitoring into the equation, tying together vulnerability management, asset management, and open source intelligence (OSINT) to continuously monitor changes in the attack surface.
OSINT is a library of publicly available information, which may include your public IP addresses, leaked passwords, and other valuable information that hackers can access and use to plan attacks. ASM leverages OSINT so you can know what hackers know. OSINT information is sourced from the web, including uncrawled information (deep web) and the dark web. The industry consensus is that deep web and dark web information comprises about 96% of all information on the internet, so you won’t find it on search engines.
ASM lets you monitor the attack surface as it changes. Historically, organizations inventory and scan their IP addresses for vulnerabilities. ASM can manage this for you.
Processes are More Important than the Tool
Like any security tool, it’s only as good as the processes that support it. ASM doesn’t remediate, so you’ll need processes to act on ASM feedback. ASM generally automates asset discovery, classification, and prioritization of asset vulnerabilities. But it also may generate new processes, which may or may not be automated, depending on your situation. You may need to trigger a playbook within your patch management system or SOAR platform to act on findings from your ASM tool.
What You Can Expect from ASM
Discovery of More Vulnerabilities than You Imagined
One thing that ASM can draw attention to is the amount of OSINT information that exists about your organization. This is vitally important because for the first time, you’ll know the basics about what hackers know about your environment. The results can be startling. For example, ASM can surface a remote server exposed to the internet along with previously unknown admin credentials, which together form an attack chain where they use the credentials to log into the server to get into your environment.
Discovery of Unknown Assets
You may be surprised at the number of unknown assets exposed to the public. If your company was involved in a merger or acquisition, you may have dormant accounts that can be compromised. Or you may find a shadow IT cloud presence that’s storing sensitive information. It’s also possible to find malicious assets that an attacker has placed in your environment such as software or devices. An attack like this recently made headlines when a cloud hypervisor tool was used to create virtual network interfaces and a socket-type network device to connect to a remote server, bypassing firewalls and intrusion detection.
A More Proactive Stance Against Attackers
In terms of overall resilience, ASM can give organizations a more proactive stance against threat actors by identifying gaps and weaknesses before they’re used as a gateway to an attack. As a result, organizations can close more vulnerabilities faster as ASM surfaces issues. Overall, your organization should be less vulnerable to an attack, or in the event of an attack, get actionable information sooner rather than later.
What ASM Doesn’t Do
ASM doesn’t replace the need for traditional penetration testing and red team tests. It fills the gaps between your routine point-in-time tests.
The Evolving Solutions Approach to ASM
There are several ASM tools available, and they vary in how they handle things like external attack surface management, endpoint surface management, and how they use OSINT with different vendors excelling in different categories.
To select the right vendor and tool, you’ll need to know what you want out of ASM and which vendor does the best job handling your requirements. It’s also possible that you have access to ASM through an existing solution that your organization has adopted.
Evolving Solutions can help you determine whether ASM can address your vulnerability issues. If ASM is a good fit, we can help you select the best tool for your needs. If you already have an entitlement for ASM through an existing vendor relationship, we’ll help you investigate that solution rather than introduce a new technology.
Most organizations prefer to get started by evaluating their external attack surface. We can help you get up to speed with that, and from there, work to understand your on-premises and cloud footprints, along with your remote workforce, to guide you in next steps for getting the most value from an ASM solution.