THE COMPLETE GUIDE TO ASM

WHAT IS ATTACK SURFACE MANAGEMENT?

Attack surface management (ASM) is a rapidly advancing field in cybersecurity that helps organizations identify, assess, and manage the attack surface.

What is an attack surface?

An attack surface is the total number of all possible entry points for unauthorized access, or attack vectors, into an organization’s systems, networks, and digital assets. The attack surface is also the entire area of an organization that is exposed to attackers, which is the reason for the term “attacker’s point of view”.

But an attacker set on penetrating your organization doesn’t care whether they’re attacking your internet-facing asset directly, or exploiting a vulnerability from a third-party digital service that provides a toehold into your environment (e.g., a takeover of a dangling Azure blob called by an app referenced in a script on your website).

That’s why the real attack surface is bigger, and to be fair, more complex. It comprises several distinct types of assets, each requiring specific attention for effective management. These include:

  • Cataloged Assets: These are the known entities within your IT infrastructure, such as your official website, servers, and their running dependencies. They’re typically under the watchful eye of your security team.

  • Shadow Elements: A crucial yet often missed category, comprising assets like unauthorized development websites or shadow IT, which exist beyond the regular security checks.

  • Impersonation & Phishing: These are the dangerous parts of the attack surface that are outside the organization’s own assets. They include malware and counterfeit websites or apps designed to mimic your organization. They’re crafted with the intent to cause harm or deceive.

  • Third-Party Interconnections: Your cybersecurity perimeter extends to encompass third-party and fourth-party vendors. These external collaborations can unwittingly introduce risks, significantly expanding your attack surface.

The real attack surface of an organization comprises all the exposed digital assets and connections and extends to their digital supply chain connections, which are propagated via HTML links, scripts, and chains of DNS records.
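The supply-chain links described above (HTML inclusions, script chains, and DNS record chains ending in an unclaimed target) can be inventoried from a defender's side. The following is an added example, not code from the original guide: it collects the hosts a page pulls in, walks CNAME chains through a constructed DNS snapshot, and flags chains that end at a name with no record (the dangling-alias condition). The HTML, hostnames, DNS table and `example-corp.test` zone are all constructed assumptions; a real tool would query live resolvers instead.

```python
"""Added example (not from the original guide): build a digital-supply-chain
inventory from one HTML page and walk DNS CNAME chains to spot dangling
endpoints. The page, the DNS table and every hostname are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed DNS snapshot: name -> (record type, value). A name absent from
# the table models an NXDOMAIN / unclaimed target.
DNS_SNAPSHOT = {
    "www.example-corp.test": ("A", "203.0.113.10"),
    "cdn.example-corp.test": ("CNAME", "d111.cdn-vendor.test"),
    "d111.cdn-vendor.test": ("A", "198.51.100.7"),
    "assets.example-corp.test": ("CNAME", "oldapp.blob.storage-vendor.test"),
    # oldapp.blob.storage-vendor.test is deliberately missing: a dangling alias
    "analytics.third-party.test": ("A", "192.0.2.44"),
    "loop-a.example-corp.test": ("CNAME", "loop-b.example-corp.test"),
    "loop-b.example-corp.test": ("CNAME", "loop-a.example-corp.test"),
}

FIRST_PARTY_SUFFIXES = ("example-corp.test",)  # assumed zone(s) the org owns
MAX_HOPS = 8

# Constructed page: one first-party CDN include, one first-party alias that
# points at a vendor name nobody claims, one third-party tag, one relative URL.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example-corp.test/site.css">
<script src="https://assets.example-corp.test/app.js"></script>
<script src="https://analytics.third-party.test/tag.js"></script>
</head><body><img src="/local/logo.png"></body></html>"""


class IncludeCollector(HTMLParser):
    """Collect hostnames referenced by script/link/img/iframe tags."""
    ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name == wanted and value:
                host = urlparse(value).hostname
                if host:  # relative URLs have no host: same-origin inclusion
                    self.hosts.add(host.lower())


def extract_hosts(html):
    parser = IncludeCollector()
    parser.feed(html)
    return sorted(parser.hosts)


def walk_chain(name, dns=DNS_SNAPSHOT):
    """Follow CNAMEs from `name`. Returns (status, chain): 'resolved' when the
    chain ends at a non-CNAME record, 'dangling' when it ends at a name with
    no record at all, 'loop' on a cycle, 'too_long' past MAX_HOPS."""
    chain = [name]
    seen = {name}
    for _ in range(MAX_HOPS):
        record = dns.get(chain[-1])
        if record is None:
            return "dangling", chain
        rtype, value = record
        if rtype != "CNAME":
            return "resolved", chain
        if value in seen:
            return "loop", chain + [value]
        seen.add(value)
        chain.append(value)
    return "too_long", chain


def is_first_party(host):
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def supply_chain_report(html, dns=DNS_SNAPSHOT):
    """Map every included host to its ownership class and DNS chain status."""
    report = {}
    for host in extract_hosts(html):
        status, chain = walk_chain(host, dns)
        report[host] = {
            "owner": "first-party" if is_first_party(host) else "third-party",
            "status": status,
            "chain": chain,
        }
    return report


if __name__ == "__main__":
    for host, info in supply_chain_report(SAMPLE_HTML).items():
        print(f"{host:32} {info['owner']:12} {info['status']:9} "
              + " -> ".join(info["chain"]))
```

Run against the constructed page, the first-party `assets.example-corp.test` alias is reported as `dangling` because its CNAME target has no record, which is exactly the condition that needs to be cleaned up (remove or re-point the alias) before the target name can be claimed by someone else. The third-party analytics host is reported as resolved but third-party, so it lands in the supply-chain inventory rather than the owned-asset list.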

The attack surface is also:

  • Increasingly vulnerable: More than three-quarters (76%) of organizations have experienced one or more cyber-attacks due to an unknown, unmanaged, or poorly managed internet-facing asset.

  • Ever-expanding: Nearly two-thirds (62%) of organizations claim their attack surface has expanded over the past two years.

  • Extending beyond the organization’s assets: The number one attack surface accelerant is increasing connections with third parties as we rely more and more on external vendors.

What is Attack Surface Management?

Attack surface management is the process of identifying, analyzing, and mitigating the potential vulnerabilities and attack vectors in a system or network. It involves understanding the scope and complexity of an organization’s attack surface and implementing controls to reduce the risk of successful attacks.

The Importance of Attack Surface Management

Diving deeper into the essence of ‘What is ASM’, it is a strategic approach that aids organizations in swiftly discovering assets, assessing risks, and prioritizing their remediation across complex digital environments. As organizations expand their digital footprint across cloud platforms, on-premises infrastructure, SaaS, managed platforms, and third-party services — their attack surface becomes increasingly complex. It can take more than 80 hours just to discover the attack surface, according to ESG. And that’s only the first step. Security teams still need to assess the attack surface, prioritize actions, and remediate them. Given today’s complex digital interactions, understanding attack surface management becomes crucial for maintaining robust cybersecurity.

The Evolving Goals of Attack Surface Management

Reflecting on what is attack surface management reveals its evolving goals, including:

  • The attacker’s point of view: In the beginning, external attack surface management was all about seeing things from the “attacker’s point of view”. This was a game-changer. For the first time, organizations started to realize just how exposed they were.
  • The growing need for attack surface visibility: The COVID-19 pandemic forced companies to take a digital leap to stay in business. Work-from-home policies became the norm, and with that, their crown jewels became increasingly exposed as their attack surface expanded dramatically.
  • The challenge of attack surface visibility: Full attack surface visibility can be overwhelming; as the level of alert and noise keeps rising, organizations realize that without “noise reduction” — that is, reducing false positives and non-critical alerts — effective risk reduction is impossible.
  • Prioritized risk focus: So, the evolution of attack surface management has been a journey from visibility to context-based prioritization, from seeing the attack surface from the attacker’s point of view to reducing the noise level, focusing on the most critical risks, and accelerating remediation.

Engaging in Attack Surface Management

Engaging in attack surface management requires a dynamic and continuous approach, ensuring both the external and internal assets of your organization are thoroughly monitored and safeguarded:

  • Attack Surface Visibility: This component is critical in external attack surface management (EASM). It involves continuously identifying and monitoring all internet-exposed assets, thus ensuring that every digital asset, whether a web application, server, or online service, is accounted for and scrutinized for vulnerabilities.
  • Attack Surface Protection: Beyond visibility of the complete external attack surface, the key to attack surface protection is to reduce the size of the attack surface. A smaller attack surface is easier to protect and safer for the organization. This can be as simple as removing unnecessary and redundant parts of the system or as complex as re-architecting the system with an aim to reduce risks.

Attack Surface Management Components

Explaining attack surface management further, we must understand how it involves a continuous cycle of discovery, monitoring, and protection against potential cyber threats. And any modern ASM tool is bound to bring those components to the table:

Asset Discovery

Asset discovery initiates the process of Attack Surface Management. It’s the systematic uncovering of all internet-facing assets within the organization. This includes a range of assets from web and mobile applications to cloud storage and email servers. The objective is to establish a complete inventory of digital assets, ensuring a thorough understanding of the organization’s online presence.

Asset Attribution

It is essential to know with a high level of confidence whether or not an asset belongs to your organization. Not only this, it’s important to understand the criteria used for asset attribution. Performing accurate asset attribution at scale requires the power of machine learning. The goal is to reduce false positives and gain greater control and clarity of the attack surface.
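Whatever the discovery engine (rule-based or machine learning), the criteria behind an attribution decision should be inspectable. The following is an added example, not code from the original guide: a small evidence-weighted attribution scorer that records which criteria fired for each candidate host and maps the total to an owned / review / rejected decision. The organization name, nameservers, netblock, weights, thresholds and candidate records are all constructed assumptions.

```python
"""Added example (not from the original guide): evidence-weighted asset
attribution that explains its decision. Organization name, nameservers,
netblock, weights, thresholds and candidates are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field

ORG = "Example Corp"
OWNED_NS = {"ns1.example-corp.test", "ns2.example-corp.test"}
OWNED_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed owned

# Evidence weights. Positive supports ownership; negative argues against it.
WEIGHTS = {
    "cert_org_match": 40,      # TLS certificate subject O= matches ORG
    "whois_org_match": 25,     # registrant organization matches ORG
    "ns_owned": 20,            # all nameservers are the org's own
    "ip_in_owned_block": 20,   # resolves into an owned netblock
    "linked_from_seed": 10,    # referenced by an already-confirmed asset
    "whois_other_org": -30,    # registrant is a different organization
    "shared_hosting_ip": -15,  # IP serves many unrelated domains
}
ACCEPT, REVIEW = 50, 25        # score thresholds (assumed)


@dataclass
class Candidate:
    host: str
    cert_org: str = ""
    whois_org: str = ""
    nameservers: set = field(default_factory=set)
    ip: str = ""
    linked_from_seed: bool = False
    shared_hosting: bool = False


def in_owned_block(ip):
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWNED_NETBLOCKS)


def evaluate(c):
    """Return (score, fired_criteria, decision) for one candidate."""
    fired = []
    if c.cert_org == ORG:
        fired.append("cert_org_match")
    if c.whois_org == ORG:
        fired.append("whois_org_match")
    elif c.whois_org:                      # known, but a different registrant
        fired.append("whois_other_org")
    if c.nameservers and c.nameservers <= OWNED_NS:
        fired.append("ns_owned")
    if in_owned_block(c.ip):
        fired.append("ip_in_owned_block")
    if c.linked_from_seed:
        fired.append("linked_from_seed")
    if c.shared_hosting:
        fired.append("shared_hosting_ip")
    score = sum(WEIGHTS[k] for k in fired)
    decision = ("owned" if score >= ACCEPT
                else "review" if score >= REVIEW
                else "rejected")
    return score, fired, decision


# Constructed candidates: a clearly owned host, a vendor-hosted app carrying
# the org's certificate but nothing else, and a lookalike domain.
CANDIDATES = [
    Candidate("portal.example-corp.test", cert_org=ORG, whois_org=ORG,
              nameservers={"ns1.example-corp.test", "ns2.example-corp.test"},
              ip="203.0.113.20"),
    Candidate("app.saas-vendor.test", cert_org=ORG, ip="198.51.100.30"),
    Candidate("examplecorp-login.test", whois_org="Privacy Service Ltd",
              ip="198.51.100.9", shared_hosting=True),
]


def attribute_all(candidates=CANDIDATES):
    """Host -> (score, fired criteria, decision) for every candidate."""
    return {c.host: evaluate(c) for c in candidates}


if __name__ == "__main__":
    for host, (score, fired, decision) in attribute_all().items():
        print(f"{host:28} {score:4} {decision:9} {', '.join(fired)}")
```

The point of returning `fired` alongside the score is that an analyst reviewing the `review` bucket (here the vendor-hosted app that only matches on certificate organization) sees why the tool was unsure, and can add a signal rather than override the verdict by hand. A lookalike domain with a different registrant on shared hosting scores negative and never enters the inventory, which is how false positives are kept out of the attack surface.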

Inventory and Classification

Following discovery and attribution comes inventory and classification. In this phase, the discovered assets are systematically categorized and labeled. This process involves sorting assets based on their types, technical features, and importance to the business. This step is crucial as it can vary for each organization according to the type of assets, and the technology stack they use. Armed with the context that classification brings, you can better understand and manage the attack surface.

Risk Assessment

Risk scoring and security ratings are integral to Attack Surface Management. Each asset is evaluated for vulnerabilities in this phase and assigned a security rating. This process helps in quantifying the risk level of each asset, providing a clear perspective on where the security efforts need to be concentrated.

Risk Prioritization

Risks come in all shapes and sizes, and they need to be prioritized accordingly. At any given time, you may have hundreds of risks in a system from minor alerts to urgent emergencies. Nobody wants to chase risks down rabbit holes. That’s why it’s important to quickly identify the top risks that pose the most danger to your organization and customers, and respond to them first. The prior steps listed above, if done right, will greatly aid prioritization as they form the basis to make decisions on which risks are high and which are low priority.
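The risk assessment and prioritization steps above feed on the context the earlier phases produced (exposure, business importance, dependency counts). The following is an added example, not code from the original guide, that makes the contrast concrete: the same constructed set of findings is ranked once by severity alone and once by a context-based score, and then cut to an alert budget. The findings, the weights and the scoring formula are illustrative assumptions, not any vendor's method.

```python
"""Added example (not from the original guide): severity-only ranking versus
context-based prioritization over a constructed set of findings. Findings,
weights and the scoring formula are assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str
    asset: str
    cvss: float              # base severity, 0-10
    internet_facing: bool    # from the discovery / classification phases
    asset_criticality: int   # 1 (low) .. 5 (crown jewel), from classification
    exploit_available: bool  # public exploit or active exploitation known
    dependents: int          # downstream assets relying on this one (blast radius)


# Constructed findings: a critical-severity bug on an isolated test box versus
# medium-severity issues on exposed, business-critical, widely depended-on assets.
FINDINGS = [
    Finding("F1", "legacy-test-box", 9.8, False, 1, False, 0),
    Finding("F2", "customer-portal", 6.5, True, 5, True, 12),
    Finding("F3", "marketing-cms", 7.5, True, 3, True, 2),
    Finding("F4", "internal-wiki", 8.1, False, 2, False, 1),
    Finding("F5", "payments-api", 5.3, True, 5, False, 20),
]


def severity_only(f):
    """The naive ranking key: CVSS and nothing else."""
    return f.cvss


def context_score(f):
    """Severity scaled by exposure, business criticality, exploitability and
    blast radius. The multipliers are assumed values for illustration."""
    exposure = 1.0 if f.internet_facing else 0.4
    criticality = 0.5 + 0.1 * f.asset_criticality   # 0.6 .. 1.0
    exploit = 1.5 if f.exploit_available else 1.0
    blast = 1.0 + min(f.dependents, 20) / 20.0       # 1.0 .. 2.0
    return round(f.cvss * exposure * criticality * exploit * blast, 2)


def rank(findings, scorer):
    """Finding ids ordered from highest to lowest priority under `scorer`."""
    return [f.fid for f in sorted(findings, key=scorer, reverse=True)]


def triage(findings, threshold=5.0):
    """Alert budget: only findings whose context score clears the threshold
    are surfaced; the rest are recorded but do not page anyone."""
    return [f.fid for f in sorted(findings, key=context_score, reverse=True)
            if context_score(f) >= threshold]


if __name__ == "__main__":
    print("severity only :", rank(FINDINGS, severity_only))
    print("context-based :", rank(FINDINGS, context_score))
    print("surfaced      :", triage(FINDINGS))
```

Under severity alone the isolated test box with a 9.8 comes first and the exposed crown-jewel portal with a known exploit sits fourth; the context score reverses that, and the threshold cut reduces five alerts to the three that actually warrant action. The specific multipliers matter less than the shape: every input to the score comes from a prior ASM phase, which is why prioritization only works when discovery, attribution and classification were done properly.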

Continuous Security Monitoring

Continuous security monitoring is also among the crucial attack surface management components: ongoing vigilance over digital assets. This process consists of regular monitoring for new vulnerabilities and for changes in the attack surface and asset configurations. It ensures that potential security threats are identified and addressed promptly, keeping the organization’s digital environment secure.

Remediation and Mitigation

In the remediation and mitigation phase, the focus is on addressing the vulnerabilities, misconfigurations, and security posture issues identified in earlier stages. Remediation involves direct actions such as patching identified weaknesses, while mitigation refers to strategies to reduce the impact of vulnerabilities that cannot be immediately resolved. This phase is key to ensuring the ongoing security and resilience of the organization’s digital assets.

Attack Surface Management Challenges

There are several challenges in Attack Surface Management that ASM platforms are struggling to address. These fall under two key categories: breadth of coverage, which is the need to eliminate blind spots, and focus, which is the need to reduce noise, prioritize what’s urgent, and evaluate the potential blast radius.

Limited scope

ASM often overlooks a massive – and growing – source of risk. An organization’s attack surface doesn’t just consist of its assets that are exposed to the internet. It also consists of the digital supply chain assets that it is connected to – via HTML inclusions, chaining of scripts, and, with the advent of CDNs and cloud computing, via chains of DNS records.

False negatives

Many ASM platforms lack the technology depth needed to effectively discover internet-facing assets, leaving up to 50% of them in the dark.

False positives

ASM processes that rely on global internet indexing and public records struggle with attribution. Their customers pay for assets they don’t own and waste precious resources chasing false alerts.

Too many alerts

ASM providers often use a limited approach that relies only on vulnerability severity to prioritize risks. As a result, teams are dealing with a constant stream of noisy alerts.