The Complete Guide to ASM

What is Attack Surface Management?

Attack surface management (ASM) is a rapidly advancing field in cybersecurity that helps organizations identify, assess, and manage the attack surface.

What is Attack Surface Management?

Attack surface management is the process of identifying, analyzing, and mitigating the potential vulnerabilities and attack vectors in a system or network. It involves understanding the scope and complexity of an organization’s attack surface and implementing controls to reduce the risk of successful attacks.

What is an attack surface?

An attack surface is the total number of all possible entry points for unauthorized access, or attack vectors, into an organization’s systems, networks, and digital assets. The attack surface is also the entire area of an organization that is exposed to attackers, which is the reason for the term “attacker’s point of view”.

But an attacker set on penetrating your organization doesn’t care whether they’re attacking your internet-facing asset directly, or exploiting a vulnerability from a third-party digital service that provides a toehold into your environment (e.g., a takeover of a dangling Azure blob called by an app referenced in a script on your website).

That’s why the real attack surface is bigger, and to be fair, more complex. It comprises several distinct types of assets, each requiring specific attention for effective management. These include:

  • Cataloged Assets: These are the known entities within your IT infrastructure, such as your official website, servers, and their running dependencies. They’re typically under the watchful eye of your security team.
  • Shadow Elements: A crucial yet often missed category, comprising assets like unauthorized development websites or shadow IT, which exist beyond the regular security checks.
  • Impersonating & phishing: These are the dangerous parts of the attack surface that are outside the organization’s own assets. They include malware and counterfeit websites or apps designed to mimic your organization. They’re crafted with the intent to cause harm or deceive.  
  • Third-Party Interconnections: Your cybersecurity perimeter extends to encompass third-party and fourth-party vendors. These external collaborations can unwittingly introduce risks, significantly expanding your attack surface.

The real attack surface of an organization comprises all the exposed digital assets and connections and extends to their digital supply chain connections, which are propagated via HTML links, scripts, and chains of DNS records. It also includes:

  • Secrets and encryption keys
  • Activity logs
  • IAM systems
  • Authorization policies
  • Personally identifiable information (PII).

It is essential to identify all points of entry and exit to your system that makeup the attack surface. This involves taking into account all the various elements and components mentioned above including HTTP headers, APIs, files, form fields, and more. As you’ll find out, the number of possible attack vectors can add up to many thousands in a typical organization. It can be daunting at first glance to think that you need to secure every attack path a threat actor could use. But that’s what it takes to operate securely in an increasingly complex digital ecosystem.

The Attack Surface is also:

Increasingly
 vulnerable.

More than three-quarters (76%) of organizations have experienced one or more cyber-attacks due to an unknown, unmanaged, or poorly managed internet-facing asset.

Ever-expanding.

Nearly two-thirds (62%) of organizations claim their attack surface has expanded over the past two years.

Extends beyond the organization’s assets.

The number one attack surface accelerant is increasing connections with third parties as we rely more and more on external vendors.

Types of threat actors

Attackers can come from anywhere and with various motivations. Here are the key types of threat actors:

Cybercriminals: Attackers who are motivated by money they can earn either by holding a victim organization ransom, or selling an organization’s data on the dark web. They use a combination of methods like phishing, ransomware, DDoS, and cross-site scripting to gain entry into systems and escalate privileges slowly over time. It can take months or even years before they’re found out. They can be individuals, or groups and come at all levels of sophistication. 

Ex-employees, and insiders: Disgruntled ex-employees with deep awareness of your systems can pose a serious threat once they’re out of your organization. They may take with them confidential data and continue accessing the organization’s systems even after they leave. Another related threat comes from current employees who may carelessly leave parts of the system exposed accidentally or intentionally. This too requires close monitoring to be caught before it escalates.

Nation-state groups: They operate at scale, targeting large organizations, especially those with ties to federal agencies. The Solarwinds breach was a watershed moment when the U.S. government realized the threat these types of actors pose as they try to infiltrate federal digital supply chains. If your organization is related to any government entity directly or indirectly, you should pay attention to the risks from this group of threat actors.

Bug bounty hunters: Possibly benign, these threat actors actively look for security loopholes in organizations and inform the organization of the flaw hoping to cash-in on the organization’s bug bounty program. However, operating on their own, they can sometimes sway towards selling their findings on the dark web.

The Importance of
Attack Surface Management

Diving deeper into the essence of ‘What is ASM’, it is a strategic approach that aids organizations in swiftly discovering assets, assessing risks, and prioritizing their remediation across complex digital environments. As organizations expand their digital footprint across cloud platforms, on-premises infrastructure, SaaS, managed platforms, and 3rd party services — their attack surface becomes increasingly complex. It can take more than 80 hours just to discover the attack surface, according to ESG. And that’s only the first step. Security teams still need to assess the attack surface, prioritize actions, and remediate them. Given today’s complex digital interactions, understanding attack surface management becomes crucial for maintaining robust cybersecurity.

84% of organizations that experienced a ransomware attack had not integrated their multicloud assets with their security tooling – MicrosoftThe cost of a data breach has grown from $3.62M in 2017 to $4.45M in 2023. – IBM84% of organizations that experienced a ransomware attack had not integrated their multi-cloud assets with their security tooling – Microsoft

The Evolving Goals of Attack Surface Management

Reflecting on what is attack surface management reveals its evolving goals, including:

  • The attacker’s point of view: In the beginning, external attack surface management was all about seeing things from the “attacker’s point of view”. This was a game-changer. For the first time, organizations started to realize just how exposed they were.
  • The growing need for attack surface visibility: The COVID-19 pandemic forced companies to take a digital leap to stay in business. Work-from-home policies became the norm, and with that, their crown jewels became increasingly exposed as their attack surface expanded dramatically.
  • The challenge of attack surface visibility: Full attack surface visibility can be overwhelming; as the level of alert and noise keeps rising, organizations realize that without “noise reduction” — that is, reducing false positives and non-critical alerts — effective risk reduction is impossible.
  • Prioritized risk focus: So, the evolution of attack surface management has been a journey from visibility to context-based prioritization, from seeing the attack surface from the attacker’s point of view to reducing the noise level, focusing on the most critical risks, and accelerating remediation.

Engaging in Attack Surface Management

Engaging in attack surface management requires a dynamic and continuous approach, ensuring both the external and internal assets of your organization are thoroughly monitored and safeguarded:

  • Attack Surface Visibility: This component is critical in external attack surface management (EASM). It involves continuously identifying and monitoring all internet-exposed assets, thus ensuring that every digital asset, whether a web application, server, or online service, is accounted for and scrutinized for vulnerabilities.
  • Attack Surface Protection: Beyond visibility of the complete external attack surface, the key to attack surface protection is to reduce the size of the attack surface. A smaller attack surface is easier to protect and safer for the organization. This can be as simple as removing unnecessary and redundant parts of the system or a complex as re-architecting the system with an aim to reduce risks.
  • Attack Surface Protection: Bear in mind that simply reducing the attack surface does not guarantee robust protection. Despite the best reduction efforts, there will always be an attack surface that needs protection. Even with a small attack surface, it takes just one entry point for an attacker to gain access and attempt lateral movement across the system. The key, then, is to have real-time protection of the attack surface with end-to-end management of every potential point. 

Attack Surface Management Components

Explaining attack surface management further, we must understand how it involves a continuous cycle of discovery, monitoring, and protection against potential cyber threats. And any modern ASM tool is bound to bring those components to the table:

Asset Discovery

Asset discovery initiates the process of Attack Surface Management. It’s the systematic uncovering of all internet-facing assets within the organization. This includes a range of assets from web and mobile applications to cloud storage and email servers. It shows assets within and outside of the organization’s perimeter such as vendor-managed assets and third-party applications. The objective is to establish a complete inventory of digital assets, ensuring a thorough understanding of the organization’s online presence.

Here are the key types of assets to be discovered:

Known or IT-operated assets: These are assets that are owned and managed by the organization’s IT team such as a public cloud service like AWS S3, a secrets vault, an email server, or a website domain and hosting service. You have greater control and deeper visibility into these types of assets than the other types. Any attack that has reached these types of assets is critical as it could potentially have easy access to your organization’s crown jewels. 

Vendor-managed assets: Also known as third-party assets, these are not directly owned or managed by your organization, but by a partner, vendor, supplier, or customer organization. This could be a SaaS tool like Salesforce or Quickbooks, a partner organization’s ERP system that tracks inventory and supplies your organization’s needs, or a customer’s organization’s edge location such as an offshore oil rig. Though you have less control and visibility into these assets, a breach in any of them can spread to your systems. You need to identify all potential vulnerabilities, remediate them by working together with the vendor, and constantly monitor threats from them.

Unknown assets: Not every asset in your organization is created or provisioned by IT. Sometimes employees, and vendors could create assets without IT approval. That’s especially common as the workplace has become more remote. Employees use unsecured devices to access the organization’s network. Middleware apps and integrations may exist that your IT team is unaware of. Legacy applications may have been retired, but not entirely decommissioned safely. All these assets belong to the ‘unknown’ category. They are ripe nesting grounds for attackers who want to lie in wait undetected, ready to strike once they have enough knowledge about the system. They need to be accounted for and managed, or removed.

Subsidiary assets: Often organizations acquire other organizations, or they may spin-off part of the organization as a subsidiary. In these cases, the applications belonging to the subsidiary are still part of the wider circle of your organization. These are subsidiary assets. It is essential to discover all of them, and map them to their appropriate subsidiary. This way accountability is clear when a security incident occurs. 

Suspicious assets: Every now and then you may notice external attacks that are accompanied by new assets created that don’t belong to your organization, its vendors, or customers. These are suspicious assets that need careful investigation to assess the threat they pose to the organization. Quick remedial action is required in these cases. These actions include isolating part of the system, revoking access and privileges for affected identities, and eliminating the suspicious asset.

To summarize the information above, here’s a handy table you could use as reference:

Type of attack surfaceWhat it includesExamples
Internal attack surface management (IASM)All assets created, owned, and managed by the organization’s IT team that are accessed and used internally, and are not visible externally.All cloud resources, on-premise infrastructure, email servers, databases, networks, intranet, devices, and more.
External attack surface management (EASM)All assets belonging to vendors, or customers, or internet-facing properties that the organization uses but does not own.Social media, websites, CRM apps, third-party plugins, partner integrations.
Cyber asset attack surface management (CAASM)Identifying and dealing with vulnerabilities as they arise.Malicious assets, requests from unknown or suspicious IPs.

Asset attribution 

Asset attribution 

It is essential to know with a high level of confidence whether or not an asset belongs to your organization. Not only this, it’s important to understand the criteria used for asset attribution. This takes into account details such as the Whois details of a domain, security certificates, DNS records, and more. Performing accurate asset attribution at scale requires the power of machine learning. The goal is to reduce false positives and gain greater control and clarity of the attack surface.

Inventory and Classification

Inventory and Classification

Following discovery and attribution comes inventory and classification. In this phase, the discovered assets are systematically categorized and labeled. This process involves sorting assets based on their types, technical features, and importance to the business. This step is crucial as it can vary for each organization according to the type of assets, and the technology stack they use. You need an overview of all types of assets and an exact number for each type, and you should be able to drill down to exact assets within each category. With the large number of attack vectors you’ll discover, it’s essential to categorize them in this way to make them more manageable, and to assign ownership across the organization and within the security team. Armed with the context that classification brings, you can better understand and manage the attack surface.

Risk Assessment

Risk scoring and security ratings are integral to Attack Surface Management. Each asset is evaluated for vulnerabilities in this phase and assigned a security rating. For example, an exposed security certificate may have a high risk score of ‘100’ as it leaves critical cloud infrastructure vulnerable to attack whereas a web application that is experiencing authentication issues may have a lower risk score of ‘60’. This process helps in quantifying the risk level of each asset, providing a clear perspective on where the security efforts need to be concentrated.  

Risk Prioritization 

Risk Prioritization 

Risks come in all shapes and sizes, and they need to be prioritized accordingly. At any given time, you may have hundreds of risks in a system from minor alerts to urgent emergencies. Nobody wants to chase risks down rabbit holes. That’s why it’s important to quickly identify the top risks that pose the most danger to your organization and customers, and respond to them first. The prior steps listed above, if done right, will greatly aid prioritization as they form the basis to make decisions on which risks are high and which are low priority. 

Continuous Security Monitoring

Continuous security monitoring is also among the crucial attack surface management components, which entails vigilance over digital assets. This process entails regular monitoring for new vulnerabilities and changes in the attack surface and asset configurations. Alerts are helpful here, especially when they are rules-based. The alerts need to reach the right people at the right time so remedial action can be taken quickly. Continuous security monitoring ensures that potential security threats are identified and addressed promptly, keeping the organization’s digital environment secure.

Remediation and Mitigation

In the remediation and mitigation phase, the focus is on addressing the vulnerabilities, misconfigurations, and security posture issues identified in earlier stages. Remediation involves direct actions such as patching identified weaknesses, while mitigation refers to strategies to reduce the impact of vulnerabilities that cannot be immediately resolved. This phase is key to ensuring the ongoing security and resilience of the organization’s digital assets.

Attack Surface Management Challenges

There are several challenges in Attack Surface Management that ASM platforms are struggling to address. These fall under two key categories: breadth of coverage, which is the need to eliminate blind spots, and focus, which is the need to reduce noise, prioritize what’s urgent, and evaluate the potential blast radius.

Limited scope

ASM often overlooks a massive – and growing – source of risk. An organization’s attack surface doesn’t just consist of its assets that are exposed to the internet. It also consists of the digital supply chain assets that it is connected to – via HTML inclusions, chaining of scripts, and, with the advent of CDNs and cloud computing, via chains of DNS records.

False negatives

Many ASM platforms lack the technology depth needed to effectively discover internet facing assets leaving up to 50% of them in the dark.

False positives

ASM processes that rely on global internet indexing and public records struggle with attribution. Their customers pay for assets they don’t own and waste precious resource chasing false alerts.

Too many alerts

ASM providers often use a limited approach that relies only on vulnerability severity to prioritize risks. As a result, teams are dealing with a constant stream of noisy alerts.