What is Attack Surface Management? 

Attack surface management (ASM) is the process of maintaining visibility into an ever-changing network environment so that security teams can patch vulnerabilities and defend against emerging threats. So, what is an attack surface? It’s your whole network, on-prem and off, and the potential vulnerable points where attackers could gain entry.

Forrester defines attack surface management as the process of continuously discovering, identifying, inventorying, and assessing the exposure of an entity’s IT asset estate. Based on everything above, we can safely assume this is something security teams have regular difficulty staying on top of and addressing. Limited visibility in an environment means you don’t know about everything that could possibly hurt the organization and the business.

And if there is limited visibility, keep in mind that any sort of process in application development could be compromised due to a lack of observability of aspects such as how code is behaving in production. Put simply, limited visibility into the attack surface renders unreliable many aspects of business operations and security.

Security organizations can monitor and manage attack surfaces by managing vulnerability, regularly testing web applications, automating threat-detection response, and gaining visibility into the most up-to-date indicators-of-compromise (IOCs). There is no one correct way to manage an entire attack surface, especially in larger enterprise organizations. But, by gaining increased visibility, a security team can begin to tailor actions and search for solutions specific to its environment.

Why is Attack Surface Management Important? 

Attack surface management is important because it provides the visibility, context, and prioritization needed to address vulnerabilities before they can be exploited by attackers; it’s critical for teams who want a deeper understanding of their key risk areas. Attack surface management also aids in making IT, security personnel, and leadership aware of what areas are vulnerable to attack, so the organization can find ways of minimizing the risk.

Aspects of the process – like vulnerability assessments and penetration testing – are best practices teams can leverage to gain visibility and context into where breaches might occur along the attack surface. This overall attack surface analysis strategy can increase awareness of both technical and process-related risks.

  • Vulnerability assessments: A vulnerability assessment establishes a baseline of your systems and their vulnerabilities, maintaining continuous visibility of your environment and making stakeholders aware of the potential risks present. The focus is solely on identification, not exploitation. That comes next…
  • Penetration testing: NIST defines penetration testing as the issuance of real attacks on real systems and data, using the same tools and techniques used by actual attackers. Penetration testing – or pentesting – has the added benefits of helping an organization stay compliant and coming up with hard data detailing how attackers might gain entry.

What are the Challenges Around External Attack Surface Mapping? 

The challenges around external attack surface mapping are many, but that doesn’t mean there aren’t solutions for a capable SOC. Whether that team exists all in one location or they’re scattered the world over, it’s imperative for a globally distributed workforce to secure its modern attack surface. Let’s take a look at a few highlights among those challenges:

Distributed IT Ecosystems

The ephemeral nature of maintaining the bulk of operations in the cloud means that there is no defined perimeter like in the “old days” of on-prem-only. That perimeter is ever-changing and expanding, so the challenge of distributed IT ecosystems that host and house an organization’s clouds is that it can be difficult to monitor and secure a national or global perimeter that lies beyond firewalls and other protocols that protect local networks.

Siloed Teams

Collaboration between traditionally siloed teams can be a challenge when attempting to monitor and map your attack surface for budding threats, especially when those teams can be distributed geographically, whether that means a network of remote workers, regional offices, or multinational headquarters. These days, there is a greater focus on solutions that can provide the shared view and common language that can bring together those traditionally siloed teams to work toward a common goal of threat prevention.

Your External Attack Surface is Constantly Changing 

Between known and unknown assets constantly joining the network, your attack surface grows and changes daily. Automating operations within an effective external attack surface management (EASM) strategy can cut down on the time it takes to secure post-perimeter assets, such as those that are exposed to the public internet and could be at the mercy of public-cloud misconfigurations.

EASM solutions can further optimize cloud security posture and are increasingly focused on identifying rogue external assets. They should be able to leverage external threat intelligence to conduct targeted threat hunts and prioritize remediation, from the nearest network endpoints to around the deep and dark web. In this way, practitioners can understand what threat actors are doing in the wild and how it could bleed into the internal environment.

What are the Core Functions of Attack Surface Management? 

Discovery

This includes extensive scanning to discover systems and/or assets that may be particularly open to threats. These sorts of assets could be anything from application builds, to personal assets accessing a company’s network, to the hardware/software of a supply chain partner. That last point is of particular concern, as most every company in existence leverages the services of multiple vendors, who each leverage the services of multiple vendors of their own – and so on and so on.

This complexity and reliance on so many partner networks underscores the need to go beyond discovery, to accelerate scanning and visibility into real-time territory. As threat actors gain speed with their breach methodologies, security organizations must keep pace as the time to exploitation continues to shrink.

Testing 

Regular testing – of varying types – is a reliable way to ensure applications and systems are properly secured. From there, you can determine what action needs to be taken to fortify perimeters.

  • Dynamic application security testing (DAST): A DAST approach involves looking for vulnerabilities in a web app that an attacker could try to exploit.
  • Static application security testing (SAST): SAST has a more inside-out approach, meaning that unlike DAST, it looks for vulnerabilities in the web application's source code.
  • Application penetration testing: Application penetration testing involves the human element. A security professional will try to imitate how an attacker might break into a web app using both their personal security know-how and a variety of penetration testing tools to find exploitable flaws.

Context

It’s crucial to have context around potential risks or threats. Data sprawl and complexity can lead to an unwieldy attack surface that poses major challenges to security operations (SecOps) teams looking to fully understand threats and manage vulnerabilities at an ever-increasing pace.

Contextualized threat intelligence can help provide insights into every layer of your tech stack so you can effectively prioritize and respond to risks and threats. This means more than just intelligence feeds: it also means understanding public accessibility, presence of vulnerabilities, whether or not a resource is associated with a business critical application, and more. Vulnerabilities have a certain level of risk, as does every asset on your network. Therefore, it’s crucial to have strategies in place that prioritize remediation of the most sensitive risks before they become real threats.

Prioritization 

The sheer number of security issues that can arise in one security organization, whether it’s in the SOC or elsewhere, is not necessarily an indicator of the team’s ability to thwart threats and patch vulnerabilities. A modern attack surface includes both on-premises and cloud environments. That kind of sprawl includes scenarios like an identity and access management (IAM) team dealing with millions of distinct identities as each resource and service is assigned a role. Each of those roles has its own exploitable permissions and privileges.

Last year, 88% of organizations reported they planned to increase spending on, among other things, improving alert context and prioritization. Automating processes like risk analysis and workflow frameworks can vastly decrease the complexity and enormity of evaluating which incidents are in the most need of timely remediation.

Establishing and Enforcing Compliance

It’s critical to implement and continuously enforce internal compliance – and regulatory, if applicable – standards that shrink your attack surface as much as possible.

Rigorously adhering to compliance policies can have the benefit of accelerating response time in that smaller attack surface. By also incorporating as much automation as possible, you can reduce the blast radius when an attack or breach does occur. Shifting security left is an example of how those standards can also create a culture of faster response. This means integrating security earlier into the application development/deployment process via continuous template scans while builds are taking place and also post-deployment.

Remediation

As your network grows, your attack surface expands. That’s a lot of space for attackers to find a way in and exploit it to the max. With, as mentioned above, contextual threat intelligence and prioritization, over time it can become possible to behave like an attacker, staying one step ahead and remediating issues before they can be exploited. Automated remediation plays a critical part in the ability to rapidly address one potential threat after another.

Read More About Attack Surface Security 

Attack Surface Management: Latest Rapid7 Blog Posts

Rapid7 Blog: Cyber Asset Attack Surface Management 101