Attack Surface Management (ASM) is the continuous monitoring and remediation and reduction of all security risks within an organization's attack surface. The ultimate objective of ASM to to keep the attack surface minimal to reduce the number of options hackers have to breach a network perimeter.
In short, ASM aims to compress everything outside of the firewall that attackers can and will discover as they research the threat landscape for vulnerable organizations.
In 2018, Gartner urged security leaders to start reducing, monitoring, and managing their attack surface as part of a holistic cybersecurity risk management program. Today, attack surface management is a top priority for CIOs, CTOs, CISOs, and security teams.
What is an Attack Surface?
Your attack surface is all the hardware, software, SaaS, and cloud assets that are accessible from the Internet that process or store your data. Think of it as the total number of attack vectors cybercriminals could use to manipulate a network or system to extract data. Your attack surface includes:
- Known assets: Inventoried and managed assets such as your corporate website, servers, and the dependencies running on them
- Unknown assets: Such as Shadow IT or orphaned IT infrastructure that was stood up outside of the purview of your security team such as forgotten development websites or marketing sites
- Rogue assets: Malicious infrastructure spun up by threat actors or hackers such as malware, typosquatted domains, or a website or mobile app that impersonates your domain.
- Vendors: Your attack surface doesn't stop with your organization — third-party and fourth-party vendors introduce significant third-party risk and fourth-party risk. Even small vendors can lead to large data breaches, just like the HVAC vendor that eventually led to Target's exposure of credit card and personal data on more than 110 million consumers.
Millions of these assets appear on the Internet each day and are entirely outside the scope of firewall and endpoint protection services. Other names include external attack surface and digital attack surface.
Why Reducing Your Attack Surface isn't a Robust Solution
It's common for organizations to approach improving information security by reducing:
- The amount of code running
- Entry points available to untrusted users, e.g., access control, RBAC, and the principle of least privilege
- The number of Internet-facing web applications, mobile apps, and services running
While this reduces your organization's attack surface, it doesn't prevent security control failures.
If an attacker can find an exploit or vulnerability in your remaining Internet-facing assets before you do, they can still inflict damage by installing malware and ransomware or by causing data breaches.
If you need some ideas for reducing your attack surface, refer to this list of attack surface reduction examples.
Why is Attack Surface Management Important?
Attack surface management is important because it helps to prevent and mitigate cyber risks and potential attacks stemming from:
- Legacy, IoT, and shadow IT assets
- Human mistakes and omissions such as phishing and data leaks
- Vulnerable and outdated software
- Unknown open-source software (OSS)
- Large-scale attacks on your industry
- Targeted cyber attacks on your organization
- Intellectual property infringement
- IT inherited from M&A activities
- Vendor managed assets
Timely identification of digital assets is fundamental to robust threat intelligence and can greatly reduce the risk of data breaches and leaks. All it takes for an attacker to launch a successful cyber attack on a vulnerable point or security gap in your organization or IT ecosystem to compromise the entire business or supply chain.
For a concise overview of the attack surface management process, watch the video below:
What Are the Components of a Robust External Attack Surface Management Solution?
A modern external attack surface management solution consists of five parts:
- Asset Discovery
- Inventory and classification
- Risk scoring and security ratings
- Continuous security monitoring
Your organization and third parties such as cloud providers, IaaS and SaaS, business partners, suppliers, or external contractors can own or operate these internal or external assets.
Here is a non-exhaustive list of digital assets that should be identified and mapped by an attack surface management solution:
- Web applications, services, and APIs
- Mobile applications and their backends
- Cloud storage and network devices
- Domain names, SSL certificates, and IP addresses
- IoT and connected devices
- Public code repositories such as GitHub, BitBucket, and GitLab
- Email servers
Depending on the provider, the discovery process can range from manual input of domains and IP addresses to automated scanning based on open-source intelligence and dark web crawling.
At UpGuard, we run this discovery process on a daily basis through trusted commercial, open-source, and proprietary methods. This allows us to discover any Internet-facing assets that have been spun up.
What makes UpGuard different from other providers is our unparalleled ability to detect leaked credentials and exposed data before it falls into the wrong hands.
For example, we detected data exposed in a GitHub repository by an AWS engineer in 30 minutes. We reported it to AWS and the repo was secured the same day. This repo contained personal identity documents and system credentials including passwords, AWS key pairs, and private keys.
Our data leak discovery engine continuously searches for keywords provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of data breach research.
Inventory and Classification
Once your assets are discovered, it's the right time to commence digital asset inventory and classification, also known as IT asset inventory. This part of the exercise involves dispatching and labeling the assets based on their type, technical characteristics, properties, business criticality, compliance requirements, or owner.
It's essential to have a person or team who is accountable for regular asset maintenance, updates, and protection.
With UpGuard BreachSight, we'll automatically discover all your externally facing IT infrastructure.
Within the platform, you can add as many people as necessary and label and organize assets by any property you wish such as ownership, asset, technical characteristics, business-critical, compliance requirements, or owner.
You'll also be able to run reports on specific parts of your infrastructure to see where security risks are and who is responsible for fixing them. This data can be easily accessed by our API and integrated with other systems.
To manage third-party risks, you can use UpGuard Vendor Risk to automatically discover the externally-facing Internet assets of your vendors and third parties and label them accordingly.
Risk Scoring and Security Ratings
Attack surface management would be impossible without actionable risk scoring and security ratings. Many organizations have thousands, if not millions, of fluctuating digital assets.
Without security ratings software it can be hard to understand what security issues each asset has and whether they expose information that could result in data breaches, data leaks, or other cyber attacks.
This is why it's crucial for digital assets to be continuously detected, scanned, and scored so you can understand what risks need to be mitigated and prioritized.
Security ratings are a data-driven, objective, and dynamic measurement of an organization's security posture.
UpGuard is one of the most popular and trusted security ratings platforms. We generate our ratings through proprietary algorithms that take in and analyze trusted commercial and open-source data sets to collect data that can quantitatively evaluate cybersecurity risk non-intrusively.
With UpGuard, an organization's security rating can range from 0 to 950 and is comprised of a weighted average of the risk rating of all externally facing assets, such as web applications, IP addresses, and marketing sites.
The lower the rating, the more severe the risks they are exposed to. Conversely, the higher the rating, the better their security practices and the less successful cyber attacks will be.
To keep our security ratings up-to-date, we recalculate scores whenever a website is scanned, or a security questionnaire is submitted. This means an organization's security rating will be updated multiple times a day, as most websites are scanned daily.
Continuous Security Monitoring
Continuous security monitoring is one of the most important parts of an attack management solution. The increasing adoption of open-source software, SaaS, IaaS, and outsourcing means misconfiguration and vulnerability management are more complicated than ever.
Any good attack surface management software will monitor your assets 24/7 for newly discovered security vulnerabilities, weaknesses, misconfiguration, and compliance issues.
UpGuard BreachSight will automate the discovery of known vulnerabilities and provide assessments in your externally facing software. This information could be exposed by HTTP headers or website content.
We use the Common Vulnerability Scoring System (CVSS), a published standard developed to capture the principal characteristics of a vulnerability to produce a numerical score between 0 and 10 to reflect its severity.
This numerical score is also translated into a qualitative representation (low, medium, high, and critical) to help you properly assess and prioritize the vulnerability.
In addition to vulnerabilities, we run hundreds of individual misconfiguration checks to determine:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM, and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Network security
- Unnecessary open administration, database, app, email, and file-sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
Unlike other providers, these checks are run on a daily basis and can be updated on-demand through our platform or via our API.
Remediation & Mitigation
Organizations can begin remediation and mitigation processes from the previous steps based on the order or priority and risk level determined during risk scoring. Internal IT teams can utilize an ASM tool to determine a workflow to remediate risks, such as providing remediation controls, installing patches for software, implementing data encryption, debugging system codes, and updating system configurations.
The remediation effort can also involve automated solutions to ensure certain risks are updated regularly, and unknown assets are continually discovered, retiring orphaned domains, and even scanning third-party assets for risks and weaknesses. Additionally, the ASM process ensures organizations regularly review their internal IT processes and policies and determine if they need additional safeguards for their data and assets.
If complete remediation is not possible, the business must attempt to mitigate the threat by limiting its impact, scope, and effectiveness. Businesses can accomplish that by enforcing best security practices, security operations and program reviews, and a complete digital transformation of their current cybersecurity priorities.
It's important to understand that the modern threat landscape goes further than legitimate corporate IT assets and can involve malicious or rogue assets deployed by cybercriminals, competitors, or merely forgotten assets. This could include spear phishing websites, email spoofing, OPSEC failures on social media like LinkedIn, ransomware, cyber squatted or typosquatted domain names, on-premises systems, or many other cyber threats.
Increasingly this includes sensitive data, personally identifiable information, protected health information, biometrics, psychographics, cloud security, passwords, IoT devices, and trade secrets leaked to the dark web in previous data breaches or current data leaks.
Watch this video for an overview of UpGuard's remediation request feature.
How UpGuard Helps Manage Your Attack Surface
UpGuard helps organizations improve the efficiency of their attack surface management program by detecting existing and potential attack vectors increasing your risk of suffering a data breach.
With advanced features such as cyber risk prioritization and security questionnaires mapping to popular frameworks, UpGuard helps security teams establish an.ASM program remains effective despite changes in the modern attack surface landscape.