Attack surface management (ASM) is the continuous discovery, inventory, classification, prioritization, and security monitoring of external digital assets that contain, transmit, or process sensitive data.
In short, it is everything outside of the firewall that attackers can and will discover as they research the threat landscape for vulnerable organizations.
In 2018, Gartner urged security leaders to start reducing, monitoring, and managing their attack surface as part of a holistic cybersecurity risk management program.
Today, attack surface management is a top priority for CIOs, CTOs, CISOs, and security teams.
What is an Attack Surface?
Your attack surface is all the hardware, software, SaaS, and cloud assets that are accessible from the Internet and that process or store your data. Think of it as the complete set of attack vectors a cybercriminal could use to manipulate a network or system and extract data. Your attack surface includes:
- Known assets: Inventoried and managed assets such as your corporate website, servers, and the dependencies running on them
- Unknown assets: Shadow IT or orphaned infrastructure stood up outside the purview of your security team, such as forgotten development or marketing sites
- Rogue assets: Malicious infrastructure spun up by threat actors, such as malware distribution sites, typosquatted domains, or a website or mobile app that impersonates your brand
- Vendors: Your attack surface doesn't stop at your organization. Third-party and fourth-party vendors introduce significant third-party risk and fourth-party risk, and even small vendors can lead to large data breaches: the HVAC vendor whose stolen credentials gave attackers their foothold in the Target breach is the classic example, with credit card and personal data on more than 110 million consumers exposed.
New assets of all these kinds appear on the Internet every day, and they sit entirely outside the scope of firewalls and endpoint protection. Other names for this scope include external attack surface and digital attack surface.
Why Reducing Your Attack Surface isn't a Robust Solution
It's common for organizations to approach improving information security by reducing:
- The amount of code running
- Entry points available to untrusted users, e.g. through access control, RBAC, and the principle of least privilege
- The number of Internet-facing web applications, mobile apps, and services running
While this does reduce your organization's attack surface, it doesn't prevent security control failures.
If an attacker finds and exploits a vulnerability in your remaining Internet-facing assets before you do, they can still inflict damage by installing malware or ransomware or by causing a data breach.
Why is Attack Surface Management Important?
Attack surface management is important because it helps to prevent and mitigate risks stemming from:
- Legacy, IoT, and shadow IT assets
- Human mistakes and omissions, such as falling for phishing or leaking data
- Vulnerable and outdated software
- Unknown open-source software (OSS)
- Large-scale attacks on your industry
- Targeted cyber attacks on your organization
- Intellectual property infringement
- IT inherited from M&A activities
- Vendor managed assets
Timely identification of digital assets is a fundamental part of robust threat intelligence and can greatly reduce the risk of data breaches and data leaks. All it takes for an attacker to launch a cyber attack is one vulnerable point in your organization.
What are the Components of a Robust Attack Surface Management Solution?
A modern attack surface management solution consists of five parts:
- Discovery
- Inventory and classification
- Risk scoring and security ratings
- Continuous security monitoring
- Malicious asset and incident monitoring
Discovery
Discovery is the first step: finding the digital assets that make up your attack surface. These assets can be owned or operated by your organization, as well as by third parties such as cloud providers, IaaS and SaaS vendors, business partners, suppliers, or external contractors.
Here is a non-exhaustive list of digital assets that should be identified and mapped by an attack surface management solution:
- Web applications, services, and APIs
- Mobile applications and their backends
- Cloud storage and network devices
- Domain names, SSL/TLS certificates, and IP addresses
- IoT and connected devices
- Public code repositories such as GitHub, BitBucket, and Gitlab
- Email servers
Depending on the provider, the discovery process can range from manual input of domains and IP addresses to automated scanning based on open source intelligence and dark web crawling.
At UpGuard, we run this discovery process on a daily basis through trusted commercial, open-source, and proprietary methods. This allows us to discover any Internet-facing assets that have been spun up.
What makes UpGuard different from other providers is our unparalleled ability to detect leaked credentials and exposed data before it falls into the wrong hands.
For example, we were able to detect data exposed in a GitHub repository by an AWS engineer in 30 minutes. We reported it to AWS and the repo was secured the same day. This repo contained personal identity documents and system credentials including passwords, AWS key pairs, and private keys.
Our data leak discovery engine continuously searches for keywords provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of data breach research.
Inventory and Classification
Once your assets are discovered, it's time to begin digital asset inventory and classification, also known as IT asset inventory. This step involves grouping and labeling assets by type, technical characteristics and properties, business criticality, compliance requirements, and owner.
It's essential to have a person or team who is accountable for regular asset maintenance, updates, and protection.
With UpGuard BreachSight, we'll automatically discover all your externally facing IT infrastructure.
Within the platform, you can add as many people as necessary and label and organize assets by any property you wish, such as owner, asset type, technical characteristics, business criticality, or compliance requirements.
You'll also be able to run reports on specific parts of your infrastructure to see where security risks are and who is responsible for fixing them. This data can be easily accessed by our API and integrated with other systems.
For the management of third-party risks, you can use UpGuard Vendor Risk to automatically discover the externally facing Internet assets of your vendors and third parties and label them accordingly.
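To make the discovery and inventory steps concrete, here is an added example written for this article; it is illustrative code, not UpGuard's platform or the BreachSight discovery engine. It takes a certificate transparency export in the JSON shape that crt.sh returns (one open-source intelligence feed a discovery process typically draws on), extracts every hostname that falls under a seed domain, diffs the result against a known-asset inventory, and assigns owners to the unknown assets with a few naming-convention rules. The seed domain example.com, the CT entries, the inventory, and the ownership rules are all constructed assumptions.

```python
import json
import re

# Constructed sample: a crt.sh-style JSON export for the hypothetical seed
# domain example.com. None of these entries come from a real CT log.
CT_EXPORT = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "dev-old.example.com", "name_value": "dev-old.example.com"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nautodiscover.example.com"},
    {"common_name": "WWW.Example.COM", "name_value": "www.example.com"},
    {"common_name": "evil.example.com.attacker.net", "name_value": "evil.example.com.attacker.net"},
])

# Constructed known-asset inventory: hostname -> accountable team.
KNOWN_ASSETS = {
    "www.example.com": "web-platform",
    "example.com": "web-platform",
    "mail.example.com": "it-ops",
}

# Assumed ownership rules for assets the inventory has never seen: first-label
# prefix -> team. In practice these come from naming conventions or CMDB data.
OWNER_RULES = [
    (re.compile(r"^(dev|staging|test)-"), "engineering"),
    (re.compile(r"^(autodiscover|mail|smtp|mx)\b"), "it-ops"),
]

HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$")


def hostnames_from_ct(export_json, seed_domain):
    """Return the set of in-scope hostnames found in a crt.sh-style export.

    Both the certificate CN and every SAN (crt.sh joins SANs with newlines)
    are considered. Names are lower-cased and de-duplicated, and a name is in
    scope only if it is the seed or ends with ".<seed>": a lookalike such as
    example.com.attacker.net is excluded rather than inventoried.
    """
    seed = seed_domain.lower()
    names = set()
    for entry in json.loads(export_json):
        candidates = [entry.get("common_name", "")] + entry.get("name_value", "").split("\n")
        for raw in candidates:
            name = raw.strip().lower().rstrip(".")
            if not HOSTNAME_RE.match(name):
                continue
            if name == seed or name.endswith("." + seed):
                names.add(name)
    return names


def classify(discovered, known, rules):
    """Label each discovered name as known/unknown/wildcard and assign an owner."""
    inventory = {}
    for name in sorted(discovered):
        if name in known:
            inventory[name] = {"status": "known", "owner": known[name]}
            continue
        if name.startswith("*."):
            # A wildcard cert covers hosts nobody has enumerated; flag it for review.
            inventory[name] = {"status": "wildcard", "owner": None}
            continue
        first_label = name.split(".")[0]
        owner = next((team for rx, team in rules if rx.search(first_label)), None)
        inventory[name] = {"status": "unknown", "owner": owner}
    return inventory


def unowned(inventory):
    """Assets with no accountable team: the gap the text says must be closed."""
    return sorted(name for name, info in inventory.items() if info["owner"] is None)


if __name__ == "__main__":
    inv = classify(hostnames_from_ct(CT_EXPORT, "example.com"), KNOWN_ASSETS, OWNER_RULES)
    for name, info in inv.items():
        print(f"{name:30} {info['status']:9} owner={info['owner']}")
    print("unowned:", unowned(inv))
```

Running it lists six in-scope names (the lookalike under attacker.net is dropped), labels dev-old.example.com and autodiscover.example.com as unknown assets with a guessed owner, and reports the wildcard certificate as unowned. Two design points carry over to real tooling: scope is decided by suffix match on the seed domain, never by substring, and an asset that cannot be attributed to a team is itself a finding.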
Risk Scoring and Security Ratings
Attack surface management would be an impossible task without actionable risk scoring and security ratings. Many organizations have thousands, if not millions, of fluctuating digital assets.
Without security ratings software it can be hard to understand what security issues each asset has and whether they are exposing information that could result in data breaches, data leaks, or other cyber attacks.
This is why it's crucial for digital assets to be continuously detected, scanned and scored so you can understand what risks need to be mitigated and prioritized.
For reference, security ratings are a data-driven, objective, and dynamic measurement of an organization's security posture.
UpGuard is one of the most popular and trusted security ratings platforms. We generate our ratings through proprietary algorithms that take in and analyze trusted commercial and open-source data sets to non-intrusively collect data that can quantitatively evaluate cybersecurity risk.
With UpGuard, an organization's security rating can range from 0 to 950 and is comprised of a weighted average of the risk rating of all externally facing assets, such as web applications, IP addresses, and marketing sites.
The lower the rating, the more severe the risks the organization is exposed to. Inversely, the higher the rating, the better its security practices and the lower the likelihood of a successful cyber attack.
To keep our security ratings up-to-date, we recalculate scores whenever a website is scanned or a security questionnaire is submitted. In general, this means an organization's security rating will be updated multiple times a day, as most websites are scanned daily.
Continuous Security Monitoring
Continuous security monitoring is one of the most important parts of an attack surface management solution. The increasing adoption of open-source software, SaaS, IaaS, and outsourcing means that misconfiguration and vulnerability management are more complicated than ever before.
Any good attack surface management software will monitor your assets 24/7 for newly discovered security vulnerabilities, weaknesses, misconfiguration, and compliance issues.
UpGuard BreachSight will automatically discover and assess known vulnerabilities in your externally facing software, using version information that is often disclosed in HTTP headers or website content.
We use the Common Vulnerability Scoring System (CVSS), a published standard that captures the principal characteristics of a vulnerability and produces a numerical score between 0 and 10 reflecting its severity.
This numerical score is also translated into a qualitative representation (low, medium, high, and critical) to help you properly assess and prioritize the vulnerability.
In addition to vulnerabilities, we run hundreds of individual misconfiguration checks to determine:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Network security
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
Unlike other providers, these checks are run on a daily basis and can be updated on-demand through our platform or via our API.
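As an added illustration of what a few of the checks above look like in code (example code written for this article, not UpGuard's scanner; the severities and the HSTS threshold are assumptions), the script below evaluates a constructed HTTP response for software version disclosure, HSTS, and cookie flags, and a constructed pair of DNS TXT records for SPF and DMARC. In a real scanner the response comes from a live fetch and the records from a DNS lookup; here both are embedded so the example runs offline.

```python
import re

# Constructed sample HTTP response; not captured from any real host.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed DNS TXT records for the hypothetical domain example.com.
TXT_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# Assumed threshold: one year, the minimum the HSTS preload list accepts.
MIN_HSTS_AGE = 31536000


def parse_headers(raw):
    """Return [(lower-cased name, value), ...] for every header in a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_http(raw):
    """Version disclosure, HSTS and cookie-flag checks. Returns [(severity, message)]."""
    findings = []
    headers = parse_headers(raw)

    def get(name):
        return [v for k, v in headers if k == name]

    # Version strings in Server/X-Powered-By are what a vulnerable-software
    # check keys on, so disclosing them is itself a finding.
    for name in ("server", "x-powered-by"):
        for value in get(name):
            if re.search(r"\d+\.\d+", value):
                findings.append(("medium", f"{name} header discloses software version: {value}"))

    hsts = get("strict-transport-security")
    if not hsts:
        findings.append(("high", "HSTS header missing"))
    else:
        directives = {}
        for directive in hsts[0].split(";"):
            key, _, val = directive.strip().lower().partition("=")
            directives[key] = val
        m = re.fullmatch(r"\d+", directives.get("max-age", ""))
        max_age = int(m.group()) if m else 0
        if max_age < MIN_HSTS_AGE:
            findings.append(("medium", f"HSTS max-age {max_age} is below {MIN_HSTS_AGE}"))
        if "includesubdomains" not in directives:
            findings.append(("low", "HSTS lacks includeSubDomains"))

    for cookie in get("set-cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag, severity in (("Secure", "medium"), ("HttpOnly", "medium"), ("SameSite", "low")):
            if flag.lower() not in attrs:
                findings.append((severity, f"cookie {cookie_name} lacks {flag}"))
    return findings


def check_email(domain, txt):
    """SPF and DMARC checks against a {name: [txt, ...]} record map."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("high", "no SPF record"))
    else:
        m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf[0].lower())
        qualifier = (m.group(1) or "+") if m else None  # a bare "all" means "+all"
        if qualifier is None:
            findings.append(("medium", "SPF record has no 'all' mechanism"))
        elif qualifier in ("+", "?"):
            findings.append(("high", f"SPF '{qualifier}all' lets any host send as {domain}"))
        elif qualifier == "~":
            findings.append(("low", "SPF ends in softfail '~all'; '-all' is stronger"))

    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(("high", "no DMARC record"))
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        policy = tags.get("p", "").strip().lower()
        if policy not in ("quarantine", "reject"):
            findings.append(("medium", f"DMARC policy '{policy or 'missing'}' does not act on spoofed mail"))
    return findings


if __name__ == "__main__":
    for severity, msg in check_http(RAW_RESPONSE) + check_email("example.com", TXT_RECORDS):
        print(f"[{severity}] {msg}")
```

The constructed response produces six findings (two version disclosures, a short HSTS max-age without includeSubDomains, and a session cookie missing Secure and SameSite), while the second cookie, which carries all three attributes, produces none; the email records produce a softfail SPF and a DMARC policy of none. Each check is a pure function of the fetched data, which is what makes it cheap to re-run daily or on demand.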
Malicious Asset and Incident Monitoring
The steps above should surface the known and unknown assets operated by your organization and its third-party vendors. But the modern threat landscape extends beyond legitimate corporate IT assets: it also includes malicious or rogue assets deployed by cybercriminals or competitors, and forgotten assets that nobody is maintaining.
Increasingly this includes sensitive data, personally identifiable information, protected health information, biometrics, psychographics, passwords, and trade secrets that have been leaked to the dark web in previous data breaches or current data leaks.
UpGuard BreachSight automatically scours the web for known third-party data breaches. The data is then fed into the platform to check whether any of your employees were exposed. This allows you to get on top of leaked credentials before they are used to gain unauthorized access to your organization. You can even send out notification emails inside our platform.
Given the accelerating number of third-party data breaches, continuous identity breach detection is crucial, and it is no longer something a human can do effectively: there are too many breaches each day for manual review to be feasible.
In addition to third-party breaches, UpGuard BreachSight can scan the web for exposed datasets on the open and deep web, as well as S3 buckets, GitHub repos, Rsync and FTP servers.
There is a huge wealth of data that is being generated by every company with a digital footprint, which is now everyone.
Even if you have great cybersecurity awareness training, all it takes is one mistake to expose API keys, customer lists, or worse.
We excel at identifying a variety of data points including exposed credentials, data sets, third-party apps, as well as customer, employee, and financial data. Like our third-party data breach data, we feed this into the platform to give you a severity, description, status, and detection date so you can stay on top of and secure discovered data leaks.
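To show the kind of matching a keyword-driven leak search performs, here is an added example for this article, covering both the keyword search described under discovery and the exposed-credential detection described here; it is not the UpGuard data leak discovery engine. The script scans a constructed file of the sort that ends up in a public repository or open bucket for credential patterns and customer-supplied keywords, redacts the secret portion before recording a finding, and ranks the results by severity. The patterns and keywords are assumptions; the AWS values are Amazon's documented placeholder keys and every other value is made up.

```python
import re

# Constructed sample of a file that might surface in a public repo or open
# bucket. The AWS values are Amazon's documented placeholder credentials;
# everything else is made up. Nothing here is a real secret.
SAMPLE_BLOB = """\
# deploy.env (constructed sample)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_URL=postgres://svc_billing:Sup3rS3cret@db.internal.acme-corp.example:5432/billing
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
contact: ops@acme-corp.example
"""

# Assumed customer-supplied keywords: brand strings, internal domains, codenames.
CUSTOMER_KEYWORDS = ["acme-corp", "Project Falcon"]

# Credential patterns (illustrative, not exhaustive). A capture group marks the
# secret portion so it can be redacted before the finding is stored.
SECRET_PATTERNS = [
    ("critical", "AWS access key ID", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("critical", "private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("high", "credential in connection URL", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@]+)@", re.I)),
    ("high", "assigned secret variable", re.compile(r"^\s*\w*(?:SECRET|PASSWORD|TOKEN)\w*\s*[=:]\s*(\S+)", re.I | re.M)),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def redact(value, keep=4):
    """Keep a short prefix for triage and mask the rest."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def scan_blob(text, keywords, patterns=SECRET_PATTERNS):
    """Return findings for credential patterns and customer keywords in text."""
    findings = []
    for severity, kind, rx in patterns:
        for m in rx.finditer(text):
            secret = m.group(1) if rx.groups else None
            findings.append({
                "severity": severity,
                "kind": kind,
                "line": line_of(text, m.start()),
                "excerpt": redact(secret) if secret else m.group(0),
            })
    for kw in keywords:
        for m in re.finditer(re.escape(kw), text, re.I):
            findings.append({
                "severity": "info",
                "kind": "customer keyword",
                "line": line_of(text, m.start()),
                "excerpt": kw,
            })
    return findings


def prioritize(findings):
    """Most severe first, then by position in the file."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["line"]))


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = prioritize(scan_blob(SAMPLE_BLOB, CUSTOMER_KEYWORDS))
    for f in results:
        print(f"[{f['severity']:8}] line {f['line']:2} {f['kind']}: {f['excerpt']}")
    print(summarize(results))
```

On the constructed file this yields two critical findings (the AWS access key ID and the private key block), two high ones (the password embedded in the database URL and the assigned AWS secret), and two informational keyword hits on acme-corp. The redaction matters: a leak detector's own findings store is itself an attractive target, so it should hold only enough of each secret to let an analyst recognise it.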
How UpGuard Can Help You With Attack Surface Management
UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
For the assessment of your vendors' information security controls, UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.