Attack surface management (ASM) software is a set of automated tools that monitor and manage external digital assets that contain, transmit, or process sensitive data. ASM software identifies misconfigurations and vulnerabilities that cybercriminals could exploit for malicious purposes that result in data breaches or other serious security incidents.
The following scenario demonstrates the progression of a cyberattack facilitated by an unidentified vulnerability:
- Stage 1: A cloud solution is unknowingly storing sensitive employee information in a misconfigured storage bucket, publicly exposing its data.
- Stage 2: A hacker exploits this vulnerability and finds credentials granting access to the company’s internal network.
- Stage 3: The cybercriminal logs into the network, exfiltrates sensitive data, and deploys ransomware.
- Stage 4: The cybercriminal begins posting segments of the stolen data in a dark web forum, threatening to continue until the victim organization pays the specified ransom price.
If the business in this scenario had been aware of the critical vulnerability exposing sensitive internal information, it could easily have avoided the data breach and ransomware attack.
Attack surface management software fills this security knowledge gap by proactively identifying vulnerabilities that could cause data breaches. Organizations can then prioritize their remediation workflows based on the severity of these threats.
What is Attack Surface Management?
To understand attack surface management tools, it is first important to define the attack surface. The attack surface is all the hardware, software, SaaS services, and cloud assets that are accessible from the Internet and that process or store your organization’s data. The attack surface is calculated as the total number of attack vectors cybercriminals could use to manipulate a network or system to extract data.
Your attack surface includes:
- Known Assets: Inventoried and managed assets, such as your corporate website, servers, and any running dependencies.
- Unknown Assets: Shadow IT or orphaned IT infrastructure falling outside of the security team’s knowledge, such as forgotten development websites or marketing sites.
- Rogue assets: Malicious infrastructure developed by threat actors, such as malware, typosquatted domains, or a website or mobile app impersonating your domain.
- Vendors: Your attack surface extends to third-party and fourth-party vendors, who introduce significant third-party risk and fourth-party risk.
Your attack surface continuously expands with the increasing adoption of digital transformation. Its dynamic nature means these attack vectors are potentially increasing by millions each day.
Attack surface management involves the continuous discovery, inventory, classification, prioritization, and security monitoring of these assets. Organizations use this visibility to identify cyber threats that could facilitate data breaches and data leaks.
How Attack Surface Management Software Works
Modern attack surface management software should follow five steps:
- Step 1: Asset Discovery
- Step 2: Inventory and classification
- Step 3: Risk scoring and security ratings
- Step 4: Continuous security monitoring
- Step 5: Malicious asset and incident monitoring
Step 1. Asset Discovery
Asset discovery maps the digital assets that make up your attack surface. These assets can be owned or operated by your organization, or by third parties such as cloud providers (IaaS and SaaS), business partners, suppliers, or external contractors.
Below is a non-exhaustive list of digital assets that should be identified and mapped by an attack surface management solution:
- Web applications, services, and APIs
- Mobile applications and their backends
- Cloud storage and network devices
- Domain names, SSL certificates, and IP addresses
- IoT and connected devices
- Public code repositories such as GitHub, BitBucket, and Gitlab
- Email servers
Depending on the provider, the discovery process can range from manual input of domains and IP addresses to automated scanning based on open source intelligence and dark web crawling.
For an overview of asset discovery within the process of attack surface management, watch the video below.
Step 2. Inventory and Classification
Following asset discovery, the digital asset inventory and classification (IT asset inventory) process begins.
During this step, assets are labeled and grouped based on:
- Technical characteristics and properties
- Business criticality
- Compliance requirements
Step 3. Risk Scoring and Security Ratings
Risk scoring and security ratings quickly identify the security issues affecting each asset and whether they are exposing information that could result in data breaches, data leaks, or other cyber attacks. Security ratings are a data-driven, objective, and dynamic measurement of an organization's security posture.
Unlike traditional risk assessment techniques like penetration testing, security questionnaires, or on-site visits, security ratings are derived from objective, externally verifiable information. Real-time asset discovery is crucial to ensuring these scores are accurate and reflect all existing risks.
Step 4. Continuous Security Monitoring
Continuous security monitoring is one of the most important features of an attack surface management solution. Sophisticated cyber attack techniques emerge daily, and zero-day vulnerabilities pose a bigger threat the longer they go undiscovered and unpatched. Effective attack surface management software will monitor your assets 24/7 for newly discovered security vulnerabilities, weaknesses, misconfigurations, and compliance issues.
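To make steps 1 to 4 concrete, the following is an added toy pipeline (example code written for this article, not part of any product or of the original page): it discovers hosts from two constructed sources, classifies them as known or unknown against a constructed CMDB (the known/unknown asset split from the section above), assigns a risk score, and diffs two scan snapshots to flag what continuous monitoring would alert on. All hostnames, IP addresses, findings and scoring weights are constructed for illustration.

```python
"""Toy attack surface management pipeline covering discovery, inventory and
classification, risk scoring, and change monitoring between two scans.
Added illustration only: every data source below is constructed, not real
scan output, and the scoring weights are arbitrary."""
from dataclasses import dataclass, field

# Step 1: discovery feeds. In practice these come from DNS enumeration,
# certificate transparency logs, cloud provider APIs and similar sources;
# here they are hardcoded constructed samples.
DNS_RECORDS = {
    "www.example.com": "203.0.113.10",
    "api.example.com": "203.0.113.11",
    "dev-old.example.com": "203.0.113.50",   # orphaned dev host nobody inventoried
}
CT_LOG_SANS = ["www.example.com", "api.example.com", "staging.example.com"]
CMDB_KNOWN = {"www.example.com", "api.example.com"}   # what the security team already tracks

# Step 3 weights (constructed): points per finding, capped at 100 per asset.
SEVERITY = {"expired_cert": 30, "open_admin_port": 40, "public_bucket": 50}
UNKNOWN_ASSET_PENALTY = 20   # shadow/orphaned IT gets extra weight: nobody is patching it


def discover_assets(dns_records, ct_sans):
    """Union of hostnames seen in any source, tagged with the sources that saw them."""
    seen = {}
    for host in dns_records:
        seen.setdefault(host, set()).add("dns")
    for host in ct_sans:
        seen.setdefault(host, set()).add("ct")
    return seen


@dataclass
class Asset:
    host: str
    sources: set
    known: bool            # True if inventoried in the CMDB, False for shadow/orphaned IT
    criticality: str       # business criticality label
    findings: list = field(default_factory=list)


def classify(discovered, cmdb):
    """Step 2: build the inventory and label each asset (known vs unknown, criticality)."""
    inventory = []
    for host, sources in discovered.items():
        # Constructed rule: customer-facing hosts are high criticality, the rest low.
        crit = "high" if host.split(".")[0] in ("www", "api") else "low"
        inventory.append(Asset(host, sources, host in cmdb, crit))
    return inventory


def score(asset):
    """Step 3: risk score 0-100 from findings, ownership and criticality."""
    total = sum(SEVERITY[f] for f in asset.findings)
    if not asset.known:
        total += UNKNOWN_ASSET_PENALTY
    if asset.criticality == "high":
        total = int(total * 1.5)
    return min(total, 100)


def diff_snapshots(previous, current):
    """Step 4: compare two scans ({host: set(findings)}) and report what changed.
    Returns (new_assets, removed_assets, new_findings_per_host)."""
    new_assets = set(current) - set(previous)
    removed_assets = set(previous) - set(current)
    new_findings = {}
    for host, findings in current.items():
        added = findings - previous.get(host, set())
        if added:
            new_findings[host] = added
    return new_assets, removed_assets, new_findings


# Constructed scan results for the assets above.
SCAN_TODAY = {
    "www.example.com": set(),
    "api.example.com": set(),
    "dev-old.example.com": {"expired_cert", "open_admin_port"},
    "staging.example.com": {"public_bucket"},
}
SCAN_YESTERDAY = {
    "www.example.com": set(),
    "api.example.com": set(),
    "dev-old.example.com": {"expired_cert"},
}


def prioritized_assets():
    """Run steps 1-3 and return (host, score) pairs, highest risk first."""
    inventory = classify(discover_assets(DNS_RECORDS, CT_LOG_SANS), CMDB_KNOWN)
    for asset in inventory:
        asset.findings = sorted(SCAN_TODAY.get(asset.host, set()))
    return sorted(((a.host, score(a)) for a in inventory), key=lambda hs: -hs[1])


if __name__ == "__main__":
    for host, risk in prioritized_assets():
        print(f"{risk:3d}  {host}")
    print(diff_snapshots(SCAN_YESTERDAY, SCAN_TODAY))
```

The point worth noticing is that the two assets that rank highest are exactly the ones absent from the CMDB: the orphaned dev host and the staging bucket were only visible because discovery unioned several sources, and the snapshot diff is what turns a one-off scan into the continuous monitoring step 4 describes.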
Step 5. Malicious Asset and Incident Monitoring
The above steps uncover known and unknown assets operated by your organization and its third-party vendors. Beyond these discoveries, the modern threat landscape is infamous for malicious or rogue assets deployed by cybercriminals, such as:
- Spear phishing websites
- Email spoofing
- OPSEC failures
- Cybersquatted or typosquatted domain names
These cyber attacks expose sensitive data, which remains visible on the Internet long after its initial compromise. Left exposed, this data could be further exploited in a future attack.
A complete attack surface management solution scans the surface, deep, and dark web for known third-party data breaches to identify any leaked employee credentials before they are used to gain unauthorized access to your organization.
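Two of the step 5 checks above, look-alike domain detection and matching third-party breach data against the organization's own email domains, are illustrated below in an added example (written for this article; not code from any vendor or from the original page). The legitimate domains, the feed of observed domains, the homoglyph table and the breach records are all constructed, and the public-suffix handling is deliberately simplified.

```python
"""Rogue-asset and leaked-credential checks of the kind step 5 describes.
Added illustration only: domains, feeds and breach records are constructed."""

LEGIT_DOMAINS = {"example.com", "example.net"}   # the organization's own domains (constructed)

# Constructed feed of newly observed domains (e.g. from CT logs or a new-registration feed).
OBSERVED_DOMAINS = [
    "example.com", "www.example.com", "examp1e.com", "exarnple.com",
    "example.co", "exampel.com", "example-login.com", "unrelated.org",
]

# Look-alike substitutions seen in typosquatted names; applied before comparison.
# Caveat: "rn" -> "m" also rewrites legitimate words, so treat matches as leads, not verdicts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    for look_alike, real in HOMOGLYPHS:
        label = label.replace(look_alike, real)
    return label


def registrable_label(domain):
    """Second-level label, e.g. 'example' for 'www.example.com'.
    Assumes a single-label public suffix (.com, .org); real code should consult the public suffix list."""
    return domain.split(".")[-2]


def damerau_levenshtein(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    d = {(i, 0): i for i in range(len(a) + 1)}
    d.update({(0, j): j for j in range(len(b) + 1)})
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i, j] = min(d[i - 1, j] + 1, d[i, j - 1] + 1, d[i - 1, j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i, j] = min(d[i, j], d[i - 2, j - 2] + 1)
    return d[len(a), len(b)]


def check_domain(observed, legit=LEGIT_DOMAINS):
    """Return a reason if `observed` looks like it impersonates an organization domain, else None."""
    if any(observed == d or observed.endswith("." + d) for d in legit):
        return None                                   # our own domain or a subdomain of it
    label = normalize(registrable_label(observed))
    for brand in {normalize(registrable_label(d)) for d in legit}:
        if label == brand:
            return "homoglyph-or-tld-swap"            # examp1e.com, exarnple.com, example.co
        if brand in label:
            return "brand-in-name"                    # example-login.com
        if damerau_levenshtein(label, brand) <= 1:    # one typo away; raise the bound for long brands
            return "typo"
    return None


def rogue_domain_report(observed=OBSERVED_DOMAINS):
    """Map each suspicious observed domain to the reason it was flagged."""
    report = {}
    for domain in observed:
        reason = check_domain(domain)
        if reason:
            report[domain] = reason
    return report


# Constructed sample of a third-party breach feed. Only the fact of exposure per
# account is kept; a real feed should never be stored with plaintext passwords.
BREACH_RECORDS = [
    {"email": "alice@example.com", "source": "forum-dump", "year": 2022},
    {"email": "bob@other.org", "source": "forum-dump", "year": 2022},
    {"email": "Carol@Example.com", "source": "saas-vendor-leak", "year": 2023},
]


def exposed_accounts(records=BREACH_RECORDS, org_domains=LEGIT_DOMAINS):
    """Accounts in the organization's domains that appear in third-party breach data."""
    hits = set()
    for rec in records:
        email = rec["email"].lower()
        if "@" in email and email.rsplit("@", 1)[1] in org_domains:
            hits.add(email)
    return sorted(hits)


if __name__ == "__main__":
    for domain, reason in rogue_domain_report().items():
        print(f"{reason:22s} {domain}")
    print("exposed accounts:", exposed_accounts())
```

Flagged domains are candidates for takedown or blocking and for user awareness, and exposed accounts are candidates for forced credential rotation; both are leads for a human to confirm rather than automatic verdicts, since homoglyph normalization and a distance-1 threshold will also catch unrelated names.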
Who Uses Attack Surface Management Software?
Any organization that deals with sensitive data should monitor and manage its attack surface vigilantly. Data security standards are mandated by privacy and protection laws, such as the GDPR, CCPA, and SHIELD Act. Organizations that suffer data breaches face non-compliance with these legal requirements. Harsh financial penalties and reputational damage follow shortly after.
Small businesses and large multinational organizations from all industries can benefit from attack surface management software. Fast remediation is essential in industries with large amounts of confidential data. These types of data could include personally identifiable information (PII), trade secrets, intellectual property, or other confidential information.
- The healthcare sector manages protected health information (PHI). This data is highly valued on the dark web, with cybercriminals purchasing it to commit identity theft and insurance fraud.
- Financial institutions must protect sensitive information, such as credit card numbers and bank account details. Financial data is also very profitable in cybercrime. Cybercriminals can exploit it instantly for theft.
- Government bodies hold in-depth PII on citizens, protected records, and other highly classified information. Threat actors with political motivations, such as ransomware gangs, are likely to target government organizations in cyber attacks.
The ultimate objective of attack surface management software is to aid in the reduction of your attack surface. If you need some ideas for reducing your digital footprint, refer to this list of attack surface reduction examples.
Why Should I Use Attack Surface Management Software?
The ever-growing scope of modern organizations’ attack surfaces is of particular concern in today’s dynamic threat landscape. The increasing adoption of open-source software, SaaS, IaaS, and outsourcing is introducing greater levels of third-party and fourth-party risk.
Organizations must also manage their vendors’ attack surfaces, or remain wholly responsible if a security incident occurs. Gaining visibility across the supply chain, staying up to date on emerging cyber threats, and prioritizing their remediation are all equally necessary, but near impossible without the help of an automated attack surface management solution.
Attack Surface Trends
Cloud computing is the future of data storage. Gartner predicts up to 60% of business entities will be leveraging cloud-managed offerings by 2022. Cloud services are vulnerable to cloud leaks, which are usually caused by misconfigured settings. These are easy to fix but often overlooked, often facilitating large-scale data breaches.
Organizations’ attack surfaces are expanding as they continue to outsource core operations to third-party vendors. A 2021 survey by SecureLink and the Ponemon Institute found that 51% of respondents had experienced a third-party data breach. Protecting just your immediate attack surface is no longer enough on its own. To avoid data breaches, organizations must conduct due diligence on vendors by assessing their risk exposure accurately.
5 Benefits of Having Attack Surface Management Software in 2023
1. Instant View of Security Posture
Security ratings provide organizations with an instant assessment of their security posture at any given time. Security teams can leverage the simplicity of their security score to communicate clearly in executive reporting.
2. Continuous Security Monitoring
Attack surface management software can continuously monitor your organization's entire IP address footprint and alert you when changes occur. This real-time visibility allows you to remediate misconfigurations and vulnerabilities immediately and prevent costly data breaches.
3. Data-Driven Remediation
Attack surface management software uses real-time data about identified risks, simplifying and accelerating the remediation process. Streamlined workflows allow users to track the progress and determine exactly when remediation is complete.
4. Vendor Security Posture Monitoring
A complete attack surface management solution can visualize the supply chain attack surface and provide real-time threat detection and alerting. These insights allow organizations to track vendors’ performance over time and compare them against industry benchmarks.
5. Data Breach Prevention
Attack surface management software monitors your entire attack surface and leverages IP address monitoring to identify cyber threats that lead to data breaches, such as leaked employee credentials, typosquatted domains, software vulnerabilities, and misconfigurations.