Every cybersecurity program can be improved with an ASM component. In this post, we offer a comprehensive explanation of Attack Surface Management and a strategy for its effective implementation.
What is attack surface management?
Attack Surface Management (ASM) is the continuous monitoring and remediation and reduction of all security risks within an organization's attack surface. The ultimate objective of ASM to to keep the attack surface minimal to reduce the number of options hackers have to breach a network perimeter.
In short, ASM aims to compress everything outside of the firewall that attackers can and will discover as they research the threat landscape for vulnerable organizations.
In 2018, Gartner urged security leaders to start reducing, monitoring, and managing their attack surface as part of a holistic cybersecurity risk management program. Today, attack surface management is a top priority for CIOs, CTOs, CISOs, and security teams.
Learn how UpGuard streamlines Attack Surface Management >
What is an attack surface?
Your attack surface is all the hardware, software, SaaS, and cloud assets that are accessible from the Internet that process or store your data. Think of it as the total number of attack vectors cybercriminals could use to manipulate a network or system to extract data. Your attack surface includes:
- Known assets: Inventoried and managed assets such as your corporate website, servers, and the dependencies running on them
- Unknown assets: Such as Shadow IT or orphaned IT infrastructure that was stood up outside of the purview of your security team such as forgotten development websites or marketing sites
- Rogue assets: Malicious infrastructure spun up by threat actors or hackers such as malware, typosquatted domains, or a website or mobile app that impersonates your domain.
- Vendors: Your attack surface doesn't stop with your organization — third-party and fourth-party vendors introduce significant third-party risk and fourth-party risk. Even small vendors can lead to large data breaches, just like the HVAC vendor that eventually led to Target's exposure of credit card and personal data on more than 110 million consumers.
Millions of these assets appear on the Internet each day and are entirely outside the scope of firewall and endpoint protection services. Other names include external attack surface and digital attack surface.
Why is cyber attack surface management important?
Attack surface management is important because it helps to prevent and mitigate cyber risks and potential attacks stemming from:
- Legacy, IoT, and shadow IT assets
- Human mistakes and omissions such as phishing and data leaks
- Vulnerable and outdated software
- Unknown open-source software (OSS)
- Large-scale attacks on your industry
- Targeted cyber attacks on your organization
- Intellectual property infringement
- IT inherited from M&A activities
- Vendor managed assets
Lean how to choose the best attack surface visibility software >
Timely identification of digital assets is fundamental to robust threat intelligence and can greatly reduce the risk of data breaches and leaks. All it takes for an attacker to launch a successful cyber attack on a vulnerable point or security gap in your organization or IT ecosystem to compromise the entire business or supply chain.
For a concise overview of the attack surface management process, watch the video below:
Experience UpGuard’s attack surface management features with this self-guided product tour >
Top attack surface management statistics
- 64% of Chief Information Security Officers (CISOs) have noticed an increased likelyhood of falling victim to a cyberattack due to attack surface expansions created by remote work environments.
- Approximately 38% of successful cyber attacks in recent years have been traced back to shadow IT, configuration errors, and unnoticed internet exposures
- 43% of IT and business leaders report that their digital attack surface is expanding beyond manageable levels,
- 73% of IT leaders are concerned about the size of their attack surface.
- On average, attack surface management tools discover 35% more assets than company leaders were previously aware of.
- In 2023, 83% of cyber attacks were facilitated by weaknesses in a company’s network perimeter, weaknesses that could have potentially been discovered by EASM tools.
- The market for External Attack Surface Management solutions is projected to reach $930.7 million by 2026.
- 43% of organizations spend an average of over 80 hours on manual attack surface discovery,
- 61% of companies have been impacted by cyberattacks in their software supply chain.
- Less than 1% of companies are fully aware of their entire internet-facing assets.
- 69% of organizations have been compromised by an undiscovered or poorly managed internet-facing asset between 2021 and 2022.
- More than half of IT professionals are not confident in their ability to prevent significant security incidents due to the evolving nature of digital work environments and the proliferation of connected devices
- 98% of respondents to an ASM study ranked attack surface monitoring among the top 10 security priorities for enterprises.
What are the components of a robust external attack surface risk management solution?
A modern external attack surface management solution consists of five parts:
- Asset Discovery
- Inventory and classification
- Risk scoring and security ratings
- Continuous security monitoring
- Remediation
Learn the key software features for external attack surface management >
Asset discovery
The initial stage of any attack surface management solution is the discovery of all Internet-facing digital assets that contain or process your sensitive data such as PII, PHI, and trade secrets.
Your organization and third parties such as cloud providers, IaaS and SaaS, business partners, suppliers, or external contractors can own or operate these internal or external assets.
Here is a non-exhaustive list of digital assets that should be identified and mapped by an attack surface management solution:
- Web applications, services, and APIs
- Mobile applications and their backends
- Cloud storage and network devices
- Domain names, SSL certificates, and IP addresses
- IoT and connected devices
- Public code repositories such as GitHub, BitBucket, and GitLab
- Email servers
Depending on the provider, the discovery process can range from manual input of domains and IP addresses to automated scanning based on open-source intelligence and dark web crawling.
At UpGuard, we run this discovery process on a daily basis through trusted commercial, open-source, and proprietary methods. This allows us to discover any Internet-facing assets that have been spun up.
What makes UpGuard different from other providers is our unparalleled ability to detect leaked credentials and exposed data before it falls into the wrong hands.
For example, we detected data exposed in a GitHub repository by an AWS engineer in 30 minutes. We reported it to AWS and the repo was secured the same day. This repo contained personal identity documents and system credentials including passwords, AWS key pairs, and private keys.
We were able to do this because we actively discovered exposed datasets on the open and deep web, scouring open S3 buckets, public Github repos, and unsecured RSync and FTP servers.
Our data leak discovery engine continuously searches for keywords provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of data breach research.
Don't just take our word for it. The New York Times, Bloomberg, Washington Post, Forbes, and TechCrunch have featured our security research.
Inventory and classification
Once your assets are discovered, it's the right time to commence digital asset inventory and classification, also known as IT asset inventory. This part of the exercise involves dispatching and labeling the assets based on their type, technical characteristics, properties, business criticality, compliance requirements, or owner.
It's essential to have a person or team who is accountable for regular asset maintenance, updates, and protection.
With UpGuard Breach Risk, we'll automatically discover all your externally facing IT infrastructure.
Within the platform, you can add as many people as necessary and label and organize assets by any property you wish such as ownership, asset, technical characteristics, business-critical, compliance requirements, or owner.
You'll also be able to run reports on specific parts of your infrastructure to see where security risks are and who is responsible for fixing them. This data can be easily accessed by our API and integrated with other systems.
To manage third-party risks, you can use UpGuard Vendor Risk to automatically discover the externally-facing Internet assets of your vendors and third parties and label them accordingly.
Learn how to communicate ASM to the Board >
Risk scoring and security ratings
Learn how UpGuard calculates security ratings >
Attack surface management would be impossible without actionable risk scoring and security ratings. Many organizations have thousands, if not millions, of fluctuating digital assets.
Without security ratings software it can be hard to understand what security issues each asset has and whether they expose information that could result in data breaches, data leaks, or other cyber attacks.
This is why it's crucial for digital assets to be continuously detected, scanned, and scored so you can understand what risks need to be mitigated and prioritized.
Security ratings are a data-driven, objective, and dynamic measurement of an organization's security posture.
Unlike traditional risk assessment techniques like penetration testing, security questionnaires, or on-site visits, security ratings are derived from objective, externally verifiable information.
UpGuard is one of the most popular and trusted security ratings platforms. We generate our ratings through proprietary algorithms that take in and analyze trusted commercial and open-source data sets to collect data that can quantitatively evaluate cybersecurity risk non-intrusively.
With UpGuard, an organization's security rating can range from 0 to 950 and is comprised of a weighted average of the risk rating of all externally facing assets, such as web applications, IP addresses, and marketing sites.
The lower the rating, the more severe the risks they are exposed to. Conversely, the higher the rating, the better their security practices and the less successful cyber attacks will be.
To keep our security ratings up-to-date, we recalculate scores whenever a website is scanned, or a security questionnaire is submitted. This means an organization's security rating will be updated multiple times a day, as most websites are scanned daily.
Learn how UpGuard calculates security ratings >
Continuous security monitoring
Continuous security monitoring is one of the most important parts of an attack management solution. The increasing adoption of open-source software, SaaS, IaaS, and outsourcing means misconfiguration and vulnerability management are more complicated than ever.
Any good attack surface management software will monitor your assets 24/7 for newly discovered security vulnerabilities, weaknesses, misconfiguration, and compliance issues.
UpGuard Breach Risk will automate the discovery of known vulnerabilities and provide assessments in your externally facing software. This information could be exposed by HTTP headers or website content.
Lean how to choose an external attack surface monitoring tool >
We use the Common Vulnerability Scoring System (CVSS), a published standard developed to capture the principal characteristics of a vulnerability to produce a numerical score between 0 and 10 to reflect its severity.
This numerical score is also translated into a qualitative representation (low, medium, high, and critical) to help you properly assess and prioritize the vulnerability.
In addition to vulnerabilities, we run hundreds of individual misconfiguration checks to determine:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM, and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Network security
- Unnecessary open administration, database, app, email, and file-sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
Unlike other providers, these checks are run on a daily basis and can be updated on-demand through our platform or via our API.
Why you need continuous attack surface management
Continuous attack surface management (CASM) gives security teams real-time awareness of emerging third-party risks impacting the company's security posture.
Point-in-time assessments alone provide insights into a vendor's security posture only during the assessment period. Outside of risk assessment schedules, emerging third-party risks have no means of detection, which could result in an organization being unknowingly exposed to potentially dangerous data breach risks during these periods.
CASM solves this problem by extending the scope of third-party risk visibility to be ongoing. To live up to its attribute of being "continuous," CASM strategies usually leverage security rating technology due to their ability to track vendor security posture deviations in real time.
Remediation & mitigation
Organizations can begin remediation and mitigation processes from the previous steps based on the order or priority and risk level determined during risk scoring. Internal IT teams can utilize an ASM tool to determine a workflow to remediate risks, such as providing remediation controls, installing patches for software, implementing data encryption, debugging system codes, and updating system configurations.
The remediation effort can also involve automated solutions to ensure certain risks are updated regularly, and unknown assets are continually discovered, retiring orphaned domains, and even scanning third-party assets for risks and weaknesses. Additionally, the ASM process ensures organizations regularly review their internal IT processes and policies and determine if they need additional safeguards for their data and assets.
If complete remediation is not possible, the business must attempt to mitigate the threat by limiting its impact, scope, and effectiveness. Businesses can accomplish that by enforcing best security practices, security operations and program reviews, and a complete digital transformation of their current cybersecurity priorities.
It's important to understand that the modern threat landscape goes further than legitimate corporate IT assets and can involve malicious or rogue assets deployed by cybercriminals, competitors, or merely forgotten assets. This could include spear phishing websites, email spoofing, OPSEC failures on social media like LinkedIn, ransomware, cyber squatted or typosquatted domain names, on-premises systems, or many other cyber threats.
Increasingly this includes sensitive data, personally identifiable information, protected health information, biometrics, psychographics, cloud security, passwords, IoT devices, and trade secrets leaked to the dark web in previous data breaches or current data leaks.
Learn about the best attack surface management solutions on the market >
How to formulate an effective attack surface management strategy
The following four-step framework provides the foundation for an effective attack surface management strategy.
Step 1: Asset and inventory discovery
Leverage automated scanning methods to discover all IT assets in your digital footprint, including cloud environments, on-premises systems, and third-party services. This process should be continuous, with newly discovered assets automatically added to your inventory catalog to keep it up-to-date.
For the highest chances of shadow IT discovery, detection methods should be capable of discovering multiple products in a given IP address, such as network devices, JavaScript plugins, and hosting providers.
Refer to this video for an example of the capabilities of an ideal detection solution for an attack surface management strategy.
Step 2: Attack surface reduction
Decommission all unused or outdated assets in your digital footprint, such as abandoned domains, default server pages, or obsolete network devices that could become entry points for attackers. Necessary assets could still become potential attack vectors if they point to non-existent or unmaintained resources, so be sure to consider this risk in your attack surface audit.
Attack surface reduction efforts must always extend to the external attack surface since this region of the threat landscape is most susceptible to data breach attempts.
Step 3: Vulnerability detection
Conduct regular, automated vulnerability scans across all identified assets, including network devices, applications, and cloud environments, to detect weaknesses, misconfigurations, and potential exploits. Prioritize assets flagged as "critical" in your inventory catalog. For third-party services, a criticality rating will depend on the factors governing your vendor tiering model. At the very least, a critical attribute should be assigned to IT assets processing sensitive information or accessing sensitive internal systems since such assets are vulnerable targets for privileged account exploitation.
Step 4: Risk-based remediation
Prioritize the remediation of vulnerabilities with the highest potential impact on your organization. To simplify the effort of determining which risks to prioritize in the external attack surface, leverage security rating technology to estimate the potential impact of select remediation tasks on a vendor's security posture.
After addressing all detected cyber threats falling outside your internal and third-party risk appetite, continuously monitor your attack surface for emerging threats, especially across recently secured assets, to confirm the efficacy of recent remediation efforts.
How UpGuard helps manage your attack surface
UpGuard helps organizations improve the efficiency of their attack surface management program by detecting existing and potential attack vectors increasing your risk of suffering a data breach.
With advanced features such as cyber risk prioritization and security questionnaires mapping to popular frameworks, UpGuard helps security teams establish an.ASM program remains effective despite changes in the modern attack surface landscape.