A Business Case for External Attack Surface Management Program
Ajay Kumar, CISM
Helps organizations identify, assess, and mitigate cybersecurity risks
Cloud-first strategies, digital transformation and the post-pandemic world of remote and hybrid working models have greatly expanded the organization's attack surface. An attack surface is the sum of all potential vulnerabilities (known and unknown) and controls across all software, hardware, network, and cloud components that an attacker could use as a point of entry into the organization, for example an open port in a firewall, a misconfigured cloud S3 bucket that is open to public access, or an unpatched web application running on a web server.
Gartner's report "Top Trends in Cybersecurity 2023" includes recommendations for security and risk management leaders to adopt an attacker's mindset and prioritize cyber risk mitigation efforts by taking an end-to-end view of the attack surface. Further, the report states that by 2026, organizations prioritizing their security investments via a continuous threat exposure management program will suffer two-thirds fewer breaches.
Attack surface management (ASM) is the process of continuously discovering, classifying, and assessing the security of the IT ecosystem. The process can be broadly divided into:
(a) Activities in managing assets accessible only from within an organization.
(b) Activities in managing internet-exposed assets, called external attack surface management (EASM).
Attack surface management is conducted from an attacker's perspective rather than the defender's. It identifies targets and assesses risks based on the opportunities they present to an attacker. ASM relies on many of the same methods and resources that attackers use, and many ASM activities and technologies are devised and performed by security teams who are familiar with cybercriminals' tactics, techniques, and procedures (TTPs) and skilled at reproducing their actions.
External attack surface management refers to the continuous discovery, monitoring, evaluation, and remediation of the attack surface from the outside in. Attackers look for the path of least resistance into an organization: the easiest way in, with the least effort, to high-value assets. To stay ahead, security leaders need to think like an attacker as well in order to protect the organization. Attackers work persistently until they find a path to success. Defenders need to do the same, performing reconnaissance across the entire IT ecosystem from an external attack surface point of view.
Internet-facing assets include everything from domain names, SSL certificates and protocols to operating systems, servers, IoT devices and network services. These scattered resources are part of an IT ecosystem spread across on-premises, cloud and third-party vendors, and they represent the easiest way of accessing the internal network and sensitive corporate data.
The Challenge of Managing the External Attack Surface:
The attack surface of a modern organization is complex and fragmented due to the evolving IT ecosystem and the transformation journey to the cloud. Most organizations have blind spots and limited visibility into their shadow IT and into the exposure of their assets to the external world. In the past, an organization had a well-defined network perimeter to protect and secure its assets; that perimeter no longer exists, and today the assets are everywhere. Security leads and IT operations teams struggle to gain and maintain the needed visibility into an increasingly complex and distributed IT ecosystem, driven by rapid cloud migration and remote and hybrid work environments. These factors leave a potentially large part of the organization's estate unknown or undiscovered: unmanaged and unpatched assets.
How an External Attack Surface Management Tool Can Help:
An attack surface management tool delivers the discovery and visibility that help identify security gaps and accelerate remediation efforts to protect the attack surface. Traditional asset discovery, risk assessment and vulnerability management processes, which were developed when corporate networks were more stable and centralized, can't keep up with the speed at which new vulnerabilities and attack vectors arise in today's networks. The EASM tool's continuous workflow and hacker's point of view enable defenders to establish a proactive security posture in the face of a constantly growing and morphing attack surface. These tools provide real-time visibility into discovered vulnerabilities and attack vectors as they emerge, with greater context for analyzing and prioritizing remediation approaches. Further, these tools integrate easily with threat detection and response tools such as SIEM, EDR, ITSM and ticketing or case management tools.
What Value EASM Tools Bring to the Table:
As the saying goes, you can't protect what you can't see. Breaches could be prevented if organizations fixed their exposure to a threat before an attacker exploited it. However, fixing every known vulnerability has always been operationally challenging. An organization must evaluate more than just application or operating system (OS) vulnerabilities when trying to reduce its exposure to threats. Security leads must also factor in the risk exposure of unpatchable elements, such as human error, supply chain dependencies (PaaS and SaaS platforms and third-party applications) and misconfigurations of their security controls. In addition, organizations' diverse business strategies of moving key business functions to third-party systems and services create a range of visibility issues that they cannot address with traditional technologies or processes. These factors have driven the increased adoption of discovery tools and processes that dynamically and continuously quantify the spread of assets in order to reduce risk.
External attack surface management (EASM) is a proactive approach to security strategy that helps protect against complex cyberattacks. EASM tools help organizations discover, identify, and assess newly discovered and known exposed assets for risks such as vulnerabilities, misconfigurations, and control gaps. Rapid digital transformation and the migration of on-premises IT systems to the cloud often compound tech debt and asset sprawl rather than consolidating them. Organizations moving fast often turn to cloud-based systems and tools unknown to or unvetted by security teams. According to a report from Forrester, organizations found on average 30 percent more assets after deploying and using an EASM tool than they knew they had.
Typical EASM Use Cases to Consider:
These are the use cases security leaders typically look to address the risks highlighted above.
Asset Discovery: Dynamically find unknown, internet-facing assets.
Asset Inventory Management: Automate the capture and refresh of data representing the state of IT assets, and identify asset ownership.
Vulnerability Management: Enumerate internet-facing assets and inform the vulnerability management team and tools of asset exposures for remediation.
Cloud Security Posture Management: Discover incorrect or weak configuration settings, and identify cloud policy violations and potential compliance risks.
Breach and Attack Simulation: Provide an attacker's view of exposures and weak or failed controls, and determine the fastest path to lateral movement within the organization.
Certificate Management: Prevent the use of expired encryption certificates and track the lifecycle of certificates.
Key Activities of External Attack Surface Management:
Map Business and IT Relationships: The first step in external attack surface management is to find all the business and IT relationships the organization has, including mergers and acquisitions, joint ventures and cloud assets related to the organization. From there, discover the externally exposed assets of those entities and identify additional connections between assets that are clearly or traditionally related. These are the kinds of externally identifiable connections that, when discovered by an attacker, provide an easy path into corporate assets.
Assess the Exposure: Once assets in the IT ecosystem are discovered, it is time to assess their exposures. Attackers need just one opportunity: misconfigured assets, network architecture flaws, data exposures, authentication and encryption weaknesses, or other risks including common vulnerabilities and exposures (CVEs). These must be detected across the external attack surface using multiple security testing techniques, and the results then correlated to identify the attack vectors an attacker could use.
Classification and Prioritization, or Where to Put the Focus: Once assets are identified, they are classified, and their identified vulnerabilities are analyzed by exploitability, an objective measure of how likely attackers are to target the assets. Prioritizing risk makes it possible to know where to focus and put in the effort. It is nearly impossible to manage the volume of security issues and alerts organizations face today unless they are properly prioritized and planned. The prioritization should include the business context, asset and data ownership mapping, and the business processes associated with the assets.
Operationalize Remediation: Remediation is crucial to attack surface management. Remediation can fall either to the IT operations team or to the security team, depending on the findings about the exposure and the asset. To accelerate the remediation process, security teams should provide detailed and actionable artifacts along with remediation guidance for each identified risk, so that IT operations teams can perform the remediation.
Continuous Monitoring: As the saying goes, change is constant. Organizations keep building, changing, and adding new resources, applications, and new vendors and partners to the IT ecosystem, and attackers never stop. Therefore, it is critical to continuously discover, evaluate and test, and eliminate risk from the moving attack surface in order to manage external attacks. Because security risks in the organization's attack surface change any time new assets are deployed or existing assets are deployed in new ways, both the inventoried assets of the network and the network itself must be continuously monitored and scanned for vulnerabilities.
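As an added illustration of the assess, prioritize and remediate steps above, and not the article's own method or any EASM product's logic: a small Python prioritizer run over a constructed discovery inventory. The exposure weights, the uplift for unowned (shadow IT) assets, and the example.com hostnames are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Weights for the exposure types the article names (constructed values, not a standard)
EXPOSURE_WEIGHT = {"public_bucket": 5, "unpatched_cve": 4,
                   "open_admin_port": 3, "expired_certificate": 2}

TODAY = date(2024, 1, 1)  # fixed reference date so the example is reproducible

@dataclass
class Asset:
    host: str
    owner: Optional[str]       # None = nobody claims it (shadow IT)
    criticality: int           # 1 (low) .. 3 (high), from the business/IT mapping
    exposures: List[str] = field(default_factory=list)
    cert_expiry: Optional[date] = None

def assess(asset: Asset, today: date) -> Asset:
    """Assess: derive exposures from observed facts, e.g. an expired certificate."""
    if asset.cert_expiry and asset.cert_expiry < today \
            and "expired_certificate" not in asset.exposures:
        asset.exposures.append("expired_certificate")
    return asset

def score(asset: Asset) -> int:
    """Prioritize: exposure severity scaled by business context, plus an uplift for
    unowned assets, which tend to stay unpatched because no team is accountable."""
    severity = sum(EXPOSURE_WEIGHT.get(e, 1) for e in asset.exposures)
    return severity * asset.criticality + (5 if asset.owner is None else 0)

def route(asset: Asset) -> str:
    """Remediate: ownership decides where the remediation ticket goes."""
    return "security-team (find owner)" if asset.owner is None else f"it-ops:{asset.owner}"

def prioritize(assets, today=TODAY):
    """Run assess -> score -> route over the inventory; return (host, score, route) ranked."""
    assessed = [assess(a, today) for a in assets]
    ranked = sorted((a for a in assessed if a.exposures), key=score, reverse=True)
    return [(a.host, score(a), route(a)) for a in ranked]

# Constructed sample inventory, as an EASM discovery pass might return it
INVENTORY = [
    Asset("www.example.com", "web-team", 3, ["unpatched_cve"]),
    Asset("old-backups.s3.example.com", None, 2, ["public_bucket"]),
    Asset("legacy-vpn.example.com", "net-team", 2, ["open_admin_port"], date(2023, 6, 30)),
    Asset("cdn.example.com", "web-team", 1),
]
```

Calling prioritize(INVENTORY) ranks the unowned public bucket first, ahead of the higher-criticality web server, and the VPN gateway picks up an expired-certificate finding from its certificate date.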
In summary, as the organization's attack surface continues to expand, it is critical that security leaders understand what their attack surface is and how to implement a continuous program of external threat exposure management. Alongside detection and response capabilities, an understanding of risk and the ability to mitigate and reduce impact through preventive controls should be part of the organization's security strategy. The program needs to expand beyond traditional patching and automated blocking to better prepare against unpredictable threats and unpatchable vulnerabilities, and to strategically reduce the organization's attack surface.