The Ultimate Guide to External Attack Surface Management (EASM)

Executive Summary

Security leaders today face an uphill battle: shadow IT launches unknown external assets while cyber risks grow exponentially.

As unknown agents and assets connect to the organization’s network, the exposed external attack surface continues to expand outside of the SOC’s visibility as cyber criminals scan the internet for easy prey.

Security leaders seeking to proactively manage cyber risks are looking to their external attack surface as a key focal point. To do that, they need complete visibility of what assets they have online that may be posing a security risk to the organization’s security perimeter. When security leaders have accurate visibility, they can secure the asset and manage it through asset inventory and vulnerability management programs.

One solution today giving security leaders the visibility to gain the advantage over their adversaries is external attack surface management (EASM). An EASM solution can discover vulnerabilities and security issues in the external attack surface. As attack surface security becomes more prevalent, using an EASM solution can provide significant benefits that apply to traditional industries and digital-based DevOps environments. In this guide, we’ll cover why EASM is the next frontier for security risk management, and how to choose from the current solutions in the marketplace today.

What is an Attack Surface?

An attack surface refers to the sum of vulnerabilities and potential vectors in a system, network, or application that could be exploited by attackers. Understanding the attack surface is crucial to securing IT systems and identifying and mitigating critical vulnerabilities.

The attack surface can encompass various aspects of a system, including devices, clouds, networks, endpoints, and personnel. Security gaps such as open ports, outdated operating systems, misconfigurations, compromised passwords, and weak protective controls all contribute to the attack surface, because each adds a potential attack vector that adversaries can target.

Assessing the organization’s attack surface is a preventative security activity that can identify the most critical vulnerabilities that security teams should focus their efforts toward mitigating. Offensive security testing, such as red teaming and penetration testing, combined with vulnerability scanning, are effective at proactively managing security risks on the attack surface.

Attack Surface diagram for EASM

An Attack Surface is not Static and Evolves Over Time


Because attack surfaces change, the risks posed must be managed continuously. Patch management, routine security updates, access control management, and security awareness training can support proactive attack surface risk management. There are dedicated attack surface management tools, services, and hybrid service offerings that can support ASM risk management and improve security outcomes.

What is Attack Surface Management (ASM)?

Attack surface management (ASM) is the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface.

Unlike other cybersecurity disciplines, ASM is conducted entirely from a hacker’s perspective rather than from the perspective of the defender. ASM identifies targets and assesses risks based on the opportunities they present to a malicious attacker. ASM applies the same methods hackers use to find weaknesses, so that the most critical vulnerabilities on the attack surface can be remediated first.

Some of the ASM-related tasks and technologies are performed by certified ethical hackers to replicate adversarial tactics, techniques, and procedures (TTPs) in a simulated attack.

Attack surface management capabilities include continuous discovery, identification, and classification of external assets, along with capabilities to assess the security of the system.

There are two core activities that fulfill the ASM program:


  1. One set of activities manages the assessment of internal assets.
  2. The other set of activities manages externally facing, internet-exposed assets.

These activities form the foundation of the external attack surface management function within the ASM program.

Attack Surfaces are Expanding

Global changes in recent years have caused the external attack surface of nearly every organization online to expand. The rate of digital transformation has accelerated dramatically, causing external attack surfaces to expand in terms of size, scope, and composition.

The size of the attack surface is always changing

Digital assets do not have the same physical requirements as traditional network devices, servers, data centers, and on-premises networks. As a result, external attack surfaces change rapidly in step with the organization’s needs and the availability of digital services to meet them.

The size of an attack surface may also fluctuate over time, adding and subtracting assets and digital systems (e.g. websites, hosts, cloud, and mobile apps, etc.).

The scope for third-party risk management has increased

From the digital supply chain to private-public connections to globalization, every organization now has a broader scope to manage the security risks associated with cyber-attacks caused by third and fourth parties.

The composition of each attack surface is unique

Each attack surface comprises smaller entities digitally linked together via the internet and intranet. To manage these unique external risks, where third-party providers, digital and physical suppliers, and infrastructure systems transfer, store, and handle sensitive data, an organization must evaluate its unique external risks through proactive vulnerability discovery and remediate accordingly.

While the expanding attack surface is dynamically changing, the composition of each attack surface can offer security teams insights into the critical data they need to protect and defend that asset. Using asset discovery technology, a security analyst can categorize an organization’s digitally owned assets by using a standard set of elements for data collection. These data points, when combined with data from vulnerability scanning, provide clarity to secure the organization’s asset inventory and provide teams with the intelligence they need. Using this data, teams can proactively address external vulnerabilities, weaknesses, and misconfigurations within an ASM program to enhance application security, reduce technical debt, and automate remediation using the DevSecOps approach.

Data Collected for Attack Surface Management Includes:

  1. Autonomous System Numbers (ASNs)
  2. Clouds and Virtual Machines
  3. IP Addresses and IP Blocks
  4. Domains and Sub-Domains
  5. Internet Ports and Services
  6. NetFlow
  7. SSL
  8. WHOIS Data
  9. Host and Host Pair Services
  10. Web Server Services (Web Applications, Data, Email)
  11. Web Frameworks (Python, Java, etc.)

What is External Attack Surface Management (EASM)?

External attack surface management (EASM) refers to the processes, technology, and managed services deployed to discover internet-facing assets and systems and associated vulnerabilities, which include exposed servers, credentials, public cloud misconfigurations, breached credentials on the dark web, and third-party vulnerabilities that could be exploited by adversaries. EASM categorizes risks, provides context, and provides remediation guidance and recommendations to take action.

EASM is a top priority for security teams and security risk managers – as the rise in cyberattacks and breaches has brought attention to the importance of attack surface management. Coupled with the rapid pace of digital transformation, the external attack surface has significantly expanded and must be identified to protect and defend.

To effectively navigate the expanding threat landscape, security leaders need to know what needs protection in order to protect it. An EASM tool can monitor continuously for exposed assets and discover external-facing assets and systems, giving security leaders critical visibility into external risks and critical vulnerabilities. In addition to analyzing data to assess and prioritize the risks of the vulnerabilities discovered, an efficient EASM tool provides actionable insights by inventorying, classifying, prioritizing, and continuously detecting external-facing assets. This lets security teams remediate vulnerabilities quickly, before cybercriminals can exploit them.

What’s the Difference between ASM and EASM?

Attack surface management (ASM) is crucial for organizations due to the expanding attack surface resulting from digital transformation and the increasing number of cyberattacks. It provides comprehensive visibility of assets, enabling security teams to identify areas that require protection. ASM plays a critical role in a holistic security strategy and successful implementation of DevSecOps. ASM solutions continuously manage the process of discovering, classifying, and assessing the security of all an organization’s assets.

External Attack Surface Management (EASM) is a type of ASM focused on asset discovery of external assets. While ASM encompasses a broader scope, EASM specifically focuses on identifying vulnerabilities and risks associated with an organization’s internet-facing IT assets, also known as its digital attack surface. ASM, on the other hand, addresses vulnerabilities across internal, physical, and social engineering attack surfaces, such as insider threats, intranets, and insufficient end-user training against phishing scams.

EASM is a relatively new technology in the field of ASM. The leading solutions offer comprehensive visibility of an organization’s external assets, allowing security teams to precisely identify and monitor assets for on-going vulnerability management. These characteristics make it an essential component of a holistic security strategy and effective implementation that enables the DevSecOps approach.

How to Choose an EASM Solution

Choosing the right EASM solution is crucial, as there is no one-size-fits-all tool. It should align with an organization’s specific needs and have essential features.

Your EASM selection criteria should cover the following:

  • Automated External Asset Discovery
  • Asset Reporting with Remediation Guidance
  • Risk Scoring of Assets for Prioritized Remediation
  • Categorization and Tagging Features
  • Visibility of Critical Vectors, Attack Paths, & TTPs
  • Capabilities to Add New Assets
  • DevOps and SecOps Technology Integration
  • User-Friendly Dashboards
  • Low to Zero False Positives
  • Scalable Cloud Platform
  • Continuous External Vulnerability Scanning
  • DevSecOps Workflow Management

Continuous Discovery and Integrated Remediation

Today’s modern security teams need continuous coverage and visibility into external attack surfaces. The ideal EASM tool will be platform-based, offering the comprehensive ability to conduct asset discovery on-demand or continuously, combined with asset inventory, classification, risk prioritization, and around-the-clock discovery of the organization’s online assets. This allows vulnerabilities to be patched and remediated proactively, before cyber criminals exploit the weaknesses to infiltrate the infrastructure.

Furthering the advantages, an EASM platform can provide early remediation guidance to address findings, along with risk scoring, historical context, security validation, and automated data analysis. The most effective EASM platforms enable the DevSecOps approach by integrating early remediation guidance to support in-house team workflows and ticketing systems via API integrations. Instead of manually creating and investigating tickets that may be false positives, in-house SOC and DevOps teams can instead triage tickets for rapid remediation in their preferred workflow management systems, like Jira, Slack, and Trello.

Enabling DevSecOps with EASM Platform Integrations

EASM supports DevSecOps by tracking abandoned assets from CI/CD pipelines and alerting development teams about associated risks in their native workflow systems. This allows for early integration of security measures in the software engineering workflow. It helps prevent technical debt, ensures that security is prioritized throughout the development process, and supports on-time delivery.

A modern EASM platform can scan for unknown assets in code repositories and public clouds. If an asset is discovered, the technology can trigger an alert for development teams to manage the associated risks:

  • Shift security left in the software development lifecycle (SDLC) by scanning externally and proactively for asset discovery.
  • Discover data that could be exploited by threat actors in popular code repositories like GitHub, GitLab, and BitBucket.
  • Search for breached credentials on the internet and exposed data due to misconfigurations on publicly available clouds, such as Amazon S3 buckets.
  • Identify unknown IP addresses, servers, and public code repositories that have been ignored since project completion.

In addition to identifying unmanaged assets and discovering sensitive data exposures on the dark web, an EASM platform can identify documented vulnerabilities and code misconfigurations that could make web applications easy targets. This approach helps prevent the accumulation of technical debt, a significant benefit that compounds the efficiencies DevSecOps can achieve.

The Five Essential Features of a Modern EASM Platform

A modern EASM platform should offer five essential features: asset discovery, asset inventory and classification, risk scoring, continuous security monitoring, and asset detection.

Essential features of a modern EASM platform

1. Asset Discovery to discover all internet-facing digital assets that handle sensitive data.

This initial stage involves discovering all internet-facing digital assets that handle sensitive data, including PII, PHI, and trade secrets. These assets can belong to the organization or third parties like cloud providers, IaaS and SaaS vendors, business partners, suppliers, or external contractors.

2. Inventory and Classification to categorize assets based on type, technical characteristics, criticality, compliance requirements, and ownership.

After asset discovery, a process of inventorying and classifying the digital assets takes place. Assets are labeled and categorized based on their type, technical characteristics, business criticality, compliance requirements, and ownership.

3. Security Ratings and Risk Scoring to identify security issues and evaluate the level of risk associated with each asset.

Security ratings and risk scoring help identify security issues affecting each asset and determine whether they expose information that could lead to data breaches or cyberattacks.

4. Continuous Security Monitoring to watch for assets 24/7 for security vulnerabilities, weaknesses, misconfigurations, and compliance issues.

Continuous security monitoring is a critical feature of attack surface management software. It ensures that assets are monitored 24/7 for newly discovered security vulnerabilities, weaknesses, misconfigurations, and compliance issues.

5. On-Going Asset Detection by scanning the web for known and unknown data breaches and leaked credentials to prevent unauthorized access.

The modern threat landscape includes malicious or rogue assets deployed by cybercriminals. A comprehensive EASM platform will scan the surface, deep, and dark web for known and unknown third-party data breaches to identify exposed assets, data, and user credentials before they are used for unauthorized access to an organization’s systems.
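The inventory, classification and risk-scoring stages above (steps 2 and 3), worked through on the kind of data an EASM discovery run collects (open ports, TLS, data handled, ownership), as an added example that is not BreachLock's code or scoring model. The hosts, port classes and weights are constructed and hypothetical; a real platform would feed its own discovery output and tuned weights into the same shape of pipeline.

```python
from typing import Dict, List, Tuple

# Constructed discovery records (hypothetical hosts, not real assets): open ports,
# days until the TLS certificate expires (None = no TLS), data handled, owning team.
DISCOVERED: List[Dict] = [
    {"host": "www.example.test", "ports": [443], "tls_days": 120, "data": "PII", "owner": "web"},
    {"host": "legacy.example.test", "ports": [21, 80], "tls_days": None, "data": "none", "owner": None},
    {"host": "db-old.example.test", "ports": [3306, 22], "tls_days": None, "data": "PHI", "owner": None},
    {"host": "api.example.test", "ports": [443], "tls_days": 12, "data": "PII", "owner": "platform"},
]

# Port-to-class mapping used for inventory classification (assumed, illustrative).
PORT_CLASS = {80: "web", 443: "web", 8080: "web", 21: "remote-admin", 22: "remote-admin",
              23: "remote-admin", 3389: "remote-admin", 3306: "database", 5432: "database", 1433: "database"}
CLEARTEXT_ADMIN, ENCRYPTED_ADMIN, DATABASE = {21, 23}, {22, 3389}, {3306, 5432, 1433}

def classify(asset: Dict) -> str:
    """Label the asset by its most sensitive exposed service class."""
    classes = {PORT_CLASS.get(p, "other") for p in asset["ports"]}
    for cls in ("database", "remote-admin", "web"):
        if cls in classes:
            return cls
    return "other"

def findings(asset: Dict) -> List[Tuple[int, str]]:
    """Return (weight, remediation guidance) pairs; weights are assumed, not a vendor model."""
    ports, out = set(asset["ports"]), []
    if ports & CLEARTEXT_ADMIN:
        out.append((4, "cleartext admin service exposed: disable FTP/Telnet, use SFTP/SSH behind VPN"))
    if ports & ENCRYPTED_ADMIN:
        out.append((2, "remote admin port exposed: restrict to VPN or allow-listed sources"))
    if ports & DATABASE:
        out.append((4, "database port exposed to the internet: move to private network"))
    if asset["data"] in ("PII", "PHI"):
        out.append((2, "handles regulated data: confirm controls and compliance owner"))
    if asset["owner"] is None:
        out.append((2, "unclaimed asset (possible shadow IT): assign owner or decommission"))
    if 443 in ports and (asset["tls_days"] is None or asset["tls_days"] < 30):
        out.append((1, "TLS certificate missing or expiring within 30 days: renew"))
    return out

def risk_score(asset: Dict) -> int:
    """Sum finding weights, capped at 10 so scores stay comparable across assets."""
    return min(sum(w for w, _ in findings(asset)), 10)

def prioritize(assets: List[Dict]) -> List[Tuple[str, str, int]]:
    """Inventory sorted highest risk first: (host, class, score)."""
    rows = [(a["host"], classify(a), risk_score(a)) for a in assets]
    return sorted(rows, key=lambda r: (-r[2], r[0]))
```

Calling `prioritize(DISCOVERED)` puts the unclaimed database host first and the owned, well-configured web host last, and `findings()` supplies the remediation text a ticketing integration would carry.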

By implementing an effective attack surface management solution, organizations can enhance their security posture, mitigate risks, and protect sensitive information from potential cyber threats.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing Services, and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!

Author

Ann Chesbrough
