Attack Surface Management 101: Everything you need to know about the latest approach to external security

A vast majority of businesses are shifting operations to the cloud. With the promise of greater flexibility, self-service provisioning, and reduced costs, cloud migration seems like a no brainer, but it doesn’t come without its issues.

One commonly overlooked challenge is that when you have more internet-connected assets, you also have more potential entryways for attackers to infiltrate your business. We refer to this collection of entryways as the attack surface. As a way to keep track of the entryways and ensure they are sealed off from attackers, the practice of attack surface management (ASM) was born.

ASM is a relatively new concept in the world of cybersecurity, so let’s break it down.

What is attack surface management (ASM)?

Attack surface management is a way of keeping tabs on every internet-facing asset within a business to identify weaknesses that could leave it susceptible to an attack. Assets are things like web applications, servers, networks, firewalls, third-party tools, and certificates.

This method of breach prevention is comprised of three recursive components:

Discovery

You can’t protect what you don’t know about, so the first step is to find and catalog every asset associated with your business. The discovery process must be continuous because new assets may come online at any time, whether it’s through a developer adding new websites and services, or a merger bringing in newly acquired networks.

Fingerprinting

Next, you need to get a complete understanding of your assets to identify any open doorways that would be attractive to an attacker. This involves fingerprinting the technology in use, the contents, and the connections to third parties. It also involves detecting vulnerabilities on the firewall, server, or application layer. By cataloging this information, you can quickly see the big picture of where your organization’s assets, and their weaknesses, lie in the cloud.

Monitoring

Developers constantly make changes to websites, and new vulnerabilities can be found at any time. Continuous monitoring for these types of changes allows security teams to correct any issues before a data breach occurs.

Learn more about ASM in this video:

Why is attack surface management important?

Attack surface management is important because attackers are always on the lookout for the path of least resistance, hoping to find blindspots that businesses have missed. All it takes is one exploitable weak point for an attacker to get inside your business and steal customer data.

The best way to stay a step ahead and prevent that from happening is to monitor your business the exact way an attacker would—from the outside. By monitoring your assets outside the firewall, you can mitigate the risks of things that leave your business vulnerable, like:

  • Outdated software
  • Application security flaws
  • Third-party scripts
  • Expired TLS certificates
  • Missing security headers
  • Shadow infrastructure
  • Assets inherited through mergers and acquisitions

If you’re not constantly monitoring for these issues, an attacker may find and exploit them months before you’re aware. On average, it takes 280 days to detect and contain a data breach, and remediation can cost upwards of $8 million in the United States. That hefty price tag, combined with reputation damage that causes customers to lose trust, can be detrimental to businesses.

How to approach attack surface management

Modern business moves fast, and many organizations that once had a handful of internet-facing assets are now managing anywhere between 50-100, so not only is the attack surface constantly changing, but it’s also expanding rapidly.

With such massive amounts of data in flux, security professionals have struggled with how to approach ASM in a way that ensures nothing slips through the cracks.

At Halo Security, we’ve worked with many customers who have struggled with this problem over the years. Without a defined system or tool to manage their attack surface, some have resorted to keeping track of their assets manually with a spreadsheet. Too often we’ve heard that customers have so many tools that they don’t know what each of them does, or if any of them are doing their job effectively. Many others have admitted that they are not 100% confident that all of their assets are being managed and secured properly.

We believe that it’s simply not acceptable for businesses to have doubts about their attack surface, but as security professionals ourselves, we understand that there hasn’t been a great way to be confident that all assets are known and managed. So, we developed our own unique approach to attack surface management that can be broken down into 5 stages.

1. Identify your attack surface (everything outside the firewall)

Before you can manage your attack surface, you need to know what’s on it. So the first step is to take inventory of every asset outside the firewall that is associated with your business.

There are a few different ways to go about this that come with different pros and cons. To summarize, one avenue is to use a service that scans and creates a database of the entire internet and can pull out assets associated with a business using one email address. Other services start with a seed domain, usually the main .com domain of a business, and use a crawler to identify associated assets.

Whatever route you decide to take, be sure your results can be compiled in a centralized viewpoint, so that you can see the status of your entire attack surface in one location. This will allow you to monitor, prioritize, and protect your assets with fewer things falling through the cracks. Always remember that attackers don’t just target your most secure and best-monitored assets. They will target anything they can find.

2. Assign automatic testing and continuous monitoring services

Once you have full visibility of every asset on your attack surface, it’s time to apply the appropriate testing and monitoring services to each asset. These services need to do their jobs on a continuous basis because a new vulnerability can arise at any moment, and so can an attack. If you only have data from point-in-time testing, like penetration testing, to work with, that information becomes outdated instantly, and your business is left vulnerable.

Use testing and monitoring services that have a centralized notification system. You need to know the instant something on your attack surface changes, but if you’re wading through notifications that have piled up across several different platforms, some may get lost in the shuffle and cause you to overlook an important issue.

3. Analyze the firewall itself

With testing and monitoring services applied to assets outside the firewall, next you need to look at the firewall itself. Your goal here is to identify and reduce unnecessary services on the firewall so that there are fewer entry points an attacker could exploit. Keep an eye out for:

  • Open ports and misconfigurations
  • Risky services like SQL or email
  • Forgotten and legacy services
  • Obsolete versions of services

If you discover any of these issues, remediate them as soon as possible.

4. Identify issues with the greatest risk, and fix them first

Security professionals have traditionally focused on fixing as many vulnerabilities as possible because the longer the list, the more impressive it seems to leadership. But in reality, a high volume of remediated vulnerabilities doesn’t equate success. If you’re fixing hundreds of low-risk vulnerabilities and neglect one high-risk vulnerability, you’ve left open the kind of entryway to your business that is the most attractive to an attacker.

Focus on finding issues with the greatest risk and fix those before the little things. Some ASM solutions will help you identify and prioritize the highest risk issues by assigning risk scores to your assets. Ensure that you research how the solution or provider calculates the risk scores before you purchase.

We recommend prioritizing remediation of your assets in this order:

  1. Websites–Look for expired certificates, insecure cipher suites, risky third-party scripts, and missing HTTP security headers.
  2. Servers–Look for out-of-date software, known vulnerabilities (CVE), and misconfigured services.
  3. Applications–Look for OWSAP Top 10 issues like SQL injection (SQLi), cross-site scripting (XSS), code injection, and cross-site request forgery (CSRF).

5. Use manual penetration testing to find issues automatic methods can't

Manual penetration testing should be the last step in your process of securing your attack surface. Automated solutions can’t find everything, but they can find a lot. By doing manual pen testing after you’ve exhausted automatic methods, you’ll make more efficient use of expensive human hours since there will be fewer easy targets left to uncover.

Protect your attack surface with Halo Security

Now that you understand the importance of taking a systematic approach to protecting your attack surface, we urge you to consider Halo Security as your partner. Our easy-to-use, all-in-one solution has helped thousands of enterprises get a complete picture of their attack surface, deploy the correct resources to every asset, and get alerted to changes as they happen. With Halo Security, you’ll have access to our seasoned perimeter security practitioners who act as an extension of your security team and guide you step-by-step through our unique approach.

Schedule a free security assessment to get started.


Editor's note (July 2022): This article was originally posted on the TrustedSite blog in May 2021. It has been updated for the Halo Security blog.