tips tools enterprise security

SecurityTrails Blog · Dec 29 2020 · by Sara Jelen

Attack Surface Management: You Can’t Secure What You Can’t See

Reading time: 11 minutes

A report from 2016 predicted that 30% of all data breaches by 2020 will be the result of shadow IT resources: systems, devices, software, apps and services that aren’t approved, and in use without the organization’s security team’s knowledge. But shadow IT isn’t the only area where security and IT teams face issues with tracking and visibility.

Servers, IoT devices, old VPSs, forgotten environments, misconfigured services and unknown exposed assets can all be entry points which attackers can easily exploit to carry out cyber attacks. Furthermore, there are other internet-facing assets that security teams struggle with, visibility-wise: domains, subdomains, open ports, SSL certificates, open databases, etc. And you can’t secure what you can’t see.

All of the assets mentioned are what we consider an organization’s digital attack surface. You can think of each as a possible attack vector cyber criminals can use to penetrate your network or system to gain a hold of your sensitive data. With that in mind we can see how not having visibility into those assets can be detrimental to organizations’ security posture, raising their susceptibility to cyber attacks and data breaches.

To stay protected and be proactive with their cybersecurity, organizations are adopting attack surface management procedures and tools that provide them with an accurate inventory of all of their assets while continuously assessing their attack surface for potential risks.

What is attack surface management?

At SecurityTrails we see and define the attack surface as the entire network and software environment that is exposed to attacks, as well as all the ways your assets can be exploited.

An organization’s attack surface will include the unknown assets we mentioned above—shadow IT, forgotten dev and staging environments, forgotten IT infrastructure—along with known assets such as the operating system, network services, servers, domains and subdomains, SSL certificates and rogue assets like typosquatted domains. It doesn’t stop there, however, as an organization’s attack surface will also include third-party vendors and any risks they carry; small vendors can lead to large data breaches if lacking proper security posture.

Attack surface management, or ASM, is a highly effective cybersecurity methodology that refers to continuous identification, inventory, classification, monitoring and prioritization of digital assets that contain or transmit sensitive data. While often called “attack surface monitoring” or “attack surface discovery” it in fact covers aspects of both, and more. Attack surface management allows organizations to identify their attack surface components, locate their attack vectors and exposures, and learn how to use that knowledge to protect against future attacks.

With the ability to provide real-time visibility into the full attack surface, evaluate risks, and comply with data protection regulations, and with continuous monitoring allowing for efficient remediation in case of threat, attack surface management can be seen as the meeting point of risk management, asset management and discovery, vulnerability management and compliance.

Attack surface management

Why is attack surface management important?

Reducing an organization’s attack surface is important, we can all agree to that. But with all the practical tips attributed to attack surface reduction—such as reducing the code you’re running, removing unnecessary software and services, performing regular network scans and the like—attack surface management still stands as one of the best ways of not only managing attack surface reduction but also providing many other valuable benefits to an organization’s security posture.

Let’s go over some of the key benefits of attack surface management:

Why is attack surface management important

Risk reduction

One of the most important, if not the most important, benefits of attack surface management is its ability to reduce cybersecurity risks that can stem from shadow IT, human error such as phishing and data leaks, vulnerable and outdated software, opportunistic and targeted cyber attacks, risks associated with M&A activities and intellectual property infringement.

Attack surface management can reduce overall cybersecurity risks by monitoring your digital footprint and it achieves this through identifying, assessing and ultimately addressing risks based on their criticality. Timely identification of all digital assets, especially those that might be vulnerable, is crucial in reducing the chances of suffering a data breach. And as we mentioned, you can’t protect what you can’t see, and when you actually have the needed visibility into your digital assets, you have the perfect foundation to reduce the risks associated with them.

Cutting down on unneeded resources

Some large organizations will have full-time resources allocated to managing and tracking their attack surface. But once you add in a full team, availability of resources, human error, scope of the surface itself and even the lack of security automation and orchestration, all these factors can slow down the process, lengthening the time needed to quickly identify all digital assets and react to potential risks.

Attack surface management works to close this gap by automating asset discovery, asset management, risk detection and reduction, following the assets as they change and evolve with constant monitoring.

Proactive approach to cybersecurity

When it comes to cybersecurity and keeping an organization’s security posture solid in the current threat landscape, it is crucial to take a proactive approach, rather than a reactive one. The continuous identification, monitoring and prioritization that comes with attack surface management provides organizations with insight into their entire infrastructure and the ability to secure it before any attacks occur, rather than just simply responding to them as they happen.

Speeding up remediation

Along with the benefit of risk reduction is easier, quicker and more efficient risk remediation. Attack surface management, once it provides you with full visibility into your digital assets and their potential vulnerabilities, will allow you to prioritize remediation as the monitoring and alerting of risks is continuous, meaning that you will be notified of a risk as soon as it appears in your infrastructure. This way any risks can be resolved and remediated in order to efficiently hone an organization’s defenses.

Key elements of attack surface management software

Knowing the importance of attack surface management, you should find a solution that fits your needs. And while the characteristics and security needs of different organizations are unique to each, there are key components shared by all effective attack surface management software.

We at SecurityTrails are dedicated to preventing cyber attacks by bringing greater awareness to your attack surface. With our Attack Surface Reduction tool, or ASR, you’ll have the ability to discover and manage your critical assets and shadow infrastructure, giving you a full picture of where your weaknesses are.

Let’s learn about the intricacies of our tool and what you can expect when using ASR for attack surface management:

Key elements of attack surface management software

Gain visibility

Are you aware of all the services you have running within your infrastructure? Do you know what each of them is doing? What understanding do you have about your digital footprint and all the digital assets you have scattered across the internet? Before you answer these questions, know that it all starts with asset discovery.

The attack surface management solution begins with gaining visibility into all internet-facing assets that contain or transmit sensitive data, whether these assets are owned by an organization or by their third parties. These digital assets can be domains, subdomains, IP addresses, SSL certificates, web applications and services, APIs, connected devices, cloud storages, open databases, and servers, among others.

Make sure that the solution you choose provides accurate and real-time visibility into all of these digital assets and features a way to visualize them easily, also in real time.

Attack Surface Reduction spotlights all internet-connected assets of an organization with great accuracy, giving you a real-time look into any forgotten infrastructure. You’ll be able to see everything instantly and gather all information related to the organization’s domain, subdomains and associated domains.

Inventory management

Once you’ve gained visibility into all of an organization’s internet-facing assets, it’s time to build an inventory with a list of all associated and discovered infrastructure data. This is where assets are labeled as per their type, properties, and most importantly, their weakness or criticality. And here’s where you’ll be able to make more sense of the big picture: by streamlining how you visualize digital assets, you can gain complete awareness of your attack surface and internet-facing infrastructure.

ASR will provide you with a dashboard that includes a list of all the associated data discovered, such as detecting IP ranges and their ASNs, reveal any open services with open ports as well as SSL/TLS certificates.

Taking inventory management to the next level, ASR provides you with knowledge and understanding of any possible security risks and issues with the potential to become a security event, including:

  • IPs that point to private networks
  • Remote access points
  • SSL/TLS certificates that will expire soon or are already expired
  • Related apex domains due to expire soon

Risk detection

In order to mitigate cybersecurity risks you need to start with monitoring, asset discovery and inventory, and risk detection. With automated asset analysis, any security risks your organization might face are detected and mitigated before any damage occurs. And attack surface management isn’t actionable without risk detection and prioritization, to understand which asset has which security issues and with what severity. It won’t be a weakness if you discover it in time.

Risks provide a security-wise perspective of an organization’s connected infrastructure in order to take action. Fortunately, our Attack Surface Reduction tool provides a separate “Risks” section that’s all about critical risk detection. It’s here where you’ll find data related to:

  • Database open ports - When databases are unwittingly open to the internet, they may not have ACLs in place, which can lead to data exfiltration. This dataset will provide you with visibility into all hostnames, their IP addresses, and open ports known to be used for databases that may be left open.

  • Self-signed certs - Self-signed certificates can make a connection secure, but if left exposed can provide an attacker knowledge into the organization’s internal servers, development servers or servers not yet set up (and not intended to be left exposed). This dataset will show you the hostnames and the IPs those hostnames are pointed to along with SSL subject information, SHA256 and issuer information as well as self-signed certificate validity period.

  • Staging and dev subdomains - Staging or development environments contain websites that are works in progress, clearly not ready, and shouldn’t be open to the public. Left open, these environments can indicate servers that are not protected and could be compromised, as they present an easy target and entry point for attackers. With this dataset, ASR shows you all the subdomains that contain keywords associated with staging and dev subdomains.

Constant monitoring and alerts

Constant and continuous monitoring is indispensable and possibly one of the most important features of good attack surface management software.

Misconfigurations in cloud services such as the always-dreaded AWS misconfigurations, vulnerabilities that haven’t been patched in time, data leaks that could lead to compliance issues, potentially malicious new configurations in your infrastructure and the like can all be that much harder to track if you aren’t equipped with 24-7 monitoring of your entire infrastructure. This is why a proper attack surface management solution with continuous monitoring is such an imperative, as well as—in the case of ASR—alerts to go with it.

Our proactive monitoring and alerts feature allows you to set a weekly, or even daily, alert for any infrastructure changes, newly found hostnames or silent errors or misconfigurations discovered. Alerts are set up easily and can be delivered using one of the available communication channels, allowing you to be proactive for any necessary changes and informed decision-making.

Why you should care about attack surface management

With numerous breaches occurring almost daily and with increasing severity, careful monitoring of your online infrastructure is crucial in staying strong and secure in the current threat landscape. The truth is that your attack surface is often much larger than you might suspect—and the bigger your attack surface, the bigger the vulnerabilities that go along with it. Attack surface management should be a priority and a basic security measure for organizations of all sizes. It’s imperative to gain visibility into all digital assets, detect any risks, and maintain continuous monitoring of the entire surface, for an organization to nip any risks in the bud.

ASR is there to help you throughout every step of ASM, and will provide you with full asset discovery, asset and inventory management, risk detection and mitigation, continuous monitoring and even proactive alerts. We’re preparing a new launch at the start of 2021 and are truly excited to share more information about revolutionizing attack surface management.

Curious?
Be the first to know once we launch the newest version of ASR - just sign up here!

SARA JELEN

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.