Attack Surface Management
Attack Surface Management (ASM) is composed of continuous discovery, inventory,
classification, prioritization and security monitoring of external digital assets
that contain, transmit or process your corporate data.
Nearly all contemporary compliance and regulatory standards and data protection laws, including the various NIST frameworks, PCI DSS, GDPR and HIPAA, require continuous Attack Surface Management in one form or another. Proper implementation of it can likewise significantly simplify adoption of ISO 27001 and related international standards from the ISO 2700x family.
Want an in-depth understanding of all modern aspects of Attack Surface Management? Read this article carefully and bookmark it to come back to later; we update this page regularly.
Since 2018, organizations have been urged to reduce and monitor their “Attack Surface” exposure. Put simply, your Attack Surface is the aggregate of hardware, software and cloud assets accessible from the Internet that process or store your data. Also known as the External Attack Surface or Digital Attack Surface, this emerging trend is entering the key priorities of CIOs, CTOs and CISOs in 2019 and will certainly continue its rapid expansion in 2020.
Stealth security threats grow even more rapidly than the booming M&A market, delivering concealed time bombs to new business owners. Timely identification of shadow and legacy digital assets, as well as adequate security maintenance and protection of your known digital assets, considerably reduces data breaches and undermines attackers’ chances of silently compromising your organization. Moreover, Attack Surface Management is key to a successful Vulnerability Assessment and Penetration Testing (VAPT) program and the concomitant efforts, from vulnerability remediation to threat intelligence.
Attack Surface Management helps prevent and mitigate the following risks stemming from:
- Shadow and legacy assets
- Human mistakes and omissions
- Vulnerable and outdated software
- Unknown Open Source Software (OSS)
- Large-scale attacks on your industry
- Targeted attacks on your business
- Intellectual property infringement
- IT heritage from M&A activities
Modern-day Attack Surface Management usually consists of the following consecutive and interconnected stages, run continuously in 24/7 mode:
1. Digital Asset Discovery
This initial stage is essential for a proper and holistic implementation of Attack Surface Management in your organization. Its ultimate purpose is to discover all external, in other words Internet-facing, digital assets that contain or process your corporate data. The assets can be owned or operated by your organization, as well as by trusted third parties such as cloud providers, IaaS and SaaS vendors, business partners, suppliers or external consultants. Below is a non-exhaustive list of digital assets that you should consider identifying and mapping within your asset discovery process:
- Mobile applications and their backends
- Web applications, Web Services and APIs
- Cloud and NAS storage, network devices
- Domain names and SSL certificates
- IoT and connected objects
- Public Code Repositories
- Email servers
The discovery process ranges from simple scanning of the IP addresses and subnetworks you provide to more comprehensive OSINT (Open Source Intelligence) and Dark Web crawling. Some cybersecurity vendors offer to enhance the process by installing client-side agents on your devices; however, this is quite time-consuming and often impractical. It is likewise imperative to consider the digital assets of third parties that process, transmit or store your data.
At ImmuniWeb, to attain the best possible outcomes and effectiveness of Attack Surface Management, we combine advanced OSINT discovery with proactive Dark Web monitoring, augmented with our award-winning AI and Machine Learning technology, to locate actionable information amid petabytes of raw data.
2. Digital Asset Inventory and Classification
Once your assets are known and visible, it is time to begin digital asset inventory and classification, also known as IT asset inventory. This part of the exercise involves sorting and labeling the assets based on their type, technical characteristics and properties, business criticality, compliance requirements or responsible team.
It is essential to nominate a person, or a team, accountable for regular asset maintenance, updates and protection. Unclear or dual responsibility inevitably leads to a wide spectrum of omissions and failures, eventually causing costly data breaches. Therefore, coherent and transparent responsibility for each asset, or group of assets, underpins the very substance of appropriate Attack Surface Management.
At ImmuniWeb, our multi-role dashboard with 2FA allows you to add as many people as necessary and to label and organize assets by all available properties, from asset type to security risk or ownership. The data can be easily accessed via an API and integrated into other systems in line with your DevSecOps processes or threat intelligence task force.
3. Digital Asset Risk Scoring and Security Ratings
Attack Surface Management would be a burdensome and arduous task without an actionable risk scoring component. Many organizations have thousands, if not millions, of fluctuating digital assets. The common CI/CD (Continuous Integration / Continuous Development) approach to software development relentlessly adds new applications, servers and other systems to your external Attack Surface perimeter, oftentimes riddled with dangerous security vulnerabilities or even exposing confidential data without password protection or any other security mechanism.
Hence, the dynamic multiplicity of new digital assets must be rapidly detected, scanned and scored for subsequent risk mitigation in a threat-aware and priority-based manner. It is crucial to assign security ratings accurately to ensure prudent allocation of scarce IT resources and human time to tackle the most important cyber perils in the right priority and without delay.
At ImmuniWeb, we leverage our award-winning Security Ratings technology to assign Hackability and Attractiveness scores to all discovered applications and APIs, providing data-driven and easily consumable insights.
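As an added illustration of stages 2 and 3 (this is example code written for this page, not ImmuniWeb's platform or its scoring model), the block below keeps a small inventory, labels assets by type, flags the unclear or dual ownership the text warns about, and orders assets for remediation by a simple exposure-times-criticality score. The assets, owners, findings and weights are constructed samples.

```python
# Added example (not ImmuniWeb's code): a minimal asset inventory with
# classification, an accountability check and risk scoring, in the spirit of
# stages 2 and 3. Assets, owners, findings and weights are constructed samples.
from dataclasses import dataclass, field

FINDING_WEIGHT = {"outdated_software": 3, "no_authentication": 5,
                  "expired_certificate": 2, "exposed_admin_panel": 4}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}   # business impact multiplier
@dataclass
class Asset:
    name: str
    kind: str                   # web_app, api, mail_server, file_server ...
    criticality: str            # low / medium / high
    owners: list = field(default_factory=list)
    findings: list = field(default_factory=list)

def classify(assets):
    """Group asset names by type, the first labelling step of the inventory."""
    groups = {}
    for a in assets:
        groups.setdefault(a.kind, []).append(a.name)
    return groups

def accountability_issues(assets):
    """Flag unclear (no owner) or dual (more than one owner) responsibility."""
    issues = {}
    for a in assets:
        if not a.owners:
            issues[a.name] = "no owner"
        elif len(a.owners) > 1:
            issues[a.name] = "dual responsibility"
    return issues

def risk_score(asset):
    """Exposure (sum of finding weights) scaled by business criticality."""
    exposure = sum(FINDING_WEIGHT.get(f, 1) for f in asset.findings)
    return exposure * CRITICALITY[asset.criticality]

def prioritize(assets):
    """(name, score) pairs, highest risk first: the remediation order."""
    return sorted(((a.name, risk_score(a)) for a in assets), key=lambda p: (-p[1], p[0]))

# Constructed inventory as it might look right after discovery.
INVENTORY = [
    Asset("shop.example.com", "web_app", "high", ["web-team"], ["outdated_software"]),
    Asset("api.example.com", "api", "high", ["web-team", "platform-team"], ["no_authentication"]),
    Asset("legacy-ftp.example.com", "file_server", "medium", [], ["expired_certificate", "exposed_admin_panel"]),
    Asset("mail.example.com", "mail_server", "medium", ["it-ops"], []),
]
```

Note that the unowned legacy server ranks second even though it is only medium criticality: two exposed weaknesses and nobody accountable for them is exactly the combination the text calls out.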
4. Digital Asset Security Monitoring
Continuous security monitoring stands atop the Attack Surface Management stages related to corporate or trusted third parties’ digital assets. According to Gartner, over 90% of successfully exploited vulnerabilities had been publicly disclosed and known for over a year. The swift proliferation of Open Source Software (OSS) complicates vulnerability management, bringing dozens of easily exploitable vulnerabilities to Bugtraq every day.
Therefore, it is indispensable to run 24/7 monitoring of your digital assets for newly discovered security vulnerabilities, weaknesses, misconfigurations and derivative compliance issues. This component of Attack Surface Management is particularly tricky to run in a smooth and production-safe mode. Many web vulnerability scanners and network security scanners may trigger exploitation of a SQL injection or Remote Command Execution (RCE) vulnerability, thereby crashing the remote system or making it unavailable. For obvious reasons, such collateral effects are flatly unacceptable when dealing with third-party or business-critical systems. Therefore, pay attention to the reliability and consistency of testing when considering a solution for continuous security monitoring integrated into your Attack Surface Management platform.
At ImmuniWeb, we have put in place our non-intrusive and production-safe technology for continuous Software Composition Analysis (SCA) with an embedded Open Source Security module, and PCI DSS and GDPR compliance scanning enhanced with over 1,000 tests from industry best practices and guidelines.
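To show what a production-safe monitoring pass of the kind described in stage 4 looks like in practice, here is an added example (written for this page, not ImmuniWeb's SCA engine): inventoried component versions are matched against an advisory list entirely offline, so nothing is sent to the asset, and fixes that have been public for over a year are marked stale. Component names, versions, advisory ids and dates are constructed placeholders, not real CVEs.

```python
# Added example (not ImmuniWeb's code): a non-intrusive monitoring pass in the
# spirit of stage 4. Inventoried component versions are matched against a list of
# advisories without sending any traffic to the asset. Components, versions,
# advisory ids and dates are constructed placeholders, not real CVEs.
from datetime import date

REFERENCE_DATE = date(2023, 6, 1)   # constructed "today" for the age check

def parse_version(v):
    """Turn '2.4.49' into (2, 4, 49) so that versions compare numerically."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version, advisory):
    """Affected when introduced <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed_in"])

def monitor(assets, advisories, today=REFERENCE_DATE):
    """One finding per (asset, component, advisory) match; 'stale' marks fixes public for over a year."""
    findings = []
    for asset in assets:
        for comp, ver in asset["components"].items():
            for adv in advisories:
                if adv["component"] == comp and is_affected(ver, adv):
                    age_days = (today - adv["published"]).days
                    findings.append({"asset": asset["name"], "component": comp,
                                     "version": ver, "advisory": adv["id"],
                                     "stale": age_days > 365})
    return findings

def stale_assets(findings):
    """Assets carrying at least one year-old unpatched advisory: the first remediation queue."""
    return sorted({f["asset"] for f in findings if f["stale"]})

ADVISORIES = [  # constructed placeholder ids and dates
    {"id": "ADV-0001", "component": "httpd", "introduced": "2.4.0",
     "fixed_in": "2.4.50", "published": date(2021, 10, 5)},
    {"id": "ADV-0002", "component": "openssl", "introduced": "3.0.0",
     "fixed_in": "3.0.7", "published": date(2022, 11, 1)},
    {"id": "ADV-0003", "component": "jquery", "introduced": "1.0.0",
     "fixed_in": "3.5.0", "published": date(2020, 4, 29)},
]
ASSETS = [  # constructed inventory with the component versions observed per asset
    {"name": "shop.example.com", "components": {"httpd": "2.4.49", "jquery": "3.5.1"}},
    {"name": "api.example.com", "components": {"openssl": "3.0.2", "nginx": "1.22.1"}},
    {"name": "legacy.example.com", "components": {"jquery": "1.12.4", "httpd": "2.4.52"}},
]
```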
5. Malicious Asset and Incident Monitoring
The foregoing steps encompass known and unknown digital assets operated by your organization or authorized third parties. Importantly, the modern threat landscape transcends the realm of legitimate corporate IT assets and includes malicious or rogue assets perfidiously deployed by cybercriminals or unscrupulous competitors.
This peculiar type of digital asset includes phishing websites, breached resources hosting exploit packs with ransomware, cybersquatted and typosquatted domain names, mobile apps pretending to be yours, fake accounts on social networks and similar digital creations intended to infect, defraud or steal from your customers by abusing your trademarks or exploiting your goodwill. Even more can be detected on the Dark Web, from leaked or stolen corporate documents to credentials compromised in previous breaches of your network or of third parties. Such data is further exploited for spear-phishing campaigns, password reuse and brute-forcing attacks, which are often immensely efficient and successful. For these reasons, continuous monitoring for malicious assets and incidents is vital to ensure holistic visibility of attack vectors against your organization.
At ImmuniWeb, we enhance Attack Surface Management with Dark Web monitoring. We provide our clientele with up-to-date insights about existing and emerging threats to mitigate their impact and minimize the damage.
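One concrete piece of the malicious-asset monitoring described in stage 5 is screening newly observed domain names for lookalikes of your own brand. The block below is an added example written for this page (not ImmuniWeb's detection logic): it folds punycode and common lookalike characters back to ASCII, then labels each domain in a feed as a typosquat, homoglyph, cybersquat or same-name-other-TLD hit. The brand "example", the feed and the homoglyph table are constructed, and the registrable label is assumed to be the one before the TLD (no public-suffix list).

```python
# Added example (not ImmuniWeb's code): screening a feed of newly observed domain
# names for typosquat, homoglyph and cybersquat lookalikes of your own brand, the
# rogue assets stage 5 describes. Brand, feed and homoglyph table are constructed.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"}  # Cyrillic lookalikes
def normalize_label(label):
    """Decode punycode (xn--) and fold common lookalike characters to plain ASCII."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label.lower()

def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, brand="example", own_domains=frozenset({"example.com"})):
    """Return a lookalike category for one observed domain, or None if unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in own_domains:
        return None
    labels = domain.split(".")
    # Assumption: the registrable label is the one before the TLD (no public-suffix list).
    raw = labels[-2] if len(labels) >= 2 else labels[0]
    sld = normalize_label(raw)
    if raw == brand:
        return "other-tld"      # your exact name under another TLD
    if sld == brand:
        return "homoglyph"      # lookalike characters fold to your name
    swapped = any(sld[:k] + sld[k + 1] + sld[k] + sld[k + 2:] == brand
                  for k in range(len(sld) - 1))
    if swapped or edit_distance(sld, brand) <= 1:
        return "typosquat"      # one keystroke away from your name
    if brand in sld:
        return "cybersquat"     # your name combined with other words
    return None

def screen_feed(feed, brand="example", own_domains=frozenset({"example.com"})):
    """Keep only the feed entries that classify as lookalikes."""
    return {d: c for d in feed if (c := classify_domain(d, brand, own_domains))}
# Constructed feed; the last entry is a Cyrillic-e lookalike in its punycode form.
FEED = ["example.com", "examp1e.com", "exmaple.com", "exampl.co", "example-login.com",
        "example.net", "unrelated.org", "\u0435xample.com".encode("idna").decode("ascii")]
```

The hits are review candidates, not verdicts: a legitimate third party may own a near-miss name, so the output feeds an analyst queue or a takedown workflow rather than an automatic block.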