What Is Attack Surface Management (ASM)?

LAST UPDATED: December 26, 2023

By Picus Labs • June 30, 2023, 10 min read

As your organization expands, so does the complexity of your IT infrastructure. You might open a new office across the country with remote-access users, deploy new public-facing services, add new endpoints or IoT devices, or a third-party supplier might change its business operations, and so on.

Because the infrastructure is so dynamic, it is challenging for organizations to keep track of all the potential access points to their digital assets, which together constitute their attack surface. This is where attack surface management comes into play. In this blog, we will discuss what attack surface management is, why it is important, what its components are, and how to reduce your attack surface.

What Is Attack Surface Management (ASM)?

Attack surface management is the process of continuously discovering, analyzing, and mitigating the potential attack vectors that together make up an organization's digital and physical attack surface. It takes a systematic approach to examining every part of an organization's infrastructure, including endpoints, servers, software and hardware, authentication mechanisms, and human factors.

By continuously monitoring and managing the attack surface, organizations can proactively address potential threats, strengthen their security posture, and reduce the risk of cyberattacks and data breaches.

Why Do We Need Attack Surface Management?

Attack surface management is crucial in today's evolving digital landscape because of the complexity and sheer number of potential entry points for cyber threats. Cyber attackers adopt an outside-in strategy, looking for poorly managed and overlooked IT infrastructure components rather than approaching businesses from the inside out. Organizations, in contrast, often assess their security from the inside out, which leaves them unable to see the organization the way adversaries see it.

Thus, attack surface management is essential to continuously identify and address possible security flaws before they can be exploited, reflecting the attacker's perspective. It significantly improves cybersecurity resilience by changing how security teams perceive and handle digital assets.

Use Cases for Attack Surface Management

Every organization, irrespective of size or sector, can benefit significantly from attack surface management. It provides a comprehensive understanding not only of internal assets but of all potential access points, helping organizations understand an adversary's external view of them. This approach helps to detect vulnerabilities before adversaries do, securing data and business operations.

Below, you will find three use cases that show how attack surface management can be leveraged in various sectors and industries.

  • Healthcare Sector 

Attack surface management is critical for healthcare organizations that handle Protected Health Information (PHI). For example, a hospital that practices attack surface management can monitor a wide range of devices, from MRI machines to administrative endpoints, ensuring that vulnerabilities such as outdated firmware on medical equipment are identified and patched before they are exploited. This proactive approach prevents breaches that could compromise sensitive patient data and attract substantial regulatory fines.

  • Financial Institutions

Financial institutions like banks, credit unions or insurance companies manage sensitive information, including credit card numbers and bank account details. With attack surface management, a bank can continuously monitor its digital infrastructure, identifying potential threats. For instance, unpatched software in the online banking system could be detected before cybercriminals exploit it, preventing substantial financial losses and maintaining their reputation and customer trust.

  • Government Bodies

Holding vast quantities of sensitive citizen data, government organizations benefit greatly from attack surface management. For instance, a governmental institution may discover that equipment from a third-party supplier exposes a remote-access vulnerability, something that is easily overlooked and could have a catastrophic impact. By addressing the critical access points to their digital assets, governmental organizations can proactively safeguard national security and protect citizen data from politically motivated threat actors.

What Is the Life Cycle of Attack Surface Management (ASM)?

The life cycle of attack surface management consists of five main steps.

  • Step 1: Asset Discovery

  • Step 2: Vulnerability Assessment 

  • Step 3: Risk Analysis 

  • Step 4: Remediation and Countermeasures

  • Step 5: Continuous Monitoring of the Organizational Environment

By its nature, before engaging in an attack surface management exercise, organizations first need to perform an attack surface discovery.

Attack surface discovery consists of 

  • listing all digital assets within an organization, 

  • performing vulnerability assessments for each asset to gain a better understanding of how it can be turned into an access point in the hands of an adversary, and 

  • conducting a risk assessment to understand better the potential risk and the impact an asset can pose if it is compromised. 


Upon listing all the assets and questioning the risk they pose to your organization, it's time to manage your attack surface with prioritized remediation actions. 

Consider how, in a game of chess, not every piece carries the same amount of risk. You could try to protect every single pawn on the board, but that isn't feasible and would prevent you from devising a successful strategy. Your environment is similar. A user computer with very limited privileges doesn't pose the same risk as a possibly compromised IT manager account, which likely has access to critical databases, servers, and so on. Hence, when it comes to taking countermeasures, you need to put your effort into the ones that require immediate attention.

Prioritizing your efforts will enable you to secure the potential entry points to your assets that could cause the most severe damage. This practice will help you manage your human resources in the most efficient way possible. However, attack surface management isn't a one-time task that you can carry out once a year and then relax. As your organization's business operations grow, so does the complexity of your IT and security infrastructure. You may need to deploy new software or hardware, build new servers, run new services, add new endpoints, subnetworks, etc. In other words, your IT infrastructure is dynamic, and it needs to be monitored constantly and continuously.

What Is Attack Surface Reduction?

Attack Surface Reduction (ASR) is a security strategy that involves reducing the number of access points to your digital assets, or 'attack vectors', that an adversary can use to compromise your systems or networks. This may involve implementing multi-factor authentication (MFA), patching vulnerable Exchange servers, keeping software up to date, removing unused software and services, following the principle of least privilege (PoLP), and so on.

By reducing the attack surface, you diminish the likelihood of a successful cyber attack because there are fewer opportunities for attackers to gain access to your assets. This does not mean that your systems or networks will be completely protected against threats, but it significantly improves your security posture and makes it considerably harder for adversaries to find a way into your organization.

Attack Surface Reduction Rules on Windows

Attack Surface Reduction (ASR) Rules are a set of security features provided by Microsoft in its Defender for Endpoint service [1]. These rules are designed to significantly reduce the attack vectors that an adversary can exploit to compromise a Windows system. 

The rules work by identifying and blocking potentially risky behaviors often associated with cyber threats, such as running executable files or scripts that download and run files, or using office communication applications to create executable content. They provide granular control, enabling system administrators to block, audit, or simply monitor these behaviors depending on their security posture. The ASR rules require careful management to ensure legitimate processes are not impacted. 

Microsoft provides an 'audit mode' for testing the effects of these rules, which allows the potential impact to be observed safely before the rules are fully enforced. Used this way, ASR rules are a valuable tool for minimizing security vulnerabilities and enhancing overall system protection.
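As an added example (not code from Picus or from the Microsoft article cited above), the following PowerShell walks through the audit-first rollout described here for one documented rule, using Microsoft's Defender cmdlets and ASR event IDs. It assumes an elevated shell on a Windows host with Microsoft Defender Antivirus; the exclusion path in the last stage is a placeholder.

```powershell
# Audit-first rollout of a single ASR rule. Assumes an elevated PowerShell on Windows with
# Microsoft Defender Antivirus. Run the stages over days, not all at once.

# Rule GUID as documented by Microsoft: "Block all Office applications from creating child processes".
$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Stage 1: enable the rule in audit mode. Nothing is blocked; every match is written to the event log.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Show the state of every configured rule (0 = disabled, 1 = block, 2 = audit, 6 = warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                          $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Stage 2 (after a soak period): review what the rule would have blocked.
# Defender writes ASR matches to its Operational log: event 1122 = audited, 1121 = blocked.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -match $RuleId } |
    ForEach-Object {
        # The event message text carries the affected binary on a "Process Name:" line.
        if ($_.Message -match 'Process Name:\s*(?<proc>[^\r\n]+)') { $Matches['proc'].Trim() }
    } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Stage 3: if the hits above are legitimate business processes, exclude them (placeholder path)
# before enforcing; then switch the rule from audit to block. Left commented so the script is
# safe to run as-is.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Path\To\LegitimateApp.exe'
# Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
```

A process that appears frequently in the audit output is either a business workflow that needs an exclusion or exactly the behaviour the rule exists to stop; decide which before enforcing.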

Traditional Security Assessments vs. Attack Surface Management

Traditional security assessment solutions, such as vulnerability scanners and penetration testing, and attack surface management processes are both integral parts of an organization's cybersecurity strategy, but they differ in scope, methodology, and focus.

  • SCOPE

Traditional security assessment solutions typically take an internal perspective, focusing on known systems within an organization's internal network. Hence, they are designed to identify, classify, and prioritize vulnerabilities in those systems.

On the other hand, attack surface management adopts a broader view, examining the entire digital attack surface of an organization both internally and externally. Therefore, it aims to identify all assets from an outsider's perspective that could serve as potential attack vectors for adversaries. These external assets, which constitute the perimeter of an organization, may include public-facing web services, cloud services, third-party software, and so on.

  • METHODOLOGY

Traditional security assessment solutions usually involve regular scanning of the network for known vulnerabilities that are referenced in databases such as CVE (Common Vulnerabilities and Exposures).

Attack surface management is an ongoing process that involves not just scanning for known vulnerabilities, but also discovering unknown assets, monitoring for changes in the attack surface, and analyzing risks from the perspective of an attacker.

  • FOCUS

Traditional security assessment solutions primarily focus on the weaknesses in the organization's systems and the potential impact if these vulnerabilities were exploited.

Attack surface management focuses on the entirety of an organization's cyber exposure, including identification of unknown assets and prioritization based on actual risk and potential impact to business operations.

In summary, while traditional security assessment solutions remain a crucial part of maintaining an organization's cybersecurity, attack surface management complements them with a continuous, holistic, and proactive approach to cyber risk management.

Attack Surface Analyzer 

The Attack Surface Analyzer by Microsoft is an open-source security tool that evaluates potential vulnerabilities within a system [2]. Its primary role is to analyze changes in the security landscape of a system before and after the installation of software or configuration changes. This analysis helps organizations to identify any unintended alterations that could pose a security risk.

Core features of Attack Surface Analyzer include monitoring changes to

  • the file system, 

  • user accounts, 

  • services, 

  • network ports, 

  • certificates, 

  • registry, 

  • COM objects, 

  • event logs, 

  • firewall settings, 

  • Wi-Fi networks, 

  • cryptographic keys, and 

  • processes. 

It's also capable of assessing TPM information. It stores all collected data in a set of local SQLite databases.

The Attack Surface Analyzer typically runs in an Administrator shell or as root. A single command starts a collection with all collectors enabled by default. After collection, the tool lets users compare the results of two different collection runs.

Moreover, it provides a web-based GUI that gives an overview of the system's attack surface. Through continuous monitoring and reporting, it enables users to proactively mitigate potential security vulnerabilities.
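As an added example (not code from the Attack Surface Analyzer project), this PowerShell wrapper runs the before-and-after workflow just described around a software install. The `asa` CLI option names are taken from the project's README as recalled here and should be confirmed with `asa collect --help`; the installer path is a placeholder.

```powershell
# Wraps the Attack Surface Analyzer before/after workflow around a change under test.
# Assumes the 'asa' CLI from the project's GitHub releases is on PATH and the shell is elevated.
# Option names follow the project README as recalled here; confirm with 'asa --help'.

function Invoke-AsaSnapshotDiff {
    param(
        [Parameter(Mandatory)] [scriptblock] $InstallAction,   # the change whose side effects we want to see
        [string] $Label = (Get-Date -Format 'yyyyMMdd-HHmmss')
    )
    $before = "$Label-before"
    $after  = "$Label-after"

    # 1. Baseline run with every collector (file system, users, services, ports, certificates, registry, ...).
    asa collect -a --runid $before
    if ($LASTEXITCODE -ne 0) { throw "baseline collection failed (exit $LASTEXITCODE)" }

    # 2. Apply the change.
    & $InstallAction

    # 3. Second snapshot with the same collectors.
    asa collect -a --runid $after
    if ($LASTEXITCODE -ne 0) { throw "post-install collection failed (exit $LASTEXITCODE)" }

    # 4. Diff the two runs. The report lists every object that was added, removed or changed
    #    (new listening ports, new services or accounts, altered firewall rules, new certificates, ...).
    asa export-collect --firstrunid $before --secondrunid $after --outputpath ".\asa-$Label"
    Get-ChildItem ".\asa-$Label"
}

# Usage with a placeholder installer path ('/qn' makes msiexec install silently):
Invoke-AsaSnapshotDiff -Label 'vendor-agent' -InstallAction {
    Start-Process msiexec.exe -ArgumentList '/i', 'C:\Path\To\VendorAgent.msi', '/qn' -Wait
}
```

Anything in the diff that the vendor's documentation does not account for (an extra listening port, a new local account, a relaxed firewall rule) is a candidate for removal or hardening before the software goes to production.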

Attack Surface Management Gartner: What Do They Say?

Gartner, a leading research and advisory company, has stressed the significance of CAASM for managing the expanding attack surface in their "Top Trends in Cybersecurity 2022" report. This expansion includes risks associated with cyber-physical systems, IoT, open-source code, cloud applications, and complex digital supply chains [3]. 


Gartner predicts that Cyber Asset Attack Surface Management (CAASM), Digital Risk Protection Service (DRPS), and External Attack Surface Management (EASM) will help CISOs visualize and automate security coverage gaps. 

Continuous Attack Surface Management with CAASM

Organizations can leverage various solutions, such as Cyber Asset Attack Surface Management, to automate their attack surface management processes.

  • Step 1: Save human effort by automating manual asset data collection and aggregation tasks

Cyber Asset Attack Surface Management (CAASM) can be used to identify all digital assets within an organization's network, including servers, databases, and applications. By aggregating data from across your IT environment, CAASM can provide a centralized view of your assets so you can make better security decisions about how to protect them.


Figure 2. Picus Cyber Asset Attack Surface Management (CAASM).

  • Step 2: Perform vulnerability and risk assessment for each identified asset

Once digital assets have been identified, CAASM can be used to assess the potential security risks associated with each asset, such as vulnerabilities, misconfigurations, or weak authentication protocols.

  • Step 3: Take remediation actions based on prioritization 

Once you have identified the assets that pose the greatest risk to business operations, you need to take countermeasures for the assets that require immediate attention.
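An added example, not Picus code, that serves both the prioritized-remediation step of the life cycle described earlier and the three CAASM steps listed above: it merges asset records from two constructed inventories (a vulnerability scanner and a directory/CMDB export), scores each asset by exposure, privilege and worst vulnerability, and prints the remediation queue. Hostnames, weights and CVSS values are illustrative.

```powershell
# Added example: aggregate two constructed inventories, score each asset, and print the
# remediation queue in priority order. Hosts, weights and CVSS values are illustrative.

# Constructed data: the same estate as reported by a vulnerability scanner and by the directory/CMDB.
$ScannerResults = @(
    @{ Host = 'web01';   Exposure = 'internet'; MaxCvss = 9.8 },
    @{ Host = 'hr-db01'; Exposure = 'internal'; MaxCvss = 7.5 },
    @{ Host = 'ws-042';  Exposure = 'internal'; MaxCvss = 5.3 }
)
$DirectoryRecords = @(
    @{ Host = 'WEB01';    Privilege = 'service'; Owner = 'webteam' },
    @{ Host = 'HR-DB01';  Privilege = 'admin';   Owner = 'hr-it'   },
    @{ Host = 'WS-042';   Privilege = 'user';    Owner = 'j.doe'   },
    @{ Host = 'PRINT-07'; Privilege = 'none';    Owner = ''        }   # known only to the directory: never scanned
)
# Weights encode the page's point: an exposed, highly privileged asset outranks a low-privilege endpoint.
$ExposureWeight  = @{ internet = 3.0; internal = 1.0; unknown = 2.0 }
$PrivilegeWeight = @{ admin = 3.0; service = 2.0; user = 1.0; none = 0.5; unknown = 2.0 }

function Merge-AssetInventories {
    # Step 1: aggregate both sources into one record per host, keyed on the normalized hostname.
    param([array] $Scanner, [array] $Directory)
    $merged = @{}
    foreach ($d in $Directory) {
        $merged[$d.Host.ToLower()] = @{ Host = $d.Host.ToLower(); Privilege = $d.Privilege; Owner = $d.Owner
                                        Exposure = 'unknown'; MaxCvss = $null }
    }
    foreach ($s in $Scanner) {
        $k = $s.Host.ToLower()
        if (-not $merged.ContainsKey($k)) { $merged[$k] = @{ Host = $k; Privilege = 'unknown'; Owner = '' } }
        $merged[$k].Exposure = $s.Exposure; $merged[$k].MaxCvss = $s.MaxCvss
    }
    return $merged.Values
}

function Get-RemediationQueue {
    # Steps 2-3: score every asset and decide its next action. An unscanned asset is a discovery gap, not "safe".
    param([array] $Assets)
    $Assets | ForEach-Object {
        $cvss   = if ($null -ne $_.MaxCvss) { $_.MaxCvss } else { 0 }
        $score  = [math]::Round($ExposureWeight[$_.Exposure] * $PrivilegeWeight[$_.Privilege] * $cvss, 1)
        $action = if ($null -eq $_.MaxCvss) { 'discover: add to scan scope' } elseif ($cvss -ge 7) { 'patch now' } else { 'schedule' }
        [pscustomobject]@{ Host = $_.Host; Owner = $_.Owner; Exposure = $_.Exposure; Privilege = $_.Privilege
                           MaxCvss = $cvss; Score = $score; Action = $action }
    } | Sort-Object Score -Descending
}

Get-RemediationQueue (Merge-AssetInventories $ScannerResults $DirectoryRecords) | Format-Table -AutoSize
```

With this data the internet-facing web01 ranks first and the admin-privileged hr-db01 second, while ws-042 is scheduled and print-07 surfaces as an asset that was never in scan scope at all.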


Frequently Asked Questions (FAQs)

Here are the most frequently asked questions about attack surface management.

How Does Continuous Attack Surface Management Help Maintain Robust Security Over Time?

Continuous Attack Surface Management (CASM) maintains robust security by perpetually monitoring and cataloging an organization's digital assets. It identifies changes, new vulnerabilities, or misconfigurations in real time, enabling immediate remediation. By evaluating the severity and criticality of threats, it allows for efficient resource allocation, ensuring that high-risk vulnerabilities are prioritized. Over time, this continuous and proactive approach helps minimize potential attack vectors and maintain a robust security posture.

Can I Integrate Attack Surface Management Solutions into My Existing Security Infrastructure?

Cyber Asset Attack Surface Management (CAASM) solutions can integrate seamlessly with existing security infrastructure to streamline the response to detected threats and vulnerabilities. This includes Microsoft Active Directory for user and device management, Endpoint Protection Platforms (EPP) for real-time threat detection, vulnerability management solutions for identifying weak points, and endpoint and configuration management systems for maintaining device and software settings. The tool can also integrate with External Attack Surface Management tools to assess potential external threats.
References

[1] jweston-, “Use attack surface reduction rules to prevent malware infection.” [Online]. Available: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction. [Accessed: Jun. 23, 2023]

[2] “GitHub - microsoft/AttackSurfaceAnalyzer: Attack Surface Analyzer can help you analyze your operating system’s security configuration for changes during software installation,” GitHub. [Online]. Available: https://github.com/microsoft/AttackSurfaceAnalyzer. [Accessed: Jun. 23, 2023]

[3] “Gartner Identifies Top Security and Risk Management Trends for 2022,” Gartner. [Online]. Available: https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for-2022. [Accessed: Apr. 28, 2023]
