What Is External Attack Surface Management (EASM) ?

As organizations expand, their external attack surface grows proportionally with the addition of more domains, internet-facing services, and cloud assets. Each new endpoint, be it a web portal, API, or cloud service, offers potential entry points for attackers. This expanding digital footprint increases vulnerability risks and emphasizes the need for robust cybersecurity measures to defend against potential external threats.

This blog delves into the external attack surface, its key components, strategies for organizations to manage it, the lifecycle of an EASM program, and insights from Gartner's hype cycle on EASM.

What Is External Attack Surface?

The external attack surface of an organization encompasses the entire area of a system or organization that is susceptible to an attack from external sources. It represents the collection of all points and interfaces exposed to the outside world, where unauthorized users might attempt to gain access or extract information.

Figure 1. Enhancing the Visibility of Your Attack Surface by Picus Security.

An organization's external attack surface typically consists of:

• Internet-facing Assets 

Internet-facing assets are any servers, devices, or systems that are directly reachable from the public internet. They represent the digital face of an organization to the external world. Due to their exposure, they are often the first target for attackers, as exploiting vulnerabilities in these assets can provide initial foothold or access to the organization's internal network or sensitive data.

Web servers, for instance, can be compromised to host malicious content or serve as a platform for further lateral movement inside an organization's network. Mail servers, another pivotal asset, if breached, can be manipulated to intercept or send deceptive emails, aiding in phishing or spear-phishing campaigns. DNS servers are vital for traffic direction; a malicious actor gaining control can redirect users to fraudulent sites, a tactic commonly used for phishing or man-in-the-middle attacks. FTP and file servers, given their primary function of storing and transferring data, can be treasure troves of sensitive information. An adversary targeting these can steal, alter, or ransom the stored data. 

• Web Applications

Websites, online platforms, and web services/APIs that the organization offers to its customers, partners, or the general public are prime targets of adversaries. Vulnerabilities in these platforms can be exploited in various ways.

Web platforms, such as e-commerce sites and customer portals, are susceptible to various cyberattacks. Attackers can exploit SQL Injection vulnerabilities to manipulate databases, for instance, extracting customer data from an online store. Cross-Site Scripting (XSS) allows malicious actors to inject scripts into web pages, potentially hijacking user sessions on an e-commerce site. Cross-Site Request Forgery (CSRF) can deceive users into unintentionally performing actions, like initiating fund transfers on banking portals. Inadequate session management can lead to session hijacking, permitting unauthorized access, while file inclusion vulnerabilities might let attackers run harmful scripts, compromising servers. Furthermore, security misconfigurations, such as unprotected directories, can expose critical data. Given these threats, robust security practices are paramount for web applications.

• Remote Access Points

Remote Access Points, encompassing tools like VPNs, RDP, and SSH, are invaluable for modern organizations, facilitating connections from virtually anywhere to the company's internal network. Their increased use, augmented by the shift to remote work, amplifies their presence on an organization's external attack surface. However, if inadequately safeguarded, this convenience can become a magnet for cyber adversaries. 

Vulnerabilities in VPN solutions, misconfigurations, or compromised credentials of remote employees can be identified and exploited to grant unauthorized access.

For instance, In September 2022, a hacker, who claimed to be 18 years old, used the "MFA fatigue attack" technique to gain access to an Uber employee's VPN account [1]. In this case, the hacker sent the employee dozens of SMS messages, each containing a one-time password (OTP) for the VPN. After about an hour, the employee was so tired of receiving the messages that they clicked on a link in one of them, which took them to a fake login portal that the hacker had created. The employee then entered their VPN credentials in the portal, which the hacker was able to capture.

Once the hacker had gained access to the employee's VPN account, they were able to access Uber's internal network. They then found a PowerShell script that contained hardcoded credentials for a Thycotic PAM admin account. Using these credentials, the hacker was able to access Uber's AWS, Onelogin, and GSuite environments, among others.

• Cloud Assets

Cloud assets have swiftly become cornerstones in modern organizational infrastructure, amplifying operational efficiency through their innate flexibility and scalability. However, their integration also means they significantly shape the external attack surface. While they promise convenience, they bring forth many challenges, notably misconfigurations. 

For instance, an inadvertently exposed S3 bucket on AWS can turn into massive reputation and financial losses due to data breaches. 

• Official and Sub Domains

Official domains and subdomains play a crucial role in defining an organization's online presence, acting as the primary interfaces for external traffic and interactions. They are significant contributors to the external attack surface of an organization, being directly accessible from the internet. 

Domains often carry critical functionalities, and any misconfiguration can lead to potential security lapses. Outdated or misconfigured SSL/TLS certificates, for instance, can compromise the integrity and confidentiality of data during transmission. Additionally, legacy subdomains, which may have been created for past projects or campaigns, might not be monitored or updated regularly, making them susceptible to exploits. 

What Is External Attack Surface Management (EASM)?

External Attack Surface Management (EASM) is a comprehensive approach to identifying, analyzing, prioritizing, and mitigating vulnerabilities associated with an organization's external-facing digital assets. These assets can range from websites, applications, and network infrastructure to previously unidentified assets and connections. 

Thus, EASM goes beyond traditional vulnerability management by focusing on the broader context in which vulnerabilities exist, considering the dynamic nature of the digital landscape, and integrating cross-functional teamwork for effective remediation.

Why Is External Attack Surface Management (EASM) Important?

Running an external attack surface management (EASM) is essential for organizations in today's complex and expanding digital landscape. As organizations deploy increasing external-facing digital assets like websites, applications, and various network interfaces, the potential for vulnerabilities escalates correspondingly. These assets can become an entry point for malicious actors if not appropriately managed and secured. 

EASM systematically identifies, analyzes, and mitigates these vulnerabilities, reducing the external attack vectors available to potential adversaries. This involves pinpointing system misconfigurations, recognizing outdated systems and software, forgotten and unmanaged domains or subdomains susceptible to known exploits, and ensuring third-party integrations meet security standards. 

Thus, an effective EASM strategy goes beyond solely identification of vulnerabilities, providing actionable insights, and facilitating timely remediation. By integrating EASM into their security framework, organizations can ensure robust defense against external threats, uphold their reputation, and safeguard critical data and infrastructure.

Internal vs External Attack Surface Management

The difference between internal and external attack surface management lies in their focus areas within an organization's digital infrastructure. 

• External attack surface management (EASM) emphasizes digital assets exposed to the internet, like public web servers, APIs, and cloud services, ensuring they are well-identified and protected from threats from external sources.

• Conversely, internal attack surface management concentrates on safeguarding assets placed behind an organization’s firewalls, including internal databases, endpoints and private networks, defending against potential insider threats and breaches that might exploit these internal resources. 

Both approaches collectively offer a holistic security strategy for a company's entire digital landscape.

Lifecycle of External Attack Surface Management Program

The lifecycle of an external attack surface management (EASM) program consists of seven steps. In this section, as we explain each step, we will offer a solid, real-life example to illustrate how an EASM process operates within an organization. 

Scenario: While running an external attack surface management program, an organization finds that among their various digital assets, some were using outdated and unpatched Log4Shell vulnerabilities. 

Here's how the EASM program lifecycle might address such a discovery [2]:

• Asset Discovery: The EASM program begins by identifying all external-facing assets, even those previously overlooked. 

In the process, they identify that many of their systems run Java-based applications, indicating potential use of the Log4j library.

• Vulnerability Identification: In the second step, they scan the identified assets to detect potential vulnerabilities, using advanced tools that go beyond legacy technologies. 

The scans discover multiple systems using vulnerable versions of the Apache Log4j library (CVE-2021-44228), a significant concern due to the severity of the vulnerability.

• Contextual Analysis: The security team evaluates the risk associated with each vulnerability, considering its business impact, data at risk, and exploitability.

They discover that an internal application used for financial transactions uses a vulnerable Log4j version, highlighting immediate remediation action.

• Prioritization: For the prioritization effort, rank vulnerabilities based on their potential impact and exploitability, not just on generic classifications.

The vulnerability on the financial transaction application is escalated to the top of their remediation list due to potential financial loss and brand damage. However, due to the pervasiveness of Log4j, a roadmap for patching all affected systems is created.

• Remediation: Collaboratively address vulnerabilities by engaging cross-functional teams, providing them with detailed evidence and guidance.

The organization’s IT team first isolates the financial application from the internet to prevent potential exploitation. After backing up the system, they update Log4j to version 2.17.1, ensuring the server is protected from CVE-2021-44228, as well as the subsequent vulnerabilities CVE-2021-45046 and CVE-2021-44832. The organization also reviews the patching documentation carefully to guarantee correct application. 

Given the lessons learned from this vulnerability's history , they make sure to validate and test the patches in a staging environment before deploying to production.

• Validation: Post-remediation, continuously validate that vulnerabilities have been effectively addressed and remain so.

Given the critical nature of the vulnerability, the security team leverages a Breach and Attack Simulation (BAS) solution to mimic the potential Log4Shell exploit attempts and test the effectiveness of existing security controls against a possible attack.

By simulating real-world attack scenarios, they validate that the patch is successfully mitigating the risk and that the system remains resilient against other related threats.

• Continuous Monitoring: Adopt a proactive stance by continuously monitoring the attack surface for changes and new vulnerabilities.

Post-validation, continuous monitoring solutions are further tightened or behaviors on all systems. Moreover, given the lessons from this vulnerability, the organization decides to conduct periodic deep-dives into their EASM program to identify and rectify potential blind spots.

Challenges in External Attack Surface Management 

External attack surface management (EASM) faces several challenges in the ever-expanding digital landscape, amplified by the complex nature of digital environments. 

• Vast Digital Landscape: As organizations’ IT environments become increasingly complex, attackers are continuously looking for exposed data-points across public domains and subdomains, making the external attack surface more vulnerable, regardless of on-premise or remote assets.

• Cloud Operations Escalation: The increasing shift towards cloud services heightens the exposure of sensitive data points, creating more entry points for adversary reconnaissance and exploitation.

• Unregulated Asset Exposure (Shadow IT): Digital assets, whether on-premise or cloud, might inadvertently get exposed without the knowledge or consent of IT and security teams, creating undisclosed vulnerabilities.

• Operational Fragmentation: Digital assets managed by different departments, from IT to HR, can create visibility gaps. One department might be unaware of vulnerabilities associated with assets managed by another.

• Extended Organizational Risks: The exposure doesn't end at an organization's boundaries. Third-party vendors and suppliers introduce further vulnerabilities, with supply chain risks becoming a significant concern due to potential large-scale downstream impacts from breaches.

What Is the Difference Between EASM and CAASM?

The difference between External Attack Surface Management (EASM) and Cyber Asset Attack Surface Management (CASM) lies primarily in their scopes of focus. 

EASM is primarily concerned with identifying, analyzing, and mitigating risks related to an organization's external-facing digital assets, such as public web servers and applications accessible from the internet. On the other hand, CAASM takes a broader approach, encompassing the management of all cyber assets, both internal and external. This includes assets behind corporate firewalls, such as internal servers and databases, as well as those facing the public. 

Essentially, while EASM focuses on threats from the external digital environment, CAASM provides a more holistic view, covering the entire cyber asset landscape of an organization.

Gartner’s Hype Cycle on External Attack Surface Management (EASM)

In their press release of “Top Security and Risk Management Trends for 2022” [3], Gartner emphasizes the significance of evolving strategies to protect an organization's growing digital footprint against contemporary threats. A key trend identified is the expansion of the enterprise attack surface. As enterprises diversify their operations with cyber-physical systems, IoT, open-source code, cloud applications, digital supply chains, and social media, they are presented with a broadening array of external assets that are potentially at risk. 

Figure 2. Gartner’s Common Use Cases Supported by CAASM, EASM and DRPS. 

Traditional security methods may not be sufficiently comprehensive to monitor, detect, and respond to the vast range of exposures in this expanded attack surface. Gartner suggests that security solutions like 

• Digital Risk Protection Services (DRPS), 

• External Attack Surface Management (EASM), and 

• Cyber Asset Attack Surface Management (CAASM)

are pivotal. These technologies empower Chief Information Security Officers (CISOs) by automating the discovery of security gaps and visualizing both internal and external business systems. This proactive approach ensures that as the digital landscape of organizations evolves, their security measures keep pace.

Microsoft Defender External Attack Surface Management (EASM)

Defender EASM, or Microsoft Defender External Attack Surface Management [4], provides a solution for managing an organization's external digital attack surface. It continuously maps and discovers the digital infrastructure exposed to the internet, giving an external perspective of an organization's online presence. By doing so, it allows security and IT teams to identify unknown assets, prioritize risks, eradicate threats, and control vulnerabilities even beyond the organization's firewall. 

The system uses Microsoft's proprietary discovery technology to recursively search for infrastructure connected to known legitimate assets, using these as "seeds" to further identify and uncover unmonitored and unknown properties. These assets, which include domains, hostnames, web pages, IP blocks, and more, are indexed and categorized in the Defender EASM Inventory. This offers a dynamic record of all online infrastructure affiliated with an organization. 

Additionally, Defender EASM provides dashboards for quick insights into online infrastructure and associated risks. It also allows for flexible management of assets with features to filter specific insights, catering to various use cases. Moreover, it ensures clear user permissions, data residency, availability, and privacy by delineating roles and handling customer data with a strong focus on security and compliance.

Key Features to Seek in External Attack Surface Management Tools 

There are eight main features that a top-tier external attack surface management (EASM) solution should offer to its customers.

• Comprehensive Asset Discovery: A top-tier EASM solution should offer autonomous detection capabilities, promptly identifying all exposed assets, be they known or previously overlooked, across various environments and the supply chain. With Shadow IT rampant and inadvertent human mistakes, it's imperative that the tool captures every digital presence associated with the organization.

• Context-Driven Analysis: An EASM tool should provide business context insights, elucidating which business unit, subsidiary, or third-party vendor is linked to each exposed asset. Furthermore, understanding the asset's connectivity to the primary network is crucial for informed risk assessment.

• Categorized Asset Overview: Automatic asset classification ensures that security teams can immediately view and categorize exposed assets based on distinct criteria like platform, service type, or other specified categories. This assists in streamlining remediation efforts and prioritizing tasks.

• Real-time Risk Notification: Modern EASM tools should not only generate a complete asset inventory but also notify teams in real-time about new vulnerabilities, exposures, and other security concerns. This proactive approach ensures that potential threats are identified and managed promptly.

• Enhanced Operational Efficiency: The solution should streamline security operations. By offering automated risk prioritization and built-in remediation recommendations, these tools reduce manual labor, thus conserving time. Moreover, facilitating seamless sharing of findings with internal units and external vendors ensures unified and efficient remediation efforts.

• Maximizing Existing Tools: It's pointless to have vulnerability scanners or penetration testing tools if they aren’t aware of all assets. By providing an always updated view of every asset, an EASM tool ensures that you derive the maximum potential from your existing security arsenal.

• Cost Optimization: Effective EASM solutions also aid in cost optimization. By spotting legacy systems or superfluous tools and servers, organizations can cut down on redundant IT expenditures.

• Continuous Monitoring: Given the dynamic nature of digital assets and the evolving threat landscape, it's pivotal for the tool to offer continuous monitoring of the external surface. This should generate security insights and risk prioritization grounded on the business context, enabling teams to address the most pressing vulnerabilities.

In essence, when choosing an EASM tool, it’s essential to opt for a solution that offers a blend of comprehensive asset discovery, real-time alerting, context-driven insights, and streamlining capabilities. As the digital domain expands and becomes more complex, these features are indispensable for ensuring robust external attack surface management.