How Attack Surface Management Preempts Cyberattacks

Attack Surface Management

The wide-ranging adoption of cloud facilities and the subsequent mushrooming of organizations’ networks, combined with the recent migration to remote work, had the direct consequence of a massive expansion of organizations’ attack surface and led to a growing number of blind spots in connected architectures.

The unforeseen results of this expanded and attack surface with fragmented monitoring has been a marked increase in the number of successful cyber-attacks, most notoriously, ransomware, but covering a range of other types of attacks as well. The main issues are unmonitored blind spots used by cyber-attackers to breach organizations’ infrastructure and escalate their attack or move laterally, seeking valuable information.

The problem lies in discovery. Most organizations have evolved faster than their ability to keep track of all the moving parts involved and to catch up to catalog all past and present assets is often viewed as a complex and resource-heavy task with little immediate benefits.

However, given the potential cost of a successful breach and the increased ability of cyber-attackers to identify and use exposed assets, leaving any single one unmonitored can lead to a catastrophic breach.

This is where emerging technologies such as Attack Surface Management (ASM) can be invaluable.

What is Attack Surface Management (ASM)?

ASM is a technology that either mines Internet datasets and certificate databases or emulates attackers running reconnaissance techniques. Both approaches aim at performing a comprehensive analysis of your organization’s assets uncovered during the discovery process. Both approaches include scanning your domains, sub-domains, IPs, ports, shadow IT, etc., for internet-facing assets before analyzing them to detect vulnerabilities and security gaps.

Advanced ASM includes actionable mitigation recommendations for each uncovered security gap, recommendations ranging from cleaning up unused and unnecessary assets to reduce the attack surface to warning individuals that their email address is readily available and might be leveraged for phishing attacks.

ASM includes reporting on Open-Source Intelligence (OSINT) that could be used in a social engineering attack or a phishing campaign, such as personal information publicly available on social media or even on material such as videos, webinars, public speeches, and conferences.

Ultimately, the goal of ASM is to ensure that no exposed asset is left unmonitored and eliminate any blind spot that could potentially devolve into a point of entry leveraged by an attacker to gain an initial foothold into your system.

Who needs ASM?

In his webinar about the 2021 State of Cybersecurity Effectiveness State, the cyber evangelist David Klein directly addresses the concerning findings that were uncovered by Cymulate’s users adoption of ASM. Unbeknownst to them, prior to running ASM:

  • 80% did not have anti-spoofing, SPF email records
  • 77% had insufficient website protections
  • 60% had exposed accounts, infrastructure, and management services
  • 58% had hacked email accounts.
  • 37% used externally hosted Java.
  • 26% had no DMARC record configured for domain.
  • 23% had SSL Certificate host mismatch.

Once identified, these security gaps could be plugged, but the worrying factor is the extent of the unknown exposure prior to their identification.

The ASM users in this analysis are from a large array of industry verticals, regions, and organizations size. This indicates that anyone with a connected infrastructure stands to benefit from adopting ASM as an integral part of their cybersecurity infrastructure.

Where can you find ASM?

Though the technology is still recent, there are a growing number of ASM vendors. As always, it is more efficient to consider adding ASM as a part of a more developed platform rather than a stand-alone product.

The focus of an ASM solution is partly dictated by the focus of the basket of products it is associated with. As such, an ASM solution associated with a reactive suite such as Endpoint Detection and Response (EDR) is more likely to me based on expanded scanning abilities, whereas an ASM solution included into a proactive platform such as Extended Security Posture Management (XSPM) is more likely to be focused on leveraging scanning capabilities to expand on emulating cyber-attackers’ recon techniques and tooling.

Selecting an integrated ASM facilitates centralizing data related to the organization’s security posture in a single-pane-of-glass, reducing the risk of SOC teams’ data overload.