The widespread adoption of cloud services, the resulting growth of organizational networks, and the recent migration to remote work have directly expanded the attack surface of organizations and created blind spots in their connected architectures.
The unforeseen result of this expanded attack surface, combined with fragmented monitoring, has been a marked increase in successful cyber-attacks, most notoriously ransomware, but spanning many other attack types as well. Attackers use unmonitored blind spots to gain entry, then move laterally in search of valuable information.
The problem is one of discovery. Most organizations have evolved faster than their ability to keep track of all the moving parts, and cataloging every past and present asset is often viewed as a complex, resource-heavy task with little immediate benefit.
However, given the potential cost of a successful breach and the growing ability of attackers to identify and use exposed assets, leaving even a single asset unmonitored can lead to a catastrophic breach.
This is where newer technologies such as Attack Surface Management (ASM) can prove extremely valuable.
What’s Attack Surface Management?
ASM is a technology that either mines Internet datasets and certificate databases or emulates the reconnaissance techniques attackers run. Either way, the aim is a thorough analysis of every asset found in the discovery phase. Both approaches scan your domains, sub-domains, IPs, ports, shadow IT, etc., for internet-facing assets, then analyze them to detect vulnerabilities and security gaps.
Advanced ASM includes actionable mitigation recommendations for each identified security gap. These range from retiring unused assets to shrink the attack surface, to alerting individuals that their email addresses might be used in phishing attacks.
ASM also reports on Open-Source Intelligence (OSINT) that could be used in a social engineering attack or phishing campaign, such as personal information publicly available on social media or in material such as videos, webinars, public speeches, and conference talks.
Ultimately, the goal of ASM is to ensure that no exposed asset is left unmonitored and to eliminate any blind spot that could become the point of entry an attacker uses to gain an initial foothold in your systems.
Who needs ASM?
In his webinar on the 2021 State of Cybersecurity Effectiveness, cyber evangelist David Klein directly addresses the concerning findings uncovered by Cymulate users' adoption of ASM. Unbeknownst to them, prior to running ASM:
- 80% did not have anti-spoofing SPF email records
- 77% had insufficient website protections
- 60% had exposed accounts, infrastructure, and management services
- 58% had hacked email accounts
- 37% used externally hosted Java
- 26% had no DMARC record configured for their domain
- 23% had an SSL certificate host mismatch
Once identified, these security gaps could be plugged, but the worrying factor is the extent of the exposure that went unknown before it was identified.
The ASM users included in the analysis span many industries, countries, and organization sizes. This indicates that anyone with a connected infrastructure stands to benefit from adopting ASM as an integral part of their cybersecurity infrastructure.
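Three of the exposure classes in the list above (missing or permissive SPF, missing or monitor-only DMARC, and TLS certificate host mismatch) can be checked with a small amount of code once the DNS records and certificate names have been collected. The script below is an added example written for this page, not Cymulate's tooling or code from the webinar. It assumes DNS TXT answers and certificate subject names have already been fetched and passes them in as constructed sample data, so it runs offline; the domain example.com and the hostnames are placeholders.

```python
"""Offline checks for three ASM finding classes: SPF, DMARC and certificate
host mismatch. DNS answers and certificate names are constructed sample data
standing in for what a DNS TXT lookup and a TLS handshake would return."""


def parse_spf(txt_records):
    """Return the terms of the v=spf1 record in a list of TXT strings, or None."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            return rec.split()[1:]
    return None


def spf_findings(txt_records):
    """Flag a missing SPF record or one whose 'all' mechanism lets anyone send."""
    terms = parse_spf(txt_records)
    if terms is None:
        return ["no SPF record (sender spoofing not restricted)"]
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF record has no 'all' mechanism (defaults to neutral)")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means +all
        if qualifier in "+?":
            findings.append(f"SPF ends in '{last}' (any host may send as this domain)")
    return findings


def parse_dmarc(txt_records):
    """Parse a 'v=DMARC1; tag=value; ...' record into a dict, or None if absent."""
    for rec in txt_records:
        if rec.replace(" ", "").lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def dmarc_findings(txt_records):
    """Flag a missing DMARC record, a p=none policy, or no reporting address."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return ["no DMARC record at _dmarc.<domain>"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid 'p' policy tag")
    elif policy == "none":
        findings.append("DMARC policy is p=none (monitor only, spoofed mail still delivered)")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so aggregate reports are never received")
    return findings


def hostname_matches(hostname, cert_names):
    """Match a hostname against certificate names the way TLS clients do:
    a wildcard covers exactly one leftmost label, so *.example.com matches
    www.example.com but neither example.com nor a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                 # ".example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False


def cert_findings(hostname, cert_names):
    """Report a host mismatch when no certificate name covers the hostname."""
    if not hostname_matches(hostname, cert_names):
        return [f"certificate served by {hostname} is for {', '.join(cert_names)} (host mismatch)"]
    return []


def assess(apex_txt, dmarc_txt, https_hosts):
    """Combine the three checks; https_hosts maps hostname -> certificate names."""
    findings = spf_findings(apex_txt) + dmarc_findings(dmarc_txt)
    for host, names in https_hosts.items():
        findings += cert_findings(host, names)
    return findings


# Constructed sample input (placeholder domain, not real lookup results).
SAMPLE_APEX_TXT = ["v=spf1 include:_spf.mailer.invalid ~all", "site-verification=abc123"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
SAMPLE_HTTPS_HOSTS = {
    "www.example.com": ["*.example.com", "example.com"],
    "old-portal.example.com": ["shop.example.com"],  # forgotten host, wrong cert
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_APEX_TXT, SAMPLE_DMARC_TXT, SAMPLE_HTTPS_HOSTS):
        print("-", finding)
```

Run against the sample data it reports two findings: the DMARC policy is p=none, and the forgotten old-portal host serves a certificate issued for a different name. The SPF record passes because it ends in ~all; the same parser would flag +all, ?all or a missing record.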
Where can I find ASM in my area?
Though the technology is still recent, there is a growing number of ASM vendors. As always, it is more efficient to adopt ASM as part of a broader platform rather than as a stand-alone product.
The focus of an ASM solution is partly dictated by the basket of products it is associated with. An ASM solution bundled with a reactive suite such as Endpoint Detection and Response (EDR) is more likely to be based on expanded scanning abilities, whereas one included in a proactive platform such as Extended Security Posture Management (XSPM) is more likely to use those scanning capabilities to emulate attackers' reconnaissance techniques and tooling.
Selecting an integrated ASM makes it easier to centralize data about the organization's security posture in a single pane of glass, reducing the risk of data overload for SOC teams.