What Is Attack Surface Management?

5 min. read

Attack surface management (ASM) is the process of continuously identifying, monitoring, and managing all internal and external internet-connected assets for potential attack vectors and exposures. 

The ultimate goal of ASM is to increase visibility and reduce risk. By taking a proactive approach to identifying and mitigating vulnerabilities, organizations can significantly reduce the risk of cyberattacks and improve their overall security posture.

 

What Is an Attack Surface?

The attack surface is the sum of all the points where an attacker could attempt to gain access to a company's systems and data. This includes the following:

  • Applications: Any software application accessible from outside the company, such as web applications, mobile apps, and APIs.
  • Websites: All websites hosted by the company, including public, internal, and e-commerce websites.
  • Networks: Any network used by the company to connect its devices and systems, including the Internet, private networks, and cloud networks.
  • Devices: Any device connected to the company's networks, including laptops, smartphones, servers, and IoT devices.
  • Cloud infrastructure: Any cloud infrastructure used by the company, such as public clouds, private clouds, and hybrid clouds.

The attack surface of an organization is constantly expanding due to factors such as cloud adoption, and the increasing number of connected devices. This makes it increasingly difficult for organizations to keep track of all of their vulnerabilities and take steps to mitigate them.

 

Why Is ASM Important?

You can’t secure what you don’t know exists. Attack surface management helps organizations gain visibility into and reduce risks on their attack surface. Internal and external attack surface management are both necessary due to the dynamic nature of organizations pursuing a move to the cloud.

Organizations can reduce the risk of cyberattacks and data breaches by minimizing the number of entry points and vulnerabilities in their systems and networks. Minimization ensures your organization has a comprehensive and continuously updated inventory of all internet-facing assets and associated risks.

Creating a complete system of record like this requires a new approach because network perimeters are a thing of the past, so the traditional view of an organization’s attack surface no longer applies. A modern attack surface comprises any internet-facing asset in the cloud, on-premises, or colocated in multiple places.

Between multi, private, and public clouds, inheriting assets via mergers and acquisitions (M&A), and access from supply chain partners and remote workers, it’s impossible for IT experts to keep track of all assets and the people responsible for them via manual methods.

Traditionally, asset inventories have been generated with slow, manual, and infrequent processes, including red team exercises or penetration tests. Unfortunately, modern infrastructure, especially in the cloud, can change instantly. All it takes for a new cloud instance to be created outside of security processes is an employee with a credit card. This is one of the most common ways an attack surface grows.

Additionally, the quality of data in an asset inventory directly impacts the efficacy of all security processes. Vulnerability scanners that only check known assets mean unknown assets cannot be secured. These unknown assets are a direct threat and let security teams lose control.

An MIT Technology Review Insights survey found that 50% of organizations had experienced a cyberattack on an unknown or unmanaged asset, and another 19% expected an imminent incident.

 

The Speed and Scale of the Internet

Malicious actors will find and target unknown assets because they are simply looking for easy targets. Attackers have undergone their own digital transformation and can scan the entire internet for vulnerable systems in less than an hour. This means a defender’s mean time to inventory (MTTI) of all assets on their attack surface needs to be faster than an attacker can stumble on them.

According to Cortex Xpanse, threat actors scan to inventory vulnerable internet-facing internal assets once per hour and even more frequently—in 15 minutes or less—following CVE disclosures. Meanwhile, global enterprises, on average, need 12 hours to find vulnerable systems, assuming the enterprise knows about all assets on its network.

Attack surface management involves considering all aspects to provide a continuously updated and comprehensive inventory of all assets connected to an organization's network. This includes IP addresses, domains, certificates, cloud infrastructure, and physical systems. It also maps out which part of the organization is responsible for each asset.

ASM must work at the speed and scale of the ever-growing IoT to continuously discover, identify, and mitigate risks across all public-facing assets, whether on-premises, in the cloud, or operated by subsidiaries and critical suppliers.

It must also scan from outside in and not rely on asset inventories or logs from other security products because those may need to be completed. External scanning ensures all known and unknown assets are accounted for, and this data can inform security processes.

In its 2021 Hype Cycle for Security Operations, Gartner discussed how looking at exposure through the lens of external attack surface management can provide “better enrichment for organizations to decide what matters to them—without having to look at the threat landscape in a more general way and wonder if they are affected.”

 

Types of Attack Surfaces

Several specialized categories fall under the purview of attack surface management, with each focusing on specific types of assets and their corresponding attack surfaces. A comprehensive understanding of the diverse types of attack surfaces is imperative for ensuring the robust security of our organization's assets.

These types include:

Type Definition Key Characteristics
External ASM (EASM) Focuses on managing external-facing assets. Includes websites, public cloud infrastructure, and social media accounts.
Internal ASM (IASM) Focuses on managing internal assets. Includes internal networks, devices, and applications.
Cyber Asset ASM (CAASM) Focuses on managing cyber assets. Includes software, data, and intellectual property.
Open Source ASM (OSASM) Focuses on managing open source software. Includes libraries, frameworks, and tools.

Deep dive into the types, categories and roles of attack surface management: What Are the Types and Roles of Attack Surface Management?

Known Assets

Known digital assets are devices, systems and applications that an organization's security teams are aware of and have authorized to connect to its network. These assets are included in an organization's inventory and are subject to regular security assessments and monitoring.

Unknown Assets

Unknown digital assets are the opposite: devices, systems, and applications that an organization and its security teams are unaware of and have not authorized in the network. These can include shadow IT, unauthorized devices, ransomware, or unmanaged applications. Unknown assets pose a significant risk to an organization's security as they can provide potential weaknesses in cybersecurity.

Rogue Assets

Like unknown digital assets, rogue digital assets are connected to a network without authorization. However, rogue assets refer to known assets that are unauthorized or pose a security risk.

In contrast, unknown assets are unidentified or undiscovered assets within a network or system that may have been authorized but forgotten. They are typically used to gain unauthorized access to an organization's network or data. Rogue assets can be challenging to detect and manage as they are not included in an organization's inventory or security controls.

Vendors

Vendors can pose a significant risk to an organization's security as they may introduce vulnerabilities or weaknesses into an organization's network or data. Organizations must carefully manage and monitor their relationships with vendors to minimize the risk of cyberattacks.

Management can include regular security assessments, contractual requirements for security, and ongoing monitoring and risk management. In the case of attack surface management, vendors can consist of software vendors, cloud service providers and other third-party service providers.

Core Functions of ASM

An attack surface management solution should utilize five core functions to protect against vulnerabilities. By performing these core functions, organizations can gain a comprehensive view of their attack surface, identify vulnerabilities and weaknesses, prioritize their efforts, and reduce the risk of cyberattacks and data breaches.

Discovery

During discovery, the organization and its security teams conduct scans, review logs, and use other tools to discover both known and unknown assets. The goal is to identify all the assets, systems, applications and entry points within an organization's network.

Mapping

Once all of the assets have been identified, the next step is to ensure that assets are automatically mapped to individual business units and subsidiaries and integrated with existing SOC tools for faster owner identification and enrichment to resolve incidents.

Context

Contextualizing helps organizations prioritize and focus their resources on the greatest risk and impact areas. The discovered assets and vulnerabilities must have context for effective attack surface management. This involves analyzing the assets and vulnerabilities in the context of an organization's specific risk profile, compliance requirements and business objectives.

Prioritization

The vulnerabilities and assets must be prioritized in order of importance based on their risk and potential impact, including factors such as the likelihood of exploitation, the potential impact of an attack, and the difficulty of remediation. This helps organizations and security teams focus their resources on addressing the most critical vulnerabilities first.

Remediation

Once vulnerabilities or weaknesses in an organization's network, systems or applications have been identified, they must be fixed. The goal of remediation is to reduce or eliminate the risk of potential cyberattacks or data breaches that may exploit these vulnerabilities.

Depending on the nature and severity of the vulnerability, remediation can happen in a few different ways. It may involve patching or updating software, configuring firewalls or other security controls, restricting access to certain assets, or decommissioning obsolete systems or applications. Remediation must be ongoing to ensure the vulnerability doesn’t reoccur or is reintroduced.

Explore how the ASM lifecycle approach provides a dynamic framework to help security teams proactively detect and mitigate cyber risks: What is the ASM Lifecycle?

Attack Surface vs. Threat Surface

While often used interchangeably, "attack surface" and "threat surface" are distinct concepts with subtle but crucial differences. Understanding these distinctions is vital for effectively securing your organization's assets.

The attack surface is broader, encompassing all potential vulnerabilities, and aims to reduce overall risk. The threat surface is more specific, focusing on vulnerabilities targeted by known threats and prioritizing vulnerabilities based on specific threats. The attack surface is also relatively static, changing slowly over time, while the threat surface is dynamic, evolving as new threats emerge and attacker tactics change.

By identifying and addressing vulnerabilities across the attack surface, while also focusing on specific threats that present the greatest risk, organizations can markedly improve their security posture and safeguard their critical assets.

Learn how to identify the differences in your attack and threat surfaces to strengthen your security strategies: What is the Difference Between Attack Surface and Threat Surface?

Key Threat Actors

In the ASM context, threat actors refer to individuals, groups, or entities that pose a risk to the security of your IT resources: data, applications, devices, network infrastructure, teams and so forth. Key threat actors in this context can include:

Hackers and Cybercriminals

Black Hat Hackers are individuals or groups with malicious intent who exploit vulnerabilities in software and IT operations for personal gain or to cause harm. Cybercriminals are individuals or (increasingly) groups who engage in activities such as identity theft, financial fraud, or the distribution of malware for financial profit.

Nation-State Actors

Governments or state-sponsored entities may engage in cyber-espionage, cyber-warfare, or other malicious activities to achieve political, economic, or military objectives. The U.S.-based Cybersecurity and Infrastructure Security Agency issues regular Threat Overview and Advisory reports on groups operating from, and working in cahoots with the governments in China, Russia, North Korea and Iran

Insiders

Employees, contractors or business partners who have inside knowledge of an organization's systems and may misuse their access for personal gain, revenge, or other reasons.

Hacktivists

Individuals or groups motivated by social, political, or ideological reasons who hack into systems to promote their beliefs or to protest against certain actions or organizations.

Attack Vectors Commonly Exploited

Attack vectors are the paths or methods that attackers use to exploit vulnerabilities and gain access to an organization's systems and data. It is a way for an attacker to exploit a vulnerability and reach its target. Examples of attack vectors include:

Phishing

Phishing attacks involve sending fraudulent emails or text messages that appear to be from a legitimate source, such as a bank, government agency, or trusted individual. These messages typically contain malicious links or attachments that, when clicked or opened, can install malware, steal sensitive information, or compromise user accounts.

Malware

Malware is software designed to harm or disrupt computer systems. Attackers often use malware to gain unauthorized access, steal data, or damage systems. Common types of malware include viruses, worms, ransomware, and spyware.

Social Engineering

Social engineering involves manipulating people into revealing sensitive information or taking actions that compromise their security. Attackers use various techniques, such as impersonation, pretexting, and fear-mongering, to trick victims into divulging confidential information or performing actions that benefit the attacker.

Web Application Vulnerabilities

Attackers often target web applications due to their widespread use and potential vulnerabilities. Common web application vulnerabilities include SQL injection, cross-site scripting (XSS), and insecure authentication mechanisms. Exploiting these vulnerabilities can allow attackers to steal data, gain unauthorized access, or disrupt website functionality.

Network Attacks

Network attacks target the network infrastructure of an organization, aiming to disrupt network traffic, gain unauthorized access to systems, or steal sensitive data. Common network attacks include denial-of-service (DoS) attacks, man-in-the-middle (MitM) attacks, and network scanning.

Zero-Day Exploits

Zero-day exploits target vulnerabilities that are unknown to the software vendor or developer. These vulnerabilities are highly dangerous as there are no patches or updates available to fix them. Attackers often use zero-day exploits to gain access to systems and steal sensitive information before the vulnerability is publicly disclosed.

Cloud Misconfigurations

Cloud misconfigurations occur when cloud services or applications are not configured securely, leaving them vulnerable to attacks. Common misconfigurations include insecure storage buckets, open ports, and weak access controls. Attackers can exploit these misconfigurations to gain access to sensitive data or disrupt cloud services.

Supply Chain Attacks

Supply chain attacks target third-party vendors or suppliers to gain access to an organization's systems or data. Attackers may compromise a supplier's systems or software to introduce malware or backdoors into an organization's network.

Insider Threats

Insider threats are security incidents caused by individuals who have authorized access to an organization's systems or data. These individuals may intentionally or unintentionally compromise security due to malicious intent, negligence, or lack of awareness.

Physical Attacks

Physical attacks target the physical security of an organization's facilities, equipment, or personnel. They may involve device theft, unauthorized access to restricted areas, or physical damage to equipment.

How to Mitigate Attack Surface Risks

Organizations, and specifically CISOs, should utilize internal and external attack surface management solutions to mitigate risks. This includes taking steps to:

  • Reduce the number of entry points into their systems and networks.
  • Identify and patch vulnerabilities in their systems and applications.
  • Implement strong authentication and access controls to limit sensitive data and systems access.
  • Monitor their systems and networks for unusual activity or suspicious behavior.
  • Regularly review and update their security policies and procedures to ensure they are up to date with the latest threats and best practices.

Explore the definitive CISO’s guide to ASM, with expert strategies for risk assessment, asset control and cybersecurity: How Does a CISO Effectively Manage the Attack Surface?

Attack Surface Assessment

To maintain security, it's crucial to continually assess your attack surface, vulnerabilities, and security protocols. Conducting regular attack surface analyses and vulnerability scanning can uncover emerging threats and points of exploitation.

Attack surface scoring and third-party risk assessment teams are valuable metrics for evaluating security posture. These methods offer insights into exposure to threats and provide recommendations to enhance security.

Assessment Metrics and Indicators

Attack surface scoring is a great way to measure your overall risk exposure and the health of your security posture. Most ASM solutions provide a great tool set for risk scoring, but to get a comprehensive global view of threats and security posture, bringing in a third-party risk assessment team can be a good idea.

The professional attack surface assessment process begins with reviewing and evaluating your existing network topologies, asset inventories, vulnerability scans, and other relevant information. Based on this information, the risk assessment team conducts interviews to further understand goals and concerns and gain knowledge of the attack surface.

These findings can then be enriched with threat intelligence and cutting-edge knowledge of relevant vulnerabilities and threats. The resulting observations and recommendations can be tailored to your environment and specific security concerns, with a focus on high-impact issues that are most likely to be exploited based on industry trends.

This approach allows you to prioritize your limited resources to ensure your defenses are working properly and understand the necessary steps to improve your security posture.

Discover how an attack surface assessment can jump-start and improve your ASM program: What is Attack Surface Assessment?

The Impact of Digital Transformation on the Attack Surface

As organizations have embraced digital transformations and remote work over the past decade, they have experienced significant changes in their attack surface. This has led to an expansion and evolution of potential points of vulnerability that malicious actors can exploit. Several IT trends have contributed to this expansion of vulnerabilities:

Increased Connectivity

Digital transformations often involve the integration of new technologies, devices, and systems. This increase in overall connectivity can expand the attack surface, as each new connection point introduces potential vulnerabilities that attackers may exploit.

Cloud Adoption

Moving services and data to the cloud is a common aspect of digital transformations. While cloud providers implement robust security measures, the configuration of cloud resources, access controls, and data transfers between on-premises and cloud environments can introduce new attack vectors if not properly managed.

Internet of Things (IoT)

The adoption of IoT devices is a key component of digital transformation. These devices, such as smart sensors and industrial IoT, can introduce new entry points for cyber threats. Insecurely configured or poorly maintained IoT devices, particularly those deployed with non-updated default passwords, can become targets for exploitation.

Mobile Workforce

Remote work and mobile computing are often facilitated by digital transformations. While work-from-home policies provide flexibility, they also increase the attack surface by exposing corporate networks to potentially insecure devices and public networks. Antiquated home routers with unpatched security flaws are widely recognized vulnerabilities. Additionally, mobile devices may become vectors for attacks if not adequately protected.

Third-Party Integrations

Organizations often integrate with third-party services and platforms to enhance their digital capabilities. However, each integration introduces a potential risk if not properly vetted and secured. Attackers may target vulnerabilities in third-party systems to gain access to the organization's network.

Cybersecurity Skill Gaps

Digital transformations often require new cybersecurity skill sets. Organizations may face challenges in maintaining a skilled workforce capable of addressing the evolving threat landscape associated with the transformed environment.

The most recent ISC2 Cybersecurity Workforce Study found that more than nine in 10 (92%) of professionals surveyed revealed they had skills gaps in their organization, with 67% reporting a shortage of cybersecurity staff needed to prevent and troubleshoot security issues.

Attack Surface Management Use Cases

Attack surface management (ASM) is not a one-size-fits-all solution but rather a versatile tool that can be applied to various use cases across different industries and organizations. Here are some prominent examples of how ASM can be used to address specific security challenges:

Attack surface management is a versatile tool that can be applied to various use cases across different industries and organizations. By identifying and mitigating vulnerabilities across the entire attack surface, ASM can help organizations reduce the risk of cyberattacks, protect critical assets, comply with security regulations, and enhance their overall security posture.

Explore the various ASM use cases and how they apply across industries: What are Common Use Cases for Attack Surface Management?

Attack Surface Management (ASM) FAQs

This depends on several factors, including the size of the organization, the complexity of the attack surface, and the level of risk. Ideally, attack surface management should be performed continuously rather than seasonally.
Prioritizing vulnerabilities for remediation depends on the organization's attack surface, the level of risk, and exploitability. Organizations should consider prioritizing according to severity rating, the chance of exploitability, impact on business, and which assets are most critical to the organization if compromised.
Organizations can do this in several ways:
  • Evaluate the percentage of vulnerabilities remediated over a given period to track the progress of the program.
  • Determine the time it takes to remediate vulnerabilities to identify areas for improvement in the remediation process.
  • Calculate the reduction in risk associated with the attack surface to demonstrate the program's impact on reducing the risk of cyberattacks.
  • Assess the organization's compliance with relevant industry standards and regulations to ensure that the program is meeting the required standards.
As discussed above, organizations must take a proactive and continuous approach to asset discovery and management. By implementing this approach, organizations can effectively manage the risks associated with unknown and unmanaged digital assets in their attack surface.