What is Attack Surface Management?
Introduction
Attack Surface Management (ASM) is one of those terms that is used in different contexts to mean different things. Is it a product? A service? A process? A random phrase produced by Gartner's buzzword generation script? In this post we are going to look at what it really means, what value it provides, and how you go about actually doing it.
What, Exactly, is ASM?
Attack Surface Management is the act of managing your attack surface. That is all.
Let’s start with a bit of a reality check. ASM, like many other effective security measures, does not generally start and end with you going out and buying something. There are a lot of ways that various tools and services can help you to effectively manage your attack surface but there really isn’t any kind of magic box or service you can buy that is just going to do the job for you.
But wait! Where are the fancy lifecycle diagrams? The long-drawn-out pseudo-techno-marketing terms? The elaborate explanation of why you must buy something or you will immediately be invaded by a horde of angry hackers? Sorry, but my aim here is to educate rather than sell you something, so we are going to stay in the real world [well, ok, we actually would like to sell you something, but we will get to that later].
Why Does ASM Matter?
The act of proactively managing your attack surface does mark a significant cultural change. Historically, an organisation’s attack surface was essentially an unmeasured emergent property. You buy and deploy whatever you need to run your business, some things get deployed internally, some go on the Internet and some live in the cloud. You buy lots of firewalls to keep everything nice and secure and generally life is good and you sleep well at night.
Then three things happen that really drop a spanner in the works:
First, you wake up one morning and realise that your network now spans so many different locations and combinations of on-prem, colocated, and cloud based infrastructure that you are no longer sure about the real extent of your network or what it really exposes to the Internet.
Then it becomes clear that a good chunk of your software real estate, generally described as being “100% secure with extra military grade security and unbreakable high security 372.5 bit encryption”, is actually so riddled with vulnerabilities that you are spending more time patching it than using it.
Finally, the entire world of organised crime suddenly realises that network and data access can be used to extort significant sums of money, and you find yourself in the middle of a raging ransomware pandemic.
So, what do you do now? [hint: buying more security software that is riddled with yet more vulnerabilities is probably not the right answer]. The right step is to get control of your attack surface. Or, more generally, to start proactively understanding, monitoring and reducing your attack surface to ensure your organisation can withstand the current onslaught of attacks. You just took your first step into the world of ASM.
The above may be something of an extreme example but many organisations are going through this type of perspective change and are starting to put more focus on proactive attack surface management and risk reduction.
This is an awesome development. The cybersecurity industry is full of people trying to sell 'magic security boxes' (that actually tend to increase your attack surface) so this shift towards real and effective risk reduction is a breath of fresh air. If you are looking to take your first steps into ASM then let me be the first to congratulate you: it is genuinely one of the most strategically critical steps that any organisation can take to protect itself, so you are going in the right direction.
What is my Attack Surface?
Simply put, an attack surface is all the reachable elements of your organisation that a specific attacker can interact with. There is one subtlety here that needs to be understood, so allow me to introduce the Special Theory of Relativity Attack Surface Management: Your attack surface depends on the observer’s frame of reference. In other words: there are lots of different ‘views’ of your attack surface.
As an anonymous Internet-based attacker, I see one specific view of your organisation. As an employee, I see a different one; as an attacker that just connected to your office WiFi, I see yet another attack surface. There are two key characteristics of an attacker that dictate their specific view of an organisation's attack surface:
Where Are They? The physical and logical position of an attacker generally dictates the elements of your organisation that are within reach.
Who Are They? Who, in this context, means which accounts or identities does the attacker have access to.
You can now start to form a picture of your organisation as a set of layered attack surfaces that are accessible to a specific set of potential attackers. The true nature of ASM then becomes clear: it is essentially a continuous organisation-wide threat modeling and risk mitigation process.
How do I do It?
The good news is that there isn't really any "wrong" way to do ASM. Everything you do that involves looking at your organisation from the perspective of an attacker, and then shoring up your defenses accordingly, is likely to have a good return in terms of real-world risk reduction.
The optimal set of tools and processes will vary widely between organisations so there isn’t really a single prescriptive process that will work for everybody. That said, there are some generally applicable areas of focus. We would recommend that any ASM process includes some elements of the following:
Definition: Define the specific attack surface views that are most applicable to your organisation. For many, a good starting point is to consider your attack surface from the perspective of an unauthenticated Internet-based attacker. You can add additional attack surface views later and then follow the same process in an iterative manner.
Measurement: Make sure you fully understand the existing elements of your attack surface. This can involve asset enumeration, internal or external scanning, or use of other existing tools and processes. Completeness and accuracy are key here, so it always helps to use two or more approaches and then cross check the results.
Risk Monitoring: Attack surfaces grow and evolve as systems are deployed or retired. Your current risk picture will also be constantly changing as threats, weaknesses, and vulnerabilities appear and are mitigated. Risk Monitoring will give you a current picture of the areas you need to focus on and the immediate threats that need to be mitigated.
Reduction: Software contains vulnerabilities. More software and more features means more vulnerabilities. This is not rocket science. Reducing your attack surface is the single most powerful tool you have to reduce real-world security risk. This can range from removing whole products through to reducing the range of versions and features that you deploy.
Restriction: Using strong authentication and authorisation to effectively hide attack surface elements from unauthenticated attackers can make a material difference when it comes to limiting exposure to zero day vulnerabilities and automated attacks. Hiding remote services behind a VPN, or any other authenticating gateway, or even just using IP level restrictions can all be valuable defense measures.
Resilience: The set of components that form your attack surface should be supported, patched and securely configured. This is an ongoing process that encapsulates vulnerability management and software assurance maintenance. Remember that secure deployment best practices do evolve over time so it is important to look at secure deployment as an ongoing process rather than something that is just done when a new product is initially deployed.
Planning and Risk Management: Forward planning is key to being able to keep your attack surface under control. The mitigation of existing risks, implementing strategic changes such as strong authentication, the consolidation and homogenisation of deployed software components and ensuring that security assurance is a prime consideration when selecting new software components are all part of an ASM process.
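The "frame of reference" idea from the previous section, together with the Definition, Restriction and Risk Monitoring steps above, can be made concrete in a small model. This is an added example, not code from the original post or from EdgeScope: the hosts, network positions and the identity-to-position mapping are all constructed assumptions.

```python
"""Attack-surface views by attacker frame of reference, with a Restriction step.
Added example; hosts and positions are constructed, not real assets."""
from dataclasses import dataclass

# Identity an attacker holds -> network position that identity unlocks (assumed model).
POSITION_GRANTED_BY = {"vpn_user": "vpn", "employee": "office_lan"}

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str
    reachable_from: frozenset  # network positions from which the port is reachable

@dataclass(frozen=True)
class Attacker:
    position: str                        # where they are: "internet", "office_lan", "vpn"
    identities: frozenset = frozenset()  # who they are: accounts they control

def effective_positions(attacker):
    """'Where' plus every position that 'who' (their identities) unlocks."""
    return {attacker.position} | {POSITION_GRANTED_BY[i]
                                  for i in attacker.identities if i in POSITION_GRANTED_BY}

def attack_surface(services, attacker):
    """One attacker's view: the services they can actually interact with."""
    reach = effective_positions(attacker)
    return sorted((s.host, s.port, s.name) for s in services if s.reachable_from & reach)

def restrict_to_vpn(services, host, port):
    """Restriction step: make one service reachable only from behind the VPN gateway."""
    return [Service(s.host, s.port, s.name, frozenset({"vpn"}))
            if (s.host, s.port) == (host, port) else s for s in services]

def diff_surface(before, after):
    """Risk Monitoring step: (appeared, disappeared) between two snapshots of a view."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))

# Constructed inventory (hypothetical hosts under .test); the exposed RDP host is the
# kind of element the Restriction step is meant to hide from anonymous attackers.
SERVICES = [
    Service("www.example.test", 443, "https", frozenset({"internet", "office_lan", "vpn"})),
    Service("vpn.example.test", 443, "vpn-gateway", frozenset({"internet"})),
    Service("rdp.example.test", 3389, "rdp", frozenset({"internet", "vpn"})),
    Service("wiki.example.test", 80, "http", frozenset({"office_lan", "vpn"})),
]
ANON = Attacker("internet")                                # unauthenticated Internet view
VPN_USER = Attacker("internet", frozenset({"vpn_user"}))   # same place, different identity
```

Calling `attack_surface(SERVICES, ANON)` before and after `restrict_to_vpn(SERVICES, "rdp.example.test", 3389)`, then passing both results to `diff_surface`, shows the RDP service dropping out of the anonymous view while it stays in the VPN user's view.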
Towards Zero Trust
An effective ASM process will tend to move you towards having a minimal attack surface that is visible to unauthenticated users. The ideal end goal is that the only attack surface visible to an unauthenticated attacker will be a hardened authentication and authorisation service. In other words, ASM will tend to encourage a gradual transition towards a Zero Trust architecture.
While a Zero Trust architecture can be significantly more robust than a traditional complex and sprawling network perimeter, making the transition to Zero Trust can be so difficult that it is often seen as an unreachable goal. Adopting an effective ASM process will help you to realise real short-term assurance improvements while supporting a longer-term shift towards a Zero Trust architecture, which means that ASM can be a valuable strategic stepping stone.
Conclusion
Attack surface management marks a fundamental change in attitude towards security. It amounts to taking proactive ownership of security risks and is a vastly more effective strategy than going out and playing "cyber-shopping-bingo" by buying a shiny new security appliance to cover every new threat and industry buzzword. Even the very best exploit detection and response technologies will simply never catch all the attacks in time to prevent a data breach.
Fundamentally, ASM is about focusing on prevention rather than cure. With the relentless growth in ransomware attacks, and the continuing tsunami of reported vulnerabilities in widely used software, it is difficult to see how any organisation will be able to remain secure unless they put a strong focus on maintaining a minimal and secure attack surface.
Can we Help?
We provide a range of options that can help organisations to define and implement an effective ASM process.
Our EdgeScope Attack Surface Management platform is designed to enable organisations to get a continually updated, risk-centric perspective on all the resources, components, and risks that are externally visible. EdgeScope's full attack surface index makes it easy to find specific resources or components and to extract a range of deployment metrics, while SurfaceWatches enable an organisation to closely monitor their attack surface for any changes. These features were explicitly designed to effectively support the range of ASM activities outlined earlier in this post.
We also provide a range of consulting engagements and subscription services that are designed to help organisations manage and monitor their attack surface. These range from attack surface and asset enumeration through to a managed vulnerability monitoring service.
As mentioned above, the optimal approach to ASM will tend to vary between organisations. If you are looking for some help and support with your ASM process then we can also provide custom consulting engagements, or a customised package of EdgeScope and supporting consulting effort, to help you on the way. If you would like to discuss this then please get in touch.