Strengthening security with Attack Surface Management – Communication from the ACM

As a rule, breaches of corporate networks are not usually caused by the exploitation of zero-day vulnerabilities or the use of advanced hacker tools. Most breaches occur due to numerous small vulnerabilities in the perimeter, such as unpatched servers, misconfigured databases, and uncontrolled shadow IT.

Quickly identify external vulnerabilities

Attack Surface Management is a relatively new approach, building on an earlier development by engineers: a network infrastructure graph that illustrates the relationships between domains, IP addresses, server certificates, attackers, malware and other digital entities on the global Internet.

Initially the chart was developed for research purposes. For example, it allowed researchers to quickly visualize all relevant connections for a known domain used by attackers, including TTP, command and control centers, IP addresses, and more.

Today, Attack surface management solutions enable the collection of assets associated with a specific customer using data from the global graph. These assets are considered the attack surface and the data is automatically updated in sync with the broader cyber intelligence graph.

Attack surface assets include anything accessible from the outside, such as domains, IP addresses, ports, server certificates, and login forms. At the same time, ASM does not concern itself with the company’s internal infrastructure within its perimeter.

Imperfect scanners and human supervision

Experience shows that attackers are generally not interested in attacking a company’s main domain, as it is likely well secured, with up-to-date software and strong passwords.

It is much more attractive for attackers to explore subdomains listed in the DNS, or a separate mail server in a different domain, because non-core assets typically receive much less attention from administrators – sometimes none at all.

For a long time, vulnerability scanners were quite simple: administrators entered a list of domains and IP addresses for periodic scans. This approach works well for the first few months: the scanner identifies vulnerabilities and the team addresses them.

However, as the organization grows, the process often becomes undocumented and people forget to update the scanner with information about new assets. This allows the scanner to show that everything is fine and everyone is happy – until an incident occurs. During the investigation, it becomes clear that the address of new assets has never been added to the scanner, leaving them in the shadows.

Although scanners have evolved rapidly in recent years, some tasks remain unsolvable for them, especially in the field of scanners cloud defense environments. Attack Surface Management systems can automatically discover new assets via API and supplement scanners with this information.

This approach is much more resistant to human error. An additional benefit of Attack Surface Management is the ability to gather information about data breaches, Dark Web entries, and malware: insights that regular scanners cannot gather. This information comes from the Threat intelligence cyber reconnaissance system database.

If ASM detects a new domain or subdomain associated with a specific client, it suggests adding these assets to the investigated attack surface.

The company can choose to ignore the new assets or, alternatively, confirm their importance and include them in the appropriate section of the overall chart. If confirmed, Attack Surface Management will conduct a more in-depth investigation of these assets.

Improving relevance during the pilot phase

For Attack Surface Management, the issue of false positives is usually only relevant during the pilot phase. Two common scenarios can occur.

The first scenario occurs when Attack Surface Management displays assets that are no longer relevant to the customer. For example, a subsidiary may have spun off from the company and some of the original infrastructure no longer belongs to them. During the pilot phase, the exact area of interest is determined in collaboration with the client. After several iterations, Attack Surface Management refines the results to show only what the customer expects.

The second scenario concerns the different levels of problem criticality for different companies. For some, the absence of one DMARC record for a domain is seen as a big deal, while others may never have thought about it at all. This is not a false positive in the strict sense of the word, but for Attack Surface Management to function accurately and autonomously (without an expert having to manually verify the results) developers may need to adjust the algorithms based on customer requests.

Vulnerability prioritization

Vulnerabilities are typically prioritized at four levels: critical, high, medium and low. Each category has its own criteria. For example, vulnerabilities with a score above eight are classified as critical. Issues related to SPF and DMARC records are classified as high because many attacks now involve email spoofing, which SPF records in DNS are designed to prevent.

The same vulnerability can have different levels of criticality depending on the infrastructure. Work is currently underway to implement a tagging system into ASM systems, which will allow companies to adjust critical vulnerability levels. For example, if an expiring SSL certificate is critical to a particular company, they can flag it accordingly.

A robust Attack Surface Management system includes a special module that automatically marks identified issues as resolved. For example, if a vulnerability is detected and the customer updates the software, the issue is marked as resolved if it does not reoccur within three days.

The situation is more complex for accounts discovered in data breaches, as Attack Surface Management cannot legally verify whether the leaked login and password pair is still valid. Therefore, it is up to the customer to address and resolve such issues.

It is important to understand that Attack Surface Management is not a strict regulator that demands that all issues be resolved. Instead, it is a tool designed to help specialists prioritize what requires their attention.

Main scenarios for using ASM

Attack Surface Management becomes essential when an administrator cannot precisely identify the number of IP addresses and subdomains under their control. If the infrastructure consists of just two IP addresses and three domains that can be easily listed, manual checks can be faster and more cost-effective. However, as soon as uncertainty arises – whether there are 45 or 46 domains – Attack Surface Management becomes necessary.

Once a company starts using Attack Surface Management, there are two other paths. The first concerns the focus on external data, such as leaks, malware and Dark Web activity. These insights come from the Threat Intelligence modules. If a company is interested in strengthening its defenses against external threats (those outside its network), this direction provides valuable protection.

The second path occurs when a company has sufficient information about external assets and wants to monitor what is happening within its perimeter. In this case, Managed Extended Detection and Response (MXDR) becomes the correct solution.

Occasionally a third scenario arises: a company believes it has addressed all vulnerabilities and requests an audit to verify the strength of its defenses. This audit approach is typical for very mature organizations and requires thorough preparation.

The future of ASM systems

I see two paths for the development of Attack Surface Management systems. The first path is where the ASM system is automated, but an analyst on the vendor side is involved in preparing reports, providing recommendations or conducting their own analysis. This approach produces deeper results, but preparation takes longer and is more expensive.

The second path focuses on full automation. All available vulnerability scanners are integrated into one system and work completely without human intervention. The goal of this approach is to speed up the process, making it more reliable and less dependent on human supervision. Which of these approaches will prove to be more effective and convenient for customers remains to be seen.

Conclusion

The first step a company can take to improve security without spending excessive money or resources is to implement an Attack Surface Management system. ASM solutions are suitable for companies of all sizes and industries. They strengthen the expertise of the company’s specialists and save time by streamlining the detection and remediation of potential vulnerabilities and cyber threats.

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis and strong malware removal skills.