Attack Surface Management (ASM) – What You Need to Know

In the ever-evolving realm of cybersecurity, it’s critical for businesses to stay ahead of the curve to ensure the safety of their sensitive data and infrastructure. By implementing proactive and continuous testing of the deployed security controls, teams can optimize their preparedness against advanced threats. It’s no surprise, then, that attack surface management has emerged as a potential solution. In a recent report on implementing continuous threat exposure management (CTEM) programs, Gartner recommends that organizations “tackle threat exposure using emerging areas like attack surface management and security posture validation.”

This is the third post in our series on technologies to test your organization’s resilience to cyberattacks. In this installment, we dive into attack surface management (ASM). By the end of the post, we hope you can make an informed decision as to the best way to add into your security stack and compliment your other exposure management methods.

What is Attack Surface Management (ASM)?

Cloud computing adoption, digital transformation of analog processes, expansion of remote work, and the rise of the API economy have unlocked significant operational innovation. However, they have also expanded the potential risks faced by organizations by expanding the overall attack surface. Consequently, businesses are changing their approach to risk management and enhancing the security of their digital assets giving rise to tools that help teams manage the overall attack surface.

As the name implies, attack surface management  focuses on analyzing and managing the system’s attack surface—various entry points into an organization’s IT system that a hacker can use to gain unauthorized access. ASM involves identifying and tracking which online properties and network assets are public-facing (visible to the internet). This gives teams the ability to determine the potential vulnerabilities and gaps in the IT infrastructure and to develop the appropriate security measures to secure them against evolving threats. 

ASM processes and tools are categorized into three main areas:

• External Attack Surface Management (EASM): EASM identifies public-facing IT assets and monitors them for vulnerabilities/0-days. It focuses on server misconfigurations, credential issues, third-party software code vulnerabilities, and prioritizes weaknesses based on risk severity.
• Cyber Asset Attack Surface Management (CAASM): CAASM discovers and monitors both internal and external IT assets. It relies on API integrations with existing tools, providing visibility that can be limited by existing inventory data. CAASM primarily helps in tracking internal assets.
• Digital Risk Protection Services (DRPS): DRPS offers visibility into environments like the open web, dark web, and social media to detect potential threats to digital assets and data. It’s valuable for comprehensive risk assessments and brand protection but doesn’t provide an inventory of managed IT assets or assess their risk.

ASM tools typically involve mapping to elements of the MITRE ATT&CK® framework. Some ASM solutions enable users to automatically populate findings in dashboards and integrate with security management tools, though most still require manual input and system synchronization. 

It’s worth noting that ASM technologies are effective in discovering assets across diverse IT estates, making them a preferable choice over simple vulnerability scanners. However, like vulnerability scanners, ASM tools mainly focus on identifying asset vulnerabilities and configuration weaknesses, rather than actively testing their exploitability.

Benefits and Limitations of ASM

When it comes to attack surface management, there are several benefits that make it a valuable approach. One of the key advantages is its ability to effectively address the challenges posed by dynamic attack surfaces and the absence of hardened perimeters. Moreover, attack surface management is designed to support continuous operations, ensuring that security measures are in place at all times. 

ASM includes mapping to MITRE ATT&CK®, which provides a comprehensive framework for identifying and categorizing different types of tactics, techniques, and procedures (TTPs). Compared to traditional penetration testing, attack surface management offers wider coverage, enabling organizations to evaluate a broader range of potential vulnerabilities. 

Attack surface management has its limitations that should be taken into consideration. While it’s efficient at finding weaknesses, it does not attempt to attack those weaknesses in order to validate their exploitability. This means that there might be vulnerabilities that go undetected, leaving the potential for exploitation. Additionally, in more sophisticated attacks, attack surface management might not be able to illuminate all elements of the kill chain (e.g. lateral movement, exfiltration), limiting its effectiveness in identifying and addressing threats. This is where integrating ASM and BAS can provide significant value.

Strengthening Your Security Posture with BAS and ASM

BAS and ASM compliment each other well (if you are still learning about BAS, check out our BAS 101 series). While they have distinct functions, they can work together to improve an organization’s overall security. ASM provides the foundational understanding of the organization’s attack surface and vulnerabilities, while BAS helps validate the effectiveness of the security controls and identify any remaining gaps or weaknesses. By combining ASM and BAS, organizations can:

• Continuously monitor and manage their attack surface by conducting regular vulnerability assessments and simulations of real-world attacks.
• Validate the effectiveness of security controls and response mechanisms against evolving threats and attack techniques.
• Prioritize remediation efforts based on the real-world impact of identified vulnerabilities and successful attack simulations.
• Improve security awareness and incident response capabilities by learning from simulated attack scenarios.

What About Other Ways to Test Your Organization’s Cyber Resilience?

If you’re curious about how other security validation technologies perform in different environments, we’ve already covered penetration testing and automated penetration testing in this series. If you’d like a full comparison of each of these types of tools, in addition to red teaming and vulnerability scanning, take a look at our white paper Six Methods to Test Your Organization’s Resilience to Cyberattacks.