Understanding attack surface management

The attack surface is simply the number of potential security vulnerabilities that can be exploited to gain access to a system, network, and organization using attack vectors. If organizations are unable to identify their security vulnerabilities and implement countermeasures, they are simply leaving themselves susceptible and exposed to cyber-attacks and threats. Attack Surface Management (ASM) is not a new study in the cybersecurity industry, rather it’s a new focus for cybersecurity professionals and organizations around the world. ASM is a strategy that’s used by cybersecurity professionals that enables them to focus on identifying, analyzing, and reducing the attack surface of an organization. As a result, by reducing the attack surface of an organization, it reduces the risk of being compromised by cyber-attacks and threats while safeguarding its assets, resources, and sensitive information.

Adopting ASM within an organization enables the security team to identify and prioritize security vulnerabilities based on their vulnerability score and potential impact. The Common Vulnerability Scoring System (CVSS) is commonly referenced within many vulnerability scanning tools to provide vulnerability of between 0 and 10, where 0 is the least impact and 10 is critical. These scores help cybersecurity professionals to apply high priority and resources to remediate security vulnerabilities with higher severity.

For instance, the following screenshot shows the base metrics of the CVSS calculator:

Figure 1.3 – CVSS calculator

As shown in the preceding snippet, the metrics within the base score influence the vulnerability score. For instance, if an attacker can compromise a security vulnerability on a targeted system over a network, where the attack complexity is low and does not require any user interaction or escalated privileges, where the impact will greatly affect the confidentiality and integrity of the system, the CVSS calculator provides a vulnerability score of 9.4. Keep in mind, these scores are assigned to a vulnerability based on the criticality and impact on the system.

Tip

To learn more about the CVSS calculator, please see https://www.first.org/cvss/calculator/3.1.

The following snippet shows the results of a Nessus vulnerability scan, displaying the number of security flaws and their scores:

Figure 1.4 – Nessus scan results

As shown in the preceding snippet, the CVSS scores were referenced from the CVSS calculator.

It’s important to recognize that cybersecurity professionals may identify a security vulnerability that is critical to the operation of the organization and its business processes but has a low potential impact. There can be security vulnerabilities that are less critical to the operation of the business but have a greater potential impact if they’re exploited by a threat actor. Therefore, ASM helps organizations in prioritizing security vulnerabilities based on their impact levels while allocating their resources to remediating the most critical security vulnerabilities first.

Additionally, organizations that implement ASM are able to better identify and track changes to their attack surfaces. For instance, if an organization installs a new update to an existing system, this new update could introduce new security vulnerabilities and potentially change the attack surface, enabling a threat actor to use new techniques to compromise the system. Similarly, if an organization implements a new system or application on its network infrastructure, it has the potential of bringing new security flaws to the attack surface. However, ASM enables cybersecurity professionals to track changes that are being made to the attack surface of the organization while ensuring the security team is aware of any new security vulnerabilities that are introduced during this process. Furthermore, the organization can take the necessary actions to remediate these security vulnerabilities before they can be exploited by a threat actor.

Another benefit of ASM is its capability of helping organizations efficiently monitor their attack surface and identify any suspicious activities. This improves real-time threat detection and response within the company, enabling the security team to take immediate action to prevent, contain, or remediate the threat from systems and networks. Lastly, when ASM is implemented properly, it helps security teams to identify whether any malicious activities or threats that evaded security solutions have gone undetected on their systems and networks.

The following are the major benefits of ASM within the cybersecurity industry:

• Reducing risk – Organizations that adopted ASM are able to identify and reduce their own attack surfaces, thereby reducing the risk of potential cyber-attacks and threats, and protecting their assets from threat actors. Hence, by identifying and remediating security vulnerabilities, it becomes more difficult for threat actors to compromise systems and gain a foothold.
• Prioritization – ASM helps companies to prioritize their resources to remediate security vulnerabilities that are more critical than others.
• Continuous monitoring – For organizations to ensure their attack surface is small, continuous monitoring and maintenance are needed. This helps both cybersecurity professionals and organizations to always be aware of any new security vulnerability that may exist, either due to a new implementation or an upgrade to a system, therefore, taking the necessary actions needed to mitigate any security vulnerabilities before they can be exploited.
• Improving incident response – ASM helps security teams to efficiently identify and respond to security incidents on their network in real time, as a result, reducing the impact and spread of a threat.
• Compliance – There are regulatory standards and frameworks that are needed within organizations that operate in certain industries. For instance, organizations that operate in the payment card industry need to ensure their systems and networks are compliant with the Payment Card Industry Data Security Standard (PCI DSS). Being compliant means the organization’s systems and networks have the specific security controls in place to ensure data is protected.
• Cost-effectiveness – Since ASM helps organizations to improve the identification and remediation of security vulnerabilities, it reduces the risk of data breaches and increases the availability of systems that are critical to the organization.

The following are key steps that organizations and cybersecurity professionals can use to get started with ASM:

1. Asset management – Ensure all assets within your organization are properly tracked and entered into your inventory. These may include computers, servers, applications, and mobile devices. This helps organizations to better understand which assets are to be protected and identify security flaws in them.
2. Identifying and mapping the attack surface – At this stage, the cybersecurity professionals are to identify security vulnerabilities and map the attack surface of the organization. This stage includes potential attack vectors that could be used to deliver an exploit and points of entry such as open ports and vulnerable running services on systems and networks.
3. Assessing risk – This stage focuses on assessing the risk of each security vulnerability and its impact on the organization. This phase helps with prioritizing and focusing on the most critical security vulnerabilities, then on less critical vulnerabilities.
4. Implementing security controls – This phase focuses on implementing security controls and solutions to remediate and mitigate security vulnerabilities that were identified in the previous stages. Here, the security team will implement network security devices, threat monitoring and prevention solutions, network segmentation, and so on.
5. Monitoring and maintenance – For ASM to be effective, continuous monitoring of all assets, systems, and devices is required. It’s important to continuously monitor and maintain security controls that are responsible for mitigating cyber-attacks and threats from exploiting security vulnerabilities. In addition, continuous monitoring and maintenance help ensure security controls are effective in safeguarding the assets of the organization.
6. Continuously perform reconnaissance – To identify new security vulnerabilities on the attack surface, organizations need to continuously perform reconnaissance on their assets, systems, and network infrastructure. Once new security vulnerabilities are identified, the lifecycle of ASM is repeated, taking the necessary steps to mitigate the security risk.

In addition to using the preceding key steps, there are several tools that will help both cybersecurity professionals and organizations with ASM:

• Vulnerability scanners – These are specialized, automated tools that help cybersecurity professionals identify security vulnerabilities in a system and provide recommendations on how to remediate the issue. Furthermore, these tools provide severity ratings, vulnerability scores, and potential impact.
• Network scanners and mappers – This type of tool helps cybersecurity and networking professionals to determine live hosts, open service ports, and running applications on host devices. In addition, they help organizations to map their entire network infrastructure and identify unauthorized devices that are connected to the company’s network.
• Configuration management tools – This type of tool helps organizations track and manage their configurations on systems and networks. It also helps cybersecurity professionals to identify new security vulnerabilities such as misconfigurations that are introduced onto a device after a new change.
• Application security testing tools – These are specialized tools that are commonly used by cybersecurity professionals to perform security testing on applications and software to identify any unknown security flaw.
• Attack Surface Reduction (ASR) tools – These tools are designed to help organizations reduce their attack surfaces. It works by identifying and denying any malicious network traffic and disabling unnecessary services on systems and protocols.
• Risk management tools – Risk management tools enable organizations to both track and manage the risk as it’s associated with their attack surface. Furthermore, this tool helps cybersecurity professionals to monitor the effectiveness of the security controls that are in place to prevent cyber-attacks and threats.
• Security Information and Event Management (SIEM) – This is a security solution that collects, aggregates, and analyzes security-related log messages generated from systems and devices within an organization to identify any potential cyber-attack and threat in real time.

While these tools are simply recommendations, it’s important to remember no single tool has the capability of providing complete coverage of the attack surface of an organization. Therefore, a combination of different tools, techniques, and procedures is required to ensure the organization can effectively manage its attack surface. Furthermore, as many tools are software-based, it’s important they are regularly updated to ensure they have the capability of detecting the latest security vulnerabilities and threats in the industry.

In the next section, you will learn about the tactics, techniques, and procedures that are used by adversaries during the reconnaissance phase of a cyber-attack.