A Guide to Effective Attack Surface Management

A study by the Ponemon Institute reveals that the average enterprise now manages approximately 135,000 endpoint devices, of which 48%, or 64,800 per enterprise, are undetected.¹ Another study highlights how the average organization owns a portfolio of 323 SaaS applications.² The enterprise attack surface has expanded and the need for both manual and automated security testing practices is necessary as enterprises continue to be vulnerable to the increasing threat landscape.

The rising cost of a security breach, averaging $4.45M, emphasizes the need for more proactive offensive security solutions.³ Offensive Security can establish well-defined, efficient processes and leverage best-in-class tools to provide a comprehensive understanding of your attack surface. As a result, continuous attack surface discovery using such tools as Attack Surface Management (ASM) and automated pentesting have become increasingly important and proactive security practices to identify, evaluate, and mitigate potential exposures across the entire attack surface before an attack occurs.

What does the ASM process look like?

A comprehensive ASM process follows a cycle of four key steps:

• Asset Discovery: It involves the identification of all devices, systems, and applications that constitute an organization’s digital ecosystem.
• Asset Inventory & Classification: Next, discovered assets are categorized and classified based on their criticality and importance to the organization’s operations.
• Vulnerability Identification & Risk Assessment: Detailed vulnerability scans are conducted to find known vulnerabilities and determine the level of risk they pose to the organization.
• Asset Prioritization & Risk Scoring: Vulnerabilities are prioritized based on their severity, likelihood of exploitation, and potential impact on the organization’s operational continuity and bottom line. Each vulnerability gets a risk score to guide remediation efforts.
• Remediation & Reporting: The final step of the ASM cycle includes comprehensive reporting of the identified assets and their associated vulnerabilities. Based on the report, organizations can orchestrate a remediation execution plan.

A Guide to Effective ASM

Although these core steps and principles remain constant, different approaches to ASM can lead to drastically different results across organizations and platforms. Here’s how you can optimize your ASM strategy for comprehensive coverage and security:

Ensure Continuous Asset Discovery and Real-time Monitoring

Modern IT environments are dynamic, where infrastructure can be deployed with a single line of code across any cloud environment. Policies like Bring Your Own Device (BYOD) and Work From Anywhere (WFA) enable new devices to frequently access the distributed enterprise network and resources. These new devices, along with emerging vulnerabilities, necessitate continuous, real-time discovery and monitoring. Attack Surface Management (ASM) must support this process to identify potential vulnerabilities and entry points as soon as they emerge. This ensures an up-to-date, comprehensive view of the attack surface at all times.

Implement Context-based Risk Prioritization

Last year, the number of disclosed IT security vulnerabilities and exposures (CVEs) surpassed a staggering 29,000.⁴ The sheer number of vulnerabilities makes it impractical to patch each and every one of them all at once. In trying to do so, organizations can exhaust their limited security resources, potentially leaving the most critical entry points unaddressed. Therefore, ASM must support precise prioritization of risks based on real-world context.

Context is crucial for understanding the criticality and relevance of a threat to a particular organization. For instance, the mere discovery of an unpatched device does not necessarily signify an active threat. However, if the device has a history of accessing critical assets, communicating with known Command and Control (C&C) servers, or exhibiting other Indicators of Compromise (IoCs), it warrants immediate remediation efforts, including network scans for intrusion detection. Context-based prioritization ensures optimal resource allocation, allowing organizations to mitigate the most critical threats first.

Integrate EASM and Internal ASM

External Attack Surface Management (EASM) involves analyzing an IT environment from the perspective of an external attacker, focusing on vulnerabilities and exposures that can be exploited from outside the organization. Similarly, internal ASM, a.k.a Cyber Asset Attack Surface Management (CAASM), provides an internal view of the risks that originate from within the corporate perimeter.

While organizations often prioritize external threats, comprehensive ASM should include both EASM and CAASM. This approach ensures defense against external exposures, such as firewall misconfigurations and third-party vulnerabilities, as well as internal risks posed by malicious or negligent insiders. In addition, next-generation ASM must also have awareness of the latest attacker tactics, techniques, and procedures (TTPs) and historical threat intelligence to identify anomalies indicative of external threats that have already infiltrated the network or internal threats that can lead to external attacks.

Leverage AI and Automation

Given the continuous nature of ASM and the multitude of tedious tasks involved, relying solely on manual processes cannot deliver the speed, coverage, and accuracy that enterprise networks require. In addition, security teams are already struggling with scarce resources. Automating continuous or repetitive tasks, such as asset discovery and risk assessments, can free IT and security teams to redirect their focus toward mission-critical operations and tasks that require human intervention, such as red-teaming exercises.

AI in ASM also serves as a powerful ally for security teams facing constant alert fatigue and the overwhelming volume of false positives. AI and ML-based algorithms can rapidly analyze the massive number of generated alerts through statistical, heuristic, and behavioral analysis and correlate them with real-world data. It allows AI-powered ASM to make data-driven decisions, facilitating precise identification and prioritization of risks while minimizing false positives.

Augment ASM with Automated Pentesting and Red Teaming

While ASM is a powerful tool for identifying and managing exposures, augmenting ASM with other cybersecurity tools and strategies can help explore vulnerabilities more in-depth. Automated pentesting will exploit the vulnerabilities discovered by ASM, ensuring that they are indeed genuine and exploitable. Red teaming takes it a step further, practically demonstrating their exploitability through simulated attack scenarios.

By combining ASM, automated penetration testing and red teaming, organizations can establish a robust foundation for concentrated and effective offensive security practices leading to accelerated prioritization and remediation. This approach enables optimal resource allocation, ensuring that security measures are targeted towards addressing the most critical vulnerabilities and threats first.

Following these best practices can improve the overall effectiveness of your ASM strategy. However, to make sure that your ASM is yielding the desired results, it’s important to measure metrics, like mean time to detect (MTTD), mean time to remediate (MTTR), the reduction in security incidents, etc., and set KPIs to help establish baseline and benchmarks to derive tangible results and outcomes.

Bolster Security and Optimize ASM with BreachLock

Managing Risks & Costs at the Edge offers a comprehensive suite of human-delivered, AI-powered, and automated continuous attack surface discovery and penetration testing solutions. BreachLock’s deep understanding of the latest and most pervasive attacker TTPs and threat intelligence is based on thousands of evidence-backed security tests. Data-driven insights from past engagements allow BreachLock’ to accurately identify and accelerate the prioritization and remediation of vulnerabilities and risks based on real-world context.

Beyond initial discovery, BreachLock offers automated pentesting, Penetration Testing as a Service (PTaaS), and red teaming as a service (RTaaS) to validate and help mitigate ASM discoveries more effectively. Collectively, Breachlock offers offensive security solutions to provide a comprehensive approach to improve cyber resiliency.

Schedule a discovery call with BreachLock today and learn more about our offensive security solutions!

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!

References:

1. Managing Risks & Costs at the Edge
2. 2022 SaaS Management Index Report
3. IBM Cost of a Data Breach Report 2023
4. Number of common IT security vulnerabilities and exposures (CVEs) worldwide from 2009 to 2024 YTD