Attack Surface Management: Looking Right Back at You

Traditional security approaches focus on defending a well-defined perimeter from outside attacks. Attack Surface Management (ASM) flips that perspective, prompting organizations to step outside their digital perimeter. It allows them to look back at their digital landscape to gauge what an attacker might see — exposed systems, unpatched servers, misconfigurations, and more. This “looking back at you” approach helps identify vulnerabilities and potential entry points before attackers can exploit them.

However, comprehensive ASM must go beyond the external viewpoint and allow organizations to achieve an internal perspective as well. As such, both the internal and external attack surfaces are critical components of ASM. While EASM analyzes the enterprise attack surface from the outside in, mimicking how an external attacker might see it, internal ASM scrutinizes systems and networks from the inside out, identifying vulnerabilities accessible to insiders. Together, they allow organizations to address exploitable vulnerabilities, regardless of where attackers try to gain entry from.

Internal vs External Attack Surface

The internal attack surface refers to the vulnerabilities and exposures present inside an organization’s internal network and infrastructure. It covers threats originating from authorized users — malicious or negligent insiders — as well as attackers who may have already infiltrated the internal network via social engineering and/or malware. Some of the assets that constitute the internal attack surface include:

• IoT and end-user devices
• Internal servers and application
• Network equipment
• Security software and tools
• Shadow IT

On the other hand, the external attack surface refers to the vulnerabilities and exposures related to an organization’s remote users and internet-facing assets that can be exploited by external attackers. Assets that make up the external attack surface include:

1. Web applications, APIs, and SaaS
2. Cloud infrastructure
3. Remote access software
4. DNS servers
5. Dark Web exposures

As businesses undergo digital transformation, they rapidly adopt new technologies like cloud, edge computing, and work-from-anywhere (WFA) models. This rapid integration results in a surge in known and unknown (shadow IT) devices, connections, and applications. Each new addition can introduce potential attack vectors and vulnerabilities. Furthermore, the growing software complexity and their rapid release cycles can also introduce vulnerabilities. As a result, organizations end up struggling to keep pace with their expanding attack surfaces and complete coverage becomes a challenge.

Internal and External Exposures are Not Mutually Exclusive

Internal and external exposures are essentially two sides of the same coin — both can cause a security breach. Attackers can exploit a weakness in your external attack surface, like an exposed API, to gain access to internal assets. Once inside the network, they can move laterally across the internal network to compromise more systems and data, thus making the internal environment vulnerable as well.

Similarly, an internal threat, such as a disgruntled employee, can leak sensitive data to external adversaries, resulting in an inside-out attack. This interconnectedness of both internal and external attack surfaces underscores the importance of a holistic approach to ASM which covers both internal and external exposures when determining risks.

EASM and Internal ASM — What to Test First?

Given the unprecedented rate at which attack surfaces are increasing, organizations must prioritize which assets to test first, regardless of whether they are internal or external. The criteria for prioritization will vary for different organizations based on their core operations and risk appetite. Typically, it is based on factors such as:

1. Criticality: Assets essential for business operations and continuity, as well as those subject to regulatory compliance
2. Vulnerability: Assets with known vulnerabilities
3. Exploitability: Assets that are more visible or accessible to malicious actors
4. Threat Intelligence: Latest attacker TTPs and trends based on historical testing data

How to Prioritize Risks in Both Environments Effectively?

Effective risk prioritization across both internal and external attack surfaces involves:

1. A comprehensive inventory of all internal (servers, routers, workstations) and external (websites, cloud resources, APIs) digital assets.
2. Asset classification based on criticality to business continuity.
3. Vulnerability assessments to identify known weaknesses and their impact across internal and external surfaces.
4. Risk scoring based on attack likelihood and impact.
5. Establishing an acceptable level of risk based on the organization’s risk appetite and threat landscape.
6. Integration with threat intelligence to understand the current attacker TTPs.
7. Continuously re-evaluating risk prioritization across internal and external attack surfaces.

In addition to asset inventory and classification, ASM enables effective identification and prioritization of internal and external risks. This prioritization can then serve as a starting point for penetration testing and red teaming, allowing organizations to address the most critical assets and vulnerabilities first.

Risk Mitigation Strategies with ASM

The role of ASM is not over once risks have been identified and prioritized across the entire attack surface. ASM’s AI-driven, real-world context-based insights can also help organizations implement risk mitigation strategies effectively. Here’s how ASM helps guide risk mitigation and remediation:

1. Network Segmentation: Network segmentation can limit the impact of a security breach on the affected segment. ASM empowers smarter segmentation by providing a complete view of internal/external assets. It lets organizations group network assets and traffic based on their criticality and implement security measures accordingly.
2. Patch Management: ASM identifies unpatched vulnerabilities and prioritizes patching for critical systems and applications. Through continuous monitoring and threat intelligence integration, ASM also alerts security teams to newly released patches, streamlining the patching process.
3. Role-Based Access Control (RBAC): Internal ASM helps identify weak authentication and unauthorized access points. This facilitates robust Role-Based Access Control (RBAC) enforcement, a key risk mitigation strategy.
4. Endpoint Protection: ASM identifies internal assets lacking endpoint protection, allowing organizations to ensure that all user devices accessing the internal network are secure.
5. Continuous Monitoring and Logging: ASM keeps track of any changes across both internal and external attack surfaces in real-time. It enables swift detection and response to potential vulnerabilities and threats.
6. Cybersecurity Insurance: ASM accurately assesses risks associated with the organization’s internal and external attack surfaces, allowing them to secure better coverage. It also enables organizations to negotiate lower premiums through a demonstrably strong security posture.
7. Regulatory Compliance: ASM helps maintain compliance by continuously monitoring for potential violations and enabling corrective actions. Regulatory compliance itself strengthens the security posture and mitigates risks.

Continuous Attack Surface Discovery with BreachLock

BreachLock’s advanced ASM solution unifies internal and external attack surface management. BreachLock identifies exposed assets and their most critical attacker entry points, taking ASM a step further by prioritizing these exposures based on criticality, potential impact on the organization, and risk tolerance. Moreover, by using ASM with other offensive security methodologies, we are seeing improved outcomes for customers.

BreachLock also offers flexible and versatile solutions for continuous attack surface discovery including Pentesting as a Service (PTaaS), and automated pentesting and red teaming with evidence-based results integrated into the Breachlock platform.

Discover how BreachLock’s ASM, automated penetration testing, and RTaaS solutions can enhance your cyber resilience and improve your security posture over time. Schedule a discovery call with BreachLock today!

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!