
SW Labs | Overview: Attack Surface Management

April 22, 2021
  • ASM products can start with minimal input – as little as a company name. From that starting point, or seed, ASM products discover and explore other related properties, subsidiaries, and assets. For example, if you start with a parent company, it’s possible an ASM product will discover a one-off project abandoned and forgotten by a subsidiary three years ago. This ‘seed discovery’ happens through a variety of methods: website scraping, subdomain guessing, business record lookups, domains sharing common WHOIS information, information in certificate metadata and many more.
  • Several ASM vendors will score findings based on how ‘attractive’ they are to attackers. While the source for this attractiveness score is part of their secret sauce, it is presumably the product of penetration testing experience and breach analysis (e.g. what gets attacked during actual breaches?).
  • Many ASM products gather additional data that an analyst would typically have to enrich through manual processes. For example, an analyst might not recognize the IP address attached to a finding. Is it ours? Is it something we have hosted somewhere? Does it belong to a third party? They’ll open another tab to check the ownership records for the IP. Many ASM products do this work for you, automatically tagging assets as Linode or AWS if they are owned by these public cloud providers.
  • Most ASM products continuously search for new findings and assets. For example, acquire a new subsidiary or register a new domain and the ASM product will likely begin collecting assets from it at some point, with zero input from the operator (at least, in theory – see the individual product reviews for more information). Keep in mind, this continuous search is doing more than checking existing seeds for new assets; it’s looking for new seeds entirely. In theory, if your company acquired another company, some of these ASM products will automatically pick up on this and catalogue the new acquisition’s assets as well.
  • Statistical research on the frequency of technology use and exposed vulnerabilities
  • Historical research on the same
  • The third party risk monitoring (aka Cyber “Scorecard”) business model
  • False positives
    • Assets related to, but not owned by the customer (asset attribution)
    • Lookalikes – similar domains and company names, but different organizations
  • Completeness
    • Breadth – finding all the attack surface
    • Depth – collecting all the details and metadata related to each entity or asset
    • Types – continually adding new types of assets that can be collected (e.g. checking for GitHub accounts associated with a company, mobile apps, etc.)
  • Prioritization
    • The more complete these scans are, the bigger the organizational problem becomes. Prioritization is already a key challenge for the products that aim to surface issues in the asset data they collect.
    • Assigning risk scores – can be done without customer input, but can be much more accurate once asset importance and sensitivity is known
  • Validation
    • Less effective validation methods leading to high false positives (Banner grabbing, keyword searches)
    • A few ASM products separate “confirmed” issues from “potential” ones, even providing the proof of confirmed findings. This makes for considerably less work for the analyst tasked with validating these findings.
  1. Internet Patterns Research
  2. Historical Research
  3. Asset Discovery
  4. 3rd Party or M&A Due Diligence
  5. Attack surface reduction
  1. Detailed asset information
  2. Tagging
  3. Metadata search
  4. Complex queries
  5. API
  • Quick and easy to perform Internet research or a quick targeted assessment
  • Historical data in some cases
  • Freemium or low-cost options
  • Relatively few use cases
  • Gaps in coverage due to requests not to scan some networks or dropped probes
  • Internet patterns research
  • Historical research
  • Asset discovery and monitoring
  • Third party asset discovery and monitoring
  • M&A due diligence
  • Certificate monitoring
  • Competitive intelligence gathering
  • Attack surface reduction
  • Detailed asset information
  • Tagging
  • Metadata search
  • Alerts on new findings
  • Alert on expiring certificates
  • Detailed software composition analysis (SCA)
  • API
  • Supports both Internet research use case and asset management use case
  • Generally return the most complete dataset on IP-based assets
  • Large amounts of data to validate with no prioritization
  • Missing some non-IP-based assets
  • Asset discovery and monitoring
  • Third party vendor discovery
  • External asset management
  • Risk prioritization
  • Risk validation (via either automated or manual penetration testing)
  • Detailed asset information
  • Seed discovery
  • Tagging (manual and automated)
  • Metadata search
  • Alerts on new findings
  • Detailed software composition analysis (SCA)
  • Built for teams with support for commenting
  • Issue management with ability to set status, asset importance
  • Broad integration support
  • API
  • Identifies issues with assets and prioritizes them
  • Discovers risks related to third party vendors
  • Issue tracking and management interfaces
  • Broad integration support
  • Generally don’t support the Internet research or historical research use cases
  • False positives are a natural consequence of dynamic asset crawling
  • Everything in the previous category
  • Everything in the previous category, plus
  • Outsourced staff to perform validation on any findings
  • All signal, no noise (in theory – note we did not directly test either of these products)
  • Higher cost
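The continuous monitoring described earlier, and the “alerts on new findings” and “alert on expiring certificates” features listed above, reduce to comparing successive inventory snapshots. The following is an added example, not code from the article or any reviewed product: two constructed snapshots of the same inventory are diffed for new assets, disappeared assets, newly exposed services and IP changes, and certificates are checked against an expiry window. Hostnames, addresses and dates are constructed; the reference date is the article’s publication date.

```python
"""Snapshot diffing for new-asset and certificate-expiry alerts (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed snapshots: host -> observed attributes, as an ASM product might
# hold them between two collection runs.
PREVIOUS_SNAPSHOT = {
    "www.example.com":  {"ip": "192.0.2.10",    "ports": [443],
                         "cert_not_after": "2021-06-01T00:00:00Z"},
    "shop.example.com": {"ip": "203.0.113.77",  "ports": [443],
                         "cert_not_after": "2021-05-01T00:00:00Z"},
    "old.example.com":  {"ip": "192.0.2.44",    "ports": [80],
                         "cert_not_after": None},
}
CURRENT_SNAPSHOT = {
    "www.example.com":  {"ip": "192.0.2.10",    "ports": [443, 8443],
                         "cert_not_after": "2021-06-01T00:00:00Z"},
    "shop.example.com": {"ip": "203.0.113.78",  "ports": [443],
                         "cert_not_after": "2021-05-01T00:00:00Z"},
    "staging.example-labs.net": {"ip": "198.51.100.6", "ports": [22, 443],
                                 "cert_not_after": "2022-01-01T00:00:00Z"},
}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the snapshots."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def diff_snapshots(previous, current):
    """Return (kind, host, detail) alerts describing what changed between runs."""
    alerts = []
    for host in sorted(set(current) - set(previous)):
        alerts.append(("new_asset", host, current[host]["ip"]))
    for host in sorted(set(previous) - set(current)):
        alerts.append(("asset_gone", host, previous[host]["ip"]))
    for host in sorted(set(previous) & set(current)):
        before, after = previous[host], current[host]
        new_ports = sorted(set(after["ports"]) - set(before["ports"]))
        if new_ports:
            alerts.append(("new_service", host, new_ports))
        if before["ip"] != after["ip"]:
            alerts.append(("ip_changed", host, after["ip"]))
    return alerts


def expiring_certs(snapshot, now, within_days=30):
    """Hosts whose certificate expires on or before now + within_days."""
    cutoff = now + timedelta(days=within_days)
    return [
        (host, attrs["cert_not_after"])
        for host, attrs in sorted(snapshot.items())
        if attrs.get("cert_not_after") and parse_ts(attrs["cert_not_after"]) <= cutoff
    ]


def run_monitoring_cycle(previous, current, now):
    """One collection cycle: change alerts plus certificate-expiry alerts."""
    return {
        "changes": diff_snapshots(previous, current),
        "expiring": expiring_certs(current, now),
    }


if __name__ == "__main__":
    report = run_monitoring_cycle(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT,
                                  parse_ts("2021-04-22T00:00:00Z"))
    for alert in report["changes"]:
        print("CHANGE  ", alert)
    for host, not_after in report["expiring"]:
        print("EXPIRING", host, not_after)
```

Each alert kind maps onto something an analyst would triage differently: a new asset needs attribution first, a new service on a known asset needs validation, and an IP change on a known hostname is worth checking for a stale DNS record pointing at space the organisation no longer controls.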
Adrian Sanabria
Adrian joined SC Media's parent company, CyberRisk Alliance in 2020. He will focus primarily on cybersecurity product reviews, but will also provide industry insight trends for both SC Media and Security Weekly (another CyberRisk Alliance company). He brings two decades of industry experience, working as a practitioner, penetration tester, and industry analyst. He spent the last few years as an entrepreneur, challenging norms in sales and marketing for a variety of vendors. Adrian loves to cook, eat, hike, play music and regale his teenagers with stories of what the early days of the Internet were like.