
Attack Surface Management

04 Feb

Blog Credit : Trupti Thakur


Attack surfaces are growing faster than security teams can keep up – to stay ahead, you need to know what’s exposed and where attackers are most likely to strike.

With cloud adoption dramatically increasing the ease of exposing new systems and services to the internet, prioritizing threats and managing your attack surface from an attacker’s perspective has never been more important.

What is your attack surface? 

First, it’s important to understand what we mean when we talk about an attack surface. An attack surface is the sum of your digital assets that are ‘reachable’ by an attacker – whether they are secure or vulnerable, known or unknown, in active use or not.

You can also have both internal and external attack surfaces – imagine for example a malicious email attachment landing in a colleague’s inbox, vs a new FTP server being put online.

Your external attack surface changes continuously over time, and includes digital assets that are on-premises, in the cloud, in subsidiary networks, and in third-party environments. In short, your attack surface is anything that a hacker can attack.

What is attack surface management? 

Attack surface management (ASM) is the process of discovering these assets and services and reducing or minimizing their exposure to prevent hackers exploiting them.

Exposure can mean two things. It can mean current vulnerabilities, such as missing patches or misconfigurations that reduce the security of the services or assets. But it can also mean exposure to future vulnerabilities or determined attacks.

Take for example an admin interface like cPanel, or a firewall administration page – these may be secure against all known current attacks today, but a vulnerability could easily be discovered in the software tomorrow – in which case it would immediately become a significant risk. So while traditional vulnerability management processes would say “wait until a vulnerability is detected and then remediate it”, attack surface management would say “get that firewall admin panel off the internet before it becomes a problem!”.

That’s not to mention that having a firewall admin panel exposed to the internet opens it up to other attacks, regardless of a vulnerability being discovered. For example, if an attacker discovers some admin credentials elsewhere, they could potentially reuse those credentials against this admin interface, and this is often how attackers expand their access across networks. Equally, they may just try a sustained “low and slow” password guessing exercise which goes under the radar but eventually yields results.

To highlight this point in particular, ransomware gangs were reported in 2024 targeting VMware vSphere environments exposed to the internet. By exploiting a vulnerability in these servers, they were able to gain access and encrypt virtual hard disks of critical infrastructure to demand huge ransoms. It was reported there are over two thousand vSphere environments still exposed.

So for multiple reasons, reducing your attack surface today makes you harder to attack tomorrow.

The need for attack surface management  

The challenges of asset management 

So, if a significant part of attack surface management is reducing exposure to possible future vulnerabilities by removing unnecessary services and assets from the internet, the first step is to know what you have.

Often considered the poor relation of vulnerability management, asset management has traditionally been a labor-intensive, time-consuming task for IT teams. Even when they had control of the hardware assets within their organization and network perimeter, it was still fraught with problems. If just one asset was missed from the asset inventory, it could evade the entire vulnerability management process and, depending on the sensitivity of the asset, could have far-reaching implications for the business. This was the case in the Deloitte breach in 2016, where an overlooked administrator account was exploited, exposing sensitive client data.

When companies expand through mergers and acquisitions, they also often take over systems they’re not even aware of. Take the example of telco TalkTalk, which was breached in 2015: up to 4 million unencrypted records were stolen from a system they didn’t even know existed.

The shift to cloud 

Today, it’s even more complicated. Businesses are migrating to cloud platforms like Google Cloud, Microsoft Azure, and AWS, which allow development teams to move and scale quickly when needed. But this puts a lot of the responsibility for security directly into the hands of the development teams – shifting away from traditional, centralized IT teams with change control processes.

While this is great for speed of development, it creates a visibility gap, and so cyber security teams need ways to keep up with the pace.

A modern solution 

Attack surface management is, if anything, the recognition that asset management and vulnerability management must go hand-in-hand, but companies need tools to enable this to work effectively.

A good example: an Intruder customer once told us we had a bug in our cloud connectors – our integrations that show which cloud systems are internet-exposed. We were showing an IP address that he didn’t think he had. But when we investigated, our connector was working fine – the IP address was in an AWS region he didn’t know was in use, somewhat out of sight in the AWS console.

This shows how attack surface management can be as much about visibility as vulnerability management.
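The visibility check described above can be sketched as a reconciliation between what is actually internet-exposed and what the asset inventory says should be. This is an added example, not code from the original post or from Intruder's product; the `reconcile` function, the scoring weights, the admin-port mapping and all sample records are assumptions constructed for illustration.

```python
# Added example: reconcile discovered internet-facing assets against the inventory.
# All records below are constructed sample data (documentation IP ranges).
from dataclasses import dataclass

# Assumption: ports commonly used by admin interfaces (cPanel 2083, WHM 2087,
# SSH 22, RDP 3389, alternate HTTPS admin 8443). Tune to your own estate.
ADMIN_PORTS = {22: "ssh", 2083: "cpanel", 2087: "whm", 3389: "rdp", 8443: "admin-https"}

@dataclass(frozen=True)
class Exposure:
    ip: str
    region: str
    ports: tuple

def reconcile(discovered, inventory_ips, approved_regions):
    """Return (score, ip, reasons) findings, highest priority first."""
    findings = []
    for e in discovered:
        unknown = e.ip not in inventory_ips
        odd_region = e.region not in approved_regions
        admin = sorted(ADMIN_PORTS[p] for p in e.ports if p in ADMIN_PORTS)
        reasons = []
        if unknown:
            reasons.append("not in asset inventory")
        if odd_region:
            reasons.append(f"unexpected region {e.region}")
        if admin:
            reasons.append("admin interface exposed: " + ", ".join(admin))
        if reasons:
            # Unknown assets bypass vulnerability management, so weight them highest.
            score = 3 * unknown + 2 * bool(admin) + odd_region
            findings.append((score, e.ip, reasons))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

# Constructed sample input: one clean asset, one known asset with an exposed
# admin panel, and one asset nobody knew about in an unused region.
INVENTORY = {"198.51.100.10", "198.51.100.20"}
APPROVED_REGIONS = {"eu-west-1"}
DISCOVERED = [
    Exposure("198.51.100.10", "eu-west-1", (443,)),
    Exposure("198.51.100.20", "eu-west-1", (443, 2087)),
    Exposure("203.0.113.7", "ap-southeast-2", (22, 80)),
]

if __name__ == "__main__":
    for score, ip, reasons in reconcile(DISCOVERED, INVENTORY, APPROVED_REGIONS):
        print(f"[{score}] {ip}: " + "; ".join(reasons))
```

The asset in the unexpected region ranks first even though nothing on it is known to be vulnerable, which is the point of treating exposure and visibility as risks in their own right.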

Where does the attack surface stop?  

If you use a SaaS tool like HubSpot, they will hold a lot of your sensitive customer data, but you wouldn’t expect to scan them for vulnerabilities – this is where a third-party risk platform comes in. You would expect HubSpot to have many cyber security safeguards in place – and you would assess them against these.

Where the lines become blurred is with external agencies. Maybe you use a design agency to create a website, but you don’t have a long-term management contract in place. What if that website stays live until a vulnerability is discovered and it gets breached?

In these instances, third-party and supplier risk management software and insurance help to protect businesses from issues such as data breaches or noncompliance.

6 ways to secure your attack surface

By now, we’ve seen why attack surface management is so essential. The next step is turning these insights into concrete, effective actions. Building an ASM strategy means going beyond known assets to find your unknowns, adapting to a constantly changing threat landscape, and focusing on the risks that will have the greatest impact on your business.

Here are six ways Intruder helps you put this into action:

  1. Discover unknown assets
  2. Search for exposed ports and services
  3. Find exposures (that others miss)
  4. Scan your attack surface whenever it changes
  5. Stay ahead of emerging threats
  6. Prioritize the issues that matter most

 

 
