
What is Attack Surface Management?

Attack surface management is the practice of continually identifying, analysing, prioritising, and mitigating attack vectors.

With the rise of hybrid work and software-as-a-service (SaaS) applications for core business functions, as well as the near ubiquity of the cloud, organisations’ attack surfaces are no longer easily defined. In many cases, they are rapidly expanding. This presents both new opportunities for threat actors and new challenges for security teams, giving rise to a new tactic for security posture improvement — attack surface management.

What is Attack Surface Management?

Attack surface management (ASM) is the practice of continually identifying, analysing, prioritising, and mitigating attack vectors across an organisation’s environment.

Attack surface management is the proactive process of increasing visibility and reducing risk. It is a continual process designed to help organisations respond to new threats that arise as their environment evolves. ASM is conducted from the threat actor’s point of view, as security teams work to understand what risk points exist, where threat actors may seek access and launch attacks, and what is needed to harden the attack surface.

Attack surface management includes what is referred to as external attack surface management (EASM), which focuses solely on internet-facing applications and cloud environments. ASM is more comprehensive and holistic than just EASM.

Core Aspects of Attack Surface Management

Attack surface management follows a lifecycle similar to risk-based vulnerability management, where each stage happens concurrently and continuously as new threats arise and an organisation’s attack surface changes.

The four core aspects of attack surface management are:

1. Asset discovery and mapping. This is an all-encompassing discovery process, where every application, asset, access point, and endpoint is known and accounted for. Asset discovery and mapping should cover third-party assets and include a process for discovering any shadow IT applications or assets. Visibility is critical to both proactive and reactive components of broader cybersecurity practices, so attack surface mapping is vital for posture-hardening measures as well as threat detection and response.

2. Analysis and prioritisation. For any organisation, there may be a plethora of applications and endpoints spread across regions and countries, a high volume of cloud-based assets, and a growing number of users to protect. This means risks can grow exponentially, and not every risk within the attack surface can be quickly mitigated due to lack of internal staffing, other priorities, or a lack of proper tooling and expertise. It’s important for organisations to take a high-level view and prioritise what to work on first, and what the short-, medium-, and long-term goals are. How this analysis and prioritisation happens will be different for every organisation depending on their business and security goals, but an overarching question of, “Where are we most at risk?” should guide the decision making, and those decisions should be validated by up-to-date threat intelligence, when possible.

3. Remediation. This is the hands-on-keyboards work of remediating risks within the attack surface. Common ASM remediation techniques include vulnerability patching, securing Active Directory, access control refinement, remediation of cloud misconfigurations, security awareness training, and more.

4. Monitoring. While full visibility into your environment is key to a strong security posture, equally important is the monitoring of the entire environment to ensure risk remediation has been successful and new risks can be identified swiftly as they occur. Security risks can change as an environment evolves, so being aware of those changes and potential threats in near real-time through 24×7 monitoring reduces the chance of a successful cyber attack and the potential damage one can cause.
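The discovery, prioritisation, and monitoring stages above can be made concrete with a small sketch. This is an added example, not Arctic Wolf code; the asset names, fields, and scoring weights are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool = False
    business_critical: bool = False
    known_vulns: int = 0   # unpatched known vulnerabilities on the asset

def diff_inventory(approved, discovered):
    """Return (unknown, newly_exposed) between the approved list and a new scan."""
    known = {a.name: a for a in approved}
    # Assets nobody accounted for: shadow IT candidates.
    unknown = [a for a in discovered if a.name not in known]
    # Known assets that have become internet-facing since the last review.
    newly_exposed = [a for a in discovered if a.name in known
                     and a.internet_facing and not known[a.name].internet_facing]
    return unknown, newly_exposed

def risk_score(asset, unknown_names):
    """Illustrative weights (an assumption; tune to your own risk profile)."""
    score = 3 if asset.internet_facing else 0
    score += 2 if asset.business_critical else 0
    score += 2 * min(asset.known_vulns, 3)             # cap so one host cannot dominate
    score += 2 if asset.name in unknown_names else 0   # unmanaged means unmonitored
    return score

def prioritise(approved, discovered):
    """Rank every discovered asset, highest risk first, as a remediation queue."""
    unknown, _ = diff_inventory(approved, discovered)
    names = {a.name for a in unknown}
    ranked = sorted(discovered, key=lambda a: (-risk_score(a, names), a.name))
    return [(a.name, risk_score(a, names)) for a in ranked]

# Constructed sample data: last approved inventory and today's discovery scan.
APPROVED = [
    Asset("crm-saas", internet_facing=True, business_critical=True),
    Asset("hr-db", business_critical=True, known_vulns=1),
    Asset("build-server"),
]
DISCOVERED = [
    Asset("crm-saas", internet_facing=True, business_critical=True),
    Asset("hr-db", internet_facing=True, business_critical=True, known_vulns=1),
    Asset("build-server", known_vulns=4),
    Asset("marketing-wiki", internet_facing=True),   # not in the approved list
]

if __name__ == "__main__":
    unknown, exposed = diff_inventory(APPROVED, DISCOVERED)
    print([a.name for a in unknown], [a.name for a in exposed])
    print(prioritise(APPROVED, DISCOVERED))
```

Running the comparison on every scan is the monitoring stage: an asset that newly appears or becomes internet-facing moves up the remediation queue without waiting for the next manual review.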

ASM and Vulnerability Management

If attack surface management looks similar to vulnerability management, it’s because both processes follow a proactive lifecycle built around risk reduction. However, there is one key difference: ASM takes a much broader approach, looking at every aspect of the attack surface, vulnerabilities included. Vulnerability management focuses solely on known vulnerabilities that exist within an IT environment, and is often considered a subset of attack surface management.

The two processes can inform each other. New vulnerability patch information may be included in an attack surface management prioritisation session, and the visibility gained in asset discovery can be used to remediate previously unknown vulnerabilities.

Vulnerability management needs to be included as part of ASM to achieve a properly hardened attack surface.

Attack Surface Management Best Practices

How a specific business assesses, remediates, and monitors their attack surface will differ depending on that organisation’s security goals, business outlook, and risk profile. Some may have a rapidly expanding attack surface and need to focus on visibility, while others, for example, may be more focused on securing their identity attack surface due to a high volume of remote users.

But there are steps every organisation can take to better manage their attack surface.

1. Map out your attack surface. Include all applications and assets, such as internet of things (IoT) devices, user endpoints, cloud environments, and web-based applications. If visibility will be limited in the short-term, focusing on core business applications first is a good approach, as those are targeted more frequently by threat actors.

2. Employ a risk-based vulnerability management system. While ASM goes far beyond vulnerability management, many cyber attacks begin with external exposure or vulnerability exploitation. Making this a priority is a strong way to secure your attack surface.

3. Establish procedures and policies for security posture improvements. Knowing where your organisation’s risks may lie is not helpful if action is never taken to remediate them. The procedures and policies aspect of ASM is where key stakeholders should come together to determine which vulnerabilities have been or will be remediated, what access controls are in place, what network segmentation exists, and more, all with an eye toward long-term security goals.

4. Establish your security monitoring system. Having eyes-on-glass 24×7 can not only improve threat response times, but it can also help your organisation better understand how it is being targeted by threat actors, which will lead to more effective ASM in the future. However, in-house security operations centres (SOCs) and full-time monitoring can be difficult to achieve and maintain due to resource and budget constraints. Outsourcing a security monitoring system to a third-party provider, such as a managed detection and response (MDR) provider, might be the best option as your organisation grows.

5. Don’t forget about the human attack surface. It’s easy for organisations to focus on endpoints and applications and forget that many parts of the attack surface are tied back to users. Threat actors are increasingly targeting those users (identity signals represented seven of the top 10 threats or IOCs leading to alerts in the 2024 Arctic Wolf Security Operations Report), so hardening your IAM structure, deploying security awareness training, and utilising identity threat detection and response (ITDR) techniques are critical components of any ASM strategy.

Why is ASM Important?

It’s not news that the threat landscape is evolving. 48% of organisations identified evidence of a successful breach in their environment over the last 12 months. Additionally, Arctic Wolf has observed a rise in threats to our customers’ core business functions, a rise in threat actors targeting known vulnerabilities, and a trend of social engineering and other attacks that target organisations’ IAM systems. For sophisticated breaches such as ransomware, threat actors are often targeting multiple parts of the attack surface, increasing an organisation’s overall risk. A threat actor may target a user’s email in a social engineering campaign, then use the obtained credentials to log into a cloud application, then exploit a vulnerability to gain privileged access to other vital data.

Every part of the attack surface can be under threat, so if an organisation focuses primarily on only vulnerabilities, or users, or the cloud, they’re leaving other areas exposed.

Benefits of implementing an attack surface management plan include:

  • Risk reduction among various assets and applications, including SaaS applications and the cloud environment
  • Proactive elimination of potential threats before they escalate
  • Accelerated threat detection and response due to increased visibility and knowledge of the attack surface
  • Vulnerability reduction: Arctic Wolf has observed that exploitation of known and patched vulnerabilities outnumbers exploitation of zero-day vulnerabilities by roughly 7.5 times
  • Visibility into an organisation’s digital footprint
  • Continuous monitoring that allows for both proactive security measures and increased threat detection

ASM and Security Operations

By taking an operational approach, where proactive and reactive components work in tandem, ASM and other security measures can be undertaken more effectively and efficiently. A security operations approach can deliver business context, strategic guidance, and a stronger security posture alongside automated threat protection, response, and remediation.

Arctic Wolf programmatically addresses cyber risk end-to-end through an open-XDR platform backed by Security Teams who combine to mitigate risks and strengthen your security posture over time. The Aurora Platform™ leverages AI to enable cyber defence at an unprecedented capacity and scale, and the Concierge Delivery Model provides on-demand expertise and strategic guidance based on your organisation’s unique business context and risk factors.

Additionally, Arctic Wolf knows that security is a journey, so the Arctic Wolf Security Journey works with your organisation to strengthen your security posture and harden your attack surface over time.

Understand how a security operations approach to attack surface management can help you deter the threats of today and tomorrow with the 2024 Arctic Wolf Security Operations Report.
