What to Look for When Choosing An Attack Surface Management Tool

What to Look for When Choosing An Attack Surface Management Tool

Attack surface management (ASM) is one of the most essential components of IT security. Any software, hardware, SaaS, and cloud assets that store an organization’s data and can be accessed by the internet make up the attack surface. These all become points of entry for a cybercriminal attempting to steal data. In the past, a company could perhaps profess to have control and awareness on all of its attack surfaces. ASM has long been used to address cyber risk.

Today, protecting an organization’s data has become ever more complex. Companies building applications work with third-party vendors who in turn work with more third-party vendors. For one SaaS product or webpage, hundreds of indirect vendors could be involved. Covid has further exacerbated the situation.

In the months following March 2020, the US saw an intense spike in cyber attacks. Employees are now working from home and using their own internet connections to handle sensitive company data. The use of cloud applications, virtual desktops, sharing of devices with family members can all present security concerns.

Companies were not prepared to keep a remote workforce secure. Many processes and procedures like mortgage approvals have not been designed to be done from less-secure home environments. Many organizations improvised and the results were less than secure. Furthermore, a new government call for data disclosure around the pandemic may force companies to re-evaluate the security of that data. All of these factors have created an expanded attack surface. To protect against malicious attacks, the right ASM is essential for this process.

Pre-Covid ASM

Before the pandemic, companies were certainly facing many cyber threats. ASM was developed to address these threats and ensure asset and data security. In order to keep an asset secure, it must be known. All the assets belonging to an organization must be uncovered and accounted for. ASM is a strategy for doing this and ensuring these assets are secure. In pre-covid days, managing an attack surface would require the following:

1. Uncover Known assets: Accounting for assets such as a corporate website, servers, and dependencies running on them, such as SaaS applications.
2. Uncover Unknown assets: Discovering forgotten IT infrastructure, also known as shadow IT, that has been outside of the purview of an IT security team. This could include development websites or marketing sites.
3. Uncover Rogue assets: Threat actors may have already spun up malicious infrastructures such as malware, typo squatted domains, or a website or mobile app impersonating your domain—all of these need to be discovered.

ASM usually involves several phases—discovery, inventory and classifications, risk scoring, monitoring, and malicious asset and incident monitoring. A decent pre-Covid ASM would uncover all your internet-facing assets as well as those managed by third parties. These would include:

1. Web applications, services, and APIs
2. Mobile applications and their backends
3. Cloud storage and network devices
4. Domain names, SSL certificates, and IP addresses
5. IoT and connected devices
6. Public code repositories such as GitHub, GitLab, and BitBucket
7. Email servers

Post-Covid ASM

As the threats presented by the expanded attack surfaces of the Covid world grew, all the above was not enough to keep cybercriminals out. From email or Gmail phishing addresses to malicious apps disguised as Covid tracing tools, remote employees have been targeted by cyberattacks. Between third and fourth-party vendors and remote workers, ecosystems have become highly exposed to numerous threats.

The pandemic world posed new and unique security risks to organizations. Companies had to respond quickly to the environment with increased security. As we settle into the ‘new normal,’ there is an opportunity to improve data security further. Many companies are taking a zero-tolerance policy when it comes to poor IT security and actively working to improve the IT hygiene of their employees and infrastructure.

ASMs must become even more sophisticated than the cybercriminals they are attempting to thwart. To protect an organization in the new normal, an ASM needs to be able to do the following:

1. Have the ability to uncover the risk presented by third-party and fourth-party vendors.
2. Uncover your data/assets on the dark web. This includes data leaks and assets being discussed by cybercriminals.
3. Be able to find exposed datasets on the open and deep web, such as open S3 buckets, public GitHub repositories, FTP servers, etc.
4. Have the ability to risk-rate each attack surface by correlating the exposed asset against industry, geo, tech, or unique ways of rating that are more relevant and accurate.
5. Have the ability to evaluate threats by looking at an attack surface against vulnerabilities. Doing this increases accuracy significantly and saves time. It is critical to take action before a hacker does.
6. Use attack surface discovery not just as a ‘detection’ tool but also as a tool to understand a threat actor’s ‘attack path.’
7. Identify weaknesses not just in technology but also in people and processes. It should evaluate whether your employees and various stakeholders have the training and know what to do to prevent cyberattacks. The ASM should also evaluate the configure process, asset discovery, operational processes while including other IT departments.

The pandemic has brought with it expanded opportunities for cyberattacks. The ‘New Normal’ requires organizations to adopt new tools. It has also brought with it many opportunities to institute new security tools to combat these attacks. Attack Surface Management is one of these tools. However, the previous standards for ASM no longer apply. Organizations must continuously assess threats and have visibility over all assets, third parties, and remote workers. ASM must work in tandem with vulnerability and patch management platforms and be guided by cyber-intelligence to provide continuous monitoring of digital risk profiles. Attack surface discovery, vulnerability intelligence, brand intelligence, digital risk protection, cyber situational awareness and cyber-intelligence should be integrated into a single pane of glass to give cyber defenders a solid hold over new and emerging cyber threats.