What Is Attack Surface Management and a 5-Step ASM Process
Attack surface management (ASM) continuously discovers, monitors, evaluates, prioritizes, and remediates exposure to attacks in an enterprise’s IT infrastructure. An attack surface comprises all possible entry points that can potentially allow threat actors to breach an application, system, device, network, or organization.
ASM is similar to asset discovery and management, often present in general IT security solutions. However, the major difference is that ASM approaches threat detection and vulnerability management from the attacker’s perspective. This approach drives organizations to identify and assess risks to both known and unknown assets, including rogue components unknown to the IT organization.
Related content: Read our guide to attack vectors (coming soon)
Why Is Attack Surface Management Important?
Even small organizations can have a large attack surface. To make things more complex, the attack surface is constantly changing and growing. The transition to remote work, increased migration of workloads to the cloud, and the growing use of personal devices for work purposes create new attack surfaces that organizations must protect.
Bad actors use automated reconnaissance tools to analyze external attack surfaces and identify points of exploitation. Security teams must perform the same level of assessment to understand their exposure to attacks. Thus, organizations must deploy tools offering visibility and continuous monitoring, in order to discover and manage risks before attackers discover them.
What Are Attack Surface Management Tools?
Some organizations rely on asset discovery tools to understand their extended IT environment. However, while these tools are useful, they cannot fully discover an organization’s attack surface.
Asset discovery tools only provide a picture of IT assets from within a company's security perimeter. Most attackers are positioned outside the security perimeter, scanning the organization’s public-facing systems for exploitable vulnerabilities. An attack surface management solution can fill this gap between what internal systems see and what attackers are able to exploit.
ASM tools can help an organization by:
- Identifying visible infrastructure elements.
- Identifying shadow IT, artifacts resulting from mergers and partner activities, IoT devices, and cloud transformation.
- Identifying cybersquatting domains, malware, and dark web activity that concerns the organization.
- Identifying vulnerabilities in discovered assets.
- Assessing vulnerabilities against a risk scoring system to help prioritize remedial actions.
- Assisting with implementation of security hardening mechanisms such as network segmentation, role-based access control (RBAC), and zero trust security models.
A 5-Step Attack Surface Management Process
Here is the process followed by most ASM tools to discover assets, test them for vulnerabilities, prioritize risks, and remediate them.
1. Discover Assets
You cannot manage an asset without knowing it exists. In the modern digital environment, many assets are easy to overlook, such as outdated IP addresses and credentials, shadow IT, cloud environments, and IoT devices. Legacy tools and processes can easily miss these assets, which represent important attack surfaces. However, they are quickly discovered by modern attack surface management solutions that use the same advanced reconnaissance techniques as attackers.
Related content: Read our guide to external attack surface management
2. Add Context
Business context and ownership are a critical part of attack surface management. Existing asset discovery tools often do not provide context in a consistent way, making it difficult to prioritize remediation.
Effective attack surface management practices make sure that assets are enriched with information such as IP address, device type, current use, purpose, owner, connections to other assets, and potential vulnerabilities. This allows security teams to prioritize cyber risks and determine whether assets should be removed, patched, or monitored.
3. Prioritize
In almost all cases, it will not be possible to verify and fix the entire list of potential attack vectors against all assets. Therefore, it is important to use contextual information to determine focus and priorities. Security teams can add criteria such as exploitability, detectability, attacker priority, and remediation effort to prioritize the most pressing tasks.
4. Test Continuously
Testing the attack surface once has limited value, because attack surfaces grow and change every time a new device, user account, workload, or service is added. Every new account or device creates a risk of misconfiguration, known vulnerabilities, zero-day vulnerabilities, and sensitive data exposure.
It is important to continuously test all possible attack vectors against all attack surfaces, and always refer to the most current version of the organization’s attack surface.
Related content: Read our guide to attack surface monitoring
5. Remediate
Once the attack surface is fully mapped and contextualized, remediation can begin. Based on priorities, the organization can remediate security weaknesses. This can be done by:
- Automated tools, which can remediate certain types of vulnerabilities without human intervention.
- Security operations teams, who are responsible for risk enforcement.
- IT operations teams, who are responsible for operating the affected systems.
- Development teams, who build, update, and maintain assets and applications.
These teams need business risk context and clear guidance on how to fix security issues, to establish trust and ensure efficient handling of remediations.
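The five steps above, run end to end over constructed data, as an added example that is not part of the original article or of any ASM product: a constructed external-scan snapshot stands in for discovery, a constructed ownership record supplies context, the findings and their exploitability, detectability, attacker-priority and remediation-effort ratings are invented for illustration, and the scoring formula, the default criticality for unowned assets, and the risk tolerance threshold are assumptions. Continuous testing is shown as a diff of the current snapshot against the previous one, and remediation as routing each finding to automation, the owning team, or security operations when no owner is known.

```python
"""Minimal attack surface management pipeline over constructed data.
Walks discover -> add context -> prioritize -> test continuously -> remediate.
Hosts, owners, findings, weights and the tolerance threshold are all
illustrative assumptions, not real infrastructure or a vendor's scoring model.
"""
from dataclasses import dataclass

# Step 1: Discover. Real pipelines gather this from DNS enumeration, cloud
# inventories and port scans; here it is a constructed snapshot keyed by host.
CURRENT_SCAN = {
    "www.example.test":    {"ip": "203.0.113.10", "ports": [443]},
    "legacy.example.test": {"ip": "203.0.113.22", "ports": [22, 80, 8080]},
    "dev-db.example.test": {"ip": "203.0.113.57", "ports": [5432]},
}
# The previous snapshot; step 4 compares against it to catch change.
PREVIOUS_SCAN = {
    "www.example.test":    {"ip": "203.0.113.10", "ports": [443]},
    "legacy.example.test": {"ip": "203.0.113.22", "ports": [22, 80]},
}
# Step 2 input: constructed ownership/CMDB data. Assets missing from it are
# shadow IT: nobody has classified them, so they get the highest criticality.
OWNERSHIP = {
    "www.example.test":    {"owner": "web-team", "purpose": "marketing site", "criticality": 3},
    "legacy.example.test": {"owner": "it-ops",   "purpose": "old intranet",   "criticality": 2},
}
UNKNOWN_CRITICALITY = 4   # assumption: unclassified assets are treated as high risk
RISK_TOLERANCE = 50       # assumption: scores above this breach the tolerance statement


@dataclass
class Finding:
    asset: str
    title: str
    exploitability: int      # 1 (theoretical) .. 5 (public exploit, no auth needed)
    detectability: int       # 1 (obscure) .. 5 (any scanner spots it)
    attacker_priority: int   # 1 (low value) .. 5 (high value to an attacker)
    remediation_effort: int  # 1 (config change) .. 5 (re-architecture)
    auto_fixable: bool = False


# Constructed findings, one per exposure the scan surfaced.
FINDINGS = [
    Finding("legacy.example.test", "Outdated web server with public exploit", 5, 5, 3, 2),
    Finding("www.example.test", "TLS certificate expires in 10 days", 1, 5, 1, 1, auto_fixable=True),
    Finding("dev-db.example.test", "PostgreSQL reachable from the Internet", 4, 5, 5, 2),
    Finding("legacy.example.test", "SSH permits password authentication", 3, 4, 3, 2, auto_fixable=True),
]


def enrich(scan, ownership):
    """Step 2: attach owner, purpose and criticality to each discovered asset."""
    inventory = {}
    for host, facts in scan.items():
        ctx = ownership.get(host, {"owner": "unassigned", "purpose": "unknown",
                                   "criticality": UNKNOWN_CRITICALITY})
        inventory[host] = {**facts, **ctx, "shadow_it": host not in ownership}
    return inventory


def score(finding, asset):
    """Step 3: impact (criticality x attacker value) times likelihood
    (exploitability + detectability). Higher means fix sooner."""
    impact = asset["criticality"] * finding.attacker_priority
    likelihood = finding.exploitability + finding.detectability
    return impact * likelihood


def prioritize(findings, inventory):
    """Step 3: rank by score, cheapest fix first on ties; flag tolerance breaches."""
    scored = [(f, score(f, inventory[f.asset])) for f in findings]
    scored.sort(key=lambda fs: (-fs[1], fs[0].remediation_effort))
    return [(f, s, s > RISK_TOLERANCE) for f, s in scored]


def diff_surface(previous, current):
    """Step 4: what changed since the last test? New hosts and newly open ports."""
    new_assets = sorted(h for h in current if h not in previous)
    new_ports = {}
    for host, facts in current.items():
        if host in previous:
            opened = sorted(set(facts["ports"]) - set(previous[host]["ports"]))
            if opened:
                new_ports[host] = opened
    return {"new_assets": new_assets, "new_ports": new_ports}


def route(prioritized, inventory):
    """Step 5: hand each finding to automation, the owning team, or to security
    operations when no owner is known (their first job is to find one)."""
    queue = []
    for finding, risk, over_tolerance in prioritized:
        asset = inventory[finding.asset]
        if asset["shadow_it"]:
            target = "security-ops"
        elif finding.auto_fixable:
            target = "automation"
        else:
            target = asset["owner"]
        queue.append((target, finding.title, risk, over_tolerance))
    return queue


if __name__ == "__main__":
    inv = enrich(CURRENT_SCAN, OWNERSHIP)
    print("changes since last test:", diff_surface(PREVIOUS_SCAN, CURRENT_SCAN))
    for target, title, risk, over in route(prioritize(FINDINGS, inv), inv):
        print(f"{risk:4d} {'!' if over else ' '} {target:13s} {title}")
```

The unowned database host ends up at the top of the queue even though its single finding is not the most exploitable one, because an asset nobody has classified is scored at the highest criticality until someone claims it; that is the "add context" step doing its work. The diff against the previous snapshot is what makes step 4 continuous: the new host and the newly opened port on the legacy server are reported as changes rather than rediscovered from scratch.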
What Are the Components of an Attack Surface Management Program?
An effective attack surface management strategy integrates various security technologies and functionalities to improve the solution’s efficiency and accuracy. When implementing an ASM program, you should consider the following elements.
Identifying and Prioritizing Assets
The first part of an attack surface management program is discovering the organization’s Internet-facing assets. Having a clear record of your assets is important for classifying each asset based on the risk level it presents to the business. One way to classify assets is to set risk tolerance statements and compare them to the risk level of each asset. The next step is to prioritize assets and implement the relevant controls and remediation policies based on individual asset risks.
Security Ratings
Security ratings allow organizations to monitor the health of their IT environments continuously. Knowing an ecosystem’s health is critical to the ASM program’s success. Full supply chain and network visibility enable businesses to identify vulnerabilities faster and minimize the IT attack surface.
Security ratings are also useful for continuously monitoring third-party environments. Managing third-party risks is essential when working with an external vendor because the vendor’s security vulnerabilities impact its customers. Security ratings help identify the security risks associated with your partners and vendors, enabling active management of each third party’s attack surface.
Segmenting the Network
Network segmentation allows administrators to control network traffic and protect assets more easily. Segmenting the network into separate, manageable parts also facilitates threat detection. It provides an added layer of network security, ensuring that attackers cannot traverse the network even if they manage to compromise one network segment.
Network segmentation often involves access controls restricting who can access each part of the network. This approach is important for implementing a zero trust security environment.
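One check a practitioner wants once zones and their access controls exist is whether the deployed rule set actually honours the segmentation policy. The following is an added example, not code from the original article or from any product: the address plan, the allowed inter-zone flows and the firewall rules are all constructed, and a real check would load them from the firewall's exported configuration. It flags every allow rule that lets traffic cross a zone boundary the policy does not permit.

```python
"""Check a constructed firewall rule set against a zone-segmentation policy.
Zones, allowed flows and rules are illustrative; the policy model (one port set
per ordered zone pair, intra-zone traffic out of scope) is an assumption.
"""
import ipaddress

ZONES = {  # constructed address plan
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("10.10.0.0/24"),
    "app":      ipaddress.ip_network("10.20.0.0/24"),
    "db":       ipaddress.ip_network("10.30.0.0/24"),
}
# Policy: which zone may initiate traffic to which zone, and on which ports.
ALLOWED_FLOWS = {
    ("internet", "dmz"): {443},
    ("dmz", "app"):      {8443},
    ("app", "db"):       {5432},
}
# Constructed rule set in the order the firewall evaluates it.
RULES = [
    {"src": "0.0.0.0/0",    "dst": "10.10.0.0/24", "port": 443,  "action": "allow"},
    {"src": "10.10.0.0/24", "dst": "10.20.0.0/24", "port": 8443, "action": "allow"},
    {"src": "10.20.0.0/24", "dst": "10.30.0.0/24", "port": 5432, "action": "allow"},
    # A DMZ host talking straight to the database tier bypasses the app zone.
    {"src": "10.10.0.5/32", "dst": "10.30.0.0/24", "port": 5432, "action": "allow"},
    # SSH from anywhere to an app server: the Internet zone may only reach the DMZ.
    {"src": "0.0.0.0/0",    "dst": "10.20.0.7/32", "port": 22,   "action": "allow"},
    {"src": "0.0.0.0/0",    "dst": "0.0.0.0/0",    "port": None, "action": "deny"},
]


def zone_of(cidr):
    """Most specific zone containing the prefix; 'internet' only when nothing
    narrower matches, since every prefix is a subnet of 0.0.0.0/0."""
    net = ipaddress.ip_network(cidr)
    best = None
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and (best is None or zone.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def violations(rules):
    """Allow rules that permit a cross-zone flow the policy does not list."""
    found = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        flow = (zone_of(rule["src"]), zone_of(rule["dst"]))
        if flow[0] == flow[1]:
            continue  # intra-zone traffic is outside this segmentation check
        if rule["port"] not in ALLOWED_FLOWS.get(flow, set()):
            found.append((flow, rule))
    return found


if __name__ == "__main__":
    for (src_zone, dst_zone), rule in violations(RULES):
        print(f"{src_zone} -> {dst_zone} on port {rule['port']}: {rule['src']} -> {rule['dst']}")
```

The check is deliberately policy-first: it reasons about zones, not addresses, so a single host-specific exception such as the `/32` rules above is caught just as well as a broad subnet rule. Running it on every rule-set change turns the segmentation described above from a one-time design decision into something continuously verified, which is the same posture the continuous-testing step asks for.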
Collecting Threat Intelligence
Security threat intelligence offers crucial visibility into an organization’s threat landscape, helping inform protection measures against potential and current attacks.
The insights from the security data collected by monitoring tools can help you identify exploitable network vulnerabilities and prioritize high-risk threats. Threat intelligence feeds can monitor cybercriminal activity, helping ensure your organization’s security levels are adequate.
Attack Surface Management with HackerOne
Visibility alone is not enough to minimize risk and resist attacks. Organizations need to know their attack surface. They need to risk-rank their assets based on how a bad actor would prioritize and execute their attacks.
HackerOne Assets blends intelligence from ethical hackers with asset discovery, continuous assessment, and process improvement to reduce risk across your ever-expanding digital landscape. You can identify, analyze, manage testing scopes, and track testing results in one place for a complete asset inventory.
Once identified, asset risk can be ranked, coverage gaps addressed, and remediation resources assigned. Our community of ethical hackers can enrich asset data to include technology mapping, enabling asset tracking and footprinting. With HackerOne Assets, organizations will know their attack surface and be armed to effectively resist attacks.
Learn more about HackerOne Attack Surface Management