Most IT admins know vulnerability management as that painful process of finding large numbers of vulnerabilities (CVEs) on your network and then trying to convince the powers-that-be to patch them.
So how does attack surface management differ from vulnerability management? Attack surface management (ASM) takes a broader view of vulnerabilities and also takes an adversarial vantage. From our earlier blog on ASM, below is a working definition of ASM.
What is Attack Surface Management (ASM)?
Attack surface management is the process of continuously discovering, identifying, remediating, and monitoring attack surfaces for exposures an attacker can exploit.
Discover means to find devices on the network.
Identify means to find exposures these devices may have.
Remediate means to correct the exposures, whether through reconfiguring, patching, or mitigating the cause of the exposure.
Monitor means to continuously surveil the network attack surface, like a radar sweep, for new devices and exposures.
Attack Surfaces to Manage
A good question to start with is: which surfaces need managing? We take an adversarial view of attack surfaces. If you want to know what surfaces to scan and manage, think like an adversary trying to break into a network and escalate privileges. Below are the attack surfaces adversaries focus on:
External: the internet-facing surfaces, including your domain server, web server, SSH and VPN services, and insecure protocols such as FTP, Telnet, RDP and others. In addition to software vulnerabilities, you also need to look for expiring SSL certificates and weak ciphers. This is also a good surface on which to check for weak domain email-authentication records, including DMARC and SPF, which protect others from misuse of your domain for phishing and spam. Pen testing your web services is also important, as web applications provide a rich, readily exploitable attack surface.
Cloud: your M365 and Google Workspace tenants are not only the hub of all your email, messaging, and document management, but also a rich attack surface for adversaries. Here you can examine: (1) who has super admin privileges, (2) which accounts are stale, (3) which accounts do not have multi-factor authentication (MFA), (4) when and where people are logging in from, (5) which third-party apps have been granted access to the tenant, (6) which documents have been shared with non-corporate accounts, and (7) dark web monitoring of user accounts. All of these can introduce risk for the organization if not properly set up, configured, or monitored.
Behind the firewall: these include all your company assets that connect to the network, including (1) endpoints, (2) servers, (3) routers, (4) smart TVs, (5) IP cameras and other IoT, (6) printers, (7) work-from-home machines, (8) Active Directory servers, and (9) cloud compute and storage services. Each of these devices is running some network services and possibly vulnerable software. Adversaries typically reach these devices from an initial compromised "beachhead" machine, then scan for further opportunities to pivot.
Taking a Risk Based Approach
One of the challenges with traditional vulnerability management approaches is that they produce large numbers of CVEs and then leave it up to the user to figure out what to do with all of them.
An ASM approach looks at the various attack surfaces from an adversarial vantage and then prioritizes based on the risk posed by each. For example, not having MFA enabled on accounts can pose a higher risk than an unpatched work-from-home endpoint. Likewise, configuring your DMARC correctly can stop bad actors from using your domain to execute phishing attacks against your employees.
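As an added illustration of the external-surface checks above (SPF and DMARC) and of risk-based prioritization, the following Python script is not ThreatMate's code; it grades constructed SPF and DMARC TXT records, turns the weak settings into severity-scored findings, and orders them highest-risk first. The severity numbers and the `Finding` structure are assumptions chosen for the example, and the sample records are constructed, not real DNS answers.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    surface: str       # which attack surface the exposure belongs to
    description: str
    severity: int      # assumed scale: 0 (informational) .. 5 (critical)

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per check
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_SEVERITY = {"+all": 5, "?all": 3, "~all": 1, "-all": 0}

def assess_spf(txt: str) -> list[Finding]:
    """Grade the domain's SPF TXT record; pass "" when none is published."""
    if not txt.lower().startswith("v=spf1"):
        return [Finding("external", "no SPF record published", 4)]
    findings, terms = [], txt.split()[1:]
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t)), None)
    if all_term is None:
        findings.append(Finding("external", "SPF has no 'all' mechanism (implicit neutral)", 3))
    else:
        qualifier = all_term if all_term[0] in "+-~?" else "+" + all_term
        if ALL_SEVERITY[qualifier]:
            findings.append(Finding("external", f"SPF ends in {qualifier}: unauthorised senders are not rejected", ALL_SEVERITY[qualifier]))
    lookups = sum(1 for t in terms if re.split(r"[:=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(Finding("external", f"SPF needs {lookups} DNS lookups (limit 10): receivers return permerror", 3))
    return findings

def assess_dmarc(txt: str) -> list[Finding]:
    """Grade the _dmarc.<domain> TXT record; pass "" when none is published."""
    if not txt.lower().startswith("v=dmarc1"):
        return [Finding("external", "no DMARC record: domain can be spoofed for phishing", 4)]
    tags = {k.strip().lower(): v.strip() for k, v in (kv.split("=", 1) for kv in txt.split(";") if "=" in kv)}
    findings, policy = [], tags.get("p", "none").lower()
    if policy == "none":
        findings.append(Finding("external", "DMARC policy is monitor-only (p=none): spoofed mail is still delivered", 3))
    elif policy == "quarantine":
        findings.append(Finding("external", "DMARC p=quarantine: spoofed mail goes to spam instead of being rejected", 1))
    if int(tags.get("pct", "100")) < 100:
        findings.append(Finding("external", f"DMARC pct={tags['pct']}: policy applied to only part of the mail", 2))
    if "rua" not in tags:
        findings.append(Finding("external", "no rua address: no aggregate reports to detect abuse", 1))
    return findings

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order exposures highest risk first, the order a remediation plan would follow."""
    return sorted(findings, key=lambda f: f.severity, reverse=True)

if __name__ == "__main__":
    spf = "v=spf1 include:_spf.example-mail.net a mx ?all"          # constructed sample
    dmarc = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"  # constructed sample
    for f in prioritize(assess_spf(spf) + assess_dmarc(dmarc)):
        print(f.severity, f.surface, f.description)
```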
At ThreatMate we derive risk-based scores for each of these attack surfaces and then create mission plans for addressing the highest-risk items that adversaries are most likely to exploit.
Get started on managing your attack surfaces before adversaries do!