External Attack Surface Management

If they make it inside, it’s too late.

Look Beyond Your Network Diagrams

In the salad days of the internet, we built virtual empires around some very basic technologies. A handful of Windows machines and a Microsoft SQL Server were enough to get you started. If you were really fancy, you were using Java with an Oracle server. Back then, you either owned it or you hosted it some place like Rackspace, and the only third party provider you needed to manage was Scene7, your rich media provider. Your firewall rules were simple and so was your vulnerability management.

However, that simple perimeter isn’t your perimeter anymore. Today your perimeter includes Facebook, YouTube, Google, Salesforce, and Cloudflare. You might have code from a dozen sources performing analytics, rich media delivery, video playback, support chat, reviews, CMS, and event handling. That handful of Windows boxes is likely to be virtual machines hosted in Amazon Web Services or containers in Google Kubernetes Engine. You can’t operate as a nice discrete island anymore, since everything is connected. This makes sense. A global economy requires global technology.

Understanding what impacts you now goes beyond simple asset management, which is probably a good thing because we weren’t all that great at asset management. Back in 2010, asset management was understanding what the server under the desk in IT was for, and calling the data center to tell them you would make the CD-ROM drive pop open on the system you wanted rebooted. Today the number one concern for CISOs is asset management, but asset management has become just one step in attack surface management.

Forrester defines attack surface management (ASM) as “the process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity’s IT asset estate.” Because the landscape has changed and we’re using systems and solutions hosted by third-party technology providers with security hygiene outside of our control, it’s important to re-evaluate our approach.

Scope Is Whatever They Can Use Against You

You know what hasn’t changed? Hackers. They may have improved their tactics, techniques, and procedures (TTPs), but their motivations remain the same. Their hacks are either opportunistic or targeted. By opportunistic I mean that sometimes your attack surface is so sloppy that they stumble across a way in without even really trying. The truth is, most organizations are seldom intentional targets. This is usually the case even with the most advanced persistent threats. Recognizing that attackers are looking for the easiest way in, it’s clear that far, far too much time and attention is given to arguing what’s in or out of scope. I understand that often the cost of an engagement is the driver of these discussions. Unfortunately, with an attack surface that has no clear delineations of responsibility, if you don’t at least include everything for discovery, you could be leaving a wide open hole into your network. The scope of any test should include anything they can use against you.

I’ll let you in on a little secret — I loved doing internal pentests. They’re so easy. I nearly always obtained control of the network. There are just too many moving parts for an organization to get a handle on, plus many of the technologies and network protocols have weaknesses built right into them. Bottom line is, if I’m in your network, it’s over. Your number one priority needs to be keeping me out.

What Have You Got To Fight With?

The fact that we continue to see large breaches in the news means that our existing tools are insufficient. Asset management has always been a challenge, but with the modern attack surface, it’s almost an exercise in futility. That leaves us with these tools in our kit:

  • Vulnerability Scanning
  • Phishing Tests
  • Annual Pentests
  • Automated Pentests
  • Expensive Pentests (Red Teams)
  • More Expensive Pentests (Adversarial Emulation)
  • Super Expensive Pentests (Adversarial Simulation)

Vulnerability scanning is usually performed at a high cadence, which is great, as you’ll be able to stay on top of an ever-evolving threat landscape. Phishing tests have questionable value and may do more damage to morale than desired. The annual pentest usually has so many restrictions and rules of engagement that it’s nothing like what might happen to you in a real-world attack. Automated pentests are awesome, except they lack the human intelligence necessary to catch attack sequencing and advanced business-logic attacks. Red Teams, Adversarial Emulations, and Adversarial Simulation attacks will help identify previously unknown attack vectors and provide deep insights, but they’re incredibly cost-prohibitive, can only be performed once a year, and only by organizations flush with cash.

This Little Hacker Went To Market

Forrester and Gartner identify EASM as an emerging product set that supports organizations in identifying risks coming from internet-facing assets and systems that they may be unaware of. These threats include shadow IT, exposure management, and expanding attack surfaces. They suggest that to stay ahead, organizations must think like an attacker and consider the entire attack surface. Much of the growing importance of EASM services can be attributed to major contributing factors like the need to support employees in work-from-home environments, the push to put everything into the Cloud, and the ever-increasing dependencies on third-party technology providers. You need to do more than vuln scan with a few tricks.

Introducing Halo Security’s EASM platform. We look for risks not detected by traditional vulnerability scanners. We combine Deep Discovery and Attack Surface Management with traditional scanning, and enhance our automation with integrated manual testing services. It’s an all-in-one platform that our customers use to get the best information available to efficiently manage all of their external risk!

Our online platform is ideal for the manager and C-level looking for deep insights into their risk of compromise and provides a dashboard view of their modern attack surface. It’s this information that can be used to make informed decisions on where to invest time and money in defensive measures.

For more information and to schedule a demo, go to: https://halosecurity.link/N9mMe

Joseph Pierini

A seasoned InfoSec leader, with a career spanning over 20 years. I have authored CVEs and 0-days and written the methodologies used in thousands of pentests.