Cymulate just announced the upcoming expansion of its Attack Surface Management (ASM) solution to combine external attack surface management (EASM) with cloud infrastructure discovery, cloud misconfiguration identification, network vulnerability scanning, Active Directory scanning, and attack path analysis in a single module. The ingested data is translated into a unique-to-Cymulate unified attack path mapping analysis (UAPMA).
The updated solution’s capabilities will enable at-a-glance visualization of threat exposures across multi-cloud and hybrid environments, including analyzing Azure, GCP, and AWS Cloud footprints for misconfigurations and remediable security concerns.
What is Attack Surface Management
According to NIST, ASM is “the set of points on the boundary of a system, a system element, or an environment [the assets] where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.”
Taking a Surface Management Holistic Approach
Most solutions in the market today focus on the attacker’s view, looking at the external attack surface. They emulate the reconnaissance phase of an attack, running a variety of scans to find the exposed assets that could be exploited to gain an initial foothold.
Internal discovery via authenticated scans simulates a post-breach situation. It is essential to complete the picture and to provide the information required for holistic visibility into an organization’s exposure.
Typical EASM and open-source tools extend vulnerability scanners but remain focused on the internet-facing assets of the network. Cloud Security Posture Management (CSPM) solutions focus on cloud infrastructure discovery and misconfiguration, and the more advanced ones can correlate their findings into an attack path. However, they are limited to cloud-hosted environments and do not address on-premises assets such as Active Directory. Hence, there is no unified solution in the market that analyzes the data collected from on-premises, hybrid, and different cloud infrastructures into a single attack path mapping.
What is a Unified Attack Path Mapping Process
The success criteria or the real value of this visibility is in the ability to support risk management decisions and tradeoffs. The key is connecting the dots.
A unified attack path mapping process integrates the findings of both external and internal (authenticated) scans, across all cloud and on-premises environments, into a single attack path map:
- EASM discovers the elements of the organization’s systems that could be used to attack it (servers, applications, services, cloud components, workstations, etc.).
- The internal authenticated scan identifies exploitable assets that an adversary could leverage to propagate from an initial foothold to the crown jewels.
The Cymulate vision for combining EASM, CSPM, and internal asset discovery into a unified attack path mapping and analysis process is to provide a predictive analysis of potential attack paths spanning all network and infrastructure components, from external assets to internal ones, including Active Directory. The analysis of the aggregated data contextualizes the risk posed by security gaps and evaluates the actual exposure they generate along the end-to-end attack paths. In other words, it verifies whether security controls are effectively detecting and alerting on each attack step.
If they are not, adjustments are needed, which requires identifying where fine-tuning configuration will be most effective and then validating that the reconfiguration has the desired effect.
Turning the Outcomes Into Actions Requires a Business Context
Detecting individual exposures, such as unpatched vulnerabilities, misconfigurations, and other security gaps, is only the first step in identifying where to focus limited remediation resources.
Mapping the potential path an attack could take through those uncovered security gaps is a revolutionary force multiplier. By connecting the dots, the unified attack path mapping process shows which specific combinations of inadequately defined permissions and identities, vulnerabilities, and unoptimized configurations open viable attack paths to the crown jewels.
Information security teams can then assess the risk and prioritize remediation efforts. Here is an example:
A vulnerability with a high CVSS score would be flagged for immediate patching by vulnerability scanners. It might, however, not be exploitable or even reachable (or it might be well protected), and therefore not pose an acute risk to the infrastructure.
By contextualizing uncovered exposures, UAPMA provides a validated evaluation of the actual risk factor attached to each uncovered security gap.
This enables remediation teams to zoom in on the most high-impact mitigation targets, which considerably accelerates security posture consolidation without additional resources.
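The prioritization idea described above (a finding matters when it sits on a viable path from the outside to a crown jewel, not merely because of its CVSS score) can be shown on a small asset graph. The following is an added example, not Cymulate's code or a description of how UAPMA is implemented: every asset name, finding id, score and control status is constructed for illustration. Each finding is an edge that lets an attacker move from one asset to another; a step is usable only if it is confirmed exploitable and no compensating control blocks it. Paths are enumerated from the external view to the crown jewels, findings are ranked by how many viable paths they sit on, and a second run shows what happens if a control that currently blocks a step were to fail (the "validate the reconfiguration" point made earlier).

```python
"""Attack path mapping over a constructed asset graph (illustrative only)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    """One security gap that lets an attacker move from `src` to `dst`."""
    fid: str
    src: str
    dst: str
    kind: str             # "vuln", "misconfig" or "permission"
    cvss: float
    exploitable: bool     # confirmed exploitable from `src`
    control_blocks: bool  # a compensating control blocks this step


EXTERNAL = "internet"          # the EASM view starts here
CROWN_JEWELS = {"customer-db"}  # hypothetical crown-jewel asset

# Constructed findings merged from an external scan, an internal authenticated
# scan and a cloud posture scan. All values are hypothetical.
FINDINGS = [
    Finding("F1", "internet", "web-01", "vuln", 9.8, True, False),       # exposed web-tier CVE
    Finding("F2", "internet", "vpn-gw", "vuln", 9.1, False, False),      # high CVSS, not exploitable
    Finding("F3", "web-01", "app-01", "misconfig", 6.5, True, False),    # over-permissive security group
    Finding("F4", "app-01", "customer-db", "permission", 5.0, True, False),  # app role can read DB
    Finding("F5", "web-01", "dc-01", "vuln", 8.8, True, True),           # step blocked by EDR policy
    Finding("F6", "dc-01", "customer-db", "permission", 7.0, True, False),
    Finding("F7", "bucket-01", "app-01", "misconfig", 7.5, True, False), # no inbound edge: unreachable
]


def usable(f: Finding) -> bool:
    """A step counts only if it is exploitable and not blocked by a control."""
    return f.exploitable and not f.control_blocks


def attack_paths(findings, start=EXTERNAL, targets=CROWN_JEWELS):
    """Enumerate simple paths (as tuples of finding ids) from start to any target."""
    by_src = {}
    for f in findings:
        if usable(f):
            by_src.setdefault(f.src, []).append(f)
    paths = []

    def dfs(node, visited, path):
        if node in targets:
            paths.append(tuple(path))
            return
        for f in by_src.get(node, []):
            if f.dst not in visited:  # simple paths only, no cycles
                dfs(f.dst, visited | {f.dst}, path + [f.fid])

    dfs(start, {start}, [])
    return paths


def prioritize(findings, paths):
    """Rank findings by the number of viable paths they sit on, then by CVSS.

    Returns (finding id, paths it lies on, cvss) tuples, highest priority first.
    """
    on_path = {}
    for p in paths:
        for fid in p:
            on_path[fid] = on_path.get(fid, 0) + 1
    ranked = sorted(findings, key=lambda f: (-on_path.get(f.fid, 0), -f.cvss))
    return [(f.fid, on_path.get(f.fid, 0), f.cvss) for f in ranked]


def paths_if_control_fails(findings, fid):
    """Re-map paths as if the compensating control on finding `fid` did not hold."""
    relaxed = [replace(f, control_blocks=False) if f.fid == fid else f for f in findings]
    return attack_paths(relaxed)


if __name__ == "__main__":
    paths = attack_paths(FINDINGS)
    print("viable paths:", paths)
    for fid, count, cvss in prioritize(FINDINGS, paths):
        print(f"{fid}: on {count} path(s), CVSS {cvss}")
    print("if the control on F5 fails:", paths_if_control_fails(FINDINGS, "F5"))
```

On the constructed data only one path reaches the database (F1, F3, F4), so the CVSS 5.0 permission finding F4 ranks above the CVSS 9.1 finding F2, which is not exploitable, and above F7, which no external path reaches. Relaxing the control on F5 exposes a second path through the domain controller, which is the kind of change a re-run after reconfiguration should catch.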
How does Cymulate UAPMA work?
Cymulate’s enhanced ASM module will combine internal and external ASM capabilities, integrate the results into a single unified attack path map, and then analyze the result.
The two arms of the enhanced ASM each cover specific capabilities, as follows:
- Internal ASM: an agent-based internal scanner (using the same agent as the Breach and Attack Simulation module, for customers already using BAS) that relies on asset discovery, vulnerability prioritization, and attack-pathing technologies to determine exactly where internal assets sit in the hybrid, cloud, or multi-cloud infrastructure, evaluate their vulnerability, identify vulnerabilities that are not protected by compensating security controls, and use attack mapping to attempt to reach the crown jewels.
- External ASM: an agentless scanner that scours the internet for exposed assets, relying on asset discovery and Cloud Security Posture Management (CSPM) technologies to identify external-facing assets and test their resilience to breach attempts.