What is Attack Surface Management (ASM)

Attack surface management is a relatively new technology that emerged to meet the security needs created by the evolving nature of external attack surfaces and by attackers' access to increasingly effective, automated reconnaissance tools. 

 

What is ASM?  

The short definition of Attack Surface Management (ASM) is that it is a process that continuously scans internal and external environments to exhaustively catalog all assets of an organization’s IT infrastructure. 

What sets ASM apart from plain asset discovery is that it adopts an attacker's perspective to cover all exposed assets, including those on the Internet and discoverable assets in supply chains. 

What Types of Assets are Uncovered Through ASM? 

The goal of ASM is to ensure that all assets, secure or insecure, known or unknown, are exhaustively listed and that the list is continuously updated so that asset monitoring can be comprehensive.  

Exposed assets uncovered through ASM include: 

  • Shadow and orphaned IT – covers a wide range of assets and practices, from employees' unapproved use of hardware or software to forgotten previous versions that were never fully decommissioned and could give an intruder an initial foothold. 
  • Active or inactive assets – classic asset discovery rarely misses active assets, but inactive ones can be forgotten across successive deployments. 
  • Managed and unmanaged devices – including employee-owned BYOD 
  • Rogue assets – assets created by malicious actors to impersonate your domains 
  • Hardware – including all devices, listed or unlisted, inherited through an M&A, as well as email servers, data storage centers, and more
  • Software – including unknown open-source components, public code repositories such as GitHub, APIs, web and mobile applications, and more 
  • SaaS-related and vendor-managed assets 
  • Leaked credentials 
  • Other  

Many of these assets can appear on the Internet at any time and are not covered by traditional firewalls or EDR services, which protect the hosts you already know about rather than enumerate the ones you do not. In other words, ASM discovers assets on the external attack surface that defensive tooling typically ignores. 

 

Why Do You Need ASM Today? 

The combination of technological change (such as increased reliance on external services), abrupt societal change (such as the massive move to work from home in the last two years), and the accelerating expansion of the threat landscape is the perfect mix for turning unknown assets into time bombs. 

While security teams still often focus on reducing the attack surface, without an adversary-based discovery process such as ASM the reduced surface still leaves out unknown assets. Attackers, on the other hand, have no qualms about using advanced reconnaissance tools that will uncover those overlooked exposed assets. 

 

What is Included in ASM Tools? 

Robust ASM tools provide a full range of services that include: 

  1. Discovery – the reconnaissance (recon) phase, during which the ASM tool takes the attacker's role and scans multiple sources for intelligence that could later be exploited: domains and sub-domains (checked for application and infrastructure vulnerabilities, web misconfigurations, and open ports); organizational, employee, and technical information that can be used in a social engineering attack or to gain illicit network access and an initial foothold; and any other exploitable intelligence an attacker could take advantage of.
  2. Findings classification – there are different ways of classifying uncovered assets and the severity of the exposure they generate. Cymulate's ASM uses the following classification categories:
    • Network level – firewall policies and network-level protocol findings
    • Server level – everything that can be considered infrastructure: the operating system, built-in administrative capabilities, and HTTP servers such as IIS and Apache
    • Service level – services installed on top of the infrastructure
    • Application level – web application and other custom application scanner findings
    • Data level – privacy-related and sensitive information disclosure findings
    • Policy level (Insights) – missing security controls rather than misconfigurations
  3. Report generation – once the uncovered assets have been classified, an ASM tool generates a report listing all uncovered assets, categorized and correlated with the type of risk they generate. 
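The three steps above (discovery, classification, report generation) as one small, runnable pipeline. This is an added example, not Cymulate's code, and every input is constructed inline: a DNS zone standing in for what the organization already knows, certificate-transparency-style SAN entries standing in for what an attacker can find externally, a port-scan result with service banners, and a placeholder list of banners the organization treats as out of support (a real tool would query vulnerability intelligence instead). The finding names and the category levels follow the page's own classification; host names, ports, banners, severities, and the rule set are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# --- Constructed inputs: not real hosts, scans, or advisories -------------

# Assets the organisation's own inventory already lists.
KNOWN_INVENTORY: Set[str] = {"www.example.com", "mail.example.com"}

# Constructed DNS zone: what the organisation knows about.
DNS_RECORDS: Dict[str, str] = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
}

# Constructed certificate-transparency SAN entries: a typical external source
# through which an attacker finds forgotten or unknown subdomains.
CT_SAN_ENTRIES: List[str] = [
    "www.example.com",
    "Staging-Old.example.com",  # forgotten previous version nobody decommissioned
    "*.example.com",            # wildcard: not a host by itself
    "vpn.example.com",
]

# Constructed port-scan output: host -> {port: service banner}.
SCAN_RESULTS: Dict[str, Dict[int, str]] = {
    "www.example.com": {80: "nginx/1.18.0", 443: "nginx/1.18.0"},
    "mail.example.com": {25: "Postfix", 587: "Postfix"},
    "staging-old.example.com": {22: "OpenSSH_7.4", 3306: "MySQL 5.7", 8080: "Apache/2.4.29"},
    "vpn.example.com": {443: "vpn-gateway"},
}

# Constructed policy list of banners the organisation treats as out of support.
# A real ASM tool would consult vulnerability intelligence here instead.
OUT_OF_SUPPORT_BANNERS: Set[str] = {"OpenSSH_7.4", "MySQL 5.7", "Apache/2.4.29"}

ADMIN_PORTS: Dict[int, str] = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}


@dataclass(frozen=True)
class Finding:
    name: str
    category: str   # one of the page's levels: Network, Server, Service, Application, Data, Policy
    severity: str
    asset: str
    status: str     # "new" if the asset is absent from the inventory, else "previously listed"


def discover_assets(dns: Dict[str, str], ct_entries: Iterable[str]) -> Set[str]:
    """Step 1, discovery: union what the org knows (DNS) with what an attacker
    can see externally (certificate SANs), normalised to lower case."""
    assets = set(dns)
    for san in ct_entries:
        san = san.strip().lower()
        if san.startswith("*."):      # wildcards do not identify a host
            continue
        assets.add(san)
    return assets


def classify_asset(host: str, ports: Dict[int, str], inventory: Set[str]) -> List[Finding]:
    """Step 2, classification: turn raw recon data into categorised, rated findings."""
    status = "previously listed" if host in inventory else "new"
    findings: List[Finding] = []
    if host not in inventory:
        # Policy level: a missing control (no inventory entry), not a misconfiguration.
        findings.append(Finding("Unmanaged Asset", "Policy level", "Medium", host, status))
    for port, banner in sorted(ports.items()):
        if port in ADMIN_PORTS:
            findings.append(Finding(f"{ADMIN_PORTS[port]} Exposed to Internet",
                                    "Service level", "High", host, status))
        if port == 80:
            findings.append(Finding("Cleartext HTTP Enabled", "Network level", "Low", host, status))
        if banner in OUT_OF_SUPPORT_BANNERS:
            findings.append(Finding("Vulnerable Software in Use", "Server level", "High", host, status))
    return findings


def build_report(assets: Set[str], scan: Dict[str, Dict[int, str]], inventory: Set[str]) -> dict:
    """Step 3, report generation: every finding, assets ranked by finding count
    (most findings first), and the breakdown by category, severity, and status."""
    findings: List[Finding] = []
    for host in sorted(assets):
        findings.extend(classify_asset(host, scan.get(host, {}), inventory))
    per_asset: Counter = Counter(f.asset for f in findings)
    for host in assets:               # assets with zero findings still belong in the report
        per_asset.setdefault(host, 0)
    ranked: List[Tuple[str, int]] = sorted(per_asset.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "assets": ranked,
        "findings": findings,
        "by_category": dict(Counter(f.category for f in findings)),
        "by_severity": dict(Counter(f.severity for f in findings)),
        "by_status": dict(Counter(f.status for f in findings)),
    }


if __name__ == "__main__":
    report = build_report(discover_assets(DNS_RECORDS, CT_SAN_ENTRIES), SCAN_RESULTS, KNOWN_INVENTORY)
    for host, count in report["assets"]:
        print(f"{count:2d} finding(s)  {host}")
    for f in report["findings"]:
        print(f"  [{f.severity:<6}] {f.category:<18} {f.asset:<26} {f.name} ({f.status})")
    print("by status:", report["by_status"])
```

The point the toy makes is the one the page makes: the host with the most findings (the forgotten staging box) is not in the inventory at all and only surfaces because the discovery step reads an external source the way an attacker would. The report ranks assets by finding count and carries per-finding status, category and severity, which is the same breakdown the dashboard views on this page display.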

Cymulate ASM solution also provides a dynamic interactive dashboard with a wealth of information accessible at a click. 

 

Cymulate ASM Dashboard 

ASM Dashboard

As you can see, Cymulate's ASM main dashboard provides a wealth of information at a glance: the overall security score (the higher the score, the higher the risk), the number of assets uncovered, the number of findings (each finding indicating a potential risk), the assets listed by type, and the distribution of findings by category, severity, or status (new, or previously listed). 

The information displayed combines purely informational data, such as the number and type of assets, with risk data, such as everything related to findings. 

Each asset or finding can be examined in more depth in the respective Assets or Findings tab. 

Viewing ASM results per Asset  

 

ASM Results

 

By default, assets are listed in decreasing order of the number of findings per asset, so the assets with the most findings appear on top and immediately draw attention to those needing action. 

Clicking on the number of findings corresponding to that asset displays the list of related findings in the Findings dashboard. 

Viewing ASM Results per Findings 

ASM Findings

 

You can reach the Findings dashboard pre-filtered by asset by clicking the findings number of that asset, or see all findings by clicking the Findings tab. 

Regardless of how you reach the Findings dashboard, the information about each finding includes its name (such as Vulnerable Software in Use, External Hosted JavaScript, or Low IP Reputation), its category, the affected asset, its risk severity, its status, the date it was first seen, the action you have chosen to take (Investigating, To Be Defined, or Irrelevant), and access to more information. 

Accessing More Info on the Findings

ASM More info findings

 

The More info dashboard provides in-depth information about the related finding, ranging from a generic description and a mitigating action recommendation to a list of evidence related to the finding, such as the related CVEs and more. 

Viewing the Asset Discovery Graph 

ASM Asset Discovery Graph 

 

ASM Results Chart

 

Unique to the Cymulate ASM dashboard, you can also visualize the discovery path, either globally or granularly. 

Watch the Cymulate ASM live demo, or see Cymulate ASM in action in your own environment by starting a free trial. 
