Strengthening Security with Attack Surface Management – Communications of the ACM
Corporate network breaches are not typically caused by the exploitation of zero-day vulnerabilities or the use of sophisticated hacker tools. Most breaches occur due to numerous minor perimeter vulnerabilities, such as unpatched servers, misconfigured databases, and uncontrolled shadow IT.
Identifying External Vulnerabilities Swiftly
Attack Surface Management is a relatively new approach, building upon an earlier development by engineers: a network infrastructure graph that illustrates the relationships between domains, IP addresses, server certificates, attackers, malware, and other digital entities across the global Internet.
Initially, the graph was developed for investigative purposes. For example, it allowed investigators to quickly visualize all relevant connections for a known domain used by attackers, including TTPs, command & control centers, IP addresses, and much more.
Today, Attack Surface Management solutions enable the collection of assets associated with a specific customer by leveraging data from the global graph. These assets are considered the attack surface, and the data is automatically updated in sync with the broader cyber intelligence graph.
Assets on the attack surface include anything accessible from the outside, such as domains, IP addresses, ports, server certificates, and login forms. At the same time, ASM is not concerned with the company’s internal infrastructure within its perimeter.
Imperfect Scanners and Human Oversight
Experience shows that attackers are generally not interested in targeting a company’s main domain, as it is likely well-protected, with up-to-date software and strong passwords in place.
It is much more appealing for attackers to probe subdomains listed in the DNS or a separate mail server in another domain, as non-core assets typically receive far less attention from administrators—sometimes none at all.
For a long time, vulnerability scanners were quite basic: administrators would input a list of domains and IP addresses for periodic scans. This approach works well for the first few months—the scanner identifies vulnerabilities, and the team addresses them.
However, as the organization grows, the process often goes undocumented, and people forget to update the scanner with information about new assets. As a result, the scanner shows that everything is fine and everyone is satisfied—until an incident occurs. During the investigation, it becomes clear that the addresses of the new assets were never added to the scanner, leaving them in the shadows.
Although scanners have evolved rapidly in recent years, some tasks remain unsolvable for them—particularly in cloud defense environments. Attack Surface Management systems can automatically discover new assets and supplement scanners with this information via API.
This approach is much more resilient to human error. An additional advantage provided by Attack Surface Management is its ability to gather information on data leaks, mentions on the Dark Web, and malware—insights that regular scanners cannot collect. This information comes from the Threat Intelligence cyber reconnaissance system’s database.
If ASM detects a new domain or subdomain associated with a specific client, it suggests adding these assets to the attack surface under investigation.
The company can choose to either ignore the new assets or, alternatively, confirm their importance and include them in the designated section of the overall graph. If confirmed, Attack Surface Management will conduct a more in-depth investigation of these assets.
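The coverage gap described in this section can be computed directly. This is an added example, not code from the article or from any ASM product. It compares a discovered asset list against a scanner's target list, and the function names and sample assets are constructed for illustration.

```python
import ipaddress

def norm(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.strip().lower().rstrip(".")

def parse_targets(lines):
    """Split scanner targets into IP networks and exact hostnames."""
    nets, names = [], set()
    for line in lines:
        t = norm(line)
        if not t:
            continue
        try:
            nets.append(ipaddress.ip_network(t, strict=False))
        except ValueError:
            names.add(t)
    return nets, names

def is_covered(asset, nets, names):
    try:
        ip = ipaddress.ip_address(asset)
    except ValueError:
        # A hostname target covers only itself: listing example.com
        # does not put dev.example.com in front of the scanner.
        return asset in names
    return any(ip.version == n.version and ip in n for n in nets)

def uncovered(discovered, scanner_targets):
    """Assets seen from outside that the scanner was never told about."""
    nets, names = parse_targets(scanner_targets)
    assets = {norm(a) for a in discovered}
    return sorted(a for a in assets if not is_covered(a, nets, names))

# Constructed sample data (documentation address ranges and example domains).
SCANNER_TARGETS = ["example.com", "www.example.com", "192.0.2.0/28", "198.51.100.7"]
DISCOVERED = ["www.example.com", "Dev.Example.com.", "192.0.2.5",
              "192.0.2.77", "198.51.100.7", "mail.example.org"]

if __name__ == "__main__":
    for asset in uncovered(DISCOVERED, SCANNER_TARGETS):
        print("not in scanner scope:", asset)
```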
Improving Relevance Throughout Pilot Phase
For Attack Surface Management, the issue of false positives is typically only relevant during the pilot phase. Two common scenarios can arise.
The first scenario occurs when Attack Surface Management displays assets that are no longer relevant to the customer. For example, a subsidiary may have split from the company, and part of the original infrastructure no longer belongs to them. During the pilot phase, the exact perimeter of interest is determined in collaboration with the client. After several iterations, Attack Surface Management refines its results to show only what the customer expects.
The second scenario relates to the varying levels of problem criticality for different companies. For some, the absence of a DMARC record for a domain is seen as a major issue, while others may have never considered it at all. This is not a false positive in the strictest sense, but for Attack Surface Management to function accurately and autonomously—without requiring an expert to manually verify results—developers may need to adjust the algorithms based on client requests.
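The DMARC check mentioned above, together with its SPF counterpart, sketched as an added example that is not from the article or any ASM product. It goes slightly beyond bare absence by also flagging records that exist but enforce nothing. The TXT answers are constructed and stand in for live DNS lookups, and the issue labels are hypothetical.

```python
# Constructed TXT answers keyed by query name (not real DNS data).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "mail.example.org": ["site-verification=constructed", "v=spf1 ip4:192.0.2.10 +all"],
    "_dmarc.mail.example.org": ["v=DMARC1; p=none"],
    "legacy.example.net": [],
}

def spf_issues(txt_records):
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["spf-missing"]
    if len(spf) > 1:
        return ["spf-multiple-records"]  # RFC 7208 treats this as a permanent error
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        # No "all" and no redirect: unmatched senders get a neutral result.
        return [] if any(t.startswith("redirect=") for t in terms) else ["spf-no-all"]
    # Mechanisms are evaluated left to right, so the first "all" decides.
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    return ["spf-permissive-all"] if qualifier in "+?" else []

def dmarc_issues(txt_records):
    dmarc = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return ["dmarc-missing"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return ["dmarc-invalid-policy"]
    return ["dmarc-policy-none"] if policy == "none" else []

def check_domain(domain, txt=SAMPLE_TXT):
    # Simplification: the DMARC fallback to the organizational domain is not modelled.
    return spf_issues(txt.get(domain, [])) + dmarc_issues(txt.get("_dmarc." + domain, []))

if __name__ == "__main__":
    for d in ("example.com", "mail.example.org", "legacy.example.net"):
        print(d, check_domain(d) or "ok")
```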
Vulnerability Prioritization
Vulnerabilities are typically prioritized into four levels: critical, high, medium, and low. Each category has its own criteria. For example, vulnerabilities with a score above eight are classified as critical. Issues related to SPF and DMARC records are classified as high, as many attacks now involve email spoofing, which SPF records in DNS are designed to prevent.
The same vulnerability can have different levels of criticality depending on the infrastructure. Work is currently underway to implement a tagging system in ASM systems, allowing companies to customize vulnerability criticality levels. For example, if an expiring SSL certificate is critical for a particular company, they will be able to mark it accordingly.
A robust Attack Surface Management system includes a special module that automatically marks identified issues as resolved. For example, if a vulnerability is detected, and the customer updates the software, the problem will be marked as resolved if it does not reappear within the next three days.
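The prioritization rules and the three-day auto-resolve described in this section, as an added example that is not any ASM product's code. The finding fields, kind labels and sample data are constructed, the medium/low boundary is an assumption because the article does not give one, and leaked credentials are held out of auto-resolve as a modelling choice, since their validity cannot be re-checked by a scan.

```python
from datetime import datetime, timedelta

RESOLVE_AFTER = timedelta(days=3)      # not seen again for three days -> resolved
MANUAL_ONLY = {"leaked-credentials"}   # validity cannot be verified; customer closes these
EMAIL_AUTH = {"spf-missing", "dmarc-missing"}

def severity(finding, customer_tags):
    """Return critical/high/medium/low; a customer tag overrides the default."""
    if finding["kind"] in customer_tags:
        return customer_tags[finding["kind"]]
    score = finding.get("score")
    if score is not None and score > 8:
        return "critical"
    if finding["kind"] in EMAIL_AUTH:
        return "high"
    # Assumption: the article gives no medium/low boundary; 4 is illustrative only.
    return "medium" if score is not None and score >= 4 else "low"

def reconcile(open_findings, seen_now, now):
    """seen_now: set of (asset, kind) pairs observed in the latest scan."""
    still_open, resolved = [], []
    for f in open_findings:
        if (f["asset"], f["kind"]) in seen_now:
            f = {**f, "last_seen": now}          # reappeared: restart the clock
        expired = now - f["last_seen"] >= RESOLVE_AFTER
        if expired and f["kind"] not in MANUAL_ONLY:
            resolved.append(f)
        else:
            still_open.append(f)
    return still_open, resolved

# Constructed sample data.
NOW = datetime(2025, 1, 10, 12, 0)
FINDINGS = [
    {"asset": "vpn.example.com", "kind": "outdated-software", "score": 9.1,
     "last_seen": NOW - timedelta(days=4)},
    {"asset": "mail.example.org", "kind": "dmarc-missing", "score": None,
     "last_seen": NOW - timedelta(days=5)},
    {"asset": "shop.example.com", "kind": "certificate-expiring", "score": None,
     "last_seen": NOW - timedelta(days=1)},
    {"asset": "example.com", "kind": "leaked-credentials", "score": None,
     "last_seen": NOW - timedelta(days=30)},
]
SEEN_NOW = {("mail.example.org", "dmarc-missing")}
TAGS = {"certificate-expiring": "critical"}

if __name__ == "__main__":
    still_open, resolved = reconcile(FINDINGS, SEEN_NOW, NOW)
    for f in still_open:
        print("open    ", severity(f, TAGS), f["asset"], f["kind"])
    for f in resolved:
        print("resolved", f["asset"], f["kind"])
```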
The situation is more complex with accounts discovered in data leaks, as Attack Surface Management cannot legally verify whether the leaked login and password pair is still valid. Therefore, it is up to the customer to address and resolve such issues.
It is important to understand that Attack Surface Management is not a strict overseer demanding all issues be resolved. Instead, it is a tool designed to help specialists prioritize what requires their attention.
Key Scenarios for Using ASM
Attack Surface Management becomes essential when an administrator cannot precisely identify the number of IP addresses and subdomains under their management. If the infrastructure consists of just two IP addresses and three domains that can be easily listed, manual checks may be faster and more cost-effective. However, as soon as uncertainty arises—whether there are 45 or 46 domains—Attack Surface Management becomes necessary.
Once a company begins using Attack Surface Management, there are two further paths. The first involves focusing on external data, such as leaks, malware, and Dark Web activity. These insights come from the threat intelligence modules. If a company is interested in strengthening its defense against external threats—those outside its network—this direction provides valuable protection.
The second path arises when a company has sufficient information about external assets and wants to monitor what is happening within its perimeter. In this case, Managed Extended Detection and Response (MXDR) becomes the appropriate solution.
Occasionally, a third scenario emerges—when a company believes it has addressed all vulnerabilities and requests an audit to verify the strength of its defenses. This audit approach is typical of highly mature organizations and requires thorough preparation.
The Future of ASM Systems
I see two paths for the development of Attack Surface Management systems. The first path is where the ASM system is automated, but a vendor-side analyst is involved in preparing reports, providing recommendations, or conducting their own analysis. This approach yields more in-depth results, but it takes longer to prepare and is more costly.
The second path focuses on full automation. All available vulnerability scanners are integrated into a single system, operating entirely without human intervention. The goal of this approach is to accelerate the process, making it more reliable and less dependent on human oversight. Which of these approaches will prove to be more effective and convenient for clients remains to be seen.
Conclusion
The first step a company can take to enhance its security without spending excessive money or resources is to implement an Attack Surface Management system. ASM solutions are suitable for companies of any size and industry. They strengthen the expertise of the company’s specialists and save time by streamlining the detection and remediation of potential vulnerabilities and cyber threats.
Alex Vakulov is a cybersecurity researcher with more than 20 years of experience in malware analysis and strong malware removal skills.