External Attack Surface Management

Aruneesh Salhotra
October 13, 2023

External Attack Surface Management (EASM) is the continuous process of identifying unknowns, then discovering, analyzing, remediating, and monitoring the attack vectors of an organization's external attack surface. That attack surface is the set of cybersecurity vulnerabilities and potential attack vectors an organization exposes to the outside world. The goal of an EASM solution is to uncover threats that are difficult to detect (for reasons such as shadow IT), so you can better understand your organization's true external attack surface.

The shift to the cloud and the democratization of IT have posed new challenges for organizations. Organizations can have blind spots and limited visibility into their shadow IT and into which assets are exposed to the Internet. Trying to map the external attack surface with the visibility provided by traditional tools is almost impossible.

The external attack surface is not limited to your externally facing web applications or APIs exposed to the internet. It may very well include your source code hosted on SaaS SCMs (GitLab, GitHub, Bitbucket, etc.), your secrets, your infrastructure, and your partners. Any effective EASM solution should help you identify misconfigurations in cloud or on-premises infrastructure and in source code, identify software vulnerabilities, and continuously discover shadow IT.

In today's fast-paced business environment, companies need to be able to quickly respond to changing market conditions and customer needs. Businesses need to be able to quickly scale their operations up or down in response to changing business needs. Additionally, the COVID-19 pandemic highlighted the importance of remote work and digital transformation for businesses. Cloud computing enables remote work and collaboration, allowing employees to access data and applications from anywhere, on any device, with an internet connection.

Cloud computing has brought new challenges to organizations because it has introduced new technologies and platforms that organizations may not be familiar with. These technologies and platforms may have different security risks and require different security controls compared to traditional on-premises systems.

So, what is Shadow IT and why is it a security concern?

Shadow IT refers to the use of technology solutions, software, or services by employees within an organization without the knowledge, approval, or control of the organization's IT department. Shadow IT can occur when employees use personal devices, cloud services, or third-party applications that are not sanctioned by the organization's IT policies. This can lead to potential security risks, data breaches, and compliance violations since the IT department may not have visibility or control over these technologies.

Shadow IT can be a significant security concern for several reasons:

  1. Lack of control and visibility: When employees use unauthorized technology solutions, it can be challenging for the IT department to maintain control and visibility over the organization's data and systems. This can make it difficult to enforce security policies and procedures, which can increase the risk of security breaches and data leaks.
  2. Unknown security risks: Many shadow IT solutions may not have undergone the same security checks and assessments as the authorized solutions, which can make them vulnerable to security risks. These risks may include malware, phishing attacks, or other cyber threats that can compromise the confidentiality, integrity, and availability of an organization's data.
  3. Compliance violations: Shadow IT solutions may not comply with the organization's regulatory and legal requirements, such as data privacy laws or industry-specific regulations. This can expose the organization to legal and financial risks and damage its reputation.
  4. Integration challenges: Shadow IT solutions may not be compatible with the organization's existing technology infrastructure, which can lead to integration challenges and inefficiencies.

Trends and Reports

  • The latest data breach report by Verizon indicates that 70% of attacks are perpetrated by external threat actors. These attackers find and exploit weak points in the network perimeter that companies leave unprotected.
  • In 2016 Gartner predicted that by 2020, 30% of successful attacks experienced by enterprises would be on their shadow IT resources. Our recent analysis indicates that around 38% of successful attacks in 2019 were the result of shadow IT, misconfiguration, and unknown exposures to the internet that could have been avoided if organizations had better visibility of their attack surface.
  • According to Randori’s State of Attack Surface Management 2022 report, 67 percent of organizations have seen their attack surfaces expand in the past 12 months, and 69 percent have been compromised by an unknown or poorly managed internet-facing asset in the past year. (Randori is a subsidiary of IBM Corp.)
  • Industry analysts at Gartner named attack surface expansion a top security and risk management priority for CISOs in 2022.

Overall, shadow IT can undermine an organization's security posture and increase the risk of cyberattacks and other security incidents. As such, organizations need to develop policies and procedures to manage and mitigate the risks associated with shadow IT.

According to the article "What is attack surface management?" published by IBM:

Traditional asset discovery, risk assessment and vulnerability management processes, which were developed when corporate networks were more stable and centralized, can't keep up with the speed at which new vulnerabilities and attack vectors arise in today's networks. Penetration testing, for example, can test for suspected vulnerabilities in known assets, but it can't help security teams identify new cyber risks and vulnerabilities that arise daily.

The first step toward protecting the organization is visibility. One of the key pillars of visibility is discovering the unknowns and building the organization's asset inventory. Organizations should then rank their risks based on how a threat actor (adversary) would prioritize and execute their attacks. (Think Red Team.)

Key Attributes of an EASM Solution

With any reasonable EASM solution, one will be able to:

  • Discover all your domains, subdomains, and subsidiaries, and the assets associated with them
  • Discover unexpected open ports, certificates, and applications running on exposed assets
  • Identify SSL weaknesses and certificate expiration
  • Identify potential vulnerabilities and weaknesses in exposed assets
  • Provide an option to add or remove entire domains or certain IPs
  • Break down the inventory based on different business units, regions, countries, or service types
  • Provide actionable remediation and common workflow integrations to help reduce, mitigate, or reprioritize the risk
  • Integrate with ticketing systems like JIRA or ServiceNow, or notification systems like a Slack channel

Business context and intelligent prioritization help organizations and security teams focus on the most critical risks to the network. This functionality should also be leveraged during M&A (mergers and acquisitions) to understand the risk each target company presents.
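As an added illustration (not code from the article or from any EASM product), the following Python script shows the inventory reconciliation and prioritization pattern behind the capabilities listed above: it takes certificate data in the shape Python's `ssl` module returns from `getpeercert()`, compares the names each certificate covers against a hypothetical approved-asset inventory to surface candidate shadow IT, flags expired or soon-expiring certificates, tags each finding with its business unit, and ranks the results. The hostnames, business units, dates, and the `APPROVED_ASSETS` inventory are all constructed sample values.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data (not from the article): certificate dicts in the
# shape ssl.SSLSocket.getpeercert() returns, keyed by the host they were seen on.
OBSERVED_CERTS = {
    "www.example.com": {
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "api.example.com")),
        "notAfter": "Jan 05 12:00:00 2024 GMT",
    },
    "legacy.example.com": {
        "subjectAltName": (("DNS", "legacy.example.com"), ("DNS", "staging-old.example.com")),
        "notAfter": "Oct 20 00:00:00 2023 GMT",
    },
    "old-portal.example.com": {
        "subjectAltName": (("DNS", "old-portal.example.com"),),
        "notAfter": "Sep 30 00:00:00 2023 GMT",
    },
}
# Hypothetical sanctioned inventory: hostname -> owning business unit.
APPROVED_ASSETS = {"www.example.com": "Web", "api.example.com": "Platform",
                   "legacy.example.com": "Finance"}
AS_OF = datetime(2023, 10, 13, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible
SEVERITY_RANK = {"high": 0, "medium": 1}

def days_until_expiry(cert, now=AS_OF):
    """Days left on the certificate; negative once it has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def dns_names(cert):
    """Hostnames the certificate is valid for, taken from its SAN extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def assess(certs=OBSERVED_CERTS, approved=APPROVED_ASSETS, now=AS_OF, warn_days=30):
    """Prioritized findings: expired/expiring certificates and names missing from the inventory."""
    findings = []
    for host, cert in certs.items():
        unit = approved.get(host, "unknown")
        left = days_until_expiry(cert, now)
        if left < 0:
            findings.append({"asset": host, "unit": unit, "severity": "high",
                             "issue": f"certificate expired {-left} days ago"})
        elif left <= warn_days:
            findings.append({"asset": host, "unit": unit, "severity": "medium",
                             "issue": f"certificate expires in {left} days"})
        for name in dns_names(cert):
            if name not in approved:  # a name nobody in the inventory claims: candidate shadow IT
                findings.append({"asset": name, "unit": "unknown", "severity": "high",
                                 "issue": f"not in approved inventory (seen on {host})"})
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["asset"]))

if __name__ == "__main__":
    for f in assess():
        print(f"[{f['severity']:6}] {f['unit']:8} {f['asset']}: {f['issue']}")
```

In practice the `OBSERVED_CERTS` dict would be filled from live `getpeercert()` calls against the discovered hosts, and `APPROVED_ASSETS` from the CMDB or asset inventory.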

In summary, external attack surface management (EASM) solutions are designed to quantify the attack surface and minimize and harden it. Protecting the external attack surface is crucial to safeguarding digital assets and maintaining organizational security against malicious actors.

Fractional CISO, SNM Consulting Inc.