How to Use Attack Surface Management for Continuous Pentesting
By: Jake Reynolds
Table of Contents
- What is Attack Surface Management?
- How Attack Vectors and Attack Surfaces are Related
- Drilling Down on External Attack Surface Management
- The Rising Need for Attack Surface Monitoring
- Using an Attack Surface Assessment as a Starting Point
- The Adoption of Continuous Pentesting
- 3 Tips to Improve Your Attack Surface Management Strategy
- 3 Must-Have Features in Attack Surface Management Tools
- Quick Guide to Researching Attack Surface Management Vendors
- Streamline Risk Remediation with NetSPI’s Attack Surface Management
Attack surface expansion is a byproduct of doing business today, especially for enterprises that rely on the cloud. As businesses adapt and scale, the assets and platforms they use inevitably grow and change. This can result in attack surface exposures, both known and unknown, giving malicious actors many pathways to gain entry to networks.
One key to adding offensive security to your strategy is to avoid the unmanaged sprawling of attack surfaces. Pentesting is a widely accepted method to discover vulnerabilities and prioritize remediation, but the value of a pentest can be amplified further with continuous pentesting. This is where Attack Surface Management (ASM) comes in.
ASM complements pentesting because it brings an always-on approach to discovering attack surface exposures, validating the impact, and prioritizing updates. ASM shines a light on assets that were previously unknown and incorporates them into pentests as well. Companies are increasingly using Attack Surface Management to bridge the gap between vulnerability management tools and manual penetration testing.
Whether your organization is starting to explore ASM, or you’ve established an offensive security strategy with a custom mix of tactics and technology, this guide to moving toward continuous pentesting with Attack Surface Management will equip security teams with an understanding of how to take vulnerability risk management practices to the next level.
What is Attack Surface Management?
Attack surface management (ASM) provides continuous discovery, inventory, testing, and prioritization of known and unknown assets and exposures on global external attack surfaces. In the last three years the industry has agreed on the term “attack surface management” as an all-encompassing description for tools used to discover an organization’s digital footprint.
The best ASM tools today go beyond delivering a high volume of alerts to sort through, and instead reduce the workload of internal security teams by prioritizing risk response decisions. This not only maximizes the value of resources, but it also brings greater alignment between IT and security teams for a comprehensive offensive security strategy.
Forrester defines ASM as, “the process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity’s IT asset estate.”
Let’s clarify exposures and assets through examples:
- Exposures include internet-facing ports, SSL certificates, and applications. Exposures may pose cybersecurity risk to your organization.
- IT assets include IP addresses, domain names, subdomain names, software, cloud-based workloads, user accounts, and IoT devices.
Tip: Core to the success of any cybersecurity program is first to understand the external attack surface of the organization, so you can manage it.
Attack surface management is a complex area that spans several cybersecurity domains, including:
- Digital asset discovery and identification
- Attack surface monitoring
- Data leakage detection
- Digital footprint management
- Digital risk monitoring
- External attack surface management
In Contrast, What ASM is Not
To better understand what attack surface management is, let’s exclude what external attack surface management is not:
| What ASM is Not | In Contrast, ASM |
| --- | --- |
| A stand-alone, siloed service or technology | Integrates into security processes, DevSecOps, pentesting services, messaging systems, and ticketing systems to enrich other security services |
| A voluminous list of unverified vulnerabilities produced by scanner technology | Drives action with verified, prioritized alerts |
| A configuration management database | Pushes enriched data to improve IT security practices overall |
| A replacement for vulnerability management tools and manual penetration testing | Fills the security gap between vulnerability management tools and manual pentesting for continuous pentesting |
How are Attack Vectors and Attack Surfaces Related?
Attack vectors are entry points into an organization’s network. All the attack vectors combined make up an attack surface. Two major types of attack surfaces are digital and physical. An enterprise attack surface typically includes a mix of both of these. Many other types of attack surfaces exist, but we’ll focus on managing external attack surfaces because they are the most lucrative area for threat actors to focus on.
“Sixty-nine percent of organizations admit they had experienced at least one cyberattack that started through the exploit of an unknown or unmanaged internet-facing asset, including software, cloud-based workloads, user accounts, and IoT devices.” – SC Magazine, 2021
Definition of External Attack Surface
An external attack surface comprises all public-facing digital assets and exposures across an enterprise, such as cloud accounts, websites, IP addresses, domain names, servers, networks, applications, Internet of Things (IoT) and operational technology (OT) devices, credentials, and third-party services. The size of an organization’s external attack surface varies depending on the size of the business and its technology stack.
Companies that experience mergers and acquisitions are specifically susceptible to unmanaged external attack surfaces that may pose security gaps. The security of an organization is largely unknown until integration begins. Combining divergent systems without having a full understanding of the acquired company’s security posture results in an opportunity for attackers to gain entry to larger systems.
ASM is gaining adoption as part of a larger offensive security strategy because breaches can be traced back to a baseline vulnerability in an unmanaged attack surface, as opposed to a sophisticated threat actor. External attack surface management equips teams with continuous monitoring of known and unknown assets for potential exposures.
Tip: Subsidiaries gained through mergers and acquisitions can expose global organizations. Attack surface management identifies which legal entities expose your global organization to the most risk.
Drilling Down on External Attack Surface Management
External attack surface management (EASM) provides an outside-in view across an organization’s attack surface to reveal assets and exposures. Focusing on external attack surfaces brings the greatest security value to organizations quickly because of the sprawling growth of external attack surfaces.
In theory, anyone can access your attack surface anywhere, anytime, making the external attack surface the best area of focus. EASM officially became a market category in 2021 with its ability to shine a light on unknown attack surfaces. ASM vendors such as NetSPI added the capability to feed scan results into already established security workflows to prioritize assets and remediate vulnerable exposures.
EASM is one aspect of defense in depth that feeds into a larger vulnerability management program. As the lines are blurred between EASM, cyber asset attack surface management (CAASM), and security risk rating services, the question is less about ‘Which strategy do we need?’ and more about ‘Which mix of security strategies are right for our business?’.
“EASM is an emerging product set that supports organizations in identifying risks coming from internet-facing assets and systems that they may be unaware of.” – Gartner®, Emerging Technologies: Critical Insights for External Attack Surface Management
The Rising Need for Attack Surface Monitoring
Staying on top of a changing external attack surface requires vigilance. Market drivers that led to the rise of attack surface management include rapid business expansion into the cloud, the pace at which applications are developed and deployed, continued mergers and acquisitions resulting in unknown, unmanaged attack surfaces, and increasing remote work models.
These trends result in a high volume of new exposures on external networks. The IT team is responsible for managing all IT assets, regardless of whether they are known or unknown, while security must understand and communicate the business risk of every exposure. Attack surface monitoring helps IT and security teams inform risk response decisions and prioritize their workloads for vulnerability remediation.
“On average, attack surface management tools initially discover 30% more cloud assets than security and IT teams even know they have. Simply put, you can’t secure what you can’t see.” – Forrester, Find and Cover Your Assets With Attack Surface Management
Key Functions of Attack Surface Management
- Prioritize vulnerabilities based on business risk
- Identify gaps in external attack surface visibility
- Discover known and unknown assets, systems, and shadow IT
- Assess merger and acquisition (M&A) and subsidiary risk globally
- Continuous observability and risk management
- Identification of external gaps in visibility
- Risk-based vulnerability prioritization
Using an Attack Surface Assessment as a Starting Point
Every ASM engagement starts with a baseline attack surface analysis to map the scope of an organization’s attack surface. This is done by providing an ASM vendor with known domains and IP addresses.
Attack surface visualization is just the start. The next step is to understand the business risk of your exposures. Data analysis of an attack surface assesses whether an exposure is risky and whether an asset is vulnerable or behaving abnormally. Automated asset detection tools that are part of modern offensive security strategies today enable organizations to:
- Track and trend data over time to measure the impact of the attack surface management program.
- Identify a broad spectrum of information, such as domains, DNS records, IP addresses, ports, products, and certificates for every IT asset.
- Group related assets together to create a risk view of the attack surface that enables prioritization.
- Investigate global attack surface for outliers and all ports exposed to the internet.
ASM platforms including NetSPI’s may have the ability to check other parts of the internet for related entities to identify unknown assets as well. When this analysis is paired with human evaluation, vulnerabilities are accurately prioritized to only deliver relevant alerts about what to address/fix on an organization’s attack surface.
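The assessment steps above (baseline from known domains and IPs, tracking changes over time, grouping related assets, flagging internet-exposed ports) can be reduced to a small inventory diff and ranking routine. The following is an added illustration, not NetSPI’s platform or code; the hostnames, IPs, port lists and scoring weights are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    """One internet-facing host as recorded by a discovery scan."""
    hostname: str
    ip: str
    ports: frozenset
    cert_expires: date


# Assumption for this example: ports whose exposure to the whole internet is
# triaged first (remote management and database services).
MANAGEMENT_PORTS = {22, 3389, 5900}
DATABASE_PORTS = {3306, 5432, 27017, 6379}
TODAY = date(2024, 10, 1)  # constructed "scan date" for the cert check

# Constructed sample data: the baseline built from the domains and IPs the
# organization supplied, and a later discovery run.
BASELINE = {
    Asset("www.example.com", "203.0.113.10", frozenset({80, 443}), date(2025, 6, 1)),
    Asset("mail.example.com", "203.0.113.20", frozenset({25, 443}), date(2025, 6, 1)),
}
LATEST = {
    Asset("www.example.com", "203.0.113.10", frozenset({80, 443}), date(2025, 6, 1)),
    Asset("mail.example.com", "203.0.113.20", frozenset({25, 443, 3389}), date(2025, 6, 1)),
    # A host on a subsidiary domain the baseline never listed (an unknown asset).
    Asset("dev.acquired-sub.example", "198.51.100.5", frozenset({22, 5432}), date(2024, 1, 15)),
}


def apex_domain(hostname: str) -> str:
    """Group related assets by their registrable domain (last two labels)."""
    return ".".join(hostname.split(".")[-2:])


def unknown_assets(baseline, latest):
    """Assets present in the latest scan but absent from the known inventory."""
    known = {a.hostname for a in baseline}
    return {a for a in latest if a.hostname not in known}


def newly_exposed_ports(baseline, latest):
    """Ports opened since the baseline on hosts that were already known."""
    before = {a.hostname: a.ports for a in baseline}
    return {a.hostname: a.ports - before[a.hostname]
            for a in latest if a.hostname in before and a.ports - before[a.hostname]}


def score_asset(asset, is_unknown, new_ports, today):
    """Rank one asset; higher means review sooner. Weights are illustrative."""
    score, reasons = 0, []
    if is_unknown:
        score, reasons = score + 3, reasons + ["unknown asset"]
    for p in sorted(asset.ports & MANAGEMENT_PORTS):
        score, reasons = score + 3, reasons + [f"management port {p} exposed"]
    for p in sorted(asset.ports & DATABASE_PORTS):
        score, reasons = score + 4, reasons + [f"database port {p} exposed"]
    if new_ports:
        score, reasons = score + 2, reasons + [f"newly opened ports {sorted(new_ports)}"]
    if asset.cert_expires < today:
        score, reasons = score + 1, reasons + ["certificate expired"]
    return score, reasons


def prioritize(baseline, latest, today):
    """Return (score, hostname, apex, reasons) per finding, highest score first."""
    unknown = {a.hostname for a in unknown_assets(baseline, latest)}
    opened = newly_exposed_ports(baseline, latest)
    findings = []
    for a in latest:
        score, reasons = score_asset(a, a.hostname in unknown, opened.get(a.hostname, set()), today)
        if score:
            findings.append((score, a.hostname, apex_domain(a.hostname), reasons))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    for score, host, apex, reasons in prioritize(BASELINE, LATEST, TODAY):
        print(f"{score:>2} {host:<28} [{apex}] {'; '.join(reasons)}")
```

In practice the scoring step is where the human triage the page describes belongs: the script only surfaces candidates, and an analyst confirms which exposures are real before they become alerts.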
Tip: Choose an ASM vendor that pairs human analysis with innovative attack surface management tools. This allows for strategic prioritization of results for the best ROI on cybersecurity investments.
The Adoption of Continuous Pentesting
ASM platforms are inherently continuous in their discovery of assets. When security teams pair ASM with external network penetration testing, they can narrow the focus of pentesting engagements to the highest priority exposures. Conducting regular pentesting is a valuable part of offensive security, but attack surfaces are expanding rapidly making continuous pentesting a more advanced approach. With the always-on nature of ASM, businesses can keep pace with today’s rate of change.
Here’s how it works:
- ASM continuously monitors exposures.
- Manual analysis of these exposures by an attack surface operations team determines the level of risk they pose.
- This information is relayed to a security team for remediation, and then passed along to a pentester to validate the remediated exposure.
The right mix of cybersecurity strategies depends on every organization’s unique needs, but pairing ASM with external network penetration testing for continuous pentesting is a modern method of bringing greater security to an environment.
Unknown Attack Surfaces: What You Don’t Know Can Hurt You
Do you really need to monitor unknown attack surfaces? In short, yes, because unknown attack surfaces have a greater potential for gaps. At NetSPI, our ASM discoveries often shed light on external attack surfaces that were previously unknown to an organization. Attack surface sprawl is a reality most security teams face today. Pairing a continuous attack surface monitoring platform with human analysis is a strong defense to stay protected.
Unknown assets are a problem because:
- Individuals can, and will, use software or hardware without IT awareness.
- Cloud security misconfigurations result in breaches.
- You can’t prioritize security testing or build defenses for unknown assets.
If Your Goal is Attack Surface Reduction…
Attack surface management inherently results in attack surface reduction. It helps organizations identify unknown or problematic parts of their attack surface and shut them off to the outside world.
Take this analogy for example: If your house only has one entrance, you can put 100 locks on it to enhance security. But if you have 100 doors to your house, each door can only get one lock. In this case, reducing the number of doors on a house, or the assets for attackers to gain entry, creates a more secure environment.
“One Fortune 100 prospect felt confident that their company was using nine different cloud providers, but the ASM vendor’s initial scan of the internet revealed that they had applications and data in 23.” – Forrester, Find and Cover Your Assets With Attack Surface Management
Tip: Organizations experience greater security benefits quicker by partnering with an attack surface management vendor for strategy and guidance.
3 Tips to Improve Your Attack Surface Management Strategy
Human intuition, creativity, and expertise are vital to secure your attack surface. The following three best practices will improve any organization’s attack surface management strategy, getting the most out of internal workloads and cybersecurity spending.
Assess your attack surface consistently
Avoid giving adversaries time to find risky exposures before you do. Assess your attack surface, including new cloud assets, on a consistent basis.
Incorporate human expertise
Dig into scan results, find more attack vectors, add business context, and eliminate noise with expert triage.
Prioritize exposures based on risk
Stay focused on what matters most: real threats to your business, not a flood of unverified scanner data.
Tip: Effective asset management and change control processes are challenging, and even the most well-intentioned organizations see attack surface management as an opportunity for improvement.
The Role of Attack Surface Management in a Vulnerability Management Strategy
Gartner® recommends making attack surface management part of a vulnerability management strategy through a unified offensive security approach with integrated controls and processes.
Attack surface management is not a replacement for vulnerability management tools nor manual penetration testing services, but rather it fills an existing gap between the two cybersecurity strategies and helps focus effort for manual pentesting.
Analysts recommend attack surface management implementation “as part of a broader, enterprise-wide vulnerability and threat management effort, where known and unknown risks, vulnerabilities and assets are handled as part of a concerted and integrated strategy,” according to Gartner® Emerging Technologies: Critical Insights for External Attack Surface Management report.
3 Must-Have Features in Attack Surface Management Tools
Anyone who uses ASM tools wants a clean UX, cloud integrations, and the ability to export a full list of vulnerabilities — and most ASM tools do all of these to some degree. However, the quality of scan reports varies based on technology capabilities, leading us to identify three key features to look for when researching ASM tools: unknown asset discovery, human analysis, and prioritized notifications.
The ability to discover the unknown.
You can’t protect what you don’t know, making the ability to find unknown assets essential for effective cybersecurity. For example, NetSPI’s ASM engagements start with a list of known domains and IPs; then we expand our search to related entities to uncover all assets tied to a company. This takes human intellect to provide a higher quality of results, leading us to the second feature to look for in ASM tools…
The inclusion of human analysis.
Powerful vulnerability scanners are a good starting point to identify weaknesses in assets, but the inclusion of human analysis delivers the strongest cybersecurity results. The best ASM tools will have manual pentesters review every exposure to contextualize it and determine if it’s exploitable. This work takes effort, but without the human element, ASM tools result in a cluttered list of vulnerabilities, bringing us to our final feature…
The prioritization of alerts.
ASM tools that rely on human analysis can vet vulnerabilities before they are added as alerts. While the full listing of all vulnerabilities is always available, a prioritized list of notifications that has been manually reviewed helps eliminate alert fatigue and center IT resources around the most relevant next steps. Say goodbye to notification overload and false positives.
The differences between tools for attack surface management are nuanced. Conducting research into ASM tools in light of your business objectives is the best way to evaluate which solution will meet your needs. Read our full criteria for selecting an Attack Surface Management platform here.
Quick Guide to Researching Attack Surface Management Vendors
The cybersecurity industry has no shortage of attack surface management vendors, but they aren’t all created equal. The qualities needed in an ASM vendor are specific to your overarching security goals. These three factors for evaluating attack surface management companies will help security leaders differentiate providers and expedite decisions around vendor selection.
Is this vendor a new player in the ASM field, or do they have a proven history in offensive security? Choosing a legacy vendor means streamlined processes, fast access to support teams, and tried-and-true methods to enhance security.
Convincing Proof of Value
Proof of Value (POV) is a standard practice that dives deep into a specific use case for technology or services to prove the efficacy of a proposed strategy. Comparing POVs between potential vendors helps security teams evaluate who meets their needs.
ASM Software Demos at the Ready
The ability to take an ASM tool for a test drive through a guided demo or webinar is a must-have before committing to an ASM vendor. This lets your team experience the user interface, ask pointed questions about capabilities, and compare features between tools.
Gaining recognition from third parties such as Gartner® or Forrester is a surefire way to confirm the validity of attack surface management platforms. Analysts at these organizations perform a factual review of information from technology providers to recognize solutions that demonstrate innovation. Forrester included NetSPI in the External Attack Surface Management Landscape Report highlighting 36 notable EASM vendors.
These three qualities are just a starting point in your search. One of the best ways to conduct research into attack surface management vendors is to look internally. Gather anyone who would be impacted by security decisions and ask them to weigh in with what would make a cybersecurity partnership successful. Use the broader team’s input to guide questions and criteria when evaluating attack surface management companies.
Or you can always turn to the Twitterverse to ask the masses like @AlyssaM_InfoSec:
I know I'll probably regret asking this, but…
Attack surface management? Worth it? Useless? What features/capabilities matter most? Better alternatives?
And finally, if you're using it, what product and why that choice?
— 👑 Alyssa Miller 🦄🛩️ (@AlyssaM_InfoSec) October 11, 2022
Types of Attack Surface Management Vendors
Human-based ASM services
Penetration testing services and vulnerability assessment services that use humans to manually test the external network, usually on a quarterly basis
Pure-technology ASM solutions
Attack surface management tools or scanners that look at what you have on the internet and use scores to prioritize impactful findings
Hybrid ASM services
Attack surface management vendors like NetSPI that merge human intuition with automated technology to find more vulnerabilities and filter prioritized alerts
Tip: Use a hybrid approach to attack surface management to combine the best of human-driven triage and context with ASM tools.
Questions to Ask Attack Surface Management Vendors
To better understand the specific capabilities and differences between attack surface management companies and software, NetSPI recommends asking the following questions:
- How often are you running tests?
- How broad and fresh is the data?
- How quickly will a new asset appear in the ASM tool?
- How do you approach continuous pentesting?
- Do you support exposure remediation efforts? How?
- How do you manage the number of alerts?
- How will you help me understand what’s most important on my attack surface?
- Can I access all of my scan data if needed?
- What are the critical risk factors that will affect the business?
- Who are the potential threat actors?
- Which vulnerabilities should I remediate first?
- Which exposures are attackers most likely to exploit?
Streamline Risk Remediation with NetSPI’s Attack Surface Management
NetSPI’s attack surface management service combines an automated attack surface management technology platform with a global follow-the-sun expert penetration testing team in a proven, scalable method. We help IT and security teams manage attack surface sprawl, identify unknown assets, uncover exposures, and prioritize remediation efforts. Attack surface management paired with manual external penetration testing is an advanced method for continuous pentesting.
NetSPI helps organizations through:
- Simple setup and onboarding
- Comprehensive asset discovery
- Always-on continuous pentesting
- Manual triaging of exposures
- Prioritized alerts
Take our free ASM tool for a test drive here: https://asm.netspi.com/