Defining the Assets in Your Attack Surface Management (ASM) Strategy
Today's accelerated digital transformation has blurred network boundaries. An organization's IT environment includes complex, constantly moving internet-facing infrastructure.
Attack surface management (ASM) is the emerging approach to managing cyber risk across an expanding attack surface. ASM provides the big picture of exposed assets, vulnerabilities, and security risks.
With assets being the fastest growing part of an organization’s infrastructure, it’s easy to be left with an unknown, unmanaged or forgotten one. In fact, most enterprises are unaware of around 40-60% of their attack surface.
An efficient, effective and scalable solution, ASM is designed for the modern IT infrastructure and ever-changing threat landscape. Continually discovering assets and understanding and monitoring their security posture and exposures is an important part of any security roadmap.
ASM is a relatively new concept in the cybersecurity space, and different organizations include different assets in their ASM strategy. But not every asset poses the same risk. This is why defining what assets will be included in your attack surface management efforts is crucial in order to effectively reduce risk.
What is Attack Surface Management?
How to choose what assets to include in your ASM strategy?
As ASM becomes a term that is more widely used, what solution providers mean when they talk about ASM becomes less clear.
While every asset can be a potential entry point, it would be misleading to say that every asset contributes equally to the overall attack surface. It’s important to account for assets that have open handles to sensitive information, ones that are most prone to misconfiguration, and those that originate from sources likely to leave them unsupervised.
Some of the main sources of potentially exposed and high-risk assets include:
Development teams: Developers continuously deploy subdomains, IPs, servers, code bases and similar assets and set up staging and development areas to test their code. But these assets are often forgotten, outdated and without proper security controls. Any misconfiguration on these assets can lead to unauthorized access and sensitive data leakage.
DevOps: Rapid, automated DevOps cycles and cloud deployments mean rapidly created assets such as cloud resources, cloud storage, IPs, domains and subdomains. In any dynamic environment, lack of visibility is a constant issue.
Sales and Marketing: Marketing and sales teams continuously use and change various assets such as domains, subdomains, demo servers, landing pages, etc. for their campaigns. When these changes are made and new assets are spun up, they need to be reported to the security team in order to be monitored and checked for proper security controls.
Vendors: Your attack surface doesn't stop with your own assets: mergers and acquisitions, partners and third-party vendors introduce significant security risk. While your security posture might be up to par, you can’t vouch for theirs. What you can do is include these assets in your ASM strategy and monitor them for security issues.
These are just some of the sources of potentially vulnerable, high-risk assets. The number of high-risk assets produced makes it crucial that you are aware of all potential asset sources. You can use that knowledge to determine which assets need to be included in your ASM strategy.
A robust ASM solution should complement your strategy and provide you with complete asset discovery and contextualization. It is important to know where each asset has originated and what kind of a risk it poses. A robust ASM solution is the only way to have and maintain the full picture of your security posture.
Including unknown assets in your ASM strategy
While many ASM strategies focus on assets with the potential for critical risk, their discovery and monitoring strategies still aren’t complete. Why? They focus only on known assets. Unfortunately, it is often unknown assets that pose the biggest risk.
Known assets are the parts of the IT infrastructure that the security team is aware of and currently monitors. Examples of known assets include servers, routers, company and private devices, on-prem and cloud applications, etc. But they are only one small part of the attack surface.
Only 9% of organizations believe they monitor 100% of their attack surface. When they do improve their efforts with an ASM strategy, they find sensitive data in previously unknown locations, misconfigured employee credentials, misconfigured SSL certificates, and more.
Unknown assets are any unsupervised assets that have access to the internal network. Constantly changing attack surfaces lead to unmonitored assets, which can then go through a configuration change that leaves them exposed. Software may go out of date, third-party resources might be decommissioned, and so on. Adversaries know how change creates unknown assets and will look for easily forgotten assets and paths of least resistance into your network.
As a result, it is important that any attack surface management programs include both known and unknown assets.
What assets Hadrian defines as part of the attack surface and why?
Hadrian provides holistic security insights from a hacker’s perspective. The use of passive data sources and active algorithms leads to the discovery of all your digital assets, both known and unknown. ML models are trained to understand and contextualize the assets found, allowing for complete insight into what your attack surface looks like. The insights Hadrian collects have also allowed us to clearly define which critical assets we mean when we discuss ASM.
Code Based Assets
Use of open source has exploded over the last decade or so. However, well-known and widely used open source libraries present a lot of opportunities for malicious actors. One framework depends on a library, that library depends on another, and with numerous such dependencies the result is a convoluted architecture that can easily hide a vulnerability. The Log4j vulnerability of December 2021 is one example of the impact a code-based asset can have.
Hadrian pinpoints vulnerable codebase components and any blind spots that are exposed to the public so you can better understand and effectively prioritize your third-party risk.
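The paragraph above describes how a vulnerable library can sit several layers below the component an organization thinks it is running. The following Python example, added here and not part of the original post or Hadrian's product, walks a constructed dependency graph (the kind a lockfile or SBOM yields) and reports, for every top-level component, each path that ends in a flagged library. All package names, versions and the "flagged below version" rule are constructed placeholders, not real advisories.

```python
"""Find which top-level components pull in a flagged library, directly or transitively.

Constructed example data: the graph and the flagged-version rule are placeholders,
not a real project or a real advisory.
"""

# Constructed dependency graph: "name@version" -> set of direct dependencies.
DEP_GRAPH = {
    "billing-service@2.3.0": {"web-framework@5.1.0", "pdf-render@1.4.2"},
    "reporting-ui@1.0.0": {"web-framework@5.1.0"},
    "web-framework@5.1.0": {"http-core@3.0.1", "logging-facade@1.7.0"},
    "logging-facade@1.7.0": {"logging-impl@1.2.0"},
    "pdf-render@1.4.2": {"image-codec@0.9.0"},
    "http-core@3.0.1": set(),
    "logging-impl@1.2.0": set(),
    "image-codec@0.9.0": set(),
}

# Constructed advisory list: component name -> predicate on its version string.
# Here "logging-impl" is flagged for every version below 1.3.0 (placeholder rule).
FLAGGED = {"logging-impl": lambda v: version_tuple(v) < (1, 3, 0)}


def split_pkg(pkg):
    """'name@version' -> (name, version)."""
    name, _, ver = pkg.rpartition("@")
    return name, ver


def version_tuple(v):
    """'1.2.0' -> (1, 2, 0) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def is_flagged(name, ver):
    pred = FLAGGED.get(name)
    return pred is not None and pred(ver)


def roots(graph):
    """Top-level components: nodes nothing else depends on."""
    depended_on = set().union(*graph.values())
    return sorted(n for n in graph if n not in depended_on)


def find_paths(graph, start, flagged=is_flagged):
    """Depth-first search from `start`; return every path that ends at a flagged component."""
    results = []

    def dfs(node, path, visited):
        if node in visited:          # cycle guard for malformed graphs
            return
        path = path + [node]
        name, ver = split_pkg(node)
        if flagged(name, ver):
            results.append(path)
        for dep in sorted(graph.get(node, ())):
            dfs(dep, path, visited | {node})

    dfs(start, [], frozenset())
    return results


def exposure_report(graph=DEP_GRAPH):
    """Map each top-level component to the dependency paths that reach a flagged library."""
    return {root: find_paths(graph, root) for root in roots(graph)}


if __name__ == "__main__":
    for root, paths in exposure_report().items():
        for path in paths:
            print(f"{root}: " + " -> ".join(path))
```

The report shows the full chain, so the owner of `billing-service` can see that the exposure arrives through `web-framework` and `logging-facade`, neither of which it declares as a dependency on the flagged library itself; that is exactly the blind spot the paragraph describes.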
Modern web applications are complex and contain many layers where misconfigurations can happen, making them challenging to secure. Web applications are where client, financial and other sensitive information lives, and attackers are aware of this. Therefore, it is essential for organizations to identify and understand any aspect of a web app that can be a potential entry point for attackers.
In order to understand your application architecture and reduce the overall attack surface, you need to identify apps and their components, and whether they are exposed. As there can be hundreds or thousands of these, Hadrian offers a strategic view by highlighting critical and high-risk assets to identify attack vectors before it’s too late.
Organizations use cloud services, infrastructure and workloads to support their growing remote workforce but this change has amplified the risk of insider threats. Anyone with a set of credentials and access to your infrastructure can be a potential threat. Some individuals aren’t as meticulous with their cyber hygiene, and accidents can happen. No wonder that attackers are increasingly aiming for identity attacks and stealing credentials.
Hadrian’s continuous view into your assets and risks allows you to better understand network usage patterns and detect any abnormalities. While Hadrian can’t change the behavior of your people it can provide insights that ensure you properly investigate access and authorization to your assets.
Everything on your networks uses DNS services. Domains, subdomains, IPs, ports… These are all components of any modern IT infrastructure. By exploring DNS assets, an attacker can find unsecured areas of websites, testing and development areas that might leak sensitive information, and the like. Using passive DNS for attack surface reconnaissance, an ASM strategy should cover discovery of subdomains, associated IPs and hostnames, open ports, spoofed domains and DNS hijacking.
Going a step further with a blend of passive DNS and active scanning, Hadrian not only discovers your attack surface but also visualizes the path of least resistance and the potential attack chain used by attackers. Cross-asset testing mimics an attacker’s approach to attacking your organization. Hadrian considers how assets in your attack surface are linked in order to map digital assets at a higher level of depth.
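The unknown-assets section above and the DNS paragraph describe the same defensive task from two angles: compare what discovery sources actually observe against the inventory the security team believes it owns, and check whether any observed record now points at something that no longer exists. The Python example below, added here and not part of the original post or Hadrian's product, does exactly that on constructed data. The hostnames, IP addresses and the `DNS_TABLE` lookup that stands in for live DNS answers are all made up for the example.

```python
"""Reconcile a known-asset inventory against hostnames seen in passive DNS.

All data is constructed for the example. `DNS_TABLE` is a stand-in for a live
resolver so the script runs offline; in practice the same logic would sit on
top of real passive DNS and certificate transparency feeds.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: assets the security team knows about and monitors.
KNOWN_ASSETS = {"www.example.com", "api.example.com", "mail.example.com"}

# Constructed: hostnames under the organization's domains observed by discovery sources.
DISCOVERED = {
    "www.example.com",
    "api.example.com",
    "mail.example.com",
    "staging.example.com",    # development area nobody registered with security
    "demo2019.example.com",   # old marketing demo server
    "cdn.example.com",
}

# Constructed resolver table. Value is ("A", ip), ("CNAME", target) or None for NXDOMAIN.
DNS_TABLE = {
    "www.example.com": ("A", "203.0.113.10"),
    "api.example.com": ("A", "203.0.113.11"),
    "mail.example.com": ("A", "203.0.113.12"),
    "staging.example.com": ("A", "203.0.113.50"),
    "demo2019.example.com": ("CNAME", "demo-app.hosting-vendor.example"),
    "demo-app.hosting-vendor.example": None,        # vendor decommissioned the target
    "cdn.example.com": ("CNAME", "edge.cdn-vendor.example"),
    "edge.cdn-vendor.example": ("A", "198.51.100.7"),
}


def resolve_chain(name, table=DNS_TABLE, max_hops=8):
    """Follow CNAMEs from `name`; return (final_name, record).

    `record` is None when the chain ends in NXDOMAIN, loops, or exceeds max_hops.
    """
    current = name
    for _ in range(max_hops):
        rec = table.get(current)
        if rec is None:
            return current, None
        rtype, value = rec
        if rtype != "CNAME":
            return current, rec
        current = value
    return current, None


@dataclass
class Finding:
    asset: str
    status: str            # "known" or "unknown"
    issue: Optional[str]   # None when nothing is wrong with the record itself


def reconcile(known, discovered, table=DNS_TABLE):
    """Classify every discovered host and flag records that no longer resolve cleanly."""
    findings = []
    for host in sorted(discovered):
        status = "known" if host in known else "unknown"
        final, rec = resolve_chain(host, table)
        issue = None
        if rec is None:
            # A CNAME whose target is gone is a dangling record: the name is still
            # published under the organization's domain but points at nothing it controls.
            issue = (f"dangling CNAME -> {final} (target no longer resolves)"
                     if final != host else "does not resolve")
        findings.append(Finding(host, status, issue))
    # Inventory entries that discovery never saw deserve a look too: the asset
    # may have been decommissioned without the inventory being updated.
    for host in sorted(known - discovered):
        findings.append(Finding(host, "known", "not observed in discovery sources"))
    return findings


def unknown_assets(findings):
    return [f.asset for f in findings if f.status == "unknown"]


def dangling_records(findings):
    return [f.asset for f in findings if f.issue and f.issue.startswith("dangling")]


if __name__ == "__main__":
    for f in reconcile(KNOWN_ASSETS, DISCOVERED):
        print(f"{f.status:8} {f.asset:28} {f.issue or 'ok'}")
```

Run on the sample data, the report surfaces three hosts the inventory never listed and one dangling CNAME; both categories are candidates for either being brought under monitoring or being removed from DNS altogether.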
Organizations today store enormous amounts of data in cloud assets. And there are many misconfigurations on those cloud assets that can have serious repercussions. An estimated 70% of compromised digital records were due to misconfigured cloud services.
A complete understanding of cloud assets and the ability to continuously discover, manage and calculate risk on them is a crucial part of controlling your attack surface. Any gap in visibility over your cloud architecture can present a foothold that attackers can use to infiltrate your network. Hadrian continuously generates new potential assets and vulnerabilities to test in a company's infrastructure, providing the visibility needed for an evolving cloud architecture and its associated risk.
In the era of digital transformation and cloud adoption, assets are highly dynamic and often difficult to detect and monitor using traditional approaches. Furthermore, as 100% visibility remains elusive in this environment, defining what assets will be included in your attack surface management strategy is crucial.
Hadrian helps today’s organizations with its continuous process of discovering, classifying and assessing the risk profile of critical assets in your IT infrastructure. Using graph-based mapping to understand asset relations, Hadrian ensures a comprehensive view of the attack surface that holistically considers complex IT and cloud infrastructures and allows security teams to prioritize risks and focus on high impact assets.
Fortify your attack surface management strategy and mitigate risk. Sign up for your Hadrian demo to discover more.