What is Attack Surface Management (ASM)?

Named a Leader in The Forrester Wave: Attack Surface Management Solutions, Q3 2024

Attack Surface Management Definition

Attack Surface Management (ASM) is an approach and technology that strengthens security by identifying the attack surface (attack target area) of an organisation from the perspective of an attacker, and then working to reduce the risk of cyber attacks. By incorporating Attack Surface Risk Management (ASRM), which continuously identifies, evaluates and mitigates risks to the attack surface, the occurrence of incidents that threaten the business continuity of an organisation can be reduced. 

In order to understand Attack Surface Management (ASM), it is first necessary to know what is meant by the term ‘attack surface’. 

As defined by the US National Institute of Standards and Technology (NIST), the attack surface refers to digital assets, services and environments that could be subject to cyber-attacks from the perspective of the attacker. Specifically, this includes network devices such as client terminals, mobile terminals, IoT devices, servers and VPN devices, as well as software, cloud services and services that make up the supply chain. 

The attack surface is sometimes classified into the External Attack Surface, which refers to digital assets that are publicly available, and the Internal Attack Surface, which refers to digital assets that exist within the organization's network.  

In the past, conventional measures tended to focus only on the attack surface that was publicly available from the perspective of intrusion routes/defense at the point of entry. However, as we will see below, due to changes in the business environment and the increasing sophistication of cyber attacks, it is now common to take measures based on the premise that attackers will gain access to an organization. For this reason, it is necessary to treat the attack surface as including not only publicly available digital assets, but also all internal digital assets that could be misused by attackers. 


Why is ASM Important?

There are two main reasons why Attack Surface Management is needed:

The IT environments of organizations need to be protected

The digitization of all kinds of work is progressing rapidly in recent years due to changes in the business environment brought about by the promotion of digital transformation and changes in the way we work, such as remote working. As a result, the IT environment is becoming more complex than ever before due to the introduction of new technologies such as the use of VPN devices and cloud services, and the use of IoT devices. 

On the other hand, many organizations are unable to keep up with the rapid changes and growing complexity of their own IT environments and the risks they pose, and security measures are being put on the back burner. As a result, from the perspective of cybercriminals, the number of targets for attacks is increasing.

The sophistication of cyber attack methods

The methods used in cyber attacks and other crimes are becoming more sophisticated to increase the success rate of attacks. In the past, the main type of cyber attack was the indiscriminate ‘scatter-and-gather’ type, in which malicious programs were sent to a large number of unspecified recipients via email or other means. Modern cyber attacks, however, increasingly take the form of ‘targeted attacks’ that exploit vulnerabilities in VPN and RDP services, as well as stolen authentication information, to infiltrate the target organization's network and then carry out internal activities such as privilege escalation, lateral movement and information theft.

As a result, organizations need to consider not only digital assets that are publicly available, but also digital assets within the organization itself, and implement security measures accordingly. 

Due to the increasingly complex IT environments of the defense side and the increasingly sophisticated attack methods of the attack side, organizations need to constantly monitor the state of their attack surface to ensure that cyber attacks do not lead to business shutdowns, and to take measures to reduce the possibility of attacks and the impact on business in the event of an attack. In other words, rather than waiting until an incident occurs, organizations need to take steps to control the risk beforehand. 

On the other hand, many organizations find it difficult to understand the attack surface and continuously manage that risk, mainly due to the following three issues, so there is a need for technology to support attack surface management.  

  • It is difficult to quantify the risk of the attack surface 

  • There are not enough resources to manage it on an ongoing basis 

  • There is limited visibility of the attack surface and risk 


Key Features of ASM

Attack Surface Management is an initiative to strengthen security by visualizing the digital assets that need to be protected within an organization and then monitoring them on an ongoing basis to understand how the attack surface is changing over time. On the other hand, it is not realistic to manually manage an organization's attack surface, which is changing every day, because it takes time and effort. Therefore, in order to achieve sustainable attack surface management, it is important to use technology that supports the entire process through ‘automation’. 

The technology that supports attack surface management provides the following functions. 

  • Visualization of the attack surface: By monitoring digital assets within an organization that could be targets of attack, the latest information on the number and types of assets (devices, accounts, cloud services, etc.) and related information (OS versions, host names, etc.) is continuously collected and visualized.

  • Understanding the factors that make up the attack surface: The factors that could make digital assets targets of attack, such as vulnerabilities present in the assets, inadequate security settings, and whether they are exposed to the outside world, are detected and visualized.
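As an added example (not Trend Micro's code), the following script shows the "continuous collection" idea in practice: two constructed inventory snapshots of the same environment are compared so that new assets, removed assets, newly internet-exposed ports and OS-version changes are surfaced for re-assessment. The `Asset` model, the hostnames and the port numbers are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One inventoried digital asset (constructed example model)."""
    host: str
    kind: str                 # device, account, cloud service, ...
    os_version: str
    exposed_ports: frozenset  # ports reachable from the internet


def diff_snapshots(previous, current):
    """Compare two {hostname: Asset} snapshots and report what changed.

    New and removed assets, newly internet-exposed ports and OS-version
    changes are returned so each can be re-assessed immediately rather
    than at the next full review.
    """
    report = {"new": [], "removed": [], "newly_exposed": [], "changed": []}
    for host, asset in current.items():
        old = previous.get(host)
        if old is None:
            report["new"].append(host)
            continue
        opened = asset.exposed_ports - old.exposed_ports
        if opened:
            report["newly_exposed"].append((host, sorted(opened)))
        if asset.os_version != old.os_version:
            report["changed"].append((host, old.os_version, asset.os_version))
    report["removed"] = sorted(set(previous) - set(current))
    return report


# Constructed sample snapshots; hostnames and versions are made up.
YESTERDAY = {
    "vpn-gw-01": Asset("vpn-gw-01", "vpn", "9.1", frozenset({443})),
    "file-srv-02": Asset("file-srv-02", "server", "2016", frozenset()),
    "old-printer": Asset("old-printer", "iot", "1.0", frozenset()),
}
TODAY = {
    "vpn-gw-01": Asset("vpn-gw-01", "vpn", "9.2", frozenset({22, 443})),
    "file-srv-02": Asset("file-srv-02", "server", "2016", frozenset()),
    "dev-box-07": Asset("dev-box-07", "device", "22.04", frozenset({3389})),
}

if __name__ == "__main__":
    for key, items in diff_snapshots(YESTERDAY, TODAY).items():
        print(f"{key}: {items}")
```

A real ASM tool would feed each reported change (here, a VPN gateway that newly exposes port 22 and an unknown host exposing RDP) straight into the risk assessment step.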

In addition, Attack Surface Management for digital assets that are publicly accessible is sometimes referred to as External Attack Surface Management (EASM), and some organizations treat Attack Surface Management as EASM.  

Main functions of ASM

In addition to the functions of attack surface management mentioned above, attack surface risk management provides functions for ‘identifying’, ‘evaluating’ and ‘mitigating’ risks. 

  • Identifying risks on the attack surface: In addition to the number and types of digital assets that could be attacked (devices, accounts, cloud services, etc.) and related information (OS version, host name, etc.), information that could be a risk factor, such as leaks of account and other authentication information, vulnerabilities, suspicious behavior and traces of attacks, is collected.

  • Assessing risk on the attack surface: Based on the collected information about the factors behind the risk on each attack surface, the severity of the risk is assessed by quantitatively calculating a risk score from the ‘likelihood’ of an attack occurring and the ‘impact’ if it does. For example, when assessing the risk of a device, if it has a vulnerability with a high CVSS (Common Vulnerability Scoring System) score and security settings such as behavioral monitoring and machine learning are not enabled, the risk is calculated as high.

  • Reducing risk on the attack surface: To bring the risk level on the attack surface down to a level acceptable to the organization, risk mitigation measures such as endpoint isolation and blocking of suspicious communication destinations are implemented.
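The following is an added example (not Trend Micro's scoring model) of the likelihood-times-impact assessment described above, applied to the device case in the text: the worst CVSS score is raised when behavioral monitoring or machine learning is off or the device is internet-exposed, impact is derived from business criticality, and devices above an acceptable risk level are ordered for mitigation. The weights, the `DeviceRisk` fields and the sample hosts are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class DeviceRisk:
    """Risk factors collected for one device (constructed example model)."""
    host: str
    max_cvss: float            # highest CVSS base score among its CVEs
    behavior_monitoring: bool  # protective setting enabled?
    machine_learning: bool     # protective setting enabled?
    internet_exposed: bool
    business_criticality: int  # 1 (low) .. 5 (critical)


def likelihood(d: DeviceRisk) -> float:
    """Attack likelihood on a 0..10 scale: the worst CVSS score, raised when
    protective settings are off or the device is reachable from the internet.
    The weights are illustrative assumptions, not a published formula."""
    score = d.max_cvss
    if not d.behavior_monitoring:
        score += 1.5
    if not d.machine_learning:
        score += 1.0
    if d.internet_exposed:
        score += 1.5
    return min(score, 10.0)


def impact(d: DeviceRisk) -> float:
    """Impact on a 0..10 scale derived from business criticality."""
    return d.business_criticality * 2.0


def risk_score(d: DeviceRisk) -> float:
    """Combine likelihood and impact into one 0..100 risk score."""
    return round(likelihood(d) * impact(d), 1)


def prioritize(devices, acceptable=30.0):
    """Devices above the acceptable risk level, highest first, so mitigation
    (isolation, blocking suspicious destinations) can be ordered."""
    over = [(risk_score(d), d.host) for d in devices if risk_score(d) > acceptable]
    return sorted(over, reverse=True)


SAMPLE = [  # constructed sample inventory; hosts, scores and settings are made up
    DeviceRisk("vpn-gw-01", 9.8, False, False, True, 5),
    DeviceRisk("hr-laptop-12", 7.5, True, True, False, 3),
    DeviceRisk("lab-printer", 5.3, False, False, False, 1),
]
```

Note that the printer has the same missing settings as the VPN gateway but a much lower score, because impact, not just likelihood, drives the priority.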

The National Institute of Standards and Technology (NIST) has published NIST SP 800-30, ‘Guide for Conducting Risk Assessments’, which systematically summarizes methods for risk assessment.


When implementing attack surface risk management in an organization, it is important to be able to comprehensively collect reference information that can be used as a factor in attack surface risk, to quantitatively evaluate risk using established methods, and to adopt technology that can continuously realize a cycle of implementing measures to mitigate risk. 

Types of Attack Surface Management

Attack Surface Management (ASM) is categorized into distinct types that address different facets of an organization’s digital environment. These include External ASM, Internal ASM, Cyber Asset ASM, and Open Source ASM. Each type plays a crucial role in monitoring and mitigating risks, providing organizations with a comprehensive approach to protecting their digital assets.

External Attack Surface Management

External ASM focuses on an organization's assets that are exposed to the public internet, such as web applications, cloud-based resources, IP addresses and domain names that could be exploited by attackers. These internet-facing services are often targeted by attackers looking to exploit vulnerabilities or misconfigurations. External ASM identifies and monitors these assets continuously to detect weaknesses that could serve as entry points for an attacker. By maintaining visibility into publicly accessible assets, External ASM reduces an organization’s exposure to potential attacks.

Internal Attack Surface Management

Internal ASM addresses risks within an organization’s private network, including devices, applications, and systems that are not publicly accessible but could be exploited if attackers gain access. It is particularly relevant for combating advanced persistent threats (APTs) and insider threats, which often involve lateral movement and privilege escalation within the network. Legacy systems or poorly secured internal servers may serve as vulnerabilities attackers exploit once inside the network. Internal ASM enables organizations to detect and mitigate these risks by enforcing access controls, monitoring endpoints, and implementing network segmentation, helping to reduce the risk of internal threats.

Cyber Asset Attack Surface Management

Cyber Asset ASM focuses on managing and securing individual assets across an organization, including endpoints, user accounts, cloud instances, and mobile devices. This is especially critical in today’s hybrid work environments, where assets are spread across on-premises and cloud-based infrastructures. Organizations operating in multi-cloud environments often have diverse assets, such as containers, virtual machines, and APIs. Cyber Asset ASM provides detailed visibility into these assets by continuously monitoring asset configurations and assessing their risk profiles, allowing organizations to maintain tight control over their expanding ecosystems and proactively mitigate potential vulnerabilities.

Open Source Attack Surface Management

Open Source ASM focuses on managing risks associated with open-source technologies and publicly accessible information. While open-source software is widely used, it introduces vulnerabilities due to its transparency and reliance on community contributions. Additionally, attackers often exploit exposed data such as leaked credentials, API keys, or sensitive configuration files found in open repositories such as GitHub. For example, an organization might inadvertently publish sensitive information in a public code repository, which Open Source ASM tools can quickly detect and flag. By identifying and addressing these risks, organizations can secure their open-source components and prevent exploitation stemming from publicly accessible data.

Categories of Attack Surfaces

Understanding the categories of attack surfaces is essential for effective Attack Surface Management (ASM). The entry points that make up an attack surface can be broadly categorized into three types:

The Physical Attack Surface

The physical attack surface refers to the tangible components of an organization's IT infrastructure that can be exploited by attackers. These include any hardware, devices, or physical locations that can provide unauthorized access to sensitive data or systems.

  • Discarded hardware: Devices such as hard drives, USB sticks, or printers that may still contain sensitive data if not properly disposed of.

  • Endpoint devices: Desktop computers, laptops, smartphones, and other portable devices that could be stolen or tampered with.

  • Network infrastructure: Components such as routers, switches, network cables, and data centers, which can be physically accessed or tampered with.

  • Unsecured ports or peripherals: USB ports or external storage connections that could be used to introduce malicious devices or software.

  • Physical breaches: Unauthorized personnel gaining access to secure areas or sensitive information, often due to poor access control mechanisms.

The Digital Attack Surface

The digital attack surface encompasses all digital assets that could be targeted by cybercriminals, including external-facing systems, internal networks, and the software or cloud services in use. 

  • Web applications: Vulnerabilities in publicly accessible websites or applications that can be exploited for unauthorized access.

  • Cloud services: Misconfigured cloud storage, APIs, or virtual machines that are exposed to the internet.

  • IoT devices: Internet-connected devices such as cameras, sensors, or smart appliances that often lack strong security controls.

  • Outdated software: Applications or operating systems with unpatched vulnerabilities that attackers can exploit.

  • User credentials: Weak or stolen passwords that allow attackers to infiltrate internal systems or networks.

The Social Engineering Attack Surface

The social engineering attack surface focuses on the human element, exploiting employees’ or users’ trust and susceptibility to manipulation. Attackers often use psychological tactics to trick individuals into revealing sensitive information or performing actions that compromise security.

  • Phishing emails: Fraudulent messages designed to trick recipients into clicking malicious links or providing credentials.

  • Pretexting: Scenarios where attackers pose as trusted individuals or organizations to gain information or access.

  • Baiting: Offering something enticing, such as a fake job offer or promotional reward, to lure victims into a trap. 

  • Impersonation: Pretending to be a trusted colleague, vendor, or executive to exploit the target’s trust.

  • Tailgating: Gaining physical access to secure areas by following authorized personnel without proper credentials.

Relationship between ASM and XDR

Attack Surface Management reduces the possibility of cyber-attacks and intrusions during normal times, thereby curbing the occurrence of serious incidents that could affect business continuity. On the other hand, due to the recent sophistication of cyber attacks, countermeasures based on the assumption of intrusion are recommended, and technologies such as XDR (Extended Detection and Response) support threat detection and response. Attack surface risk management is a proactive countermeasure before an incident occurs, while XDR is positioned as a reactive countermeasure after an incident occurs, but the two technologies should work closely together. 

For example, by monitoring risks through attack surface risk management during normal times, the number of incidents can be reduced, resulting in a reduction in the burden of reactive response to incidents using XDR. In addition, information on traces of attacks detected by XDR can be shared with Attack Surface Risk Management as a target for risk assessment at normal times, contributing to more accurate risk score calculation. 

In this way, although Attack Surface Risk Management and XDR are different technologies, they complement each other by sharing information, which has a synergistic effect in reducing the number of incidents and the burden of response. Therefore, it is important to have a platform that allows the two technologies to complement each other. 

Trend Micro's ASM solution
