The complete guide to External Attack Surface Management (EASM)

Get in-depth guidance on External Attack Surface Management, how it works, and why it’s a great way for AppSec teams to scale attack surface assessment to each and every asset they expose.

Chapter 1

What External Attack Surface Management is and isn't

What is External Attack Surface Management (EASM)?

External attack surface management (EASM) is the continuous practice of discovering and assessing Internet-facing assets and looking for their vulnerabilities and anomalies. Mapping out your attack surface with External Attack Surface Management will help you understand where and to what degree your Internet-facing assets are exposed.

Industry experts have highlighted attack surface expansion for years, from Gartner and Forrester to KuppingerCole. Detectify's CEO, Rickard Carlsson, framed it as follows in an interview with HelpNetSecurity: "There is virtually no difference between office work and remote work anymore. There is no inside and outside, just outside. What is to be secured now is a growing, dynamic, and sprawling mess of endpoints, cloud services, and third-party applications that form an external attack surface."

Gartner also recognised Detectify as a Sample Vendor in the External Attack Surface Management Category in their research.

Greater use of the public and hybrid cloud and highly connected supply chains are leaving organizations vulnerable to attackers. For those working on the frontline of cybersecurity, identifying and monitoring changes in your external attack surface is crucial to discern what actions to take to protect the attack surface.

Learn more in the e-book: External Attack Surface Management - What it is and what it isn't

Are Attack Surface Management and External Attack Surface Management the same thing?

Attack Surface Management (ASM) is an evolving product category, with various methods and attack surface assessment technologies used to approach the attack surface. Forrester defines Attack Surface Management as “The process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity’s IT asset estate.” Attack surface management can be seen as a broader approach to detecting and handling vulnerabilities that weaken your security posture.

External Attack Surface Management is one of the Attack Surface Management processes whereby tooling “continuously scans for, discovers, and enumerates unknown internet-facing assets, establishes the unique fingerprints of discovered assets, and identifies various exposures.” External Attack Surface Management leverages an outside-in approach to understand what is being exposed on the attack surface.

What External Attack Surface Management isn't

To better understand EASM, we can have a quick look at what it isn't. EASM is not a standalone product or service. It's not a replacement for security testing, vulnerability management, or other parts of a security program. It's not for insider threats and it's not an asset inventory. We can also look at a couple of other concepts that differ from EASM.

Cyber Asset Attack Surface Management (CAASM):
Although CAASM solutions allow organizations to see all their assets, they don't generally apply vulnerability assessments to the assets discovered.

CAASM solutions offer an inside-out approach to covering the attack surface, which may work for some organizations. However, their reliance on API integrations makes them difficult to onboard and scale for organizations with a rapidly expanding attack surface.

Digital Risk Protection Services (DRPS):
DRPS solutions crawl the Internet to attribute assets to organizations and access parts of the Internet like the dark web. Like CAASM, DRPS solutions don't apply vulnerability testing to assets they discover because such assets, like social media profiles, cannot be tested.

DRPS solutions are likely to be useful for larger enterprises that can feed the findings into existing threat intelligence workflows. This makes them less valuable to organizations that need actionable information on the assets that pose a risk to their business.

Read more: How does EASM differ from CAASM and DRPS?

What is the attack surface?

An attack surface refers to any interface, physical or digital, where an attacker could try to enter their own input or deploy an attack vector to get unauthorized access to a system and extract data or other sensitive information. It could also be used as a point within a chain of attacks.

While inventory and visibility are critical first steps in preventing attacks, they alone are not enough to protect the attack surface. Security teams around the globe are now looking for solutions that help them better manage what they are exposing, as well as run low-noise, high-accuracy testing on newly discovered assets.

How to define the attack surface area

Organizations increasingly rely on SaaS services and products, meaning the digital attack surface is more than the firewall and network. It is now a sum of the available entry points of the different web applications publicly accessible on the Internet – both known and unknown assets.

Known assets
Known assets are the assets you know about and monitor with extra care. These include the subdomains under your main domain, the Apache installations you security-check, the central web application, and login interfaces.

Unknown assets
There will always be unknown assets that create weaknesses and blind spots in the attack surface. For a growing business without the right processes and tools they are hard to catch, and they typically appear when mistakes are made in the code, when rogue or shadow IT software is installed, or as the result of an insecure supply chain. New vulnerabilities are also found in existing code when a pentester or ethical hacker creatively looks where others aren't.

Chapter 2

Attack surface types

Common attack surfaces that are prone to misconfigurations

Middleware

Software development occurs over multiple cloud environments, languages, tools, and frameworks and is made possible using middleware. Middleware manages the complexity of web development in a scalable and effective way. This includes using web servers, content management systems, application servers, and supporting other tools needed for application development. Detectify's internal research teams have demonstrated how security misconfigurations can occur in middleware, including Nginx web servers.

Traditional middleware, however, is being replaced by integrations and orchestration in modern organizations. This will become even more complex as middleware orchestration becomes a norm in development teams - software integrations and how each component interacts present new challenges for security teams and their attack surfaces.

Cloud storage

Cloud storage providers like Amazon Web Services (AWS) do a great job securing the server hardware your instances run on. Still, secure configuration and access management in the cloud are the organization's responsibility. Cloud providers are addressing concerns with added security features, yet we continue to see data in the cloud compromised due to misconfigured settings. Monitoring for misconfigurations and proper access management controls can be automated today. As attack surfaces grow, they do so in a decentralized manner. By 2026, it is projected that over 90% of enterprises will expand to multi-cloud environments.

Third-party services

An organization's attack surface grows with every new dependency on third-party software or technology. Reliance on third-party software is also likely to be more prominent with every new company Merger & Acquisition. According to Deloitte, third-party vendor use has seen exponential growth over the last five years.

DNS Domains and Subdomains

The basics of domain takeover can be summarized as follows:

When a user visits a website or runs a search, the request is resolved through the Domain Name System (DNS), which directs the user's traffic to the requested site. DNS can be hijacked when an attacker intercepts the traffic that a DNS server was asked to direct and redirects it to another website, usually with malicious intent.

Hacking a Top Level Domain (TLD) means that a hacker has been able to gain control of the name server for websites registered under .com, .co.uk, or .io and subsequently controls the requests sent to these sites. Detectify Co-founder and Security Researcher Fredrik N. Almroth has a fascinating write-up of how he ethically hijacked the top-level domain of a sovereign state and temporarily took over 50% of all DNS traffic for the TLD, something that could easily have been exploited by malicious hackers.

Hijacking of traffic can also happen at the subdomain level. Hostile Subdomain Takeover is a term coined by Detectify Security Researchers for an attacker registering and claiming ownership of a subdomain that has been forgotten or abandoned by the original site owner, mostly because the organization has dangling DNS records. At Detectify, we have over 600 techniques to identify subdomain takeovers, developed by our internal security team.

New research shows that subdomain takeovers are rising but are also getting harder to monitor as domains contain more vulnerabilities.
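The dangling DNS records that make the takeover described above possible can be found from your own zone data. The audit below is an added example, not Detectify's code: it follows each CNAME/NS record to its target and flags those whose target no longer exists. The zone export shape, the hostnames and the resolver answers are all constructed.

```python
"""Find dangling CNAME and NS records in your own zone.

A record whose target no longer exists (NXDOMAIN) is the precondition for a
hostile subdomain takeover: the name still points at a provider hostname that
nobody controls any more. Added example; zone, hostnames and resolver answers
are constructed sample data.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone export: (owner name, record type, target/address).
ZONE: List[Tuple[str, str, str]] = [
    ("www.example.com", "A", "203.0.113.10"),
    ("shop.example.com", "CNAME", "shop-frontend.example.com"),
    ("shop-frontend.example.com", "CNAME", "tenant-42.hosted-shop.example"),
    ("blog.example.com", "CNAME", "example-blog.blog-host.example"),
    ("legacy.example.com", "CNAME", "example-legacy.old-paas.example"),
    ("loop-a.example.com", "CNAME", "loop-b.example.com"),
    ("loop-b.example.com", "CNAME", "loop-a.example.com"),
    ("dev.example.com", "NS", "ns1.former-dns-provider.example"),
]

# Constructed resolver answers for names outside the zone: a list of
# addresses, or None where the authoritative server answers NXDOMAIN.
# Using dict.get as the resolver means an unlisted name counts as NXDOMAIN.
EXTERNAL_ANSWERS: Dict[str, Optional[List[str]]] = {
    "tenant-42.hosted-shop.example": ["198.51.100.7"],
    "example-blog.blog-host.example": None,   # provider account was deleted
    "example-legacy.old-paas.example": None,  # platform was shut down
    "ns1.former-dns-provider.example": None,  # delegated nameserver is gone
}

Resolver = Callable[[str], Optional[List[str]]]


def _chase(target: str, in_zone: Dict[str, Tuple[str, str]],
           lookup: Resolver, max_depth: int) -> str:
    """Follow in-zone CNAME hops from target until the chain leaves the zone."""
    seen = set()
    current = target
    for _ in range(max_depth):
        if current in seen:
            return "loop"
        seen.add(current)
        record = in_zone.get(current)
        if record is None:
            # Left our zone: ask the resolver whether the name still exists.
            # A name that resolves is not proof the account is still ours;
            # that needs a content check, which is out of scope here.
            return "ok" if lookup(current) else "dangling"
        rtype, nxt = record
        if rtype == "CNAME":
            current = nxt
            continue
        return "ok"  # terminates on an in-zone A/NS record we control
    return "loop"  # chain longer than max_depth: treat as misconfigured


def audit_zone(zone: List[Tuple[str, str, str]], lookup: Resolver,
               max_depth: int = 8) -> Dict[str, str]:
    """Return {owner: 'ok' | 'dangling' | 'loop'} for every CNAME/NS record."""
    in_zone = {name: (rtype, target) for name, rtype, target in zone}
    return {
        name: _chase(target, in_zone, lookup, max_depth)
        for name, rtype, target in zone
        if rtype in ("CNAME", "NS")
    }


def takeover_candidates(results: Dict[str, str]) -> List[str]:
    """Owners whose targets are gone and should be deleted or re-pointed."""
    return sorted(name for name, status in results.items() if status == "dangling")


if __name__ == "__main__":
    findings = audit_zone(ZONE, EXTERNAL_ANSWERS.get)
    for owner, status in findings.items():
        print(f"{owner:30} {status}")
    print("remove or re-point:", takeover_candidates(findings))
```

Against a live zone, replace `EXTERNAL_ANSWERS.get` with a function that queries your resolver and returns None only on NXDOMAIN, since an empty NOERROR answer is not the same condition.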

The following graphic demonstrates a likely scenario of how a subdomain takeover can occur:

Server misconfigurations

Misconfigured servers, email servers in particular, are one of the ways domains end up at risk of spoofed emails. In 2016, the Detectify security research team conducted email server misconfiguration research on the 500 top-ranked Alexa sites. They found that less than half of the domains had configured email authentication correctly to prevent spoofed emails from being sent, which meant that users were at risk of receiving false emails appearing to come from domains they trusted.
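The email authentication check referred to above comes down to what a domain publishes in DNS. As an added example (not Detectify's research code), the functions below grade a domain's SPF and DMARC TXT records on whether they actually stop spoofed mail; the domains and records are constructed, and DNS lookups are replaced by a dict.

```python
"""Grade SPF and DMARC records on spoofing resistance. Added example with
constructed TXT records; DNS is stubbed by the TXT dict."""
import re
from typing import Dict, List, Optional

# Constructed TXT records keyed by owner name, as a DNS answer would be.
TXT: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.mail-provider.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "softonly.example": ["v=spf1 mx ~all"],                  # no DMARC record
    "monitor.example": ["v=spf1 mx -all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; pct=100"],
    "broken.example": ["v=spf1 mx -all", "v=spf1 a -all"],   # two SPF records
    "_dmarc.broken.example": ["v=DMARC1; p=reject"],
    "open.example": ["v=spf1 +all"],                         # anyone may send
    "nothing.example": ["site-verification=abc123"],
}

# Mechanisms/modifiers that each consume one of the ten allowed DNS lookups.
_LOOKUP_TERMS = re.compile(r"^(?:[+\-~?]?(?:include|a|mx|ptr|exists)|redirect)(?:[:=/]|$)")


def spf_status(records: List[str]) -> str:
    """Classify SPF as enforcing, soft, permissive, permerror or none."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror"   # RFC 7208 4.5: multiple records are a permanent error
    terms = [t.lower() for t in spf[0].split()[1:]]
    if sum(1 for t in terms if _LOOKUP_TERMS.match(t)) > 10:
        return "permerror"   # RFC 7208 4.6.4: lookup limit exceeded
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return "permissive"  # no "all": unmatched senders evaluate to neutral
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    return {"-": "enforcing", "~": "soft", "+": "permissive", "?": "permissive"}[qualifier]


def dmarc_policy(records: List[str]) -> Optional[str]:
    """Return the DMARC disposition (none/quarantine/reject/partial) or None."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None          # missing or duplicated: receivers ignore DMARC
    pairs = (kv.split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return None
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        return "partial"     # only a sample of failing mail gets the disposition
    return policy


def assess(domain: str, txt: Dict[str, List[str]]) -> str:
    """Combine SPF and DMARC into one verdict on spoofing resistance."""
    spf = spf_status(txt.get(domain, []))
    dmarc = dmarc_policy(txt.get(f"_dmarc.{domain}", []))
    if spf == "permerror":
        return "broken-spf"          # DMARC can then only pass via DKIM
    if dmarc in ("quarantine", "reject"):
        return "protected"
    if dmarc == "partial":
        return "partially-enforced"
    if dmarc == "none":
        return "monitoring-only"
    if spf in ("enforcing", "soft"):
        return "spf-only"            # no DMARC: receivers may still accept
    return "unprotected"


def assess_all(txt: Dict[str, List[str]]) -> Dict[str, str]:
    """Verdict for every organizational domain in the TXT data."""
    return {d: assess(d, txt) for d in sorted(txt) if not d.startswith("_dmarc.")}
```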

Other common attack surfaces prone to misconfigurations:

  • Routers
  • Web VPNs
  • Ports
  • Hosted apps, e.g. issue tracking tools
  • Frameworks
  • GitHub repositories
  • Physical employee devices

What a growing attack surface means to your organization

Today's software and tech enterprises are advancing daily with the speed and scale of development. This means that available cyberattack surfaces are growing, especially for digital organizations. Whenever a web-facing asset is made public, such as a new marketing campaign subdomain or commits with user inputs in GitHub, your available attack points increase.

Security teams often struggle to maintain visibility over every new asset. At the same time, the discovery of unknown attack vectors by malicious hackers or accidental exposure of the tech stack also increases the surface.

But what does this all mean? In short, your attack surface is growing at scale and probably faster than you realize.

Real-life attack surface examples

A compromised attack surface can happen to any organization. We've seen high-profile cases occur in recent times due to third-party software vulnerabilities and accidental exposure of remote access applications. Some of the most well-known examples include:

Solarwinds

Through a compromised update to SolarWinds' Orion software, a group of hackers gained access to the systems of government agencies and other SolarWinds customers. Detectify added this zero-day vulnerability, CVE-2020-10148 SolarWinds Orion Authentication Bypass, to its scanner in February 2021.

Kaseya

A ransomware attack in July 2021 compromised software from Kaseya, impacting as many as 1,500 organizations. Malicious hackers carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya's VSA software against multiple managed service providers (MSPs) and their customers.

Florida water treatment facility

In February 2021, a hacker initiated an attack on a Florida water treatment facility that briefly adjusted sodium hydroxide levels to dangerous levels. Fortunately, a vigilant team member saw the intrusion attempt as it was occurring and stopped it.

Chapter 3

Attack vectors and methods

What is an attack vector?

An attack vector in cybersecurity is the path or route an attacker takes to exploit a vulnerability and break through the attack surface. Attack vectors and the attack surface are closely related but are not the same thing. Attack vector methods include:

Weak or stolen credentials

These can be purchased or gathered by an attacker and then used for brute-forcing or credential stuffing attacks to get past a login interface.

Zero-day (0-day) attacks

A zero-day attack vector exploits a vulnerability in software or technology that its creator is unaware of.

Intercepting traffic

Incorrectly encrypted traffic can result in attackers stealing sensitive user data such as usernames, passwords, and credit card details.

Phishing

A type of social engineering attack where attackers send fraudulent messages designed to trick a human victim into revealing sensitive information.

Subdomain takeover

Occurs when an attacker takes over a subdomain and can be done when a subdomain is pointing to a third-party provider that is no longer in use.

Social engineering

Social engineering attacks are the art of using psychological manipulation to get you to divulge confidential information or perform a specific action.

Denial-of-Service

A DoS attack is where a perpetrator seeks to make a machine or network resource unavailable by temporarily or indefinitely disrupting the services of a host connected to a network.

OWASP Top 10 for 2021

This standard awareness document for developers and web application security represents a broad consensus about the most critical security risks to web applications.

Chapter 4

Why does External Attack Surface Management matter now?

As attack surfaces keep expanding, securing them becomes more difficult. To tackle this, security teams need a dynamic way to gain insight into what's exposed. EASM solutions can play a crucial role in this, providing an external view of your attack surface.

Rapidly evolving tech stack

Tech stacks are evolving fast as organizations shift to microservices and multi-cloud deployments. It's a challenge to secure these new potential entry points from malicious actors exploiting them. It's an even bigger challenge to do so while maintaining security for the old parts that still remain.

Decentralizing security

Today's business landscape often prizes agility, which comes with implications for security. We see more decentralized and hybrid approaches, especially from the software development perspective. Shifting security left in the SDLC adds a lot of value in shipping code that is more secure. But it's no silver bullet, as you cannot catch everything in the development stage.

More channels for vulnerabilities

Security teams need to know what's exposed. They need to know where and how to identify vulnerabilities, in both new and old technologies. But the hunt for more vulnerability findings can have a downside: false positives, duplicates, and unreachable findings keep us from focusing on what matters. The answer is seldom more findings, but relevant findings, knowing where to look closer by identifying and assessing known and unknown assets.

How does EASM help with expanding attack surfaces?

Knowing what you're exposing online

There are many scenarios where security teams will have the difficult task of keeping track of every single asset their organizations have online. For example, your Marketing team may launch a new campaign on a subdomain of one of your apex domains (e.g., campaign.example.com) but not inform you until after it has shipped, leaving it potentially vulnerable to attacks. The exposure knowledge that an External Attack Surface Management solution provides is critical in helping security teams discover and map out all of their assets.

Integrating results into existing workflows

Most security teams expect and need critical vulnerability information to be expedited to make their work and the flow of information smoother. Customizable integrations that deliver automated vulnerability feedback get the right information to the right teams as soon as vulnerabilities or exposed assets are discovered.

Security teams as enablers, not blockers

As software development scales up in your organization, security doesn’t have to be a blocker, left behind, or compromised - web app security can be scalable together with development. External Attack Surface Management solutions with automation and continuous monitoring can enable developers to code more consistently and work directly with security teams to collaborate and prioritize vulnerability management.

Use cases for EASM

Asset discovery

External Attack Surface Management solutions deploy various techniques to discover known and unknown assets, from enumerating domains to cloud connectors and zone files. The combination of techniques to map the external attack surface ensures your team has a reliable inventory of exposed assets with the least effort.

Remediating vulnerabilities and anomalies

This entails providing actionable insights on assets and vulnerabilities that are easily implemented into existing remediation workflows or integrations with tools like Jira, Slack, and similar.

Third-party risks

By utilizing an External Attack Surface Management solution, security teams will be aware of any third-party exposed assets and will have peace of mind in knowing that they're constantly being monitored for active vulnerabilities and other anomalies. An EASM solution can help you identify those vulnerabilities and let you know if there are other risks you're unaware of.

Mergers and Acquisitions (M&A)

The bottom line is that every M&A will increase your attack surface, making it more challenging to stay in control. Currently, most organizations have minimal information on what assets from the acquired organization are being exposed on the Internet. The exposure of unknown assets can have potentially severe consequences if attackers exploit such assets - reputation damage and financial loss are two of the most significant impacts.

Learn more in the e-book: Why consider an external attack surface management solution now?

Chapter 5

How External Attack Surface Management fits into existing workflows

4 step EASM process of Discover, Assess, Prioritize and Remediate

We know that EASM is more than discovering assets from an external point of view. Getting the most value out of an EASM tool also means applying rigorous attack surface assessment, including prioritizing and remediating vulnerabilities. Hackers go through similar steps: recon, assessment, and exploiting what they have discovered. Detectify is unique in its offering of EASM by combining attack surface recon with vulnerability assessment, essentially scaling DAST-style testing to each and every exposed asset. It's also the only EASM offering with research crowdsourced from a community of ethical hackers. Using Crowdsource, we tap into the power of the crowd by automating human ingenuity, resulting in more 'flavors' of tests, an unmatched array of technologies covered, and more relevant findings.

EASM's discovery, assessment, and prioritization need to fit into your current workflows. They need to play well with how you triage and delegate across your security program today. AppSec teams relying on deeper testing, e.g. DAST, need to become more effective using EASM, not gain yet another source of vulnerability findings that could be irrelevant. Detectify pairs its EASM offering with deeper scanning, much like DAST, delivering broad external discovery and assessment with the ability to dig deep where it matters. Testing is always payload-based, using crowdsourced research for unparalleled signal-to-noise levels.

Apart from a smooth way to move from broad to deep testing, we know interoperability is key in today's security programs. No platform does everything well (enough) everywhere it's needed. With a range of possible integrations there are many use cases for EASM solutions like Detectify's. Here are some insights into scenarios where an EASM solution can be best leveraged:

A growing attack surface leads to new challenges for you and your organization

What internet-facing assets do I have?

Discovering known and unknown assets

This is where all domains, DNS records, IPs, ports, and certificates are mapped out together with their relationships to each other. Malicious hackers would be most interested in knowing what is public-facing and whether that is intentional. An organization's lack of knowledge about its unknown assets can lead to something as severe as a subdomain takeover. That's why Detectify's External Attack Surface Management solution has an active inventory of over 600 techniques to identify subdomain takeover, used to check for vulnerable subdomains mapped to your attack surface.

Grammarly, a Detectify customer, had the difficult task of creating an inventory of its product offerings and applications. They were about to build their own and then discovered Detectify, which has provided Grammarly with an effortless discovery and alerting system for vulnerabilities in their system.

What vulnerabilities or anomalies do I have?

Assess vulnerabilities and anomalies in assets

Once you have detected a vulnerability, the next step is to assess if it can be exploited to understand its potential risks. Running security tests that are automatically kept up to date is the best way to assess anomalies across your attack surface.

The assessment itself can be a complex stage. It can involve anything from investigating log changes or data or working with developers on code reviews. If you are working with ethical hackers, this is where their expertise can really make a difference, as they can provide testing that looks for unique vulnerabilities in software and technologies companies rely on every day, like AWS and other cloud technologies. Hiring all the top security experts to conduct such testing is not possible; this is why getting ahold of relevant research and hacker payloads via crowdsourcing options can give you timely access to actionable insights.

Photobox is one customer that benefits from using Detectify Crowdsource ethical hackers. The organization understood that crowdsourced ethical hacking research could far outpace open source tools. The combination of new research and automation from Detectify is a vital part of Photobox's security setup.

Where should I focus my attention?

Prioritizing results from an EASM solution

When vulnerabilities are assessed and identified, the next step is to prioritize them. This can be done with internal risk assessments based on CVSS scoring or other frameworks. Detectify makes this easy in the Domains page. Using templated filters or by creating custom ones, you can highlight certain vulnerabilities. The page also lets you explore the domain data in a network graph.

Not all vulnerabilities are considered business-critical risks, and collaboration between developers and security teams is encouraged to prioritize vulnerability management. Using Detectify's Domains page filters, it's easy to create Attack Surface Policies. These let you know when a policy is breached and can also be used over our API and integrations, feeding alerts into your workflow tools, such as Slack and Jira.

How do I fix vulnerabilities or risks?

Remediating vulnerability and risks

It's not enough to just find and prioritize vulnerabilities; action needs to be taken to prevent the most harmful and risky ones from causing too much damage. External Attack Surface Management vendors like Detectify are working aggressively to create processes that prioritize the most critical vulnerabilities and anomalies affecting your business. Our External Attack Surface Management solution lets security teams easily set rules and configurations, freeing up time to focus on the issues that most impact their organizations. This innovation is happening quickly, and security teams that integrate EASM solutions early will help shape future tools.

Remediation can also refer to improving practices to make sure regressions don't occur. Visma, a customer of Detectify, started to enumerate subdomains, reduced the number of subdomains vulnerable to takeover, and successfully shrank their organizational attack surface. Their number of reported vulnerabilities dropped, indicating improved security practices.

Patrick Zimmermann, Information Security Manager, Bühler Group:
"We picked Detectify because it continuously monitors our entire external attack surface, discovers new subdomains, and automates scans and security tests sourced by the 400 ethical hackers of Crowdsource."

Chapter 6

External Attack Surface Management recommendations

External Attack Surface Management goes beyond asset discovery and inventory

This complete guide to External Attack Surface Management has offered insights into how it works and why External Attack Surface Management is a great way for AppSec teams to secure their attack surfaces. Although the threat of subdomain takeovers and vulnerabilities in third-party services makes complete coverage difficult, organizations and security teams need to focus on getting the most accurate information about their growing attack surfaces, especially as things change.

External Attack Surface Management goes beyond asset discovery and inventory by applying rigorous vulnerability assessment to help security teams ensure they are prioritizing the threats that matter most to their organizations. We go one step further by only:

  • Building in vulnerability tests that we can automate. Our users leverage our service to continuously test for the latest threats. That's why we don’t bother with vulnerabilities that can't be automatically detected with Detectify.
  • Keeping vulnerability tests relevant to our users. It doesn’t matter if we can find a vulnerability in a piece of tech that our users don’t use. That's why we only build tests that are reflected in the technology fingerprinting that we run every day on our customers’ assets.
  • Triggering a finding when we can prove that it’s exploitable. We don’t trigger a finding just because we know that a specific version of tech has a vulnerability; that doesn’t add any value. We send a payload with every vulnerability test to validate that a vulnerability is exploitable. We then present each detected vulnerability with the payload, response, and remediation tips.

How Detectify’s platform works

We've built our platform on the concepts of both EASM and DAST, reinventing these methods into a platform for complete coverage of your attack surface. AppSec and ProdSec teams rely on Detectify for both broad and deep testing that is easy to deploy and scales as needed. The platform consists of two parts:

Surface Monitoring

Surface Monitoring runs assessment by continuously scanning for vulnerabilities across your attack surface. Starting at the domain level, it discovers and monitors assets you may not even be aware of.

Application Scanning

Application Scanning goes beyond the capabilities of "traditional" DAST scanners. It leverages proprietary engines for crawling, fuzzing, authentication, and payload-based testing.

Benefits of Detectify’s approach to EASM:

  • Surface Monitoring is unique in that it not only runs discovery but also vulnerability testing at scale - across your entire attack surface. Application Scanning goes deeper where it matters, utilizing stateful testing and advanced fuzzing.
  • By presenting changes to your attack surface, Surface Monitoring guides you to where to focus your efforts.
  • We do not build in all CVEs because they are not all relevant and cannot be accurately found. We build payload-based tests and deeply value a high signal-to-noise ratio.
  • Thanks to Crowdsource, we provide better coverage for different types of relevant technologies.
  • We know subdomain takeovers. Because we build our own scanning engines, we innovate and explore new attack vectors, as we did when we pioneered subdomain takeovers as an attack vector.
  • Get started with Surface Monitoring with a click. Start discovering and testing your attack surface in an instant with our cloud connectors.
  • Don't take our word for it, read what our customers have to say.