The complete guide to External Attack Surface Management (EASM)

Get in-depth guidance on External Attack Surface Management, how it works, and why External Attack Surface Management is the best way for AppSec and ProdSec security teams to secure their attack surfaces.

Chapter 1

What External Attack Surface Management is and isn't

What is External Attack Surface Management (EASM)?

External attack surface management (EASM) is the continuous practice of discovering and assessing Internet-facing assets and looking for their vulnerabilities and anomalies. Mapping out your attack surface with External Attack Surface Management will help you understand where and to what degree your Internet-facing assets are exposed.

The Attack Surface Management (ASM) space is growing, with Gartner having named attack surface expansion its top trend in cybersecurity for 2022. Detectify has also been recognised as a Sample Vendor in the External Attack Surface Management Category in recent Gartner research.

Other notable analyst firms such as Forrester and KuppingerCole have also referenced the rapidly expanding attack surface as a growing concern for security teams across industries.

State of EASM in 2023: Read about Detectify's 2023 research on External Attack Surface Management.

Greater use of the public cloud and highly connected supply chains are leaving organizations vulnerable to attackers. For those working on the frontline of cybersecurity, identifying and monitoring changes in your external attack surface is crucial to discern what actions to take to protect the attack surface.

Learn more in the e-book: External Attack Surface Management - What it is and what it isn't

Are Attack Surface Management and External Attack Surface Management the same thing?

Attack Surface Management (ASM) is an evolving product category, with various methods and attack surface assessment technologies used to approach the attack surface. Forrester defines Attack Surface Management as “The process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity’s IT asset estate.” Attack surface management can be seen as a broader approach to detecting and handling vulnerabilities that weaken your security posture.

External Attack Surface Management is one of the Attack Surface Management processes whereby tooling “continuously scans for, discovers, and enumerates unknown internet-facing assets, establishes the unique fingerprints of discovered assets, and identifies various exposures.” External Attack Surface Management leverages an outside-in approach to understand what is being exposed on the attack surface.

What External Attack Surface Management isn't

Cyber Asset Attack Surface Management (CAASM):
Although CAASM solutions allow organizations to see all their assets, they don't generally apply vulnerability assessments to the assets discovered.

CAASM solutions offer an inside-out approach to covering the attack surface, which may work for some organizations. However, their reliance on API integrations makes them difficult to onboard and scale for organizations with a rapidly expanding attack surface.

Digital Risk Protection Services (DRPS):
DRPS solutions crawl the Internet to attribute assets to organizations and access parts of the Internet like the dark web. Like CAASM, DRPS solutions don't apply vulnerability testing to assets they discover because such assets, like social media profiles, cannot be tested.

DRPS solutions are likely useful for larger enterprise organizations that can feed the findings produced into existing Threat Intelligence workflows. This makes DRPS solutions less valuable to organizations that need actionable information on assets that pose a risk to their business.

Read more: How does EASM differ from CAASM and DRPS?

What is the attack surface?

An attack surface refers to any interface, physical or digital, where an attacker could try to enter their own input or deploy an attack vector to get unauthorized access to a system and extract data or other sensitive information. It could also be used as a point within a chain of attacks.

While inventory and visibility are critical first steps in preventing attacks, they alone are not enough to protect the attack surface. Security teams around the globe are now looking for solutions that can help them better manage what they are exposing, as well as running low noise and high accuracy testing on newly discovered assets.

How to define the attack surface area

Organizations increasingly rely on SaaS services and products, meaning the digital attack surface is more than the firewall and network. It is now a sum of the available entry points of the different web applications publicly accessible on the Internet – both known and unknown assets.

Known assets
Known assets are the assets you know about and monitor with extra care. These include the subdomains under your domain, the Apache installations you run security checks on, the central web application, and login interfaces.

Unknown assets
There will always be unknown assets that create weaknesses in the attack surface. These can be harder to catch for a growing business without the right processes and tools, and often occur when mistakes are made in the code, rogue or shadow IT software is installed, or an insecure supply chain is used. There are also occasions when new vulnerabilities surface in existing code thanks to a pentester or ethical hacker's creativity in looking where others aren't.

Chapter 2

Attack surface types

Common attack surfaces that are prone to misconfigurations

Middleware

Software development occurs over multiple cloud environments, languages, tools, and frameworks and is made possible using middleware. Middleware manages the complexity of web development in a scalable and effective way. This includes using web servers, content management systems, application servers, and supporting other tools needed for application development. Detectify's internal research teams have demonstrated how security misconfigurations can occur in middleware, including Nginx web servers.

Traditional middleware, however, is being replaced by integrations and orchestration in modern organizations. This will become even more complex as middleware orchestration becomes a norm in development teams - software integrations and how each component interacts present new challenges for security teams and their attack surfaces.

Cloud storage

Cloud storage providers like Amazon Web Services (AWS) do a great job securing the server hardware your instances run on. Still, the cloud's secure configuration and access management is the organization's responsibility. Cloud providers are addressing concerns with added security features, yet we continue to see data in the cloud compromised due to misconfigured settings. Monitoring for misconfigurations and proper access management controls can be automated today.

Third-party services

An organization's attack surface grows with every new dependency on third-party software or technology. Reliance on third-party software is also likely to be more prominent with every new company Merger & Acquisition. According to Deloitte, third-party vendor use has seen exponential growth over the last five years.

DNS Domains and Subdomains

The basics of domain takeover can be summarized as follows:

When a user visits a website or runs a search, the request is sent to a Domain Name System (DNS) server, which directs the user's traffic to the requested website. DNS can be hijacked when an attacker intercepts or alters those DNS responses and redirects the traffic to another website, usually with malicious intent.

Hacking a Top Level Domain (TLD) means that a hacker has been able to gain control of the name server for websites registered under .com, .co.uk, or .io and subsequently has control over the requests sent to these sites. Detectify Co-founder and Security Researcher Fredrik N. Almroth has a fascinating write-up of how he ethically hijacked the top-level domain of a sovereign state and temporarily took over 50% of all DNS traffic for the TLD, something that could have easily been exploited by malicious hackers.

Hijacking of traffic can also happen on the subdomain level. Hostile Subdomain Takeover is a term coined by Detectify Security Researchers whereby an attacker registers and claims ownership of a subdomain that has been forgotten or abandoned by the original site owner. At Detectify, we have over 350 techniques to identify subdomain takeovers, developed by our internal security team.

New research shows that subdomain takeovers are rising but are also getting harder to monitor as domains contain more vulnerabilities.

The following graphic demonstrates a likely scenario of how a subdomain takeover can occur:

Infographic explaining domain takeover from Detectify
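To make the scenario concrete from the defender's side, here is an added example (not Detectify code, and not taken from the infographic) of the check an organization can run over its own DNS zone to find the precondition for a subdomain takeover: a CNAME record whose target no longer resolves. The same check illustrates the "Subdomain takeover" attack vector listed in Chapter 3. The zone snapshot, the set of names that currently resolve, and the list of third-party hosting suffixes are all constructed for the example; a real audit would feed them from a zone export and a live resolver.

```python
"""Dangling-CNAME audit over a constructed DNS snapshot.

Added example, not Detectify code. The zone data below is constructed; a real
audit would feed it from your DNS provider's zone export or a resolver.
"""
from typing import Dict, List, Set, Tuple

# Constructed snapshot of an organization's DNS records: name -> (type, value).
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com":          ("A",     "203.0.113.10"),
    "shop.example.com":         ("CNAME", "shop-example.myshopify.example"),
    "blog.example.com":         ("CNAME", "example.ghostcdn.example"),
    "old-campaign.example.com": ("CNAME", "campaign2019.s3-website.example"),
    "docs.example.com":         ("CNAME", "www.example.com"),
}

# Constructed view of what the public Internet currently resolves.
# Names absent from this set behave as NXDOMAIN (no such host).
RESOLVABLE: Set[str] = {
    "www.example.com",
    "shop-example.myshopify.example",
    "example.ghostcdn.example",
}

# Third-party hosting suffixes where an unclaimed name can be registered by any
# customer of that provider (constructed; maintain your own from the providers you use).
THIRD_PARTY_SUFFIXES = (".s3-website.example", ".myshopify.example", ".ghostcdn.example")


def resolve_chain(name: str, zone, resolvable, max_hops: int = 8):
    """Follow CNAMEs from `name`; return (final_target, resolves_ok).

    A target outside our zone resolves only if it is in `resolvable`; a CNAME
    loop or an over-long chain is treated as unresolvable.
    """
    seen = set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            return current, False
        seen.add(current)
        rec = zone.get(current)
        if rec is None:                      # left our zone: ask the Internet
            return current, current in resolvable
        rtype, value = rec
        if rtype != "CNAME":                 # A/AAAA/... terminates the chain
            return current, True
        current = value
    return current, False


def find_dangling(zone, resolvable, suffixes) -> List[dict]:
    """Return CNAME records whose chain ends at a name that no longer resolves.

    A dangling target on a third-party hosting suffix is rated high, because that
    is exactly the abandoned-service case the text describes; other dangling
    targets are still worth cleaning up and are rated medium.
    """
    findings = []
    for name, (rtype, _value) in sorted(zone.items()):
        if rtype != "CNAME":
            continue
        target, ok = resolve_chain(name, zone, resolvable)
        if ok:
            continue
        findings.append({
            "name": name,
            "target": target,
            "severity": "high" if target.endswith(suffixes) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_dangling(ZONE, RESOLVABLE, THIRD_PARTY_SUFFIXES):
        print(f"{f['severity'].upper():6} {f['name']} -> {f['target']} (does not resolve)")
```

Run against the constructed data, only `old-campaign.example.com` is reported: its CNAME still points at a storage-hosting name that nobody owns any more. Remediation is to delete the record, or to reclaim the name at the provider if the campaign is still needed; either way, the check belongs in the same inventory job that tracks the rest of your DNS.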

Server misconfigurations

Misconfigured servers such as email servers are one of the ways domains are put at risk of spoofed emails. In 2016, the Detectify security research team conducted email server misconfiguration research on the 500 top-ranked Alexa sites. They found that less than half of the domains had configured email authentication correctly to prevent spoofed emails from being sent, which meant that users were at risk of receiving false emails appearing to come from domains that they trusted.
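The misconfiguration class described above is visible in a domain's public SPF and DMARC TXT records. The following added example (not the Detectify research tooling) shows the check a defender can run on their own domains: it parses both records and reports the conditions under which receivers will accept mail claiming to come from the domain. The TXT records and domain names are constructed; a real check would query them from DNS.

```python
"""Email-authentication posture check from SPF and DMARC TXT records.

Added example illustrating the misconfiguration class described above; it is
not the Detectify research tooling. All records below are constructed.
"""
import re

# Constructed TXT records keyed by the DNS name you would query for them.
TXT_RECORDS = {
    "example.com":        ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example":       ["v=spf1 include:_spf.mail.example ?all"],  # no _dmarc record
    "lax.example":        ["v=spf1 +all"],
    "_dmarc.lax.example": ["v=DMARC1; p=none"],
}


def get_spf(records, domain):
    """Return the SPF record published at `domain`, or None."""
    for txt in records.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def get_dmarc(records, domain):
    """Return the DMARC record published at _dmarc.<domain>, or None."""
    for txt in records.get("_dmarc." + domain, []):
        if txt.upper().startswith("V=DMARC1"):
            return txt
    return None


def spf_all_qualifier(spf):
    """Qualifier on the trailing 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    if not m:
        return None
    return m.group(1) or "+"   # a bare 'all' defaults to '+' (pass)


def dmarc_tags(dmarc):
    """Parse 'k=v; k=v' into a dict with lower-cased keys."""
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, records=TXT_RECORDS):
    """List the conditions that let a third party send mail appearing to come from `domain`."""
    issues = []
    spf = get_spf(records, domain)
    if spf is None:
        issues.append("no SPF record")
    elif spf_all_qualifier(spf) not in ("-", "~"):
        issues.append("SPF does not fail unauthorized senders (expected -all or ~all)")
    dmarc = get_dmarc(records, domain)
    if dmarc is None:
        issues.append("no DMARC record")
    elif dmarc_tags(dmarc).get("p", "none").lower() == "none":
        issues.append("DMARC policy is none (monitor only; receivers will not reject spoofed mail)")
    return {"domain": domain, "issues": issues,
            "verdict": "protected" if not issues else "spoofable"}


if __name__ == "__main__":
    for d in ("example.com", "weak.example", "lax.example"):
        r = assess(d)
        print(f"{d}: {r['verdict']}" + "".join(f"\n  - {i}" for i in r["issues"]))
```

The verdict is deliberately conservative: SPF alone only tells receivers which hosts may send, and a `?all` or `+all` ending tells them to accept everyone; it is the DMARC `p=reject` (or `quarantine`) policy that instructs receivers to act on a failure. A domain that sends no mail at all should still publish `v=spf1 -all` and a reject policy, so that nobody else can send as it.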

Other common attack surfaces prone to misconfigurations:

  • Routers
  • Web VPNs
  • Ports
  • Hosted apps, e.g. issue tracking tools
  • Frameworks
  • GitHub repo
  • Physical employee devices

What a growing attack surface means to your organization

Today's software and tech enterprises are advancing daily with the speed and scale of development. This means that available cyberattack surfaces are growing, especially for digital organizations. Whenever a web-facing asset is made public, such as a new marketing campaign subdomain or commits with user inputs in GitHub, your available attack points increase.

Security teams often struggle to maintain visibility over every new asset. At the same time, the discovery of unknown attack vectors by malicious hackers or accidental exposure of the tech stack also increases the surface.

But what does this all mean? In short, your attack surface is growing at scale and probably faster than you realize.

Real-life attack surface examples

A compromised attack surface can happen to any organization. We've seen high-profile cases occur in recent times due to third-party software vulnerabilities and accidental exposure of remote access applications. Some of the most well-known examples include:

Solarwinds

Through a compromised update to SolarWinds' Orion software, a group of hackers gained access to government and other SolarWinds customer systems. Detectify added this zero-day vulnerability, CVE-2020-10148 SolarWinds Orion Authentication Bypass, to its scanner in February 2021.

Kaseya

A ransomware attack in July 2021 compromised software from Kaseya, impacting as many as 1,500 organizations. Malicious hackers carried out a supply chain ransomware attack by leveraging Kaseya's VSA software vulnerability against multiple managed service providers (MSP) and their customers.

Florida water treatment facility

In February 2021, a hacker initiated an attack on a Florida water treatment facility that briefly adjusted the sodium hydroxide level to a dangerous value. Fortunately, a vigilant team member saw the intrusion attempt as it was occurring and stopped it.

Chapter 3

Attack vectors and methods

What is an attack vector?

Attack vector in cybersecurity refers to an attacker's path or route to exploit a vulnerability and break through the attack surface. Attack vectors and the attack surface are closely related but are not the same thing. Attack vector methods include:

Weak or stolen credentials

These can be purchased or gathered by an attacker and then used for brute-forcing or credential stuffing attacks to get past a login interface.

Zero-day (0-day) attacks

A zero-day attack vector exploits a vulnerability in software or technology that its creator is unaware of.

Intercepting traffic

Incorrectly encrypted traffic can result in attackers stealing sensitive user data such as usernames, passwords, and credit card details.

Phishing

A type of social engineering attack where attackers send fraudulent messages designed to trick a human victim into revealing sensitive information.

Subdomain takeover

Occurs when an attacker takes over a subdomain and can be done when a subdomain is pointing to a third-party provider that is no longer in use.

Social engineering

Social engineering attacks are the art of using psychological manipulation to get you to divulge confidential information or perform a specific action.

Denial-of-Service

A DoS attack is where a perpetrator seeks to make a machine or network resource unavailable by temporarily or indefinitely disrupting the services of a host connected to a network.

OWASP Top 10 for 2021

This standard awareness document for developers and web application security represents a broad consensus about the most critical security risks to web applications.

Chapter 4

Why does External Attack Surface Management matter now?

It's becoming increasingly difficult for organizations to secure their external attack surfaces. With attack surface expansion making securing the attack surface a more significant challenge, it’s crucial to address the attack surface problem with an EASM solution that gives you the most insights into your attack surface.

Rapidly evolving tech stack

With the modern tech stack rapidly evolving, organizations are shifting more of the tech stack to microservices and multi-cloud deployments, which in turn creates new entry points that malicious hackers have the potential to attack.

Decentralizing security

Security is becoming more of a responsibility for development teams. Shift-left security is a way of preventing vulnerabilities in the development lifecycle, but isn't a silver bullet.

More channels for vulnerabilities

There is increasing pressure on security teams to know what they're exposing, where, and how to identify vulnerabilities in both new and old technologies. This information comes from multiple channels and can identify known and unknown assets.

How does EASM help with expanding attack surfaces?

Knowing what you're exposing online

There are many scenarios where security teams will have the difficult task of keeping track of every single asset their organizations have online. For example, your Marketing team may launch a new campaign hosted on a subdomain of one of your apex domains (e.g., campaign.example.com) but not inform you until after it has shipped, leaving it potentially vulnerable to attacks. The exposure knowledge that an External Attack Surface Management solution can identify is critical in helping security teams discover and map out all of their assets.

Integrating results into existing workflows

Most security teams expect and need critical vulnerability information to be expedited so that their work and the flow of information run more smoothly. Integrations that deliver automated, customizable vulnerability feedback get the right information to the right teams as soon as a vulnerability or an exposed asset is discovered.

Security teams as enablers, not blockers

As software development scales up in your organization, security doesn’t have to be a blocker, left behind, or compromised - web app security can be scalable together with development. External Attack Surface Management solutions with automation and continuous monitoring can enable developers to code more consistently and work directly with security teams to collaborate and prioritize vulnerability management.

Use cases for EASM

Asset discovery

External Attack Surface Management solutions deploy various techniques to discover known and unknown assets, from enumerating domains to Route 53 connectors and zone files. The combination of techniques to map the external attack surface ensures your team has a reliable inventory of exposed assets with the least effort.

Remediating vulnerabilities and anomalies

This entails providing actionable insights on assets and vulnerabilities that are easily implemented into existing remediation workflows or integrations with tools like Jira, Slack, and similar.

Third-party risks

By utilizing an External Attack Surface Management solution, security teams will be aware of any third-party exposed assets and will have peace of mind in knowing that they're constantly being monitored for active vulnerabilities and other anomalies. An EASM solution can help you identify those vulnerabilities and let you know if there are other risks you're unaware of.

Mergers and Acquisitions (M&A)

The bottom line is that every M&A will increase your attack surface, making it more challenging to stay in control. Currently, most organizations have minimal information on what assets from the acquired organization are being exposed on the Internet. The exposure of unknown assets can have potentially severe consequences if attackers exploit such assets - reputation damage and financial loss are two of the most significant impacts.

Learn more in the e-book: Why consider an external attack surface management solution now?

Chapter 5

How External Attack Surface Management fits into existing workflows

4 step EASM process of Discover, Assess, Prioritize and Remediate

Vulnerability assessment tools include continuous security reviews of the entire external attack surface as part of the scope. Detectify is the only external attack surface management solution using the ethical hacker community to collaborate on research and methodology. The External Attack Surface Management scope follows a similar approach as a hacker would by moving through the discovery (aka recon), assessment, and prioritization phases.

Where many attack surface management tools stop at discovering assets, next-generation tools like Detectify combine them with vulnerability scanning, giving organizations an idea of what entry points exist and how far the exploitation chain will go. It's constructive to explore whether seemingly low severity or informational bugs could lead to something more creative for malicious hackers and ultimately dangerous for organizations.

While use cases like discovering unknown assets are central to any External Attack Surface Management product, it is not enough to simply deliver a pure discovery EASM solution. Low noise and high accuracy testing of what has been discovered on the attack surface are key for AppSec and ProdSec teams to get continuous value from vendors now and into the future.

Security teams work differently across organizations, so figuring out how an External Attack Surface Management solution can best be integrated into your organization's existing workflows will ensure you get the most value out of it. Here are some insights into scenarios where an EASM solution can be best leveraged:

A growing attack surface leads to new challenges for you and your organization

What internet-facing assets do I have?

Discovering known and unknown assets

This is where all domains, DNS records, IPs, ports, and certificates are mapped out together with their relationship to each other. Malicious hackers would be most interested in knowing what is public-facing and whether that is intentional. An organization's lack of knowledge about its unknown assets can lead to something as severe as a subdomain takeover. That's why Detectify's External Attack Surface Management solution has an active inventory of over 350 techniques to identify subdomain takeover to check for vulnerable subdomains mapped to your attack surface.

Grammarly, a Detectify customer, had the difficult task of creating an inventory of its product offerings and applications. They were about to build their own and then discovered Detectify, which has provided Grammarly with an effortless discovery and alerting system for vulnerabilities in their system.

What vulnerabilities or anomalies do I have?

Assess vulnerabilities and anomalies in assets

Once you have detected any vulnerabilities, the next step is to assess the exploitable vulnerabilities and investigate any potential risks. Running security tests that are automatically kept up to date is the best way for security teams to assess the vulnerabilities and anomalies in their assets. Organizations should begin application testing of recently discovered assets, so any vulnerabilities can be triaged to the appropriate team. At Detectify, over 3,000,000 subdomains were monitored in 2022, a 300% increase compared to 2021.

The assessment itself can be a complex stage. It can involve anything from investigating log changes or data or working with developers on code reviews (which is why as an organization, Detectify has four product, engineering, and design teams working on this part of our product internally!). If you are working with ethical hackers, this is where their expertise can really make a difference, as they can provide testing that looks for unique vulnerabilities in software and technologies companies rely on every day, like AWS and other cloud technologies. Hiring all the top security experts to conduct such testing is not possible; this is why getting ahold of relevant research and hacker payloads via crowdsourcing options can give you timely access to actionable insights.

Photobox is one customer that benefits from using Detectify Crowdsource ethical hackers. The organization understood that crowdsourced ethical hacking research could far outpace open source tools. The combination of new research and automation from Detectify is a vital part of Photobox's security setup.

Where should I focus my attention?

Prioritizing results from an EASM solution

When vulnerabilities are assessed and identified, the next step is to prioritize them. This can be done with internal risk assessments based on CVSS scoring or other frameworks. You can create certain filters to view the vulnerabilities in Detectify or use our API to request vulnerabilities for certain assets that are important to you.

Not all vulnerabilities are considered business-critical risks, and collaboration between developers and security teams is encouraged to prioritize vulnerability management.

How do I fix vulnerabilities or risks?

Remediating vulnerability and risks

It's not enough to just find and prioritize vulnerabilities; action needs to be taken to prevent the most harmful and risky ones from causing too much damage. External Attack Surface Management vendors like Detectify are working aggressively to create processes to prioritize the most critical vulnerabilities and anomalies affecting your business. Our External Attack Surface Management platform allows security teams to easily set rules and configurations, freeing up time for security teams to focus on the issues that most impact their organizations. This innovation is happening quickly, and security teams that integrate EASM solutions earlier will help shape future tools.

Remediation can also refer to improving practices to make sure regression doesn't occur. Visma, a customer of Detectify, started to enumerate subdomains; they were able to reduce the number vulnerable to takeovers and successfully shrank their organizational attack surface. Their number of reported vulnerabilities dropped, indicating improved security practices.

We picked Detectify because it continuously monitors our entire external attack surface, discovers new subdomains, and automates scans and security tests sourced by the 400 ethical hackers of Crowdsource.
Patrick Zimmermann, Information Security Manager, Bühler Group

Chapter 6

External Attack Surface Management recommendations

External Attack Surface Management is the only option that goes beyond asset discovery and inventory

This complete guide to External Attack Surface Management has offered insights into how it works, and why External Attack Surface Management is the best way for AppSec and ProdSec security teams to secure their attack surfaces. Although the threat of subdomain takeovers and vulnerabilities in third-party services make complete coverage difficult, organizations and security teams need to focus on getting the most accurate information about their growing attack surfaces, especially as things change.

External Attack Surface Management is the only option that goes beyond asset discovery and inventory by applying rigorous vulnerability assessment to help security teams ensure they are prioritizing threats that matter the most to their organizations.

How Detectify’s External Attack Surface Management works

Detectify offers complete coverage of your attack surface with our External Attack Surface Management platform, meaning we cover both the breadth and depth of your attack surface.

We've taken DAST as a methodology and reworked it into External Attack Surface Management. By using DAST methodology as the base for our EASM platform, we've designed our solution to be highly scalable and to provide customers with more value.

Surface Monitoring

Surface Monitoring runs continuous checks on the domain level and offers added value by discovering assets you may not even be aware of as well as scanning those assets for vulnerabilities three times per day.

Application Scanning

Often referred to as a DAST scanner, Application Scanning goes beyond the capabilities of a “traditional” DAST scanner by leveraging crawling, fuzzing, and authentication to find vulnerabilities in assets that normally can’t be reached through stateless testing.

Benefits of Detectify’s approach to EASM:

  • Continuous and automated discovery, inventory, and monitoring of all Internet-facing assets.
  • Enriched assets with critical information, such as open ports, DNS record types, and technologies hosted on each asset.
  • 99.7% vulnerability assessment accuracy rate through payload-based testing.
  • Attack Surface Custom Policies on your attack surface and alerts when changes are identified.
  • Unique crawler optimized for security testing of modern web applications.
  • Fuzzing engine that finds new areas to detect security-related bugs or other unexpected behaviors.