The complete guide to External Attack Surface Management (EASM)

Get insights into what External Attack Surface Management is, how to protect your growing attack surface, and what this means for you and your organization.

Chapter 1

Defining attack surface management and the attack surface

What is External Attack Surface Management (EASM)?

External attack surface management (EASM) is the continuous practice of looking for vulnerabilities and anomalies in the systems and technologies an organization exposes on public interfaces, such as infrastructure, third-party services, and applications, where an attacker could take advantage of entry or exit points. Mapping out your attack surface will help you understand which internal and external system interfaces speak to each other.

The EASM space is growing, and for those working on the front line of cybersecurity, identifying and monitoring changes in the external attack surface is crucial to deciding what actions to take to protect it.

What is the attack surface?

An attack surface is any interface, physical or digital, where an attacker could try to supply their own input or deploy an attack vector to gain unauthorized access to a system and extract data or other sensitive information. An attack surface can also serve as one link in a chain of attacks.

How to define the attack surface area

Organizations increasingly rely on SaaS services and products, meaning the digital attack surface is more than the firewall and network. It is now a sum of the available entry points of the different web applications publicly accessible on the Internet – both known and unknown assets.

Known assets
Known assets are the assets you already know about and monitor with extra care. These include the subdomains under your domain, Apache installations you check for security issues, the main application, and login interfaces.

Unknown assets
There will always be unknown assets that create weaknesses in the attack surface. They are harder to catch for a growing business without the right processes and tools, and they often appear when mistakes are made in code, when rogue or shadow IT software is installed, or as the result of an insecure supply chain. New vulnerabilities also surface in existing code when a pentester or ethical hacker has the creativity to look where others aren't looking.

Chapter 2

Different types of attack surfaces

Common attack surfaces that are prone to misconfigurations

Middleware

Software development happens across multiple cloud environments, languages, tools, and frameworks, and middleware is what makes this possible. Middleware manages the complexity of web development in a scalable and effective way; it includes web servers, content management systems, application servers, and the other supporting tools needed for application development. Detectify's internal research teams have demonstrated how security misconfigurations can occur in middleware, including Nginx web servers.

In modern organizations, however, traditional middleware is being replaced by integrations and orchestration, and this will become even more complex as middleware orchestration becomes the norm in development teams. Software integrations, and how each component interacts with the others, present new challenges for security teams and their attack surfaces.

Cloud storage

Cloud storage providers like Amazon Web Services (AWS) do a great job of securing the server hardware your instances run on. Still, secure configuration of cloud resources and their access management remain the organization's responsibility. Cloud providers keep adding security features, yet we continue to see data in the cloud compromised due to misconfigured settings. Monitoring for misconfigurations and for proper access management controls can be automated today.

Third-party services

With every new dependency on third-party software or technology, an organization's attack surface grows. Reliance on third-party software is also likely to become more prominent with every new merger and acquisition. According to Deloitte, third-party vendor use has seen exponential growth over the last five years.

DNS Domains and Subdomains

The basics of domain takeover can be summarised as follows:

Requests to visit websites or conduct searches while browsing the Internet are resolved by the Domain Name System (DNS), which directs user traffic to the requested website. DNS can be hijacked when an attacker intercepts the DNS requests and redirects them to another website, usually with malicious intent.

Hacking a top-level domain (TLD) means that a hacker has gained control of the name server for websites registered under .com, .co.uk, or .io and subsequently controls the requests sent to those sites. Detectify co-founder and security researcher Fredrik N. Almroth has a fascinating write-up of how he ethically hijacked the top-level domain of a sovereign state and temporarily took over 50% of all DNS traffic for the TLD, something that could easily have been exploited by malicious hackers.

Hijacking of traffic can also happen at the subdomain level. Hostile subdomain takeover is a term coined by Detectify security researchers for an attacker registering and claiming ownership of a subdomain that has been forgotten or abandoned by the original site owner. At Detectify, we have over 350 techniques for identifying subdomain takeovers, developed by our own security team.

New research shows that subdomain takeovers are on the rise and are also getting harder to monitor as domains accumulate more vulnerabilities.

The following graphic demonstrates a likely scenario of how subdomain takeover can occur:

Infographic explaining domain takeover from Detectify

Server misconfigurations

Misconfigured servers, such as email servers, are one of the ways a domain can be exposed to spoofed emails. In 2016, the Detectify security research team studied email server misconfiguration across the 500 top-ranked Alexa sites. They found that less than half of the domains had configured email authentication correctly to prevent spoofed emails from being sent, which meant that users were at risk of receiving false emails that appeared to come from domains they trusted.
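As an added example (not part of the original guide and not Detectify's product code), the check below evaluates whether a domain's SPF and DMARC records are strict enough to stop spoofed mail, which is the kind of email-authentication misconfiguration the 2016 study measured. The TXT records in `TXT_RECORDS` are constructed stand-ins for real DNS lookups; the domain names are placeholders, and a production version would fetch the records with a DNS resolver instead of reading them from a dictionary.

```python
"""Assess whether a domain's SPF and DMARC records stop spoofed mail.
Added example, not Detectify code. The record contents and domain names
below are constructed; swap the dictionary for real TXT lookups in use."""
import re

# Constructed TXT records keyed by the DNS name that would be queried.
TXT_RECORDS = {
    "good.example":        ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "soft.example":        ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    "open.example":        ["v=spf1 +all"],
    "none.example":        [],
}


def get_spf(domain):
    """Return the domain's single SPF record, or None. More than one SPF
    record is a permanent error under RFC 7208, so it counts as missing."""
    spf = [r for r in TXT_RECORDS.get(domain, []) if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(record):
    """Return the qualifier of the terminal 'all' mechanism ('-', '~', '?', '+')
    or None when the record has no 'all' term. A bare 'all' means '+' (pass)."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not m:
        return None
    return m.group(1) or "+"


def get_dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if absent."""
    for r in TXT_RECORDS.get("_dmarc." + domain, []):
        if r.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
            return tags.get("p", "").lower() or None
    return None


def assess_domain(domain):
    """Classify spoofing protection as 'enforced', 'partial' or 'unprotected'
    and return the list of findings that explain the verdict."""
    findings = []
    spf = get_spf(domain)
    qualifier = spf_all_qualifier(spf) if spf else None
    if spf is None:
        findings.append("no single valid SPF record")
    elif qualifier in (None, "+", "?"):
        findings.append("SPF does not fail unauthorized senders (all qualifier %r)" % qualifier)
    elif qualifier == "~":
        findings.append("SPF softfail only; relies on DMARC to act on failures")

    policy = get_dmarc_policy(domain)
    if policy is None:
        findings.append("no DMARC record")
    elif policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")

    enforced_dmarc = policy in ("reject", "quarantine")
    strict_spf = qualifier in ("-", "~")
    if enforced_dmarc and strict_spf:
        verdict = "enforced"
    elif enforced_dmarc or qualifier == "-":
        verdict = "partial"  # one control is strict, the other is weak or missing
    else:
        verdict = "unprotected"
    return verdict, findings


if __name__ == "__main__":
    for d in ("good.example", "soft.example", "open.example", "none.example"):
        verdict, findings = assess_domain(d)
        print("%-13s %-12s %s" % (d, verdict, "; ".join(findings) or "ok"))
```

The verdict deliberately requires both a DMARC policy that acts (`reject` or `quarantine`) and an SPF record that fails unknown senders, because SPF alone only covers the envelope sender and DMARC alone cannot align a From header to a domain whose SPF passes everyone.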

Other common attack surfaces prone to misconfigurations:

  • Routers
  • Web VPNs
  • Ports
  • Hosted apps, e.g. issue-tracking tools
  • Frameworks
  • GitHub repositories
  • Physical employee devices

Chapter 3

Attack vectors and methods

What is an attack vector?

An attack vector in cybersecurity is the path or route an attacker takes to exploit a vulnerability and break through the attack surface. Attack vectors and the attack surface are closely related but are not the same thing. Common attack vector methods include:

Weak or stolen credentials

These can be purchased or gathered by an attacker and then used in brute-force or credential-stuffing attacks to get past a login interface.

Zero-day (0-day) attacks

A zero-day attack exploits a vulnerability in software or technology that its creator is not yet aware of.

Intercepting traffic

Improperly encrypted traffic can let attackers steal sensitive user data such as usernames, passwords, and credit card details.

Phishing

A type of social engineering attack where attackers send fraudulent messages designed to trick a human victim into revealing sensitive information.

Subdomain takeover

Occurs when an attacker takes control of a subdomain, typically one that still points to a third-party provider resource that is no longer in use.

Social engineering

Social engineering attacks are the art of using psychological manipulation to get you to divulge confidential information or perform a specific action.

Denial-of-Service

A DoS attack is one in which a perpetrator seeks to make a machine or network resource unavailable by temporarily or indefinitely disrupting the services of a host connected to a network.

OWASP Top 10 for 2021

This standard awareness document for developers and web application security practitioners represents a broad consensus about the most critical security risks to web applications.

Chapter 4

Growing attack surfaces and examples

What a growing attack surface means to your organization

Software and tech enterprises are advancing daily in the speed and scale of their development. This means that available cyberattack surfaces are growing, especially for digital organizations. Whenever a web-facing asset is made public, such as a new marketing campaign subdomain or commits handling user input on GitHub, your available attack points increase.

Security teams often struggle to maintain visibility over every new asset. At the same time, the discovery of unknown attack vectors by malicious hackers or accidental exposure of the tech stack also increases the surface.

But what does this all mean? In short, your attack surface is growing at scale and probably faster than you realize.

Real-life attack surface examples

A compromised attack surface can happen to any organization. We've seen high-profile cases occur in recent times due to third-party software vulnerabilities and accidental exposure of remote access applications. Some of the most well-known examples include:

SolarWinds

Through a compromised update to SolarWinds' Orion software, a group of hackers gained access to government and other SolarWinds customers' systems. Detectify added this zero-day vulnerability, CVE-2020-10148 SolarWinds Orion Authentication Bypass, to its scanner in February 2021.

Kaseya

A ransomware attack in July 2021 compromised software from Kaseya, impacting as many as 1,500 organizations. Malicious hackers carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya's VSA software against multiple managed service providers (MSPs) and their customers.

Florida water treatment facility

In February 2021, a hacker attacked a Florida water treatment facility and briefly changed the sodium hydroxide level to a dangerous setting. Fortunately, a vigilant team member saw the intrusion attempt as it was occurring and stopped it.

Chapter 5

Protecting your attack surface - attack surface reduction in steps

4 step EASM process of Discover, Assess, Prioritize and Remediate

How to manage and protect your growing attack surface

External Attack Surface Management can be seen as a broader approach to detecting and handling vulnerabilities that weaken your security posture.

Vulnerability assessment tools include continuous security reviews of the entire external attack surface as part of their scope. Detectify is the only EASM solution that collaborates with the ethical hacker community on research and methodology. The EASM scope follows a similar approach to a hacker's, moving through the discovery (aka recon), assessment, and prioritization phases.

Where many attack surface management tools stop at discovering assets, next-generation tools like Detectify combine discovery with vulnerability scanning, giving organizations an idea of what entry points exist and how far an exploitation chain could go. It is constructive to explore whether seemingly low-severity or informational bugs could lead to something more creative for malicious hackers and ultimately dangerous for organizations.

A growing attack surface leads to new challenges for you and your organization

Discover

What internet-facing assets do I have?

In the discovery phase, you want to map out all the assets that your DNS records point to. An adversary or malicious hacker is most interested in knowing what is public-facing and whether that exposure is intentional, so they deploy scripts and other tools to gather as much information as possible.

Attackers often refer to this as reconnaissance or OSINT. Tactics include crawling DNS, checking SSL certificates, brute-force attacks, port scanning, and fuzzing.
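The following is an added example, not part of the original guide and not Detectify's tooling, that serves both this Discover step (building an inventory of internet-facing hosts from DNS records) and the subdomain takeover scenario in Chapter 2 (a subdomain whose CNAME still points at a deprovisioned third-party resource). The zone lines, the `RESOLVES` table that stands in for live DNS resolution, and the `CLAIMABLE_SUFFIXES` provider list are all constructed; the `example.com` and `.example` names are placeholders. In practice the resolution table would be replaced by real lookups, where NXDOMAIN on the CNAME target is the signal.

```python
"""Inventory internet-facing hosts from DNS zone data and flag dangling
CNAMEs, the condition behind a subdomain takeover. Added example, not
Detectify code; zone lines, resolution results and provider list are
constructed."""
import ipaddress

# Constructed excerpt of a zone export in BIND-style "name ttl class type data" form.
# The documentation range 203.0.113.0/24 stands in for a public address here.
ZONE = """
www.example.com.       300 IN A     203.0.113.10
intranet.example.com.  300 IN A     10.0.0.5
shop.example.com.      300 IN CNAME shop-prod.cloudprovider.example.
old-promo.example.com. 300 IN CNAME promo2019.cloudprovider.example.
blog.example.com.      300 IN CNAME ghost-host.bloghost.example.
mail.example.com.      300 IN MX    10 mx1.mailer.example.
"""

# Constructed stand-in for live resolution of CNAME targets. In practice this is
# a real DNS lookup, and NXDOMAIN on the target is the signal to look for.
RESOLVES = {
    "shop-prod.cloudprovider.example.": True,
    "promo2019.cloudprovider.example.": False,  # tenant was deprovisioned
    "ghost-host.bloghost.example.": False,
}

# Constructed list of provider suffixes where anyone can register an unclaimed
# name; a dangling CNAME onto one of these is what makes a takeover possible.
CLAIMABLE_SUFFIXES = (".cloudprovider.example.",)

# Address ranges not reachable from the Internet (RFC 1918 plus loopback and
# link-local); records pointing here are not part of the external surface.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_zone(text):
    """Yield (name, rtype, data) for every resource record line in the zone text."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blanks, comments and anything that is not a record
        yield parts[0], parts[3], " ".join(parts[4:])


def is_internal_ip(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def inventory(zone_text, resolves):
    """Return (public_hosts, findings): names that point to a public address or
    an external provider, and a list of dangling-CNAME findings."""
    public, findings = [], []
    for name, rtype, data in parse_zone(zone_text):
        if rtype == "A":
            if not is_internal_ip(data):
                public.append(name)
        elif rtype == "CNAME":
            public.append(name)  # delegated to an external host, so exposed
            if resolves.get(data, False):
                continue
            claimable = any(data.endswith(s) for s in CLAIMABLE_SUFFIXES)
            findings.append({
                "name": name,
                "target": data,
                "severity": "high" if claimable else "medium",
                "issue": "CNAME target does not resolve"
                         + (" and sits on a provider where the name can be claimed"
                            if claimable else ""),
            })
    return public, findings


if __name__ == "__main__":
    hosts, issues = inventory(ZONE, RESOLVES)
    print("Internet-facing hosts:", ", ".join(hosts))
    for f in issues:
        print("[%s] %s -> %s: %s" % (f["severity"], f["name"], f["target"], f["issue"]))
```

A dangling CNAME is rated high only when the target is on a provider where an unclaimed name can be registered by anyone; a dangling record elsewhere is still a hygiene finding to clean up, but not an immediate takeover risk, which is the distinction that matters when prioritizing the results.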

Grammarly, a Detectify customer, faced the difficult task of creating an inventory of its product offerings and applications. They were about to build their own tooling when they discovered Detectify, which has since provided Grammarly with an effortless discovery and alerting system for vulnerabilities in their systems.

Assess

What vulnerabilities or anomalies do I have?

Once you have detected vulnerabilities, the next step is to assess which of them are exploitable and investigate the potential risks. Having access to security tests that are automatically kept up to date is a massive help to security teams that need to manage their resources effectively. This includes vulnerability assessment of source code and of third-party applications like JIRA or a CMS.

The assessment itself can be a complex stage. It can involve anything from investigating log or data changes to working with developers on code reviews (which is why, as an organization, Detectify has four product, engineering, and design teams working on this part of our product internally!). If you are working with ethical hackers, this is where their expertise can really make a difference, as they can provide testing that looks for unique vulnerabilities in the software and technologies companies rely on every day, like AWS and other cloud technologies. Hiring all the top security experts to conduct such testing is not possible; this is why getting hold of relevant research and hacker payloads via crowdsourcing can give you timely access to actionable insights.

Photobox is one customer that benefits from using Detectify Crowdsource ethical hackers. The organization understood that crowdsourced ethical hacking research could far outpace open source tools. The combination of new research and automation from Detectify is a vital part of Photobox's security setup.

Prioritize

Where should I focus my attention?

Once vulnerabilities are identified and assessed, the next step is to prioritize them. This can be done with internal risk assessments based on CVSS scoring or other frameworks. Security teams can use Detectify to prioritize their findings, such as vulnerabilities in critical systems.

Not all vulnerabilities are considered business-critical risks, and collaboration between developers and security teams is encouraged to prioritize vulnerability management.

Remediate

How do I fix vulnerabilities or risks?

It's not enough to just find and prioritize vulnerabilities; action needs to be taken to prevent the most harmful and risky ones from causing too much damage.

Remediation can also mean improving practices so that regressions do not occur. Visma, a Detectify customer, started enumerating its subdomains, reduced the number vulnerable to takeover, and so successfully reduced its organizational attack surface. Its number of reported vulnerabilities dropped, indicating improved security practices.

"We picked Detectify because it continuously monitors our entire external attack surface, discovers new subdomains, and automates scans and security tests sourced by the 400 ethical hackers of Crowdsource."
Patrick Zimmermann, Information Security Manager, Bühler Group

Chapter 6

External Attack Surface Management recommendations

The only way to protect your attack surface is to hack it

This complete guide to EASM has offered insights into the what, how, and why of attack surface management. Although the threat of subdomain takeovers and vulnerabilities in third-party services makes complete coverage difficult, organizations and security teams need to focus on getting the most accurate information about their growing attack surfaces, especially as things change.

The only way to secure your attack surface is to hack it, and that's why we have built a product that relies on ethical hackers around the globe who are constantly discovering new vulnerabilities in places you didn't even know were possible. We rely on the magic of human ingenuity and automation to build a product that gives you the most accurate information about your attack surface as things change, so you can take action where it matters most.

Detectify recommendations:

Are you wondering if you need an External Attack Surface Management solution?

We recommend that every organization equip itself with an External Attack Surface Management solution. EASM solutions like Detectify are great for any organization struggling with its unknowns, such as shadow IT and unknown subdomains.

Is your organization going through any kind of digital transformation?

Many enterprise organizations are increasingly integrating digital technology into all areas of their business. With that come many cybersecurity challenges, including an ever-growing external attack surface. An EASM tool will help you stay on top of any vulnerabilities that may emerge in your attack surface.

Is your organization experiencing rapid growth and acquiring new companies?

Each merger and acquisition increases your attack surface. Detectify's solution addresses this by giving you more visibility into and control over your inherited attack surface.

Start vulnerability testing to find exploitable anomalies across your attack surface with Surface Monitoring and Application Scanning.

Surface Monitoring

Continuously monitor and secure known and unknown internet-facing assets.

Application Scanning

Run in-depth and unlimited scans against web apps with targeted scan profiles.