For the best web experience, please use IE11+, Chrome, Firefox, or Safari

What is attack surface management and why is it important?

What is attack surface management?

Attack surface management (ASM) is the process of identifying, analyzing, prioritizing and mitigating weaknesses in an organization's attack surface — the various physical, digital and human assets that an adversary could exploit to gain unauthorized access to a system or network.

The twin goals of ASM are to reduce the likelihood of suffering a successful cyberattack in the first place, and to mitigate the severity of any attacks that do succeed. ASM helps organizations achieve these goals by empowering them to understand their current security posture and implement effective security policies, processes and controls to strengthen it.

Note that ASM is not limited to external attack surface management (EASM), which focuses on weaknesses in external-facing systems that adversaries could exploit to gain a foothold in the network. Rather, a robust attack surface management must also help prevent intruders and malicious users who are already inside the network from reaching valuable internal systems and data.

What are the benefits of attack surface management?

Strengthening security

Attack surface management is a core component of any cybersecurity strategy. By proactively identifying and mitigating vulnerabilities, organizations can dramatically reduce the risk that an adversary will be able to access their critical digital assets.

However, it is vital to understand that attack surface management is not a one-time event. IT environments are highly dynamic, with old hardware, systems and applications being replaced by different ones, and entirely new software and services being deployed. Meanwhile, threat actors are constantly developing new tools and techniques, and the workforce is adopting new technologies and methodologies. Accordingly, to truly strengthen security, ASM needs to be a continuous process.

Ensuring compliance

Organizations today have to comply with a wide variety of strict industry regulations and national and local mandates, including modern data protection and data privacy laws. These security standards obviously vary in their focus and specific requirements, such as which sectors they cover and what types of information they are focused on securing.

Nevertheless, all of them share some core principles. One of the most fundamental is that organizations have a responsibility to implement appropriate controls to reduce risk to critical systems and regulated information.

An effective attack surface management will help organizations understand their vulnerabilities and implement effective controls to mitigate them — controls they can demonstrate during security audits. Moreover, it helps organizations prevent breaches of the personal health information (PHI), financial transactions, personally identifiable information (PII) or other regulated data they store and process, which in turn enables them to avoid steep fines and increased oversight from regulators.

Qualifying for cyber insurance

Not long ago, cyber risk insurance was readily available to any organization that wanted it. But the growing number of costly cyberattacks, especially ransomware, meant that insurance companies ended up having to pay out on huge claims.

As a result, insurers now often require organizations to have specific types of security controls in place in order to qualify for a cyber risk insurance policy. And the controls that organizations implement as part of their ASM strategy will often tick a lot of those boxes.

What’s more, while certain basic controls may be required to qualify for any policy at all, taking attack surface management seriously can enable you to exceed those minimums and demonstrate a more mature security posture. As a result, you might be able to reduce your premiums and qualify for better policies that provide more coverage.

Reducing IT workload and costs

Organizations have been dealing with a global shortage of IT professionals for some time. In recent years, that problem is being compounded by the retirement of large numbers of skilled security pros, especially in critical areas like Active Directory management.

Attack surface management can help. Reducing and managing your attack surface means fewer alerts for your security operations center to prioritize and investigate. Stable, reliable ASM processes, especially with proper automation, further reduce the burden on your limited IT resources. Moreover, IT professionals relish getting out of fire-fighting mode and will be more interested in joining and staying with your organization when proper security controls are in place to make their lives easier.


What is a modern attack surface?

An attack surface includes any weaknesses or gaps in an organization’s defenses that could be exploited by an adversary to gain unauthorized access or do damage. In the early days of computing, the attack surface was fairly limited because the IT footprint was largely on premises, with limited options for remote access.

Then came rapid digital transformation, an explosion of new technologies, increasingly sophisticated cyber threats, and the widespread adoption of remote and hybrid work. As a result, the attack surface has expanded dramatically. Today, it includes not just on-prem data centers and company-owned workstations, but cloud applications, web browsers, software-as-a-service (SaaS) platforms, user-owned devices and much more.

At a high level, the modern attack surface comprises the three following core components:

  • Physical attack surface
  • Digital attack surface
  • Human attack surface

Physical attack surface

The physical attack surface includes all of your organization’s hardware assets that might be exploited by external adversaries or malicious insiders. Obviously, that includes all the computers that are on your network, such as servers, desktops, laptops and smartphones. But it also includes physical data storage devices like USB tokens, as well as IoT devices and even the fobs used for multifactor authentication. It also includes the physical systems of your subsidiaries, service providers and supply chain partners that could affect your cybersecurity posture.

Digital attack surface

The digital attack includes the software and services that run on the hardware comprising the physical attack surface. Examples include operating systems, business software applications, web browsers, databases, and core platforms like Active Directory and Entra ID.

The physical and digital attack surfaces are so closely linked that there is an umbrella term for managing them: cyber asset attack surface management (CAASM). When inventorying your physical and digital attack surfaces, be sure to pay attention to all of the following:

  • Known assets — Start with all the IT infrastructure components, software, services, data repositories and other resources that your organization is aware of and actively manages. This includes not just on-premises assets but cloud assets, such as websites, cloud workloads like Microsoft Teams and SharePoint, online data storage, and even code repositories such as GitHub.
  • Unknown assets — It’s also vital to look for physical and digital assets that have been deployed without the knowledge or supervision of your IT or security teams. These shadow IT assets can include everything from a server that a project team spun up for its own use to an unapproved cloud application that an employee uses to store or share data. Also look for orphaned IT assets, such as devices, software, websites or services that are no longer in use but that have not been properly decommissioned or retired.
  • Third-party assets — Both the physical and digital attack surfaces extend beyond the assets owned directly by the organization to the assets of third parties like vendors and other components of the digital supply chain. These include SaaS applications, third-party services used by your organization’s website, and external storage devices that hold your company’s data, from old-style offsite backup tapes to cloud servers.
  • Subsidiary assets If your organization has subsidiaries or similar components, their physical and digital assets are part of your attack surface. In particular, be sure to look for artifacts that often result from mergers and acquisitions, such as duplicate applications or services, orphaned accounts, and unneeded administrative rights.
  • Malicious or rogue assets — This final type of asset is often overlooked but can be significant. It includes assets that have been stolen by threat actors in a data breach, such as leaked credentials available on the dark web that could be used in password-guessing attacks to breach your network. It can also include assets created by adversaries, such as a fake website with a URL similar to the one your company uses, where customers, partners, employees or others might be tricked into revealing sensitive or personal information.

Human attack surface

Attack surface management strategies often focus on the physical and digital attack surfaces. But the people who access and control your cyber assets are equally important, including employees, contractors, partners, service providers and customers. Indeed, the human element has been found responsible for 74–95 percent data breaches, depending on the specific research study.

One of the most obvious examples of hackers exploiting the human attack surface is social engineering attacks. Phishing and spear-phishing campaigns are commonplace, and users at any level are sometimes lured into giving up their credentials at a fake website or directly unleashing malware by opening an infected email attachment.

The human attack surface is closely entwined with the other two types of attack surfaces. For example, an employee might be given a USB device at a trade show and insert it into their corporate workstation, instantly expanding your physical attack surface. Or a poorly trained or overburdened administrator might misconfigure a system such as a web application, creating a vulnerability in your digital attack surface.

In addition, a substantial number of people admit to using unapproved communication and collaboration software tools, a security issue exacerbated by remote work and bring-your-own-device (BYOD) policies. They can also fail to lock their screens when they step away, or fail to be diligent about preventing shoulder-surfing. Or they might use social media or an app like BeReal to post photos taken at work, which might show their laptop screen with their current Microsoft Teams meeting or chat, or even sensitive data like patient records or intellectual property.


How does an attack surface differ from a vulnerability or an attack vector?

What is the difference between a vulnerability and an attack surface?

A vulnerability is a weakness in a system or network that could be exploited by an attacker. It is just one component of the attack surface. Accordingly, vulnerability management is a subset of a comprehensive attack surface management strategy.

One of the most common examples of a vulnerability is a flaw in a piece of software, such as an operating system or browser. These vulnerabilities are often mitigated by applying software patches supplied by the software vendor. However, there is also the zero-day vulnerability, which is a flaw in an IT system that is first discovered by an adversary — leaving the vendor scrambling to quickly develop and publish a patch or other mitigation measures as the zero-day vulnerability is being exploited in the wild.

Other vulnerabilities that attackers often try to exploit include:

  • Open ports
  • Misconfigurations in systems and applications
  • Weak passwords
  • Weak authentication protocols
  • Trust relationships

What is the difference between an attack vector and an attack surface?

An attack vector is a method or technique that an adversary uses to compromise an organization’s attack surface. For example, a cybercriminal looking to infect a network with ransomware may use the attack vector of a phishing campaign to exploit the vulnerabilities of weak spam protection and poor user training. Another common attack vector is exploiting an unpatched software vulnerability.

Cyberattacks often involve a combination of attack vectors. For example, an initial attack vector might be a phishing email that includes a link to a malicious website where the victim is enticed into providing their credentials. That action enables the adversary to then execute a second attack vector: using the compromised credentials to access network resources.

Other attack vectors include:

Why do we need attack surface management?

Attack surface management has long been vital for security, cyber resilience and compliance. It is also important for qualifying for cyber insurance and reducing the burden on your hard-to-find IT professionals.

But comprehensive ASM is more necessary than ever, for two key reasons.

First, the attack surface you need to manage is expanding. Key factors behind this expansion include digital transformation, migration to cloud technologies, and the explosion of remote and hybrid work. Organizations today simply have a much larger physical and digital footprint than ever before. In fact, even small organizations can have a large attack surface. 

Second, your attack surface is rapidly changing. Modern IT ecosystems are highly distributed and highly dynamic; new technologies are constantly being introduced and new assets are connecting to the network every day. It is amazingly easy for IT teams and business users alike to deploy new SaaS platforms or even spin up new cloud instances.

It’s no wonder that Gartner names attack surface expansion as the #1 cybersecurity trend for 2022, and the closely related trend “threat exposure management” tops its list of top trends in cybersecurity for 2023.

What are the core functions of attack surface management?

The core five functions in attack surface management are:

  • Asset discovery — The foundation of attack surface management is gaining a comprehensive understanding of the attack surface. Indeed, inventory and control of enterprise assets tops the list of CIS Critical Controls. This function includes identifying all hardware, software and services and mapping their interdependencies. It is important to document all applicable details, such as the asset’s purpose, owner, current users, connections to other assets, IP address, vendor, version, compliance requirements and value to the organization.
  • Vulnerability assessment — A second core function is to regularly identify vulnerabilities, evaluate their potential impact on the organization's security posture and assess the likelihood of their exploitation by adversaries.
  • Risk prioritization — It’s almost always impossible to mitigate all identified vulnerabilities, but the truth is, not all components of the attack surface are equally important. Risk prioritization is the process of determining where to focus your limited budget and effort to defend against cyberattacks most effectively.
  • Mitigation or remediation — This function involves taking steps to reduce and manage your attack surface, based on your risk prioritization. Some initial actions are simple, such as closing a vulnerable port. But true mitigation involves implementing controls and solutions that address vulnerabilities in a systematic, ongoing way. For example, you don’t merely install this month’s Patch Tuesday fixes; you establish a reliable process for timely patch management into the future.
  • Monitoring — It’s also critical to monitor the attack surface for changes that could increase risk. This includes the deployment of new hardware, software and services. It also includes regular scanning of devices for outdated or unpatched software.

An enterprise-quality Active Directory security tool can help you implement all five of these core functions effectively and efficiently.


How does attack surface management protect from cyberattacks?

The larger your attack surface, the more opportunities malicious actors have to launch successful cyberattacks. Effective attack surface management empowers you to proactively implement security measures to identify and mitigate your vulnerabilities, thwarting cyberattacks aimed at reaching your valuable data and critical systems.

For example, one vital process is ensuring that all your software and hardware assets are current on patches and remain supported by their vendors. Adversaries looking to exploit known CVEs (common vulnerabilities and exposures) to enter your network will find the door firmly shut.

Similarly, training all of your users on cybersecurity best practices will help prevent attackers from being able to plant ransomware or steal credentials to gain a foothold inside your network.

How can your organization mitigate attack surface risks and cyberattacks?

A great way to approach attack surface management — like virtually any area of cybersecurity — is to leverage a cyber resilience framework like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

For years, organizations around the world have structured their cybersecurity strategies around the five functions (pillars) of the NIST CSF: Identify, Protect, Detect, Respond and Recover. NIST CSF 2.0  adds a sixth pillar, Govern, which is foundational function that informs and supports all the other five pillars.

These six functions provide an excellent framework for building a robust attack surface management strategy:

Identify and Protect

The foundation of attack surface management is attack surface analysis and attack surface reduction. These strategies map closely to the Identify and Protect functions of the NIST CSF.

The goal here is to thoroughly understand your attack surface and implement controls to minimize it. In other words, you want to block attackers from breaching your network in the first place, as well as prevent malicious insiders or other adversaries inside your network from accessing sensitive data and systems.

Achieving these goals requires a defense-in-depth approach. Key best practices to implement include the following:

  • Regularly inventory your IT estate, including hardware, software and user accounts, analyze the results, and remove any devices, accounts, applications and other assets that you don’t need.
  • Perform regular vulnerability assessments and penetration testing. Ethical hacking professionals can discover important weaknesses that internal security experts might miss. Analyze and mitigate discovered issues promptly.
  • Strictly enforce the principle of least privilege for all accounts. Key best practices include using role-based access control (RBAC) to make permission provisioning easier and more accurate, as well as requiring regular access review and attestation by asset owners.
  • Mandate that administrative accounts can be used only on hardened privileged access workstations (PAWs). This security policy prevents powerful credentials from ever being left in memory on less-secure endpoint devices for adversaries to harvest and abuse.
  • Ensure that applications, devices and systems are securely configured, are supported by their vendors and kept up to date on patches.
  • Use strong passwords for all accounts and regularly check for use of leaked passwords. When appropriate, require multifactor authentication (MFA). To protect service accounts, use sMSAs or gMSAs.
  • Encrypt data both at rest and in motion, so that even if unauthorized individuals manage to access it, they cannot read it.
  • Block traffic from IP addresses that are known to be malicious, and potentially even from IP addresses in regions where you do not conduct business.
  • Pay particular attention to internet-facing assets and implement controls such as web application firewalls. In addition, use network segmentation to prevent hackers who breach one zone from moving laterally into other areas.
  • Proactively identify attack paths that can enable an adversary to gain control of your environment in just a handful of steps, and then pinpoint and mitigate their choke points.
  • Provide comprehensive security awareness training to employees on a regular basis. Be sure to cover social-engineering methods and other common attack techniques, as well as explain how to both identify and report suspicious activity. Ideally, complement this security training with testing, such as sending test phishing emails and seeing who reports them and who falls for them.

Detect, Respond and Recover

A comprehensive attack surface management solution must also continuously monitor the attack surface for changes that could increase risk or introduce new risks. Organizations also need to be prepared for the likelihood that some attacks will get through by building robust response and recovery strategies.

Important best practices in this area include the following:

  • Constantly monitor for vulnerabilities. Core controls include regularly scanning devices for outdated or unpatched software and checking systems for drift away from their baseline secure configurations.
  • Leverage open-source and commercial threat intelligence feeds to stay abreast of current and emerging attack techniques, indicators of compromise (IoCs), threat actors and other factors that could impact your security posture.
  • Audit Active Directory and other key systems. In particular, closely monitor any attack paths that you have not yet mitigated, since they provide attackers with a quick route to full control of your domain.
  • Watch for suspicious activity using intrusion detection, change management and insider threat detection solutions. Pair these controls with a detailed incident response plan that you test regularly.
  • Create redundant backups and store them on a hardened, isolated server to protect the backups from ransomware and other threats. Use a dedicated Active Directory backup solution that provides multiple backup options, including backups that minimize the risk of re-infection during recovery from ransomware.
  • Establish a comprehensive disaster recovery strategy so you can get your business back up and running as quickly as possible in a worst-case scenario.


NIST 2.0 highlights the need for strong governance. This foundational function helps organization establish and monitor their security risk management strategy, expectations and policies. It is also a core element of a modern Zero Trust security model.

Governance informs and supports the other five pillars of the NIST CSF. Key areas to focus on include the following:

Where can I get help with attack surface management?

The key to improving attack surface management is to approach it as part of a comprehensive cybersecurity risk management strategy that covers all the pillars of the NIST CSF.

Indeed, many organizations today are choosing to work with a select set of vendors to establish a cybersecurity mesh architecture  (CSMA) — an ecosystem of integrated tools and controls that enables a strong and consistent security posture across their complex, distributed IT environments. For Microsoft-based environments, a CSMA must include a robust Active Directory security tool in its identity fabric.

Quest offers a broad, integrated Active Directory security portfolio that empowers organizations to build a comprehensive defense-in-depth strategy while reducing complexity and simplifying operations. For learning more, please visit our cybersecurity risk management solutions.

Schedule an identity security risk assessment

Identify — and eliminate — the attack paths putting your business at risk