Attack surface management (ASM) is the process of identifying, analyzing, prioritizing and mitigating weaknesses in an organization's attack surface — the various physical, digital and human assets that an adversary could exploit to gain unauthorized access to a system or network.
The twin goals of ASM are to reduce the likelihood of suffering a successful cyberattack in the first place, and to mitigate the severity of any attacks that do succeed. ASM helps organizations achieve these goals by empowering them to understand their current security posture and implement effective security policies, processes and controls to strengthen it.
Note that ASM is not limited to external attack surface management (EASM), which focuses on weaknesses in external-facing systems that adversaries could exploit to gain a foothold in the network. Rather, a robust attack surface management program must also help prevent intruders and malicious users who are already inside the network from reaching valuable internal systems and data.
Attack surface management is a core component of any cybersecurity strategy. By proactively identifying and mitigating vulnerabilities, organizations can dramatically reduce the risk that an adversary will be able to access their critical digital assets.
However, it is vital to understand that attack surface management is not a one-time event. IT environments are highly dynamic, with old hardware, systems and applications being replaced by different ones, and entirely new software and services being deployed. Meanwhile, threat actors are constantly developing new tools and techniques, and the workforce is adopting new technologies and methodologies. Accordingly, to truly strengthen security, ASM needs to be a continuous process.
Organizations today have to comply with a wide variety of strict industry regulations and national and local mandates, including modern data protection and data privacy laws. These security standards obviously vary in their focus and specific requirements, such as which sectors they cover and what types of information they are focused on securing.
Nevertheless, all of them share some core principles. One of the most fundamental is that organizations have a responsibility to implement appropriate controls to reduce risk to critical systems and regulated information.
An effective attack surface management program will help organizations understand their vulnerabilities and implement effective controls to mitigate them — controls they can demonstrate during security audits. Moreover, it helps organizations prevent breaches of the personal health information (PHI), financial transactions, personally identifiable information (PII) or other regulated data they store and process, which in turn enables them to avoid steep fines and increased oversight from regulators.
Not long ago, cyber risk insurance was readily available to any organization that wanted it. But the growing number of costly cyberattacks, especially ransomware, meant that insurance companies ended up having to pay out on huge claims.
As a result, insurers now often require organizations to have specific types of security controls in place in order to qualify for a cyber risk insurance policy. And the controls that organizations implement as part of their ASM strategy will often tick a lot of those boxes.
What’s more, while certain basic controls may be required to qualify for any policy at all, taking attack surface management seriously can enable you to exceed those minimums and demonstrate a more mature security posture. As a result, you might be able to reduce your premiums and qualify for better policies that provide more coverage.
Organizations have been dealing with a global shortage of IT professionals for some time. In recent years, that problem has been compounded by the retirement of large numbers of skilled security pros, especially in critical areas like Active Directory management.
Attack surface management can help. Reducing and managing your attack surface means fewer alerts for your security operations center to prioritize and investigate. Stable, reliable ASM processes, especially with proper automation, further reduce the burden on your limited IT resources. Moreover, IT professionals relish getting out of fire-fighting mode and will be more interested in joining and staying with your organization when proper security controls are in place to make their lives easier.
An attack surface includes any weaknesses or gaps in an organization’s defenses that could be exploited by an adversary to gain unauthorized access or do damage. In the early days of computing, the attack surface was fairly limited because the IT footprint was largely on premises, with limited options for remote access.
Then came rapid digital transformation, an explosion of new technologies, increasingly sophisticated cyber threats, and the widespread adoption of remote and hybrid work. As a result, the attack surface has expanded dramatically. Today, it includes not just on-prem data centers and company-owned workstations, but cloud applications, web browsers, software-as-a-service (SaaS) platforms, user-owned devices and much more.
At a high level, the modern attack surface comprises the three following core components:
The physical attack surface includes all of your organization’s hardware assets that might be exploited by external adversaries or malicious insiders. Obviously, that includes all the computers that are on your network, such as servers, desktops, laptops and smartphones. But it also includes physical data storage devices like USB tokens, as well as IoT devices and even the fobs used for multifactor authentication. It also includes the physical systems of your subsidiaries, service providers and supply chain partners that could affect your cybersecurity posture.
The digital attack surface includes the software and services that run on the hardware comprising the physical attack surface. Examples include operating systems, business software applications, web browsers, databases, and core platforms like Active Directory and Entra ID.
The physical and digital attack surfaces are so closely linked that there is an umbrella term for managing them: cyber asset attack surface management (CAASM). When inventorying your physical and digital attack surfaces, be sure to pay attention to all of the following:
Attack surface management strategies often focus on the physical and digital attack surfaces. But the people who access and control your cyber assets are equally important, including employees, contractors, partners, service providers and customers. Indeed, the human element has been found responsible for 74–95 percent of data breaches, depending on the specific research study.
One of the most obvious examples of hackers exploiting the human attack surface is social engineering attacks. Phishing and spear-phishing campaigns are commonplace, and users at any level are sometimes lured into giving up their credentials at a fake website or directly unleashing malware by opening an infected email attachment.
The human attack surface is closely entwined with the other two types of attack surfaces. For example, an employee might be given a USB device at a trade show and insert it into their corporate workstation, instantly expanding your physical attack surface. Or a poorly trained or overburdened administrator might misconfigure a system such as a web application, creating a vulnerability in your digital attack surface.
In addition, a substantial number of people admit to using unapproved communication and collaboration software tools, a security issue exacerbated by remote work and bring-your-own-device (BYOD) policies. They can also fail to lock their screens when they step away, or fail to be diligent about preventing shoulder-surfing. Or they might use social media or an app like BeReal to post photos taken at work, which might show their laptop screen with their current Microsoft Teams meeting or chat, or even sensitive data like patient records or intellectual property.
A vulnerability is a weakness in a system or network that could be exploited by an attacker. It is just one component of the attack surface. Accordingly, vulnerability management is a subset of a comprehensive attack surface management strategy.
One of the most common examples of a vulnerability is a flaw in a piece of software, such as an operating system or browser. These vulnerabilities are often mitigated by applying software patches supplied by the software vendor. However, there is also the zero-day vulnerability, which is a flaw in an IT system that is first discovered by an adversary — leaving the vendor scrambling to quickly develop and publish a patch or other mitigation measures as the zero-day vulnerability is being exploited in the wild.
Other vulnerabilities that attackers often try to exploit include:
An attack vector is a method or technique that an adversary uses to compromise an organization’s attack surface. For example, a cybercriminal looking to infect a network with ransomware may use the attack vector of a phishing campaign to exploit the vulnerabilities of weak spam protection and poor user training. Another common attack vector is exploiting an unpatched software vulnerability.
Cyberattacks often involve a combination of attack vectors. For example, an initial attack vector might be a phishing email that includes a link to a malicious website where the victim is enticed into providing their credentials. That action enables the adversary to then execute a second attack vector: using the compromised credentials to access network resources.
Other attack vectors include:
Attack surface management has long been vital for security, cyber resilience and compliance. It is also important for qualifying for cyber insurance and reducing the burden on your hard-to-find IT professionals.
But comprehensive ASM is more necessary than ever, for two key reasons.
First, the attack surface you need to manage is expanding. Key factors behind this expansion include digital transformation, migration to cloud technologies, and the explosion of remote and hybrid work. Organizations today simply have a much larger physical and digital footprint than ever before. In fact, even small organizations can have a large attack surface.
Second, your attack surface is rapidly changing. Modern IT ecosystems are highly distributed and highly dynamic; new technologies are constantly being introduced and new assets are connecting to the network every day. It is amazingly easy for IT teams and business users alike to deploy new SaaS platforms or even spin up new cloud instances.
It’s no wonder that Gartner names attack surface expansion as the #1 cybersecurity trend for 2022, and the closely related trend “threat exposure management” tops its list of top trends in cybersecurity for 2023.
The core five functions in attack surface management are:
An enterprise-quality Active Directory security tool can help you implement all five of these core functions effectively and efficiently.
The larger your attack surface, the more opportunities malicious actors have to launch successful cyberattacks. Effective attack surface management empowers you to proactively implement security measures to identify and mitigate your vulnerabilities, thwarting cyberattacks aimed at reaching your valuable data and critical systems.
For example, one vital process is ensuring that all your software and hardware assets are current on patches and remain supported by their vendors. Adversaries looking to exploit known CVEs (common vulnerabilities and exposures) to enter your network will find the door firmly shut.
Similarly, training all of your users on cybersecurity best practices will help prevent attackers from being able to plant ransomware or steal credentials to gain a foothold inside your network.
A great way to approach attack surface management — like virtually any area of cybersecurity — is to leverage a cyber resilience framework like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
For years, organizations around the world have structured their cybersecurity strategies around the five functions (pillars) of the NIST CSF: Identify, Protect, Detect, Respond and Recover. NIST CSF 2.0 adds a sixth pillar, Govern, which is a foundational function that informs and supports the other five pillars.
These six functions provide an excellent framework for building a robust attack surface management strategy:
The foundation of attack surface management is attack surface analysis and attack surface reduction. These strategies map closely to the Identify and Protect functions of the NIST CSF.
The goal here is to thoroughly understand your attack surface and implement controls to minimize it. In other words, you want to block attackers from breaching your network in the first place, as well as prevent malicious insiders or other adversaries inside your network from accessing sensitive data and systems.
Achieving these goals requires a defense-in-depth approach. Key best practices to implement include the following:
A comprehensive attack surface management solution must also continuously monitor the attack surface for changes that could increase risk or introduce new risks. Organizations also need to be prepared for the likelihood that some attacks will get through by building robust response and recovery strategies.
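As an added illustration of the continuous-monitoring step (example code written for this article, not a Quest tool or anything from the original page), the Python below diffs two constructed inventory snapshots, flags services that newly became internet-reachable, assets that vanished, and software past its vendor end of support, then orders the findings so the riskiest ones reach the SOC first. The Asset fields, product names, end-of-support dates and the scan date are all assumed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Asset:
    host: str
    service: str
    port: int
    exposure: str   # "internet" or "internal"
    product: str
    version: str

# Vendor end-of-support dates keyed by (product, version); constructed sample data.
END_OF_SUPPORT = {("ExampleOS", "2012"): date(2023, 10, 10)}
SCAN_DATE = date(2024, 1, 15)   # constructed date of the current snapshot

def asset_changes(baseline: set, current: set, today: date) -> dict:
    """Compare two inventory snapshots and return the risk-relevant findings."""
    added, removed = current - baseline, baseline - current
    def label(a: Asset) -> str:
        return f"{a.host}:{a.port}/{a.service}"
    return {
        # services that appeared since the baseline and are reachable from the internet
        "new_exposed": sorted(label(a) for a in added if a.exposure == "internet"),
        # other newly discovered assets: still need an owner, a patch status and a review
        "new_internal": sorted(label(a) for a in added if a.exposure != "internet"),
        # assets that vanished: decommissioned, or an inventory blind spot to investigate
        "removed": sorted(label(a) for a in removed),
        # anything in the current snapshot running software past its vendor end of support
        "unsupported": sorted(f"{a.host} {a.product} {a.version}" for a in current
                              if END_OF_SUPPORT.get((a.product, a.version), date.max) <= today),
    }

def prioritize(findings: dict) -> list:
    """Flatten findings so internet-exposed and unsupported items are handled first."""
    order = ["new_exposed", "unsupported", "new_internal", "removed"]
    return [(kind, item) for kind in order for item in findings[kind]]

# Constructed snapshots: last week's baseline and today's scan of the same estate.
BASELINE = {
    Asset("web01", "https", 443, "internet", "ExampleWeb", "2.4"),
    Asset("dc01", "ldap", 389, "internal", "ExampleOS", "2022"),
    Asset("file01", "smb", 445, "internal", "ExampleOS", "2012"),
}
CURRENT = {
    Asset("web01", "https", 443, "internet", "ExampleWeb", "2.4"),
    Asset("web01", "rdp", 3389, "internet", "ExampleOS", "2012"),
    Asset("dc01", "ldap", 389, "internal", "ExampleOS", "2022"),
    Asset("app02", "http", 8080, "internal", "ExampleApp", "1.0"),
}
```

Running `prioritize(asset_changes(BASELINE, CURRENT, SCAN_DATE))` on these snapshots puts the newly exposed RDP service and the end-of-support operating system ahead of the new internal web app and the missing file server.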
Important best practices in this area include the following:
NIST CSF 2.0 highlights the need for strong governance. This foundational function helps organizations establish and monitor their security risk management strategy, expectations and policies. It is also a core element of a modern Zero Trust security model.
Governance informs and supports the other five pillars of the NIST CSF. Key areas to focus on include the following:
The key to improving attack surface management is to approach it as part of a comprehensive cybersecurity risk management strategy that covers all the pillars of the NIST CSF.
Indeed, many organizations today are choosing to work with a select set of vendors to establish a cybersecurity mesh architecture (CSMA) — an ecosystem of integrated tools and controls that enables a strong and consistent security posture across their complex, distributed IT environments. For Microsoft-based environments, a CSMA must include a robust Active Directory security tool in its identity fabric.
Quest offers a broad, integrated Active Directory security portfolio that empowers organizations to build a comprehensive defense-in-depth strategy while reducing complexity and simplifying operations. To learn more, please visit our cybersecurity risk management solutions.