Attack Surface Analysis Guide
Last Updated: 06/16/2022
Learn what it takes to map your attack surface, and what methods are available to keep you protected.
As your business expands, and your number of assets increases, the number of ways that you can be attacked also increases. It is therefore important for you to expand your walls of defense to cover your entire network—but how exactly do you do that? And how exactly do you keep track of every possible vulnerability on your network?
This article answers your questions by explaining how you can analyze and secure your attack surface, which is your external surface that is open to attack.
What is an Attack Surface?
An attack surface encompasses all points on your network that are capable of being attacked. In practice that means every open port, every internet-connected asset, and everything on your network that could be breached either physically or digitally: your entire externally facing surface.
While this scope sounds too large to handle, you will have barriers in place that reduce your attack surface. For example, a firewall protects all devices that sit behind it—reducing your attack surface from any number of devices to a single firewall. You might require a key to enter your server room—reducing your attack surface from a gargantuan number of physical ports to a single door. This is how you can visualize, and by extension support and reduce, your attack surface. Virtual assets and cloud-hosted assets all count towards your potential attack surface.
Analyzing your entire attack surface can still be extremely difficult, depending on the scale of your business. Since every asset can potentially be an attack surface, that includes forgotten or abandoned assets that were never properly decommissioned. It’s why cataloging and tracking all assets within your business is incredibly important and is the first step towards mapping and reducing your attack surface.
Each asset also has multiple facets to its attack surface—what do we mean by this? Well, to give an example, a single asset might have the following points of attack:
- Some physical unprotected USB ports
- An untested and unsecured piece of third-party software
- A handful of open ports that firewall rules allow through
- An unpatched piece of critical software
- A user—who could fall for any number of phishing/malware scams
This means that your attack surface isn’t exactly a flat record of every asset; each asset may present more or fewer vectors of attack. Grouping devices properly helps to alleviate this kind of confusion, so long as each asset in a group is held to the same standards. Group policies, team briefings, monitored hardware, etc. are all strategies that can simplify your attack surface by delineating the vectors of attack into easily understood groups.
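To make the point concrete, here is an added Python example (not code from the original article) that records the facets listed above per asset and checks each asset against the standard defined for its policy group. The asset names, group names, port lists and thresholds are constructed for the example; an asset that belongs to no group is reported on its own, since no standard can be applied to it.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One inventory entry with the attack-surface facets the article lists."""
    name: str
    group: str
    open_ports: set = field(default_factory=set)
    unprotected_usb: bool = False
    unvetted_third_party: list = field(default_factory=list)
    days_since_patch: int = 0
    users_phish_trained: bool = True


@dataclass
class GroupStandard:
    """The baseline every asset in a policy group must meet."""
    allowed_ports: set
    usb_allowed: bool
    max_patch_age_days: int
    require_phish_training: bool


# Constructed group standards (hypothetical values, not from the article).
STANDARDS = {
    "workstation": GroupStandard(set(), False, 30, True),
    "web-server": GroupStandard({80, 443}, False, 14, False),
}

# Constructed inventory: four assets, one of them never assigned to a group.
INVENTORY = [
    Asset("ws-01", "workstation", days_since_patch=3),
    Asset("ws-02", "workstation", unprotected_usb=True,
          days_since_patch=45, users_phish_trained=False),
    Asset("web-01", "web-server", open_ports={80, 443, 22},
          unvetted_third_party=["legacy-cms-plugin"]),
    Asset("printer-old", "unknown", open_ports={9100}),
]


def facet_violations(asset: Asset, standard: GroupStandard) -> list:
    """Return the facets of this asset that fall outside its group's standard."""
    issues = []
    extra_ports = asset.open_ports - standard.allowed_ports
    if extra_ports:
        issues.append(f"open ports outside policy: {sorted(extra_ports)}")
    if asset.unprotected_usb and not standard.usb_allowed:
        issues.append("unprotected USB ports")
    if asset.unvetted_third_party:
        issues.append(f"unvetted third-party software: {asset.unvetted_third_party}")
    if asset.days_since_patch > standard.max_patch_age_days:
        issues.append(f"patch age {asset.days_since_patch}d exceeds "
                      f"{standard.max_patch_age_days}d")
    if standard.require_phish_training and not asset.users_phish_trained:
        issues.append("user not phishing-trained")
    return issues


def audit(assets: list, standards: dict) -> dict:
    """Map asset name -> list of violations. Ungrouped assets get one finding,
    because an asset with no standard cannot be shown to be compliant."""
    report = {}
    for asset in assets:
        standard = standards.get(asset.group)
        if standard is None:
            report[asset.name] = ["not assigned to any policy group"]
        else:
            report[asset.name] = facet_violations(asset, standard)
    return report


def surface_summary(report: dict) -> tuple:
    """(number of non-compliant assets, total number of open facets)."""
    noncompliant = sum(1 for v in report.values() if v)
    return noncompliant, sum(len(v) for v in report.values())


if __name__ == "__main__":
    result = audit(INVENTORY, STANDARDS)
    for name, issues in result.items():
        print(name, "->", issues or "compliant")
    print("summary:", surface_summary(result))
```

The output is not a flat count of assets but a per-asset list of facets, which is the distinction the paragraph draws; the group standard is what lets the two workstations be judged by one rule while the web server is judged by another.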
What is ASM?
ASM stands for Attack Surface Management.
This all-purpose term covers several actions that your business should be undertaking to better manage your attack surface.
The most important part of ASM is discovery. This means continuously monitoring your network for any changes in your potential attack surface. Keep up-to-date records of your assets, both physical and virtual—and when an old asset is removed or replaced, take the time to ensure it can no longer pose a threat to your network inventory. As your business grows and changes, discovery becomes increasingly important, and neglecting it is a reliable route to a security breach.
The other half of ASM is mitigation. This means going beyond monitoring your network infrastructure and putting in place restrictions and policies that reduce your attack surface. Devices that connect to your network need to be properly classified, grouped, and assigned policy-based restrictions. New staff need to be properly trained in basic network security rules. New software needs to be checked and kept up to date.
If your business is working on DevSecOps projects, where security is a key part of your development, then ASM is even more important to your pipeline. In this case, integration is also a deeply vital step for you to take. This means properly integrating the necessary steps to check the external-facing surface of your projects and mitigate the attack surface, as part of regular development. As we’ll discuss later, several ASM services can be smoothly integrated into your CI/CD pipeline.
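The discovery and integration steps described above can be expressed as one check that runs in a pipeline. The following is an added example, not code from the article or from any of the products it names: it compares the asset register a team maintains with what an external scan actually observed, reports unregistered hosts (forgotten or shadow assets), decommissioned hosts that still answer, and new ports on active hosts, and turns the result into an exit status a CI/CD job can block on. The register, the scan result, the hostnames and the port numbers are all constructed for the example.

```python
import sys
from dataclasses import dataclass

# Constructed asset register (hypothetical): hostname -> (status, expected open ports).
REGISTER = {
    "web-01": ("active", {80, 443}),
    "vpn-01": ("active", {443}),
    "old-ftp": ("decommissioned", set()),
}

# Constructed result of an external scan of the organisation's address space.
OBSERVED = {
    "web-01": {80, 443, 8080},   # a port appeared that the register does not expect
    "old-ftp": {21},             # a decommissioned host is still answering
    "test-box": {22, 3306},      # nobody registered this host at all
}


@dataclass
class DriftReport:
    unknown_hosts: dict   # observed but absent from the register
    stale_hosts: dict     # decommissioned in the register but still reachable
    new_ports: dict       # active hosts exposing ports outside their record
    missing_hosts: list   # active in the register but not seen by the scan


def find_drift(register: dict, observed: dict) -> DriftReport:
    """Diff the recorded inventory against what the scan actually saw."""
    unknown = {h: p for h, p in observed.items() if h not in register}
    stale = {h: p for h, p in observed.items()
             if h in register and register[h][0] == "decommissioned" and p}
    new_ports = {}
    for host, ports in observed.items():
        if host in register and register[host][0] == "active":
            extra = ports - register[host][1]
            if extra:
                new_ports[host] = extra
    missing = [h for h, (status, _) in register.items()
               if status == "active" and h not in observed]
    return DriftReport(unknown, stale, new_ports, sorted(missing))


def gate(report: DriftReport) -> int:
    """Exit status for a CI/CD step: 0 passes, 1 blocks the pipeline.
    Missing hosts are a record-keeping problem rather than new exposure,
    so they are reported but do not fail the gate on their own."""
    exposure = report.unknown_hosts or report.stale_hosts or report.new_ports
    return 1 if exposure else 0


if __name__ == "__main__":
    drift = find_drift(REGISTER, OBSERVED)
    print("unregistered hosts:", drift.unknown_hosts)
    print("decommissioned but reachable:", drift.stale_hosts)
    print("unexpected ports on active hosts:", drift.new_ports)
    print("registered but not observed:", drift.missing_hosts)
    sys.exit(gate(drift))
```

Run on the constructed data the gate fails, which is the intended behaviour: the job stops until someone either registers `test-box`, actually switches off `old-ftp`, or updates the record for `web-01`. In a real pipeline the `OBSERVED` dictionary would be loaded from the scan output of whichever ASM tool the team uses, and the register from the asset inventory.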
ASM Made Simple
As your business expands, whether through additional staff, new projects, or new digital/physical assets, you should now understand why ASM is critical. However, getting started with ASM can be a monstrous task, depending on how large your business infrastructure already is.
There are three ways that you can ultimately go about ASM—secure businesses should consider performing a mix of all three methods.
- Manual ASM which means going about ASM the hard way by doing it yourselves. This is easier for smaller businesses, or businesses that are just getting started, but gets exponentially harder the later you get started. Regardless of what method you choose, you should always be doing at least a little bit of this. Properly categorizing your assets, keeping your staff knowledgeable about network security risks, and keeping some physical assets behind closed doors—all of these manual steps are a part of fundamental ASM.
- Automated ASM through software platforms. This means paying for a third-party product that perpetually scans and catalogs your entire attack surface. This option is excellent for regular and consistent security as your company changes and expands. We discuss this in more detail below.
- Human-Driven ASM by teaming up with a third-party company that provides ASM services. This differs from automated ASM by keeping the work strictly human-oriented. You’ll be teamed up with experts who do all the hard work of categorizing and pen-testing your network assets. We also discuss this in more detail below.
Automated ASM Platforms
Relying on the assistance of software and services can massively increase your attack surface analysis capabilities. There is a variety of attack surface monitoring tools on the market, but generally, they each perform the same functions:
- Scan the web for potential threats that might interact with your assets
- Build a map of your attack surface
- Non-intrusively scan your third-party connections for vulnerabilities
These three main features are the core of most of these automated software solutions. The differences between them come down to the scalability of the platform, the means of deployment, and the information you get back. The best solutions also come with CI/CD integration capabilities that are crucial for DevSecOps projects—this typically means an API, but also several pre-built integrations for things like Jenkins.
We’ve covered three different products below that come highly recommended when performing automated attack surface monitoring and threat remediation.
1. Rapid7 InsightVM
Rapid7 InsightVM is one of the best attack surface monitoring solutions on the market, owing to the extensive security research and testing conducted across Rapid7's inventory of security-focused products. For full security monitoring, the system uses a lightweight distributed agent that can be expanded to span cloud and virtual environments. Customizable dashboards provide you with essential data on the fly, while insight metrics help you manage vulnerabilities and improve responsiveness.
- Cloud/virtual support
- Customizable dashboards with deep insights
- Policy assessment and risk prioritization
- Goals and SLAs
- RESTful API
Building the greatest security tools necessitates a rich source of security data, one that is regularly updated to keep ahead of the curve, and InsightVM excels in this regard. InsightVM stands out for the sheer number of integrations it offers, in addition to the large amount of security data it collects. It comes pre-integrated with over 40 key technological platforms. For optimal security coverage, you may also leverage the built-in open RESTful API to increase your integration choices.
If you’re looking for a tool that serves as a good all-rounder, with reasonable costs combined with excellent features, then you might want to try the Rapid7 InsightVM free trial.
2. ImmuniWeb Discovery
ImmuniWeb Discovery is a comprehensive threat analysis and surface monitoring solution that focuses on data breach prevention and web monitoring. ImmuniWeb was designed from the ground up to be an enterprise-scale solution with a global reach—while this means the solution is more expensive, it also ensures consistent quality and scalability.
- AI-driven OSINT surface monitoring
- Cloud and on-prem analysis
- Instant alerting
- Deep/dark web vulnerability scanning
- Third-party scanning
It monitors your attack surface through the deep and dark web using OSINT and its AI-driven detection algorithms. The program can search for assets that have been abandoned or forgotten, and it provides real-time alerts when vulnerabilities are discovered. The system does not require an agent deployment or on-premise support because it is based on OSINT and is focused on external online threat analysis.
This solution is perfect if you’re looking for an enterprise-scale solution that can compete with security threats on the global front, while having excellent web discovery and asset detection. While there’s no free trial, there is a demo available on the company website.
3. CoalFire Attack Surface Management
CoalFire Attack Surface Management uses automation and guidance-based support to solve the problem of attack surface monitoring. The program continuously scans the internet to monitor your external attack surface, creating vulnerability maps and relevant dashboard data that you can use to plan for your DevSecOps projects or your own network infrastructure.
- Comprehensive discovery features
- In-depth automation
- External attack surface monitoring
- Actionable data testing
- Remediation support and reporting
Through risk exposure and pen-testing tools, the solution gives actionable security feedback that is translated into usable information with goals and estimates on how your DevSec team can address the detected issues.
This third solution is best if you’re analyzing the attack surface of a DevSecOps project, especially since it helps to create remediation goals that speed up development fixes by removing the need to spend time parsing the data.
Human-driven ASM Services
While automated software platforms like those listed above are excellent for perpetual and thorough attack surface monitoring, sometimes you need a human touch. There are several services available online that put you in contact with expert analysts who do all the hard work for you. More importantly, they don’t just rely on software and automation.
Sometimes, threats take advantage of the blind spots of technology to exploit your vulnerabilities, and a human analyst can find these blind spots where an automated system wouldn’t be able to identify them. What’s more, you know that you can trust the data that is reported to you, since it has already been read through and thoroughly checked.
One such service is Bugcrowd, which is a crowd-sourced solution that puts you in contact with expert analysts who map and remediate your attack surface. The service was built first for crowd-sourced bug finding (hence the name) but has branched out into other areas—including attack surface analysis.
The company's experts are hailed as expert ‘hackers’, capable of turning the tide on vulnerability threats with a personal touch that software cannot match. The experts provide complete attack surface maps to find neglected or abandoned assets. They produce detailed risk reports that outline exactly what has been discovered and what can be done to resolve any vulnerabilities. The solution places a premium on asset discovery and management.
This service is best used for occasional, human-focused analysis, possibly in conjunction with an automated software solution. Since Bugcrowd can provide other services like bug fixing, you can feasibly pipeline your projects alongside Bugcrowd and get them involved in other aspects of your DevSecOps projects.