If you were at Black Hat this year, or you have been doing your homework online at all, you’ve probably seen EASM, ASM, Exposure Management, Attack Surface, and the many other variations that seem to be coming out of the woodwork. Is this a tool? A capability? Or just the latest marketing buzzword that nobody actually understands? The answer is yes. Security vendors have done an absolutely bang-up job of making this new category as clear as mud, which is going to make it that much harder for you, the SOC Manager, Cloud Security Engineer, IT Admin, Incident Responder, etc., to actually understand what it is you are getting yourselves into. But fear not! One of the easiest ways to clear up confusion is having concrete terminology and definitions so everyone is speaking the same language. Take a look at our glossary and understand how we talk about cybersecurity and attack surface management inside Censys, one of the pioneers in this industry. And if we missed anything, please let us know.
Asset Discovery
The process of identifying Internet assets that are part of an attack surface. The connections between those assets and the attack surface should be established automatically, accepting only high-confidence findings so that false positives stay low. Asset discovery is a foundational capability of attack surface management and should be run as frequently as possible. Also referred to as Asset Attribution.
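The "high-confidence findings only" idea can be made concrete with a small rule engine. The following is an added example, not Censys code: each observed host is linked to the organization only through evidence that cannot easily be faked by a neighbour (an org-owned ASN, a certificate name under an org domain, reverse DNS under an org domain), while a weak signal such as a similar-looking WHOIS organization name is recorded but not trusted on its own. The seed domains, the ASN 64500 and all hosts are constructed, and the IPs come from the documentation ranges.

```python
# Added example (not Censys code): rule-based asset attribution that only
# accepts high-confidence links between an observed host and the organization.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed seed data for a hypothetical organization.
ORG_DOMAINS = {"example.com", "example.net"}
ORG_ASNS = {64500}                 # constructed, from the private-use ASN range
ORG_NAME_HINT = "example corp"     # weak signal: WHOIS org strings vary a lot

CONFIDENCE_RANK = {"low": 0, "high": 1}


@dataclass(frozen=True)
class Observation:
    """One Internet host as a scan might report it (all fields constructed)."""
    ip: str
    asn: Optional[int] = None
    cert_names: Tuple[str, ...] = ()      # CN and SANs of a certificate served on the host
    reverse_dns: Optional[str] = None
    whois_org: Optional[str] = None


def _under_org_domain(name: str) -> bool:
    """True if name equals, or is a subdomain or wildcard of, an org domain."""
    name = name.lower().lstrip("*.")
    return any(name == d or name.endswith("." + d) for d in ORG_DOMAINS)


def attribution_evidence(obs: Observation) -> List[Tuple[str, str]]:
    """Return (confidence, reason) pairs connecting obs to the organization."""
    evidence = []
    if obs.asn in ORG_ASNS:
        evidence.append(("high", f"announced from org-owned AS{obs.asn}"))
    for name in obs.cert_names:
        if _under_org_domain(name):
            evidence.append(("high", f"certificate name {name} is under an org domain"))
    if obs.reverse_dns and _under_org_domain(obs.reverse_dns):
        evidence.append(("high", f"reverse DNS {obs.reverse_dns} is under an org domain"))
    if obs.whois_org and ORG_NAME_HINT in obs.whois_org.lower():
        # Name similarity alone is a classic false-positive source, so it stays "low".
        evidence.append(("low", f"WHOIS org '{obs.whois_org}' resembles the org name"))
    return evidence


def discover_assets(observations, min_confidence="high"):
    """Map ip -> reasons for every observation with evidence at or above min_confidence."""
    threshold = CONFIDENCE_RANK[min_confidence]
    accepted = {}
    for obs in observations:
        reasons = [r for c, r in attribution_evidence(obs) if CONFIDENCE_RANK[c] >= threshold]
        if reasons:
            accepted[obs.ip] = reasons
    return accepted


# Constructed scan results using documentation IP ranges, not real hosts.
SAMPLE_SCAN = [
    Observation("192.0.2.10", asn=64500, cert_names=("www.example.com",)),
    Observation("198.51.100.7", asn=64496, cert_names=("*.example.net", "cdn.provider.test")),
    Observation("203.0.113.5", asn=64496, cert_names=("shop.example-corp.biz",),
                whois_org="Example Corp Holdings"),
    Observation("203.0.113.9", asn=64497, reverse_dns="mail.example.com"),
]

if __name__ == "__main__":
    for ip, reasons in discover_assets(SAMPLE_SCAN).items():
        print(ip, "->", "; ".join(reasons))
```

With the default threshold the host whose only link is a look-alike WHOIS organization name is left out of the attack surface; lowering the threshold to "low" pulls it in, which is exactly the kind of choice that drives the false-positive rate of an inventory.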
Attack Surface
The set of Internet assets relevant to an organization’s cybersecurity posture that an attacker can attempt to access or compromise. Both internal and external assets make up the attack surface; they live on-premises, in the cloud, with shared hosting providers, and in other third-party dependencies. An attack surface includes all assets, whether or not they are known to and protected by an IT and security team.
Attack Surface Management
The continuous discovery, inventory, and monitoring of an organization’s IT infrastructure, both known and unknown. This is an ongoing process involving both inside-out and outside-in visibility of assets. Attack surface management presents a new approach for security programs to understand and share context across teams, so they can become proactive in building secure solutions and protecting the business. External attack surface management (EASM) is a function within the larger attack surface management process focused specifically on the external attack surface.
Automatic Protocol Detection
A method, applied during port scanning, of analyzing every server response to identify its underlying service, even if the service is non-standard for the port number (e.g., SSH on port 1234). This accounts for the fact that any service can be running on any port. Around 60% of all services observed on the Internet are found on a non-standard port.
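As an added illustration (not Censys’s scanner), the snippet below identifies a service from the first bytes of its response rather than from the port it answered on, using the greeting formats the protocols themselves define, and then flags every identified service whose port does not match the conventional one. The responses are constructed; the "expected protocol per port" table is a small assumption standing in for the IANA assignments.

```python
# Added example (not Censys's scanner): identify a service from its response
# bytes rather than from its port number, and flag non-standard port usage.
import re

# Greeting patterns based on each protocol's wire format; order matters
# because some banners share prefixes (POP3 and Redis both use "+OK").
SIGNATURES = [
    ("ssh",   re.compile(rb"^SSH-\d\.\d-")),
    ("http",  re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("smtp",  re.compile(rb"^220[ -][^\r\n]*E?SMTP", re.I)),
    ("ftp",   re.compile(rb"^220[ -][^\r\n]*FTP", re.I)),
    ("pop3",  re.compile(rb"^\+OK")),
    ("imap",  re.compile(rb"^\* OK")),
    ("tls",   re.compile(rb"^\x16\x03[\x00-\x03]")),   # TLS record: handshake, SSL3/TLS1.x
    ("redis", re.compile(rb"^-ERR ")),
]

# Assumed "expected" protocol per port; anything else counts as non-standard.
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3",
              143: "imap", 443: "tls", 6379: "redis"}


def identify_protocol(response: bytes) -> str:
    """Return the first protocol whose greeting pattern matches the response."""
    for proto, pattern in SIGNATURES:
        if pattern.match(response):
            return proto
    return "unknown"


def classify_services(observations):
    """observations: (port, first response bytes). Returns one record per service."""
    records = []
    for port, response in observations:
        proto = identify_protocol(response)
        records.append({
            "port": port,
            "protocol": proto,
            "nonstandard": proto != "unknown" and WELL_KNOWN.get(port) != proto,
        })
    return records


def nonstandard_share(records) -> float:
    """Fraction of identified services running on a port other than the expected one."""
    known = [r for r in records if r["protocol"] != "unknown"]
    return sum(r["nonstandard"] for r in known) / len(known) if known else 0.0


# Constructed responses as a scanner might capture them.
SAMPLE_RESPONSES = [
    (1234, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (80,   b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    (8443, b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"),   # TLS ServerHello record
    (2525, b"220 mx.example.test ESMTP ready\r\n"),
    (443,  b"HTTP/1.1 400 Bad Request\r\n\r\n"),   # plain HTTP where TLS is expected
    (9999, b"\x00\x01\x02garbage"),
]

if __name__ == "__main__":
    for record in classify_services(SAMPLE_RESPONSES):
        print(record)
    print("non-standard share:", nonstandard_share(classify_services(SAMPLE_RESPONSES)))
```

Note the plain-HTTP response on port 443: a port-based inventory would record it as a TLS service, while response-based detection records what is actually listening, which is the detail an exposure review needs.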
Cloud Connectors
An integration with cloud accounts that is used for Shadow Cloud discovery, exposure monitoring, and cloud asset inventory. Information from all Internet-facing assets in a given cloud account (Amazon S3, Azure Blob, Google Cloud Storage, virtual instances, databases, etc.) is continuously fed into an ASM platform, ideally as frequently as possible, enriching the asset discovery process and providing total cloud visibility.
Command and Control (C2) Infrastructure
Software used to control, over the Internet, the servers on which it appears. Like any software, it has uniquely identifiable default settings and configurations. This gives security professionals tools to test their defenses, but it can also be leveraged for malicious actions.
Exposure
All potential ingress points on a given asset that can be seen from an outside-in perspective (i.e., are Internet-facing). Exposures in themselves do not determine the overall risk to an organization, but they present opportunities that can be exploited by attackers and should be monitored or addressed.
External Asset
An Internet-facing entity that an organization controls in order to conduct business on the Internet, including IP addresses, netblocks (CIDRs), autonomous systems (ASNs), certificates, domains and subdomains, websites, and storage objects. A collection of External Assets represents an organization’s external attack surface.
External Attack Surface
The set of external assets relevant to an organization’s cybersecurity posture. The External Attack Surface includes both known and unknown assets, and has become the number one entry point of security incidents and breaches.
External Attack Surface Management
A tool or process that continually discovers, inventories, and monitors the exposure of known and unknown external assets. External attack surface management is part of a larger attack surface management process or program, and should prioritize the outside-in visibility of external assets – these will be the most accessible to attackers.
Triggering a port scan of any host within an attack surface to rescan all known services, refreshing host data with its most current configuration from an outside-in perspective. This is often used as a “trust, but verify” mechanism as the final step of any exposure remediation efforts.
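The "trust, but verify" step is easiest to reason about as a diff between two outside-in snapshots of the same host. The following is an added example, not Censys code: it compares the service list before and after a rescan, confirms that every service the remediation ticket claims was removed is really gone, and reports services that appeared or changed in the meantime as separate findings. The `Service` record, both snapshots and the ticket contents are constructed.

```python
# Added example (not Censys code): confirm an exposure fix by diffing the service
# inventory of a host before and after an on-demand rescan.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ServiceKey = Tuple[int, str]   # (port, protocol) identifies a service on a host


@dataclass(frozen=True)
class Service:
    port: int
    protocol: str
    fingerprint: str   # version/banner string as observed from the outside


def diff_snapshots(before: Iterable[Service], after: Iterable[Service]) -> Dict[str, List[ServiceKey]]:
    """Compare two outside-in views of the same host."""
    old = {(s.port, s.protocol): s for s in before}
    new = {(s.port, s.protocol): s for s in after}
    return {
        "closed": sorted(set(old) - set(new)),
        "opened": sorted(set(new) - set(old)),
        "changed": sorted(k for k in set(old) & set(new)
                          if old[k].fingerprint != new[k].fingerprint),
    }


def verify_remediation(expected_closed: Iterable[ServiceKey], before, after):
    """'Trust, but verify': the fix is verified only if every service the ticket
    claims was closed is absent from the rescan. Services that appeared since the
    first scan are returned separately; they are new findings, not part of the
    verification itself."""
    delta = diff_snapshots(before, after)
    still_open = sorted(set(expected_closed) - set(delta["closed"]))
    return {
        "verified": not still_open,
        "still_open": still_open,
        "new_exposures": delta["opened"],
        "changed": delta["changed"],
    }


# Constructed snapshots of one host; fingerprints are illustrative only.
BEFORE = [
    Service(22, "ssh", "OpenSSH_7.4"),
    Service(443, "http", "nginx/1.18.0"),
    Service(3389, "rdp", "Windows RDP"),
    Service(9200, "http", "Elasticsearch 7.10"),
]
# The ticket says RDP and the Elasticsearch API were taken off the Internet.
TICKET_CLOSED = [(3389, "rdp"), (9200, "http")]
AFTER = [
    Service(22, "ssh", "OpenSSH_9.6"),             # upgraded in the same maintenance window
    Service(443, "http", "nginx/1.18.0"),
    Service(9200, "http", "Elasticsearch 7.10"),   # the firewall rule was never applied
    Service(8080, "http", "Jenkins"),              # something new showed up
]

if __name__ == "__main__":
    print(verify_remediation(TICKET_CLOSED, BEFORE, AFTER))
```

Keying services on (port, protocol) rather than on port alone matters with protocol detection in play: a host that swaps plain HTTP for TLS on the same port shows up as one closed and one opened service, which is the honest description of what the outside now sees.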
Risk
The potential for an exposure to negatively impact an organization if exploited or acted upon by an attacker. The overall severity of a risk is determined by a combination of the exposure itself and the underlying data, business context, or importance to an IT ecosystem. Risk severity may differ on a case-by-case basis.
Shadow Cloud
Cloud-hosted, Internet-facing assets that live outside of any environment protected by an organization’s security program. Shadow Cloud is the result of managed and unmanaged cloud adoption within an organization, and most commonly occurs when parts of the organization outside of IT create cloud services, often circumventing any formal IT process.
Shadow IT
Internet-facing assets that are not cohesively maintained, managed, and protected by an organization. Shadow IT presents easy-to-exploit attack vectors because these assets sit outside the scope of security tooling and thus have minimal protection in place. Common sources of Shadow IT are legacy infrastructure, newly inherited assets from a merger or acquisition, non-IT-managed assets created by other parts of the organization, and the adoption of cloud services.