In this Help Net Security interview, Patrice Auffret, CTO at Onyphe, explains how the traditional perimeter-based security view is becoming obsolete. He suggests that organizations should redefine their attack surface concept and discusses proactive measures they can take to strengthen their attack surface management (ASM) solution.
How does ASM help answer essential questions about the nature and vulnerabilities of an organization’s attack surface? Can you provide some insights into the key questions organizations should be asking?
First, let’s define ASM. The term was coined by Gartner somewhere in 2020. It is a new tool in the defensive cybersecurity arsenal for organizations. ASM should help organizations have a better view of their internet-exposed assets, as well as help them identify the unknown ones. Many solutions have appeared since then under the ASM category, but they are not all made equal. A good ASM solution must incorporate Attack Surface Discovery (ASD), which is the ability to find unknown assets. We have been active in both ASD & ASM categories for 6 years now, before these terms were even a thing.
In 2023, organizations can’t patch everything quickly, all the time. ASM should allow IT teams to focus on the most important threats: the ones exploited by cybercriminals to penetrate networks and deploy ransomware. We know, thanks to threat intelligence reports, that the vast majority of intrusions occur because of Internet-exposed Remote Desktop Protocol (RDP) services, VPN appliances, and critical vulnerabilities (CVEs). A Palo Alto Unit 42 report from 2022 highlights that these three initial access vectors account for 46% of Internet-based network intrusions.
From an external attack surface management perspective, at the very least, companies should focus on those 3 vectors.
Given that the traditional perimeter-based view of security is becoming obsolete, how should organizations redefine their concept of an attack surface in today’s cloud-centric world?
An organization’s attack surface can include all the technology underpinning its business processes and data, including outsourced infrastructure and applications. That’s why ASD is so essential and a prerequisite for effective ASM. Furthermore, we argue that, for many organizations, ASM is the easy part, and the challenge is to have a full inventory of their exposed assets. That’s where an ASD solution comes in.
Another key benefit of ASD is that it can feed a traditional vulnerability scanner with a list of IP addresses or Fully Qualified Domain Names (FQDNs) as a complement to ASM solutions.
In addition, the obsolete IP-based approach to asset inventory should be banned. Today, you have to adopt a domain-based approach for asset inventory. Why so? Simply because with ephemeral cloud-based infrastructure, IP addresses are subject to change, whereas domain names should remain consistent over time, with new domains constantly added. How can we follow changes and new domains? A good ASD solution has to collect data from multiple sources, like DNS, Certificate Transparency Logs (CTL), Internet-wide IP-based scanning, and, even more importantly, URL-based scanning. The last one is crucial because more and more companies protect their Web sites with CDN solutions, such as Cloudflare. If you only scan Cloudflare’s IP addresses, you won’t be able to get visibility on your actual web hosts, which may have hidden security issues.
By leveraging all these sources of information, an organization can start from a single domain name, pivot on keywords and known service providers, and then iterate to create an inventory of all exposed assets. Then, you must use the right tools to find IP addresses bound to all your domains and other pivots, like the organization field in TLS certificates or HTTP trackers, like Google Analytics & Meta Pixels, found on Web sites. This list of patterns becomes your asset inventory, and you must update it regularly to find new exposed assets.
A good ASM solution should be IP agnostic while being able to search by network blocks for organizations with their IP ranges or datacenters.
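As an added illustration of the domain-based pivoting described above (example code written for this page, not Onyphe's tooling or anything from the interview), the following Python script builds an inventory from constructed DNS, CTL and URL-scan observations, pivoting on the TLS certificate organisation field and on HTTP tracker IDs until nothing new appears; every domain, IP address, organisation name and tracker ID is a made-up placeholder.

```python
"""Domain-based attack surface discovery by pivoting (constructed example).

Start from one seed domain, correlate DNS, Certificate Transparency (CTL) and
URL-scan observations, and pivot on the certificate organisation field and on
HTTP tracker IDs until no new asset appears. IPs are derived last, so the
inventory itself stays IP-agnostic.
"""

# Constructed stand-ins for real data sources. All values are placeholders.
DNS = {                       # FQDN -> current IP (subject to change)
    "example.com": "203.0.113.10",
    "vpn.example.com": "203.0.113.20",
    "old-portal.example.org": "203.0.113.30",
    "shop.example-brand.net": "198.51.100.5",
    "unrelated.test": "192.0.2.7",
}
CTL = [                       # (certificate subject organisation, SANs)
    ("Example Corp", ["example.com", "vpn.example.com"]),
    ("Example Corp", ["old-portal.example.org"]),
    ("Other Ltd", ["unrelated.test"]),
]
URLSCAN = {                   # host -> HTTP tracker IDs seen in page content
    "example.com": {"UA-12345-1"},
    "shop.example-brand.net": {"UA-12345-1", "px-999"},
    "unrelated.test": {"UA-99999-9"},
}

def discover(seed):
    """Iterate pivots to a fixpoint; return the inventory and its pivots."""
    domains, orgs, trackers = {seed}, set(), set()
    while True:
        before = len(domains)
        # Pivot 1: any cert covering a known domain reveals an organisation
        # name; every SAN issued to that organisation is then an asset.
        orgs |= {org for org, sans in CTL if domains & set(sans)}
        domains |= {s for org, sans in CTL if org in orgs for s in sans}
        # Pivot 2: tracker IDs found on known hosts; any other host carrying
        # the same ID is a candidate asset (shared IDs need analyst review).
        trackers |= {t for h in domains for t in URLSCAN.get(h, ())}
        domains |= {h for h, ids in URLSCAN.items() if ids & trackers}
        if len(domains) == before:      # no pivot produced a new asset
            break
    return {"domains": sorted(domains), "orgs": sorted(orgs),
            "trackers": sorted(trackers),
            "ips": {d: DNS.get(d) for d in sorted(domains)}}

def new_assets(previous, current):
    """Regular re-runs: domains present now that were absent last time."""
    return sorted(set(current["domains"]) - set(previous))
```

Re-running `discover` on a schedule and diffing with `new_assets` is what keeps the inventory current as cloud IPs change and new domains appear.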
With the dynamic nature of businesses, especially those moving to the cloud, how do internal and external ASM differ in their approach and significance?
Internal ASM is simpler: you should already have the list of your IP addresses or network blocks. Scanning your ranges should be done regularly, which has been done for decades.
External ASM is harder as you have to identify your assets, as we described previously, then update the list of increasing pivots. Furthermore, for external ASM, we want to state that the IP address found is a VPN appliance, a camera or a ticketing system. It is important to know which kind of asset is exposed. Do you know all of your exposed VPN servers? Do you have a solution that can easily give you this list? That’s one of the goals of ASM.
The fact that an asset is hosted on the cloud or elsewhere doesn’t really matter in the end; criminals are hosting-provider agnostic when they search for targets. At the same time, an ASM solution should be able to state which kind of hosting facility an IP address is bound to, as it may help enforce an internal security policy, for instance.
Traditional methods like red team exercises or penetration tests have generated asset inventories. Why are these methods becoming less effective, especially in cloud environments?
They are becoming less effective because, as argued previously, IP addresses are subject to change and you have to follow these updates nearly daily. Traditional penetration testing is usually strictly bound to a given scope (IP addresses and domain names, in the most common scenario) provided by the end customer. The person providing that list may not know all the relevant assets. A more realistic penetration test would be “no-scope” based, as this is how cybercriminals work. The “no-scope” based pentest should use an ASD solution before starting. Why should legitimate pentests be limited by a narrow scope from the beginning, while illegitimate “pentests” performed by criminals are not?
Also, regarding traditional vulnerability scanners organizations have been using for decades, their goal is to output a report with all vulnerabilities, critical or not, which can impose a huge load on the remediation teams. Furthermore, vulnerability scanners must find something, even when not exploitable or useless, from an attacker’s perspective. We consider this approach of “finding everything” as obsolete simply because teams cannot adequately prioritize the workload it generates, and that leads to remediation fatigue. Finally, one should not wait for an issue to be found by a vulnerability scanner to start remediation; it may already be too late.
Traditional vulnerability scanners are perfect for creating KPIs for management, while ASD/ASM solutions are useful for operational security teams which are under fire every day. They need efficient solutions to focus on today’s critical threats, not lengthy reports and colorful dashboards.
Since many organizations have experienced a cyberattack on an unknown or unmanaged asset, what proactive measures can be taken to minimize this risk?
The first proactive measure is to maintain an up-to-date asset inventory based on the correlation between multiple sources of information as we have described: DNS, CTL, IP scanning, and URL scanning. This approach allows organizations to identify what basic ASM solutions cannot.
Secondly, ASM must leverage Cyber Threat Intelligence (CTI) to focus strongly on what cybercriminals seek. We are doing in-house threat intelligence so we can focus on detecting what matters. So, ASM must be able to identify systems and services currently targeted by criminals.
Thirdly, regarding critical vulnerabilities (CVEs), organizations must understand that using the current CVSS scoring system to prioritize patching is flawed. We argue that security teams should define a binary scoring system: a CVE is exploited to penetrate networks, or it is not. That’s the approach taken by the CISA Known Exploited Vulnerability (KEV) catalog, and we are fully aligned with that excellent initiative. After decades of trying, even big organizations are unable to patch all their software and hardware. Focusing on critical vulnerabilities and RDP/VPN servers would definitely improve the security posture of most IT landscapes. At the same time, it would help operational security teams to focus on what matters most.
Finally, a last and critical consideration when performing ASD & ASM is to identify your suppliers and subsidiaries. Do they handle your data? If so, they should be part of the asset inventory and integrated into your ASM program. We have often seen reports of companies being compromised because of a supplier or a subsidiary. They should be considered as part of your organization.
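As an added example (not code from the interview or from Onyphe), this Python snippet implements the binary "exploited or not" scoring described above on constructed scanner findings, with a placeholder known-exploited list standing in for the CISA KEV catalogue and the RDP/VPN initial-access vectors named earlier; the CVE identifiers, hostnames and CVSS scores are made up.

```python
"""Binary prioritisation of ASM findings (constructed example).

A finding is "act_now" when its CVE is in a known-exploited list (a
constructed stand-in for the CISA KEV catalogue) or when it is an
Internet-exposed RDP or VPN service; everything else is "backlog".
CVSS is used only as a tie-breaker inside the act_now bucket.
"""

# Placeholder CVE identifiers; a real deployment loads the CISA KEV feed.
KNOWN_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}
INITIAL_ACCESS_SERVICES = {"rdp", "vpn"}

def priority(finding):
    """Return (bucket, reason) for one finding; no CVSS thresholds involved."""
    if finding.get("cve") in KNOWN_EXPLOITED:
        return "act_now", "CVE in known-exploited catalogue"
    if (finding.get("service") in INITIAL_ACCESS_SERVICES
            and finding.get("exposure") == "internet"):
        return "act_now", f"internet-exposed {finding['service']}"
    return "backlog", "not exploited in the wild, not an initial-access vector"

def triage(findings):
    """Split findings into two lists, ordered for the remediation team."""
    act_now, backlog = [], []
    for f in findings:
        bucket, why = priority(f)
        (act_now if bucket == "act_now" else backlog).append({**f, "why": why})
    # Exploited CVEs on initial-access services first, then other exploited
    # CVEs, then bare RDP/VPN exposures; CVSS only breaks ties.
    act_now.sort(key=lambda f: (
        -(f.get("cve") in KNOWN_EXPLOITED and f.get("service") in INITIAL_ACCESS_SERVICES),
        -(f.get("cve") in KNOWN_EXPLOITED),
        -f.get("cvss", 0.0)))
    return act_now, backlog

# Constructed findings as a vulnerability scanner or ASM tool might report.
FINDINGS = [
    {"asset": "vpn.example.com", "service": "vpn", "exposure": "internet",
     "cve": "CVE-0000-0001", "cvss": 7.2},
    {"asset": "web.example.com", "service": "http", "exposure": "internet",
     "cve": "CVE-0000-0002", "cvss": 9.8},          # critical score, unexploited
    {"asset": "ts01.example.com", "service": "rdp", "exposure": "internet"},
    {"asset": "fileserver.corp", "service": "rdp", "exposure": "internal"},
    {"asset": "api.example.com", "service": "http", "exposure": "internet",
     "cve": "CVE-0000-0003", "cvss": 5.3},          # medium score, exploited
]
```

Note that the CVSS 9.8 finding lands in the backlog while the CVSS 5.3 one is acted on, which is the point of the binary model.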