external attack surface management (EASM)

min read

What is an external attack surface?

An attack surface is the sum total of all possible paths that can be used to exploit a computer system or network.  

The external attack surface is the part of attack surface which is on an organization’s perimeter: all services and systems which can be accessed from the internet.

What is external attack surface management (EASM)?

External attack surface management (EASM) is a continuous process of detection, evaluation, and mitigation of attack vectors which are accessible from the internet.

The EASM cycle is performed in three main parts, each of which need to run continuously to keep up with your organization’s changing digital landscape:

  1. Discover & detect:
    Discover assets that need protecting (including unknown assets), then run automated scans to detect which services, applications and software they expose to the internet. Learn more about asset discovery tools.
  2. Evaluate:
    Evaluate the exposed systems and services in your scan results from step 1. Figure out how they are used by your organization or your customers, and how they could be protected, hardened, or layered behind security controls to reduce your risk.
  3. Mitigate:
    Take active steps to reduce your attack surface. Identify services which are only used by internal staff and layer behind VPNs, remove deprecated or unused software, and harden service configurations to make attacking them harder (e.g. by turning off unused features or enforcing 2FA).

External attack surface examples

Some examples of external attack surface are:

  1. VPNs and gateways:
    used to provide remote access to employees
  1. Applications:
    including applications for your internal staff, marketing applications, and applications for customers.
  1. APIs:
    including APIs for applications, APIs used for automation, and cloud APIs such as AWS lambda or Azure Functions.
  1. Other servers and services:
    such as file transfer services, DNS servers, network-attached storage, database servers, bastion hosts… the list is endless. Any server which opens a port to the internet, on premises or in the cloud, is a target.
  1. IoT devices:
    such as IP cameras, smart lighting, programmable logic controllers, and a surprising number of IoT products which expose services to the internet if you’re not careful!
  1. 3rd party applications:
    data you store with 3rd parties on their internet facing applications is part of your external attack surface too. Important examples here are code repositories, such as Github’s or Gitlab’s SaaS offering.

This isn’t an exhaustive list, but it hopefully helps build up an idea. Anything which an attacker can readily access (including services protected by an authentication layer and 2FA) is external attack surface.

Sign up for your free 14-day trial

7 days free trial

What are the risks associated with poor attack surface management?

The point of attack surface management can be boiled down to taking actions to reduce your risk of attack. The less you expose, and the more hardened the services you must expose are, the harder it is for an attacker to exploit a weakness.

Some types of attacker, such as groups mass-deploying ransomware variants like LockBit, are indiscriminate with who they attack. It’s common for these groups to exploit the latest 0-days in a ‘shotgun-style’ attack - where they simply attack exposed targets across the entire internet and fire the exploit at every exposed target.

What’s more, they won’t even need to run discovery scans, because they can use readily available results from Censys, Shodan, or FOFA to allow them to move fast. Therefore, it follows that the more you expose on your perimeter, the higher the risk of a successful exploit.

Poor attack surface management means that an organization is either not discovering and detecting their exposed servers, or they aren’t taking sufficient action based on the results.

These organizations have more targets to attack, or targets which are easier pickings where attackers are more likely to be successful. An organization that has already secured their newly-vulnerable service behind a VPN (thereby reducing their attack surface) will not be caught out by opportunistic attackers.

Features of an external attack surface management platform

Attack surface management is covered by a wide set of tooling and platforms, each of which differ in what they offer. We go into more depth in our blog article on attack surface management, but below is a brief summary of the features you should look for in an external attack surface management platform:

  1. Asset discovery:
    You can’t manage an asset if you don’t know it exists. Look for a platform with some asset discovery capabilities. Can it find targets for you by pulling targets from your DNS providers, by integrating with your cloud accounts, and/or by actively discovering them? This type of feature will help ensure the number of unknown assets you have out there is minimized. The worst time to find out a system even existed is after it’s been compromised.  
  1. Context:
    Look for platforms which add context to your results (e.g. pointing out admin panels that are internet-exposed, but shouldn't be). Legacy scanners don’t provide this context and neglect reporting on attack surface without immediate vulnerabilities. There may not be a weakness in that exposed panel today, but if you leave it exposed, you can be sure it'll get popped fast when one crops up!
  1. Scanning:
    Scanning your attack surface is an ongoing requirement. Your external attack surface constantly grows and changes as you add new systems and services. Your process needs to be automated, so you can keep up and prevent your understanding from becoming outdated. Look for platforms which scan continuously, and scan proactively or reactively - e.g. by scanning a newly opened port on a known target, or automatically scanning cloud assets as they get created.

Protect your external attack surface with Intruder

With our attack surface monitoring capabilities, Intruder is solving one of the most fundamental problems in cybersecurity: the need to understand how attackers see your organization, where they are likely to break in, and how you can identify, prioritize and eliminate risk. Ready to get started with your 14-day trial? Or get in touch for more information.

Sign up for your free 14-day trial

7 days free trial