Three Approaches to External Attack Surface Management

Attack surfaces today are incredibly large and complex. According to our research team, the size of a company’s attack surface fluctuates up and down by as much as 10 percent a month.

Only two decades ago, a typical company had a single server connected to the Internet. Today, they have thousands of networks connected to the internet—filled with unknown and unmanaged assets and subsidiaries—that an attacker can use to exfiltrate IP and/or breach into their network and systems. 

In short, attack surfaces are moving targets rife with security gaps ready to be exploited. How can CISOs effectively secure these dynamic environments?

The answer: External Attack Surface Management (EASM). But there are various approaches to carrying out an EASM strategy—some less effective than others.

An effective External Attack Surface Management approach requires a solution that can:

• Discover all exposed assets and blind spots. 
• Attribute Assets to the correct owner in the organization.
• Contextualize assets to understand what the asset is and its purpose
• Prioritize the threat based on that context. 
• Prioritize the threat so the security team always knows the critical attack paths into their networks.

With this in mind, let’s dive into three common approaches. 

Approach One: Scan what you already know

Most legacy EASM tools—still commonplace today—operate on a foundation that requires explicit input, such as IP ranges or domain names, or hinges on integrations designed to supply such information. This traditional method inherently limits their scope to scanning assets that are already identified or directly connected to them—for instance, a specific domain name that is associated with a known IP range.

It’s important to understand the characteristics and limitations of these vendors when considering this approach. These include:

• Over-dependence on Inputs: The solution requires the security team to supply foundational data such as IP ranges and domain names, or to establish integrations with existing databases like a Configuration Management Database (CMDB). 
• Inability to Discover Severe Blind Spots: The vendor lacks a clear method for uncovering unknown networks—those not visibly connected or related to your acknowledged networks, such as those of subsidiaries. Since risk accumulates where you’re not looking—this beats the purpose of such tools.
• Inability to Provide Evidence and Context: The vendor lacks a probabilistic methodology. The assets discovered are either owned/related to your organization, or not. It’s binary. There’s no nuance or evidence to back it up.
• Inability to Attribute Assets to Owners: The vendor doesn’t provide a model (like a graph data model) that maps the interconnections between the organization, its environments, and its assets. Generally these solutions’ de facto methodology is to simply scan known / easy-to-find IP ranges (just like Nmap since the 90’s). If you can’t tell who owns the asset – how can remediation ever take place? 

Approach Two: Layer In Human Reconnaissance

Approach One relies on technology-driven scans based on specified datasets, such as known IP ranges and domains. 

The second approach has the same limitations but integrates analysts who engage in active reconnaissance to uncover additional networks and assets. Pentesting companies and small startups tend to fold this into their offerings.

Analysts can enhance the discovery process by employing manual tactics, such as scouring RIPE NCC (Réseaux IP Européens Network Coordination Centre) for IP range allocations, conducting Google searches for subsidiary web applications, and delving into SSL certificate databases. 

However, this approach is extremely resource- and cost-intensive, taking weeks, if not months, for a single assessment. 

A solution that is overly reliant on analyst work will lack a comprehensive model, such as a graph data model, to visualize connections between an organization and its environments. It will solely focus on IP addresses and domains, and only scan predetermined targets. 

Ultimately, for an unwary buyer, this approach can be misleading because what is presented as automated and scalable might actually hinge on unsustainable manual processes.

Approach Three: Automated Reconnaissance EASM

The holy grail. A unified platform like CyCognito that can continuously meticulously map the entire attack surface beyond the corporate core to encompass subsidiaries, acquisitions, joint ventures, and brand operations—and attribute each to its rightful owner. 

CyCognito EASM platform:

• Operates without the need for input or ‘seeds,’ thus emulating the tactics used by attackers themselves. This offers the most authentic perspective of an organization’s vulnerabilities, which is essential for mitigating cyber risk.
• Leverages Natural Language Processing (NLP) and heuristic algorithms to accelerate asset classification.  Given the cost and resource implications of manual classification and the insufficient data in existing databases like CMDBs—where a mere 5%-30% of assets are properly categorized and attributed—this technology becomes indispensable.
• Provides the business context necessary to prioritize risks effectively. Even if a vulnerability affects a thousand machines, CyCognito can identify the most critical one by providing insight into exposure level, business significance, and exploitability.

An EASM approach transcends the trap of treating all critical issues with equal urgency, allowing for the recognition that, realistically, there may only be a handful of truly critical vectors that could lead to an immediate breach.