Security teams know, bug bounty hunters, and ethical hackers know it: Large attack surfaces are hard to manage.
In this day and age, if you’re a medium-large organization without a comprehensive External Attack Surface Management (EASM) program in place, there’s a pretty good chance that you have some hosts on the Internet that you’re not aware of. Despite this, the concept of EASM is still new to many.
In this article, we’ll be covering four different fundamental questions that can be answered by a comprehensive EASM program. For those new to EASM, this will introduce you to the core concepts of EASM and easily allow you to take action on them.
The four fundamental questions we’ll be covering are as follows:
- What Internet-facing assets do I have?
- What vulnerabilities or anomalies do I have?
- Where should I focus my attention?
- How do I fix any existing vulnerabilities or risks?
Let’s jump in.
What Internet-facing assets do I have?
During the past decade, the following series of events has become all too familiar to many organizations:
- Servers were roughly 100% on-premises
- The organization moved to a cloud or hybrid approach
- Various people in the business required access to spin up different cloud assets (e.g. developers spinning up dev environments)
- Permissions were granted for convenience over security
- Various cloud assets were created for temporary uses but were never removed (plus, security/IT staff were unaware of these assets)
- The person originally responsible for spinning up the asset(s) has since left the organization, so nobody knows what it does
Because these assets are unknown or forgotten, they don’t undergo any scrutiny from the security team at any point in time. That’s why the first step to your EASM program is always the discovery of assets.
Stay one (big) step ahead of malicious hackers with asset discovery
Malicious hackers are already running their own automated tools to continuously discover and monitor your organization’s attack surface. This process could include many different techniques, such as monitoring your domains and purchasing them when they expire, constantly scanning for new subdomains and scanning them for vulnerabilities, or constantly port scanning your assets to uncover new services as they become available.
EASM solutions are continuously looking for assets associated with your domains and presenting them to you in a consumable way. Detectify uncovers your digital assets at a DNS level and enriches all discovered targets with open ports, DNS records, and so on.
Essentially, Detectify performs the same reconnaissance tasks that a malicious attacker would if they were attacking your company — the big difference is that the results of Detectify’s reconnaissance are presented to you in an actionable format, instead of a malicious attacker.
What vulnerabilities or anomalies do I have?
Once your digital assets have been discovered, your EASM solution will get to work scanning the discovered assets to uncover vulnerabilities and anomalies.
Today’s security teams are typically bombarded with vulnerability information from multiple sources including bug bounty programs, pentests, and internal scans. A good EASM solution like Detectify will provide rigorous automated testing to ensure that the results are highly accurate with minimal noise. This is important because it ensures that the vulnerability alerts don’t weigh already-strapped security teams down with additional notification fatigue.
Detectify first performs fingerprinting on each asset to determine which technologies are in use. This information is then combined with vulnerability scanning data, which allows Detectify to ensure a 99.7% accuracy rating on vulnerability findings.
Where should I focus my attention?
Once your EASM solution has discovered assets and scanned them for vulnerabilities, the next logical step is to remediate them. So how should you get started?
Enter prioritization.
On top of discovering vulnerabilities, effective EASM solutions will also prioritize them from most to least critical. Naturally, the criticality of a vulnerability will determine where a security team should focus their efforts. A lack of effective prioritization may leave critical vulnerabilities missed or unresolved for too long.
Detectify takes this step one step further, as it also makes it easy for security teams to group assets based on whichever criteria they see as critical. For example, assets may be grouped based on a specific product team that would be accountable for resolving any vulnerabilities in that group of assets.
How do I fix any existing vulnerabilities or risks?
Anyone who works in security knows this inconvenient truth: You’re expected to know about everything, including technologies that you have little to no experience with. For this reason, the remediation of vulnerabilities is often delegated to people with specialist knowledge of the technology, such as developers. The kicker? Developers often don’t have the security expertise to effectively resolve these vulnerabilities. It’s a catch-22.
Lending security teams a helping hand
A good EASM solution won’t stop at detecting and prioritizing vulnerabilities, it will also provide actionable advice on how to resolve them. In this regard, Detectify speaks both languages: Cyberlingo and devlingo. Its solution provides AppSec and ProdSec teams with all the necessary information, such as the request URL, payload used to identify the vulnerability, code snippets, and screenshots whenever they’re available.
Hopefully, this article has given you a well-rounded understanding of what EASM is and why it’s important. Furthermore, chances are that your organization can greatly benefit from implementing a solid EASM solution today. If you’d like to get to know EASM more closely, you can instantly try a two-week free trial or book a demo of Detectify’s comprehensive solution.
Written by:
Luke Stephens
Based on the Sunshine Coast in Australia, Luke is an experienced computer hacker, life hacker, and growth fanatic who heads up his own consultancy, Haksec, and creates content for hackers. Check out his YouTube channel.