Attack surface management (ASM) seeks to analyze and reduce the potential entry points that threat actors could exploit. In short, it’s a fancy way of conceptualizing something you’re probably already doing — even if you don’t think of it as ASM. We’ll break down the concept.
Not sure how you feel about the term “attack surface”? Neither are we. To be honest, some of our internal sysadmins aren’t big fans, but the phrase is used widely enough that we thought it was worth addressing. So don’t take this article as support for the concept itself but rather as a way to make sense of attack surface management when your leadership team wants an update.
What is an attack surface?
An attack surface is the combined total of all the potential entry points that a hacker could exploit to gain access to your environment.
A physical attack surface includes the hardware itself, such as desktops, laptops, mobile devices, hard drives, servers, and routers. But the main focus of ASM is digital attack surfaces, which consist of anything with internet access, including software, operating systems, applications, email systems, databases, network services, APIs, cloud-based platforms, and network-connected hardware.
Basically, the physical attack surface is why you have building security. The digital attack surface is why you follow cybersecurity best practices. While virtually all attack surfaces fall into one of these two categories, some experts propose additional possible attack surfaces:
Human attack surface
Network attack surface
Software attack surface
Wireless attack surface
Web attack surface
Cloud attack surface
Third-party attack surface
To be honest, a lot of these additional attack surface categories might just make the whole concept more confusing. There’s a lot of overlap between them, and several seem more like attack vectors (more on that later) than attack surfaces.
The concept of attack surfaces is still evolving, so feel free to look at the potential categories however they make the most sense to you. But for me, I’m just going to go on believing in two broad attack surfaces: physical and digital. I live a simple life.
Why is attack surface management important?
Carefully coordinated attack surface management can provide several advantages:
Enhanced visibility
Improved cybersecurity asset management
Fortified security posture
Compliance support
Risk reduction
Improved security resource allocation
More timely threat detection
Enhanced incident response
Reduced business disruptions
And if those potential benefits don’t appeal to you, don’t forget that you’ll also get the added bonus of throwing around the term “attack surface management” to simultaneously impress and confuse higher-ups.
Attack surface management functions
Now that we’ve bravely done our darndest to define what attack surfaces are, we can discuss how to manage them. Technically, a bunch of things that are just general best practices fall into attack surface management. That means you might be an expert in ASM even if you have a long-standing beef with the term itself.
Discovery
You know the drill: To protect your environment, you need to know what’s in it. And that means performing regular asset discovery to maintain an up-to-date asset inventory.
Discovery should look to identify not only known assets but also unknown assets. Here's how some of those assets may break down.
Known assets
Internal IT infrastructure: Internal IT infrastructure consists of assets you already know about, approve of, and oversee.
Third-party assets: Third-party assets are those owned by external vendors that you allow in your infrastructure, such as apps and APIs.
Unknown assets
Shadow IT: Shadow IT includes any hardware or software used in your environment without administrative oversight.
Orphaned IT: Orphaned IT refers to assets that your company doesn’t use but also hasn’t retired.
Malicious IT: Sometimes called rogue IT, malicious IT consists of assets planted by threat actors.
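One way to sort discovered assets into the known/unknown buckets above is to reconcile what a scan actually found against what the approved inventory says. This is an added example, not code from the article or from PDQ; the hostnames, dates, and the 90-day orphan threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: hostnames a network/agent scan reported, with last-seen dates.
DISCOVERED = {
    "fs01": date(2024, 6, 1),
    "hr-laptop7": date(2024, 6, 2),
    "vendor-api-gw": date(2024, 6, 1),
    "raspberrypi": date(2024, 5, 30),   # seen on the network, absent from the inventory
    "old-print01": date(2024, 1, 15),   # approved, but nobody has touched it in months
}
# Constructed sample data: what the approved inventory (CMDB) says about ownership.
APPROVED = {
    "fs01": "internal",
    "hr-laptop7": "internal",
    "vendor-api-gw": "Acme Payments",   # third-party asset allowed in the environment
    "old-print01": "internal",
    "retired-db": "internal",           # in the CMDB, never found by the scan
}
TODAY = date(2024, 6, 3)
ORPHAN_AFTER = timedelta(days=90)       # assumed cutoff for "not used, not retired"

def reconcile(discovered, approved, today):
    """Bucket assets using the article's categories.

    Malicious (rogue) IT is not inferred here: inventory data alone cannot tell a
    forgotten lab device from something an intruder planted, so every host in the
    "shadow IT" bucket is a candidate for manual triage.
    """
    buckets = {"known internal": [], "known third-party": [],
               "shadow IT": [], "orphaned IT": []}
    for host, last_seen in discovered.items():
        if host not in approved:
            buckets["shadow IT"].append(host)          # no administrative oversight
        elif today - last_seen > ORPHAN_AFTER:
            buckets["orphaned IT"].append(host)        # approved but stale
        elif approved[host] == "internal":
            buckets["known internal"].append(host)
        else:
            buckets["known third-party"].append(host)
    # Inventory entries the scan never found are orphan candidates too:
    # they are still "approved" but may have been decommissioned without being retired.
    for host in approved:
        if host not in discovered:
            buckets["orphaned IT"].append(host)
    return {name: sorted(hosts) for name, hosts in buckets.items()}

def reconcile_sample():
    return reconcile(DISCOVERED, APPROVED, TODAY)
```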
Mapping
The importance of asset mapping grows as your fleet of physical and digital assets expands. Your collection of IT infrastructure maps may include the following:
Logical map: A logical map focuses on network behavior and the movement of data, tracking how system components process and relay information. This map may include IP addresses, subnets, VLAN IDs, WAN links, and traffic flows.
Functional map: A functional map tracks the behavior of functional elements, such as applications, services, and networks. It helps show the interactions and dependencies between network services and applications.
Physical map: A physical map details the locations and technical details of assets. This map is critical for planning physical security, troubleshooting hardware issues, and performing network maintenance.
Testing
Testing is one of the best ways to get insights into potential vulnerabilities. The full range of cybersecurity tests could technically fall under attack surface management, but vulnerability scanning and penetration testing are particularly important.
Vulnerability scanning consists of automatically searching for and reporting on security vulnerabilities so that you can proactively close those gaps. Meanwhile, penetration testing relies on attack simulation to see how threat actors might gain access to your environment — and generally includes vulnerability scanning.
While performing these tests can help you spot flaws before hackers do, it is also essential to security control validation.
Contextualization
Let’s face the facts: There’s no way you can patch every possible vulnerability. And depending on your environment, some vulnerabilities just aren’t worth addressing. That’s why context is so important to attack surface management.
Understanding the business context, risk, and compliance requirements makes it easier to focus on the vulnerabilities that matter most to your environment, improving prioritization and resource allocation.
Prioritization
Prioritization is essential for attack surface risk management. Combining your knowledge of your environment and cyber threat intelligence, you need to decide which risks to mitigate, which to remediate, and which to accept.
This often involves assigning security ratings to vulnerabilities based on the following factors:
Severity of the vulnerability
Ease of exploitation
Likelihood of exploitation
Value of the exposed asset
Public exposure
Regulatory requirements
Cost of remediation
Complexity of remediation
Time and staff availability required to patch
Remediation & mitigation
Once you’ve gotten through all your discovery, mapping, testing, contextualization, and prioritization, then attack surface reduction can begin.
Remediation
Remediation involves patching or fixing the vulnerability. Some automated tools can do this without human help. Alternatively, your IT team, security team, and development team may have a hand in the process.
Mitigation
In some cases, remediation may not be feasible. This may occur in the following scenarios:
A patch is not yet available
You use outdated IT that is no longer supported
The fix is too time consuming or expensive
A third party controls the asset
Addressing the vulnerability would disrupt business operations
In these instances, mitigation is often the next best option to protect sensitive information. Mitigation efforts aim to manage risks effectively to reduce the threat level and minimize the potential impact. Common mitigation strategies include the following:
Up-to-date security software
Network segmentation
System hardening
Encryption of sensitive data
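Putting the prioritization factors and the remediate/mitigate/accept decision together, here is an added example (not from the article or PDQ) of a small triage routine. The weights, thresholds, and sample findings are assumptions chosen for illustration, not an industry scoring standard; the "mitigate" branch is driven by the scenarios above in which remediation is not feasible.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One vulnerability on one asset, rated with the factors the article lists."""
    name: str
    severity: float            # 0-10, e.g. a CVSS base score
    exploit_ease: float        # 0-1, how easy it is to exploit
    exploit_likelihood: float  # 0-1, e.g. from threat intel on active exploitation
    asset_value: float         # 0-1, business value of the exposed asset
    public_exposure: bool      # reachable from the internet
    regulated: bool            # in scope for a regulatory requirement
    remediation_cost: float    # 0-1, combined cost, complexity and staff time to patch
    patch_available: bool = True
    vendor_supported: bool = True
    third_party_controlled: bool = False
    disrupts_operations: bool = False

# Assumed weights and thresholds for illustration only.
PUBLIC_MULTIPLIER = 1.5
REGULATED_BONUS = 1.0
ACCEPT_BELOW = 3.0
COST_TOO_HIGH = 0.8

def risk_score(f: Finding) -> float:
    """Severity scaled by exploitability and asset value, capped at 10."""
    score = f.severity
    for factor in (f.exploit_ease, f.exploit_likelihood, f.asset_value):
        score *= 0.5 + 0.5 * factor   # each factor scales the score between 50% and 100%
    if f.public_exposure:
        score *= PUBLIC_MULTIPLIER
    if f.regulated:
        score += REGULATED_BONUS
    return round(min(score, 10.0), 2)

def decide(f: Finding) -> str:
    """Accept low-risk findings; mitigate when remediation is not feasible; else remediate."""
    if risk_score(f) < ACCEPT_BELOW:
        return "accept"
    blockers = (not f.patch_available,            # a patch is not yet available
                not f.vendor_supported,           # outdated IT no longer supported
                f.remediation_cost > COST_TOO_HIGH,  # too time consuming or expensive
                f.third_party_controlled,         # a third party controls the asset
                f.disrupts_operations)            # fixing it would disrupt operations
    return "mitigate" if any(blockers) else "remediate"

def triage(findings: list) -> list:
    """Highest risk first, each with its score and the chosen action."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.name, risk_score(f), decide(f)) for f in ranked]
```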
Attack surface management FAQs
What’s the difference between an attack surface and an attack vector?
While an attack surface refers to the space that could be breached, the attack vector is the method a threat actor uses. We’re talking social engineering, malware, encryption issues, compromised credentials, unpatched software, insider threats, open ports, and all those other horrifying things that make you wake up in a cold sweat in the middle of the night.
Attack surfaces and attack vectors go hand in hand, so it’s easy to mistake the two. But while they may be related, they’re two distinct concepts.
What’s the difference between attack surface management, exposure management, and vulnerability management?
Attack surface management, exposure management, and vulnerability management are related concepts that differ slightly in their focus and scope.
Attack surface management: This discipline focuses on discovering, mapping, and testing assets — then contextualizing, prioritizing, and remediating gaps that an attacker could exploit. The purpose of attack surface management is to help security teams reduce the attack surface by protecting the highest-priority assets.
Vulnerability management: This process aims to inventory, assess, prioritize, remediate, and monitor vulnerabilities, reducing the risk of potential exploitation.
Exposure management: This broader, holistic approach looks at both technical aspects (like those addressed in attack surface and vulnerability management) and nontechnical factors to consider all potential sources of cyber risk, including human factors, regulatory compliance, third-party risks, and more.
What is continuous attack surface management?
Continuous attack surface management (CASM) is an advanced approach that relies on automation to streamline processes and reduce human effort, ideally accomplishing all the main components of conventional attack surface management with less manual work.
What is external attack surface management?
External attack surface management (EASM) focuses exclusively on external assets hosted beyond the company firewall, such as resources hosted in the public cloud or at a third-party partner’s office. IT teams often have limited visibility over these resources, making them an appealing target for malicious actors.
PDQ Deploy & Inventory and PDQ Connect assist with the discovery and remediation aspects of attack surface management. You need visibility into your environment and software patching capabilities to reduce your attack surface, and those just happen to be two of our three main passions in life. (The third is obviously floppy disk golf.)
Sign up for a free 14-day trial to simplify your ASM with real-time device information, automated patch management, custom reports, and other powerful features.
But wait — there’s more! PDQ Detect makes your life even easier by offering unparalleled attack surface visibility while prioritizing vulnerabilities contextually so that you don’t have to do so much manual work. And obviously, that means more time for perfecting your floppy disk golf form.