In today's digital landscape, managing an organization's external attack surface is paramount for cybersecurity. External Attack Surface Management (ASM) involves understanding and securing all assets, including those beyond the traditional network perimeter. This capability is crucial for identifying vulnerabilities, mitigating risks, and enhancing overall cybersecurity posture. To effectively establish an ASM capability, organizations need to leverage appropriate tools, techniques, and procedures.
Here is the verbatim discussion:
Sure, sure, thanks Paul. Let me take this up in two parts. Paul, I recall you also asked a question on use cases, and I mentioned that we'd first discuss what ASM is and then come back to the use cases. So let's divide this into two parts: one is the use cases, and the second part is the tools, techniques, and procedures.

When it comes to the use cases, there are a few key use cases which an EASM tool solves. One is the asset inventory. Today asset inventory has become a major challenge. Of course, EASM cannot do the internal assets; it can only do the external asset inventory, and for internal asset inventory you have another set of tools. So asset inventory is one use case.

The second use case is shadow IT discovery: discovering those unknown unknowns in your asset inventory. Now, when it comes to shadow IT, there are multiple tools which can help you with shadow IT. One is the CASB kind of tools. The CASB tools can find out shadow IT in terms of what kind of applications are being used by the employees of an organization which are not known to the IT team. But the CASB tools cannot find out shadow IT of the kind where marketing created a new database somewhere while working with a third-party vendor, because that needs scanning the internet, whereas a CASB only scans the traffic which is coming out of your network. A CASB does not scan all the internet assets, whereas EASM scans all internet assets. So it is shadow IT, but of a different flavor, not of the flavor of CASB. CASB and ASM solve this in a very complementary manner: what CASB does, ASM doesn't do, and what EASM does, CASB doesn't do. So shadow IT is the second.

The third use case is SOC augmentation. Today, imagine the many kinds of alerts which are coming up, and we all know that the SOC has the challenge of "which one should I act upon?" That's a very hard challenge, right? So if EASM can feed this information to you ("here is a new database that has gone online which is misconfigured or runs an old version of a database"), then any ping or port scan that comes there you take at a high priority, whereas a normal ping you don't take at a high priority. So the intelligence coming from EASM could help the SOC.

The fourth use case could also be where EASM augments threat intelligence. Threat intelligence is more about actors and their TTPs at the broad industry level. How can you make it pinpointed to a specific... like how that threat intelligence, that actor, poses a risk for your organization? If you can correlate that with your attack surface and the risk, then you can make it more actionable. So augmenting TI will be another.

Augmenting the vulnerability management program is another use case, because if you don't know the assets, you can't put them under the vulnerability management program, right? If you don't know that here is a pre-production system which is out there online and has got critical data, obviously you can't take any step related to that. So it also augments the vulnerability management program.

It also augments red and blue teaming, because EASM does the first part, which is the reconnaissance, and then also another set of EASM tools are coming up which are like the continuous automated red teaming tools, etc. So that also augments red teaming capability: red teaming, blue teaming or purple teaming, augmenting that as a capability, and control effectiveness testing as a part of that. That's another. So these are some six, seven key use cases. Paul, this is kind of in continuation to your previous question.

Let me next move to the second question which you mentioned, which is about the tools, techniques, and procedures. Suppose you have to, or you want to, build ASM capability: how do you get started with that? Obviously there are multiple tools out there in the industry and it is maturing; red teaming is getting combined, etc., all those things. But let me share some of those options which are out there, which could also be part of picking up open-source tools.

So let me start with open-source tools, what you can do with open-source tools, and I will also talk later on about the other technologies which are out there available. If you look at EASM, the primary capability is nothing but reconnaissance, right? And if you try to find out the reconnaissance tools which are out there, if you just do a Google search, you will find more than 500 such kinds of reconnaissance tools which can help you to discover various types of assets, which can help you to do subdomain discovery, etc. I'm not naming all these tools; largely these are various small tools which you can tie together, string together, and use, or a consultant could use them.

So you can use these reconnaissance tools, but these tools are not good enough. Along with the reconnaissance tools you also need a lot of data. For example, you need the IP WHOIS information of the entire globe; then you'll be able to pinpoint your assets in a more accurate manner. So you also need to get all this WHOIS information, the domain registration details. Now, unfortunately, you can't get all of this data for free, so some of this data you have to buy. You need dark web information, which could also be utilized as a part of reconnaissance. So there is all this data which is out there which you need.

Now the next part is using these tools and this data. You may initially just focus on open-source intelligence; don't buy any kind of data which is proprietary or which companies are selling. So I think there's a good start where you can start with all these open-source tools and open-source intelligence data or publicly available data and build an initial reconnaissance capability. Using that capability you can then do it a few times; depending on how big your organization is, you can do it monthly or quarterly, etc. So I would say that's the level one maturity which you can get to using open-source tools and open-source intelligence.

The next part is where you move to something which is enterprise-grade automated tools which are out there, and there is this set of companies which has invested in buying this data, creating their own tools, doing that automation, which can now help you to do it on a regular basis. So if you look at these tools, you can start with open-source tools, then gradually move to these enterprise-grade tools. You can start with your internal team, you can go to consultants and ask them to do it, or you can rely on the software-as-a-service options. So there are right now various types of options.

A good way to find this information and knowledge: the keyword is "reconnaissance" rather than "external attack surface management". EASM is more of the market name, but if you want to find the technical tools and all this stuff, go with the word "recon". And interestingly, DEF CON used to do this Recon Village for quite a few years; now obviously due to the pandemic, etc., I don't know what's the state this year. So you'll find a lot of interesting talks at DEF CON on reconnaissance techniques; check out what all happened at Recon Village, check out the talks, etc. So that's a good start, and then whenever you want to scale the program, go for these tools which are out there available. These tools also do internet-wide scanning of every single IP address, collect that data, index it, and stuff like that. So these are some tools, techniques, and procedures which I would highlight. Tejas and Ed, if you guys want to add anything more on top of it.
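The open-source recon loop the speaker describes (subdomain discovery, WHOIS-based attribution, reconciliation against the IT team's inventory, and feeding the result to the SOC) is sketched below as an added example; it is not code from the panel or from any EASM product. Every input is constructed: the certificate-transparency SAN strings, the WHOIS registrant and banner data, the CMDB contents and the `EOL_MARKERS` list are placeholders standing in for the real feeds a team would plug in. The example goes slightly beyond the talk by showing how an alert against a shadow-IT or end-of-life host is escalated while the same alert against a known, current host is not.

```python
"""Added example (not from the panel): one passive-recon reconciliation cycle
covering three use cases discussed above: external asset inventory,
shadow-IT discovery, and SOC alert prioritisation.
All data below is constructed for illustration; the hostnames, registrant
strings and version markers are placeholders, not real systems."""
from dataclasses import dataclass

# Constructed sample: subject-alternative-name strings as one might extract
# from certificate transparency records for a seed domain. Wildcards and
# duplicates are included on purpose because real CT data contains both.
CT_SAN_ENTRIES = [
    "www.example-corp.test, WWW.example-corp.test",
    "*.example-corp.test, vpn.example-corp.test",
    "mktg-db.example-corp.test",
    "preprod.example-corp.test, preprod.example-corp.test",
    "blog.unrelated.test",
]

# Constructed sample: (WHOIS registrant, service banner) per host. In a real
# cycle this comes from purchased or public WHOIS data plus a banner grab.
ENRICHMENT = {
    "www.example-corp.test": ("Example Corp", "nginx 1.24"),
    "vpn.example-corp.test": ("Example Corp", "openvpn 2.6"),
    "mktg-db.example-corp.test": ("Example Corp", "mysql 5.5"),
    "preprod.example-corp.test": ("Example Corp", "tomcat 7"),
    "blog.unrelated.test": ("Someone Else", "wordpress"),
}

# Constructed sample: what the IT team's CMDB says the organisation owns.
KNOWN_INVENTORY = {"www.example-corp.test", "vpn.example-corp.test"}

# Hypothetical end-of-life markers a team would maintain for its own stack.
EOL_MARKERS = ("mysql 5.5", "tomcat 7")


@dataclass(frozen=True)
class Asset:
    host: str
    service: str
    known: bool      # present in the CMDB
    outdated: bool   # banner matches an EOL marker


def hosts_from_ct(entries):
    """Subdomain discovery step: split SAN lists, normalise case, drop
    wildcard names (they are patterns, not hosts) and de-duplicate."""
    hosts = set()
    for entry in entries:
        for name in entry.split(","):
            name = name.strip().lower()
            if name and not name.startswith("*."):
                hosts.add(name)
    return sorted(hosts)


def build_inventory(hosts, enrichment, org, known, eol_markers):
    """Attribution step: keep hosts whose WHOIS registrant matches the
    organisation, then flag each as known/unknown and current/outdated."""
    assets = []
    for host in hosts:
        registrant, service = enrichment.get(host, ("", ""))
        if registrant != org:
            continue  # not ours: drop it rather than report someone else's asset
        outdated = any(marker in service for marker in eol_markers)
        assets.append(Asset(host, service, host in known, outdated))
    return assets


def find_shadow_it(assets):
    """Shadow-IT step: assets attributed to us but absent from the CMDB."""
    return [a for a in assets if not a.known]


def alert_priority(alert_host, assets):
    """SOC augmentation step: rank an inbound alert (say, a port scan) by
    attack-surface context. Unknown or outdated targets are escalated, a
    known current asset stays at normal priority, and a host we could not
    attribute to the organisation is informational only."""
    asset = {a.host: a for a in assets}.get(alert_host)
    if asset is None:
        return "informational"
    if not asset.known or asset.outdated:
        return "high"
    return "normal"


def run_cycle():
    """One recon cycle; the speaker suggests monthly or quarterly at first."""
    hosts = hosts_from_ct(CT_SAN_ENTRIES)
    assets = build_inventory(hosts, ENRICHMENT, "Example Corp",
                             KNOWN_INVENTORY, EOL_MARKERS)
    return {
        "discovered": len(hosts),
        "attributed": [a.host for a in assets],
        "shadow_it": [a.host for a in find_shadow_it(assets)],
        "outdated": [a.host for a in assets if a.outdated],
    }


if __name__ == "__main__":
    for key, value in run_cycle().items():
        print(f"{key}: {value}")
    assets = build_inventory(hosts_from_ct(CT_SAN_ENTRIES), ENRICHMENT,
                             "Example Corp", KNOWN_INVENTORY, EOL_MARKERS)
    for host in ("mktg-db.example-corp.test", "www.example-corp.test",
                 "blog.unrelated.test"):
        print(f"port scan against {host}: {alert_priority(host, assets)}")
```

Two design points worth noting. Attribution happens before anything is reported, so a CT hit for an unrelated domain that merely shares a certificate never lands in the inventory; and the alert ranking consults the recon result rather than the CMDB alone, which is exactly the gap the speaker describes: the marketing database is invisible to the CMDB but visible to recon, so a scan against it is escalated.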
Bikash Barai is credited with several innovations in the domain of network security and anti-spam technologies and holds multiple patents with the USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.
https://twitter.com/bikashbarai1
https://www.linkedin.com/in/bikashbarai/
Ed Adams is a seasoned software quality and security expert with over two decades of industry experience. As CEO of Security Innovation and a Ponemon Institute Research Fellow, Ed is renowned for his contributions to advancing cybersecurity practices. With a diverse background spanning from engineering for the US Army to senior management positions in leading tech companies, Ed brings a wealth of expertise to the table.
https://www.linkedin.com/in/edadamsboston
Paul DiBello, based in Duxbury, MA, US, is currently Senior Vice President, Global Business Development at ShadowDragon, bringing experience from previous roles at FireCompass, R9B, Virtru Corporation and iSIGHT Partners - A FireEye Company. Paul DiBello holds a Bachelor of Arts (BA) in Economics from Princeton University (1986 - 1990). With a robust skill set that includes software, sales, project management, development, operations and more, Paul DiBello contributes valuable insights to the industry.
https://www.linkedin.com/in/pauldibello11
Tejas Shroff, based in Boston, MA, US, is currently a Software Engineer at Tangle, bringing experience from previous roles at Aperion Studios, XPO Logistics, Inc., Oculus VR and Beach Day Studios. Tejas Shroff completed a UX Design Immersive in Design & User Experience at General Assembly (2019). With a robust skill set that includes leadership, social networking, start-ups, social media, teamwork and more, Tejas Shroff contributes valuable insights to the industry.
https://www.linkedin.com/in/tejasshroff