In a recent report from Gartner, External Attack Surface Management (EASM) has been highlighted as a major category in cybersecurity. According to Gartner, EASM is an emerging product set that supports organizations in identifying risks coming from internet-facing assets and systems that they may be unaware of threats such as shadow IT, exposure management and, expanding attack surfaces. 

In our latest panel discussion with CISO Platform, our speakers - Paul Dibellow, SVP, FireCompass, Tejas Shroff, Director, NTT Data, Ed Adams, CEO, Security Innovation and Bikash Barai, CoFounder FireCompass go over “Why Gartner Is Talking About External Attack Surface Management?”. In this discussion, our panel discussed the critical capabilities of EASM, common use cases, and the MITRE ATT&CK framework. 

Bikash talks about the tools that one can use based on the maturity level of the organization. He mentions, one can start with open source tools and build a recon base, and start with point-in-time testing, while gradually then move towards enterprise solutions to do this more continuously. 

 

What is EASM?

 

Bikash takes the panel down the memory lane through his analogy when for two decades vulnerability testing and Penetration testing were something that kept the organization safe. Security was mostly concerned at the network level. However, he mentions, in the last 6-7years threat vectors have increased. Sharing about a data breach he talks about a large enterprise that faced a massive data breach that happened because one of their databases was left online without a password. The security landscape has massively changed over the last 4-5years. Earlier whatever went online went through the central IT team but in the recent past, almost everyone in the organization put up data on the cloud, and all departments are not trained on the security aspects of these assets. 

This creates invisibility for the security team. Currently, the organizations have no central control on which assets go online and how protected they are.

So these are the “unknown unknowns” and most of the breaches are happening because of these assets. 

Managing the external attack surface has become critical because of these shadow IT assets. Because of these issues, the EASM acronym got coined by Gartner, as a concept it means knowing what your attack surface includes, which assets are exposed and how protected one is external. 

While we already had the term Attack Surface Management in the industry, EASM focuses only on the external attack surface. 

Ed mentions that the external attack surface is a sum of all potential digital doorways into an enterprise, which includes, third-party suppliers, partners, cloud services, work from home setups, and more.

The first step is the discovery of this attack surface, and once it discovers,  the next step would be to categorize the risk and mitigate the high risk. However, Ed stresses the fact that external attack surface management needs to be ongoing and persistent.

 

 

Real Life Examples of Attacks on External Attack Surface

Solarwinds Attack: In December 2020, hackers exploited a vulnerability in SolarWinds' Orion software update to gain unauthorized access to government and SolarWinds systems. In February 2021, Detectify added the zero-day vulnerability, CVE-2020-10148 SolarWinds Orion Authentication Bypass, to its scanner to help organizations identify and mitigate the risk.

Equifax's data breach was partly due to the company's inability to identify vulnerable versions of Apache Struts. A report by the U.S. Federal Trade Commission revealed that Equifax did not maintain an accurate inventory of its public-facing applications, leading to the oversight.

Kaseya Ramsomware: In July 2021, a ransomware attack targeted Kaseya software, affecting up to 1,500 organizations. The attack leveraged a vulnerability in Kaseya's VSA software, which allowed malicious actors to carry out a supply chain ransomware attack against multiple managed service providers (MSP) and their customers.

The Log4Shell vulnerability has proven to be difficult to remediate, as detecting or discovering log4j libraries has proved challenging. The vulnerability is particularly challenging to mitigate since Java files may be deeply embedded within applications and source code.

Kubernetes clusters: A recent discovery by researchers revealed that over 240,000 Kubernetes clusters were publicly exposed on the internet, with open kubelet ports, making them easy targets for threat actors to exploit. 

 

Use Cases - External Attack Surface Management

 

  1. Asset Inventory - Keeping a track of external assets has become a major challenge for organizations. EASM as a concept covers the management of external assets. 
  2. Shadow It discovery - Shadow It is assets that are basically the unknown unknowns in an organization. There are multiple tools to discover these hidden vulnerable assets. Tools like CASB, help you identify the applications used by the employees of an organization to put up the assets in the cloud but they cannot identify the asset itself. Because it only scans the network and not the whole internet. Whereas EASM tools scan all internet assets. So CASB and EASM solve the issues in a complimentary way.
  3. SOC augmentation - Since the challenges today are multiplying by the hour, EASM can work in tandem with SOC, where EASM can feed the information of misconfigured assets to SOC, which then can be taken at a high priority. So basically the intelligence coming from EASM would help SOC. 
  4. EASM augments threat intelligence - Where EASM can feed data to threat management tools. 
  5. Augmenting Vulnerability Management - This one is simple, if one is not aware of the assets, one can’t put them under a vulnerability management program. 
  6. Augmenting red, blue, and purple teaming capabilities by doing the initial reconnaissance and feeding the data to conduct these attacks. 

 

External attack surfaces can exist in various forms and are unique to each organization, depending on their IT infrastructure, services, and applications. Here are some real-life external attack surface examples:

  1. Web Applications: Web applications are one of the most common external attack surfaces for organizations. They are accessible over the internet and can be accessed by anyone with a web connection. Attackers can exploit vulnerabilities in web applications to gain access to sensitive data or execute malicious code.

  2. Cloud Infrastructure: With more organizations moving their IT infrastructure to the cloud, cloud-based services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) have become a significant external attack surface. Attackers can target misconfigured cloud resources or exploit vulnerabilities in cloud-based applications to gain unauthorized access.

  3. Third-Party Vendors: Organizations often rely on third-party vendors to provide various services, such as payment processing, customer support, or data storage. These vendors can become an external attack surface if they have access to the organization's network or sensitive data. Attackers can exploit vulnerabilities in third-party vendor systems to gain unauthorized access to the organization's network.

  4. Internet of Things (IoT) Devices: The growing number of IoT devices such as smart home devices, wearables, and industrial control systems have become an external attack surface for organizations. Attackers can exploit vulnerabilities in IoT devices to gain access to an organization's network or launch attacks against connected systems.

  5. Remote Access: With more employees working remotely, remote access systems such as Virtual Private Networks (VPNs) have become an external attack surface. Attackers can exploit vulnerabilities in remote access systems to gain unauthorized access to an organization's network and sensitive data.

Overall, any system or service that is accessible over the internet can become an external attack surface for organizations. It is essential to identify, assess, and mitigate these risks to protect the organization from cyber threats.

 
E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform