Guide to Picking an Attack Surface Management Solution

Introduction

Attack Surface Management (ASM) a.k.a External Attack Surface Management (EASM) is a fast-growing trend in cybersecurity, and with good reason. The trend is born out of necessity.

In recent years, a popular tactic for threat actors wishing to gain access to their victim's internal network has been using deep OSINT techniques combined with continuous monitoring to discover forgotten assets that may be exploitable. The best way to defend against this tactic is to outperform threat actors by performing your own reconnaissance and vulnerability scanning. In other words, your best defense is a good ASM program. ASM is also a natural extension of Infrastructure Monitoring, which has been common practice for many years.

So, you decide that it's time to implement a good ASM program at your organization, and you start taking a look at the solutions that are available today. It won't take long before you realize there are hundreds of options out there, and deciphering the differences is a daunting task. By the end of this article - you'll be armed with the knowledge you need to pick the best solution for your needs.

Breadth: The 4 Phases of Attack Surface Management

A good ASM program can be split into 4 phases. Discovery, assessment, prioritization, and remediation.

There are many tools out there claiming to be full ASM solutions, but they do not all cover all 4 phases here. For example, you may find some solutions that perform asset discovery, but never perform the assessment phase, where vulnerabilities are discovered. Whichever solution you choose, it's important that it will help you to achieve all 4 phases.

What About Depth? 🕳️

We can determine the effectiveness of an ASM program by looking at the breadth and depth that it is capable of achieving.

• The breadth of the program is determined by how many phases of the 4 phases are covered, as covered in the previous section.
• The depth of the program is determined by how well each of these phases is performed.

Let's take a look at the discovery phase as an example. In this phase, the goal is to discover as much of the attack surface as possible. It would be tempting to stop at subdomain enumeration - but the discovery phase can go far deeper than that. We could also discover:

• IP spaces
• Subsidiaries
• Tech stacks
• URLs (through spidering)
• Code repositories
• Email addresses
• Historical data

All of these are part of an organization's attack surface, but only an extremely deep ASM solution would discover them. When comparing ASM solutions, it is important to take depth into account. The deeper an ASM solution goes on each phase, the better your results will be. Keep in mind that you are competing with motivated hackers.

Self-Hosted vs. Managed

Some ASM solution vendors only offer self-hosted, others only offer managed, and some offer a choice. No matter which you choose, there are pros and cons. Ultimately the decision will come down to your specific use case. It's good to keep in mind the following points:

• If you're monitoring a large attack surface, scale is going to be an issue. Are you willing/able to manage your own scalable infrastructure?
• If you're actively scanning systems that are not your own, you will likely receive abuse complaints. Are you equipped to deal with these?
• What is the cost/benefit of hosting your own infrastructure vs. just paying for a managed solution?

In most cases, I think you will find that a managed solution will make more financial sense, and just generally be less hassle.

Off-The-Shelf vs. Custom-Made

Custom-made solutions will afford you infinite flexibility and extensibility, which may be necessary for monitoring specific, unusual attack surfaces. For example, you may wish to monitor some custom devices over a specific protocol that is not supported by the existing ASM solution. In this case, building a custom solution may be the only option.

There are many open-source tools available today that can be melded together to create a reasonably effective ASM solution at a very low cost, in a short amount of time. Compared to a purpose-built OTS solution, it will most likely always feel less polished, but this may be an option for you - especially if you are constrained by budget.

For most enterprise customers, off-the-shelf solutions will be the most logical choice. While they do not allow the same flexibility - the functionality that they offer will typically surpass anything that could be built internally in a reasonable budget and timeframe.

Integrations

The best Attack Surface Management programs will integrate with your existing systems. Do you currently use Jira to manage security issues? Make sure your ASM solution integrates with Jira. Does your security team use Slack for real-time alerts? Make sure your ASM solution integrates with Slack.

You don't want your ASM solution to be another dashboard that requires monitoring for an already-overworked security team. Rather, your ASM solution should make your life easier by automating tasks that would otherwise require manual effort. You don't want to spend an hour every day manually duplicating issues from an ASM solution dashboard to your ticketing system.

Customer Support

Despite what the vendor salesman will tell you - an ASM Solution will likely not be a one-click setup. It's always good to have someone you can contact to help you with setup, integrations, or to answer any general questions. A responsive, highly skilled support team will be invaluable.

Trickest

Trickest is a tool for creating custom automated security workflows. It is unique in that it is both infinitely flexible and serverless. The functionality of Trickest can extend way beyond Attack Surface Management, but it is an excellent option for building custom ASM workflows for your organization. For an example of the power of Trickest, see our "Asset Inventory" GitHub repo, where we use Trickest to constantly perform reconnaissance on public bug bounty platforms, and publish the results.

If you'd like to give Trickest a go - Register by filling out the form.