How To Evaluate An Attack Surface Management Tool – The Bigger Picture.

Every CISO wants to understand how a security solution will move the overall security needle in the “greater scheme of things”. Although everyone understands that solving specific issues (like malware, user errors, unmanaged assets, unpatched vulnerabilities, mis-deployed controls or remote access etc.) is important, they also want to see the bigger picture – they want to know how the solution is going to improve the overall security posture in a meaningful way.

And this brings us to the question of how to evaluate an Attack Surface Management Tool when it comes to the “bigger” picture.

To set the context, let’s first try to understand what exactly Attack Surface Discovery is and why people need it.

An attack surface is the sum of all of the different points that can be leveraged as an “attack vector” for any attacker who wants to do something against your environment. It really is that simple. If there is something someone can learn about you that they can use against you, well that is technically part of your attack surface. That is a lot of stuff. So let us tighten up the definition.

Since there are very specific products out there to address various aspects of an attack surface, for the purpose of this discussion, let us focus on External Attack Surface Management or EASM. This is a tool or set of tools that specifically focuses on the part of your attack surface that is publicly visible or accessible via the internet. These are the common threat vectors that can be used remotely by an attacker – the low-hanging fruit of the threat vector tree.

So what is the big picture you need to consider when looking at EASM solutions, and then what is the bigger picture: how much will it affect your overall security? Will it really move the needle?

The big picture of External Attack Surface Management (EASM) involves several important benefits:

  • It identifies all the potential vectors so you can address them before someone else finds them.
  • It offers the ability to protect assets you don’t yet know about. In many cases identifying your attack surface will start with identifying all your assets, even those currently unknown to you.
  • With an accurate accounting of your attack surface you can take steps to reduce unnecessary exposures.
  • You can improve the outcomes of other security tools that depend on an accurate asset inventory (e.g. vulnerability scans).

When evaluating an External Attack Surface Management Solution you should view it through the lens of its ability to achieve those objectives. So let’s drill down into how these solutions work.

Mimic The Attacker:

External Attack Surface Management (EASM) tools should operate in a way similar to the way attackers do their own discovery of your attack surface, or, as security professionals call it, “reconnaissance”. Good recon will involve a combination of both passive and active data-gathering methods as well as good data science to help weed through the vast amount of data generated during the process.

Data Sourcing & Intelligence:

Most EASM solutions rely purely on passive data gathering. This means pulling information from third-party data sources and not actually scanning anything. There are many potential data sources available that range in quality, completeness and how current the data is.

Using poor data sources, such as solutions that only rely on open-source data, may provide an attack surface picture that inherits the poor quality of the data it is based on. This means your understanding of your attack surface can be incomplete and out of date and quite possibly have wrong data (can someone say false-positive).

Good data will make everything better so make sure your EASM solution also uses purchased data as well as data sources that include data that may exist in more obscure places such as the deep and dark web. Remember, the goal of EASM is to identify all the threat vectors that can cause you problems. Sometimes those vectors are only identified by going into some unusual places.

Data Mapping:

The next thing you need to consider is whether or not the solution uses active data-gathering techniques. These are the things that will directly try to map out your network using network scanners, port mappers, vulnerability scanners and more.

Active scanning layered on top of passive data gathering adds a few important benefits to the equation:

  • Active scans produce a wealth of truly actionable information that may not exist in the third-party data sets.
  • Data generated by active scans can help rule out bad data that may have surfaced in the passive gathering (cleaning up those false positives).
  • Active scans can be run more often and provide the most current information, versus third-party data that may be several months old.

So, when it comes down to it, EASM will help you gain some much-needed visibility into your attack surface and help you manage and secure it. But what is the BIGGER picture? Will EASM move that overall security needle? Will you be appreciably more secure if you invest in an EASM solution?

To answer this, let’s talk about the concept of security testing and assurance.

There are solutions like the FireCompass Continuous Automated Red Teaming (CART) platform that perform all the functionality of an EASM solution but as part of an overall goal of testing your security infrastructure and providing assurances that you are protected against known attack vectors.

These solutions address all of the things you are looking for in an EASM solution because they are built from the ground up to view everything from an attacker’s point of view.

They start by doing a proper reconnaissance using both passive and active methods. The platform applies advanced data science techniques to help work through the vast amount of information to provide high-confidence results, and then layers in data generated by active target scanning. This is what you should expect from an EASM product, but since the product was designed to do more, you actually get more.

As an example, one of the things that a Red Team solution will look for when doing the reconnaissance is to identify things that can be leveraged in a subsequent security testing phase. Things such as a list of stolen credentials, while not really part of an attack surface, can be very valuable when performing a penetration test or red team exercise.

Another thing to consider when you set out to learn about your attack surface is what you are planning to do once you have the list. In most cases, the next step is to prioritize the list according to the associated risk. The greater the risk, the quicker you should remediate. But how do you prioritize those risks? This is another benefit of a solution built for testing. The discovered attack surface can now be tested and the results can help you prioritize your remediation efforts.
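As an added example (not FireCompass code, and not a description of how their platform is implemented), the following Python script shows the two steps discussed above in working form: the reconciliation the “Data Mapping” list describes, where passive third-party records are checked against the results of an authorised active probe of your own assets so that records nothing answers for are flagged as likely false positives and records whose source is older than a cut-off are flagged as stale, and the prioritization step, where confirmed assets are ordered for remediation by an exposure weight. All hostnames, sources, dates, probe results and weights are constructed placeholders, and the exposure weights stand in for whatever risk model you actually use.

```python
"""
Reconcile passively sourced asset records with active verification results,
then produce a prioritised remediation worklist.

Added example, not FireCompass code. Every host, source, date, probe result
and weight below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample: records pulled from third-party (passive) sources.
# 'last_seen' is the date the source last observed the record.
PASSIVE_RECORDS = [
    {"host": "www.example.test", "source": "cert-transparency", "last_seen": date(2024, 5, 1)},
    {"host": "vpn.example.test", "source": "passive-dns", "last_seen": date(2024, 4, 20)},
    {"host": "old-ftp.example.test", "source": "open-source-dump", "last_seen": date(2023, 9, 3)},
    {"host": "decom-host.example.test", "source": "open-source-dump", "last_seen": date(2024, 1, 15)},
]

# Constructed sample: what an authorised active probe of each of OUR hosts
# returned. resolved=False means the name no longer points at anything.
ACTIVE_RESULTS = {
    "www.example.test": {"resolved": True, "open_ports": [443]},
    "vpn.example.test": {"resolved": True, "open_ports": [443, 22]},
    "old-ftp.example.test": {"resolved": True, "open_ports": [21]},
    "decom-host.example.test": {"resolved": False, "open_ports": []},
}

# Constructed exposure weights for prioritisation: higher means the exposed
# service deserves attention sooner. Unknown ports get a weight of 1.
PORT_WEIGHT = {21: 8, 22: 5, 3389: 9, 445: 9, 443: 2, 80: 2}

# Passive records older than this are marked stale even when the host is live.
STALE_AFTER_DAYS = 90

# Fixed "today" so the sample output is reproducible.
SAMPLE_TODAY = date(2024, 5, 10)


@dataclass
class Finding:
    host: str
    status: str           # "confirmed" or "false_positive"
    open_ports: list
    risk: int
    source_stale: bool    # passive source older than STALE_AFTER_DAYS
    note: str


def classify(record, probe, today):
    """Combine one passive record with its active probe result."""
    host = record["host"]
    age_days = (today - record["last_seen"]).days
    stale = age_days > STALE_AFTER_DAYS
    note = f"{record['source']} record, last seen {age_days} days ago"
    if probe is None or not probe["resolved"]:
        # Passive data claims an asset that nothing answers for: flag it as a
        # likely false positive instead of silently keeping it in inventory.
        return Finding(host, "false_positive", [], 0, stale, note + ", no active confirmation")
    ports = sorted(probe["open_ports"])
    risk = sum(PORT_WEIGHT.get(p, 1) for p in ports)
    return Finding(host, "confirmed", ports, risk, stale, note)


def reconcile(passive, active, today):
    """One Finding per passive record, enriched with the active view."""
    return [classify(r, active.get(r["host"]), today) for r in passive]


def worklist(findings):
    """Remediation order: confirmed assets only, highest exposure weight first."""
    live = [f for f in findings if f.status == "confirmed"]
    return sorted(live, key=lambda f: (-f.risk, f.host))


def run_sample():
    """Reconcile the constructed sample data with the fixed sample date."""
    return reconcile(PASSIVE_RECORDS, ACTIVE_RESULTS, SAMPLE_TODAY)


if __name__ == "__main__":
    findings = run_sample()
    for f in worklist(findings):
        flag = " [source stale]" if f.source_stale else ""
        print(f"{f.host:26} risk={f.risk:<3} ports={f.open_ports} ({f.note}){flag}")
    for f in findings:
        if f.status == "false_positive":
            print(f"{f.host:26} dropped: {f.note}")
```

In this sample the FTP host ranks first even though its passive source is 250 days out of date, which is the point of the exercise: the active probe, not the age of the third-party record, decides what is live, and the stale flag only tells you which source to stop trusting. The decommissioned host is reported separately so someone can confirm the record is dead rather than having it vanish from the inventory.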

One thing to assess, both in the EASM functionality of a solution and in the testing capabilities of its CART functionality, is the ability to stay current. Both an attack surface and the threat landscape are constantly evolving. New threat vectors as well as new attacker methods are coming out all the time, and whatever solution you evaluate should have ways of doing ongoing discovery as well as ways to pivot to test for emerging threats.

One way that a solution can pivot is by using a playbook-based model. FireCompass Playbooks are built such that they can handle many of the steps involved in both the recon/discovery and the testing. The advantage of this approach is that a single platform offers the flexibility to quickly pivot to new challenges as well as the ability to set things on repeat.

So, when it comes to evaluating an EASM solution and you look to answer the real question of how it will affect your overall security posture, make sure you understand the real goals of the product.

If the platform was built just for discovery, it still offers some value; but if it was also built to test, well, that can truly move the security needle.

About FireCompass:

FireCompass is a SaaS platform for Continuous Automated Red Teaming (CART) and Attack Surface Management (ASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed out by conventional tools.

Feel free to get in touch with us to get a better view of your attack surface.