printer friendly version

Want effective Attack Surface Management? Think like an attacker.

While there is a lot of talk around attack surface management (ASM), it does not always clarify how businesses should approach this crucial matter. Firstly, it is essential to emphasise that ASM is not a technical process; you should rather view it as a mindset.

What I mean by that is that effective ASM requires companies to think like attackers, anticipate risks, and act decisively to reduce exposure. You can only do this if you know your environment, deploy a structured ASM approach, leverage capable tools, and address both internal and external risks. Only in this way can organisations stay one step ahead in today’s relentless threat landscape.

Christo Coetzer.

You may be standing back and asking, 'What is the attack surface?'. The answer is that it is the sum of all possible vulnerabilities and entry points that an attacker could potentially exploit to gain unauthorised access to your systems or network. Once they are in, they can extract sensitive data. In a nutshell, the attack surface encompasses every potential point of entry, including digital assets such as software and hardware, as well as physical access points and human-related vulnerabilities like social engineering attacks.

The key to a successful ASM strategy lies in combining technology with human expertise and a commitment to continuous improvement, as businesses in the cybersecurity defence world that stand still often get left behind.

ASM requires alignment between security teams, IT, and business units to ensure remediation is practical and sustainable. This is why, in the context of ASM, knowing your environment is crucial – you simply must have visibility into all assets that could be exposed to potential attackers. This includes everything: servers, applications, cloud services, forgotten subdomains, misconfigured APIs, and even employee credentials leaked on the dark web. It is not just about cataloguing what is out there; it is about understanding how an adversary might see and exploit these assets.

Knowing your environment means maintaining a dynamic inventory of your internet-facing infrastructure and services, enriched with context about their purpose, configuration, and vulnerabilities. You need to identify risks in the same way your attackers are viewing your landscape for vulnerabilities. For example, unpatched systems or exposed databases are a recipe for disaster. Without this visibility, you are navigating a minefield, blindfolded.

Internal and external ASM?

Both are interconnected. External ASM focuses on assets exposed to the public internet, such as web servers, APIs, or cloud storage buckets, accessible from outside your network. It is about seeing your business through an attacker’s eyes, identifying entry points they could exploit during reconnaissance or initial compromise. External ASM often leverages offensive security techniques, such as scanning for open ports or misconfigured services, and integrates open-source intelligence (OSINT) to uncover risks, including exposed credentials or leaked data.

Internal ASM, on the other hand, deals with assets and vulnerabilities within your network perimeter. This includes internal servers, employee devices, or misconfigured databases that may not be internet-facing, but could be exploited by an attacker who has gained a foothold, such as through phishing or a compromised endpoint. Internal ASM requires deep integration with endpoint detection, network monitoring, and identity management to map and secure the internal attack surface.

The key difference lies in scope and perspective. External ASM is about preventing initial access; internal ASM is about limiting lateral movement and damage after a breach has occurred. Both are essential, as a single weak link, whether a public-facing misconfiguration or an internal unpatched system, can compromise the entire organisation. A mature ASM programme bridges these two, ensuring comprehensive visibility and defence across the entire attack surface.

Now you can see it all, what is next in your ASM strategy?

Deploying ASM effectively requires a structured, adaptable approach. To build a robust ASM programme, you will need to start by identifying all external-facing assets, including domains, subdomains, IP ranges, cloud services, and third-party integrations. Automated tools can help with this, but manual validation is often necessary to uncover shadow IT or forgotten assets.

Once you have mapped your assets, you must assess them for vulnerabilities and misconfigurations. This is not just about running a scanner; it is about prioritising findings based on exploitability and business impact. You need to incorporate threat intelligence, such as OSINT to identify exposed credentials, leaked data, or emerging threats targeting similar organisations.

The bottom line

Remember, the attack surface is a moving target. New assets, configurations, or vulnerabilities can appear overnight. Continuous monitoring will prevent you from being caught off guard by changes in your environment. It is important to understand that not all risks are equal. Use a risk-based approach to prioritise fixes, focusing on high-impact vulnerabilities or assets critical to business operations. Regular iteration of these steps ensures that your ASM programme evolves in tandem with your organisation’s infrastructure and the broader threat landscape.

Share this article:

Further reading: