What is External Attack Surface Management and Its Challenges

Written by Content Team | Nov 7, 2024 4:42:26 PM

As business processes become increasingly digital, there is a growing demand for IT infrastructure. To keep up with that demand, many services and applications have been built to facilitate the creation of this infrastructure. 

While such tools are convenient and reduce friction for digital transformation, there are some issues:

  • Businesses need a comprehensive policy to manage the lifecycle of their IT assets, but such a policy might not exist, or it might be so recent that older systems were never covered by it.
  • Even when policies do exist, employees or contractors might be unaware of them and provision new systems or change existing ones in substantial ways, invalidating previous risk assessments and creating shadow IT.
  • Attackers are hostile, persistent and largely automated; some large organizations report facing billions of attack attempts every day.

While internal systems are often shielded from all the malicious activity on the internet, accepting data from the internet is a requirement for some IT services to be useful. As these are easily reachable by attackers, this external attack surface is a significant concern for every organization – and managing it has proven to be a tough challenge for several reasons.

What is the external attack surface?

An organization's external attack surface is composed of all internet-facing digital assets, such as applications, websites, and API endpoints, as well as the IT infrastructure (network devices, servers, and cloud solutions) they require.

The external attack surface does not include computers or devices that cannot be accessed externally, even if these devices have internet connectivity. However, when a device becomes accessible from the outside – even if that happens due to a configuration error – it is part of the external attack surface.

There are many instances where small-scale systems or dashboards are made available externally. Some organizations set aside computing resources that employees can use for these projects, or employees simply spin up cloud resources on their own. These assets often slip under the radar, creating an unmanaged and unknown infrastructure, or shadow IT.

This means an organization's external attack surface is usually larger than expected. Assets are also constantly added and removed, some only temporarily or for a specific task, so the external attack surface is never static. While the degree of change will vary, the external attack surface will always shift over time.

The risks of an unmanaged external attack surface

When an asset accepts connections from the internet, it is always at risk of being targeted by attackers. Even when these attempts fail, attackers keep sending malicious requests. Threat actors can also scan these assets to find vulnerabilities, obtain unauthorized access, or cause crashes that disrupt the business.

An attack on an external-facing asset usually does not require any interaction with an employee (as would be the case in a phishing attack). Every vulnerability needs to be patched or mitigated before an attacker exploits it. When attackers find an entry point to the corporate network, they can attempt to reach critical systems and steal sensitive data or deploy ransomware. 

When assets are made available by mistake, they often have no authentication in front of them at all. There have been numerous documented incidents where an attacker simply pulled data from an exposed database or a publicly readable cloud storage bucket. Because these systems were never meant for external access, cybersecurity and IT teams are often unaware that they exist.

Listed individually, these risks include:

  • Unpatched vulnerabilities — In some scenarios, attackers begin exploiting a vulnerability just hours after the developer publishes a fix, often by analysing the patch itself. Businesses must know which exposed systems are affected so they can mitigate swiftly.
  • Outdated software — Systems that have reached end-of-life (EOL) pose a risk even when no vulnerability is known. When a vulnerability is eventually found, the business could find that there is no fix short of migrating to a newer version, or perhaps to a different software or hardware platform. Migrations can be challenging and require additional steps, which will create downtime or disrupt the business.
  • Broken configurations — When software libraries or other dependencies are updated, old configurations might not work as intended, leaving the system unstable or behaving erratically. For example, a firewall could stop working properly and suddenly expose hundreds of workstations to the internet. TLS certificates are another example: once a certificate expires and is not replaced, browsers refuse the connection and the website stops working correctly.
  • Exposed data or internal assets — VPN services, data-sharing platforms, and many other assets can expose internal data if not managed and protected correctly.
  • Legacy systems — There are situations where old systems are simply not decommissioned after they are no longer needed, or they are reactivated by mistake.

Managing the external attack surface is a challenge 

In theory, all you need to keep your external attack surface in check is a policy that only allows assets to accept incoming connections from the internet after going through a validation process. In practice, this doesn't address the complexities of external attack surface management (EASM).

Company teams often need to act and react quickly. Validating every system before it is allowed to go live may be feasible, but the catch is that systems change after they are provisioned. Software will be added or removed, patches will be applied, and workarounds for bugs or other issues will be implemented. It is usually not possible to validate every single change.

Research and development teams will intentionally run testing environments or beta systems that must change constantly to perform their functions.

When companies start managing their external attack surface, there is a backlog of systems that were provisioned before any policy existed. Security teams almost never find a complete inventory of every system the organization uses, so they have to ask every department for a list, only to find that it is still incomplete or quickly out of date.

And, as mentioned previously, many systems become part of the external attack surface by mistake – due to human error, software bugs, or outright disregard for company policy. If the organization has no visibility over its external attack surface, it cannot detect policy violations.

Thinking outside the box

The smartest way to map the external attack surface is from the outside, using the same reconnaissance techniques an attacker would, but in a way that is completely non-disruptive, fast, and automated. The information gathered by an EASM platform is used by cybersecurity teams to quickly detect vulnerable systems, apply patches, and fix broken configurations.

This external monitoring must also be continuous, so that vulnerabilities are detected early and cybersecurity teams have an up-to-date map of every system added to or removed from the external attack surface. Comparing successive snapshots reveals policy violations and newly exposed assets that an attacker could use to reach or exfiltrate data.
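
The bookkeeping behind that kind of continuous monitoring, as an added example that is not code from the original post or from the Axur Platform: two snapshots of what an external probe observed (host, port, service, TLS certificate expiry) are compared to find what became reachable, what disappeared, which certificates are expired or expiring, and which exposures were never approved by policy. The host names, dates, ports and the approval map are constructed for illustration; the `probe` function shows how a single snapshot entry would be collected live and is not exercised by the constructed data.

```python
"""Snapshot differ for an externally observed attack surface.

Added example, not code from Axur or from the original post. Each snapshot is
what an external probe saw at one point in time. All host names, dates and the
approval policy below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import socket
import ssl


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str                               # "https", "ssh", "unknown", ...
    cert_not_after: Optional[datetime] = None  # only set for TLS services


def diff_snapshots(previous, current):
    """Return (appeared, disappeared), keyed by (host, port), sorted for stable output."""
    prev = {(e.host, e.port): e for e in previous}
    curr = {(e.host, e.port): e for e in current}
    key = lambda e: (e.host, e.port)
    appeared = sorted((curr[k] for k in curr.keys() - prev.keys()), key=key)
    disappeared = sorted((prev[k] for k in prev.keys() - curr.keys()), key=key)
    return appeared, disappeared


def cert_findings(snapshot, now, warn_within=timedelta(days=14)):
    """Flag TLS certificates that are already expired or expire within warn_within."""
    findings = []
    for e in snapshot:
        if e.cert_not_after is None:
            continue
        if e.cert_not_after <= now:
            findings.append((e, "expired"))
        elif e.cert_not_after - now <= warn_within:
            findings.append((e, "expiring"))
    return findings


def policy_violations(snapshot, approved):
    """approved maps host -> set of ports allowed to face the internet.
    A host missing from the map is shadow IT; an extra port is an unapproved exposure."""
    out = []
    for e in snapshot:
        if e.host not in approved:
            out.append((e, "unregistered host"))
        elif e.port not in approved[e.host]:
            out.append((e, "unapproved port"))
    return out


def probe(host, port, timeout=3.0):
    """Live, non-intrusive probe: one TCP connect, plus a TLS handshake on port 443
    to read the leaf certificate's notAfter. Returns None if closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if port != 443:
                return Exposure(host, port, "unknown")
            ctx = ssl.create_default_context()
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    secs = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
                    return Exposure(host, port, "https", datetime.fromtimestamp(secs, tz=timezone.utc))
            except ssl.SSLCertVerificationError:
                return Exposure(host, port, "https-untrusted")  # reachable, chain does not validate
    except OSError:
        return None


# --- constructed data: two daily snapshots of example.com and its approval policy ---
NOW = datetime(2024, 11, 7, 12, 0, tzinfo=timezone.utc)

YESTERDAY = [
    Exposure("www.example.com", 443, "https", NOW + timedelta(days=60)),
    Exposure("api.example.com", 443, "https", NOW + timedelta(days=5)),
    Exposure("legacy-vpn.example.com", 443, "https", NOW - timedelta(days=3)),  # cert already expired
]
TODAY = [
    Exposure("www.example.com", 443, "https", NOW + timedelta(days=60)),
    Exposure("api.example.com", 443, "https", NOW + timedelta(days=5)),
    Exposure("api.example.com", 22, "ssh"),                     # SSH opened since yesterday
    Exposure("dashboard-test.example.com", 8080, "http"),       # never registered: shadow IT
]
APPROVED = {"www.example.com": {443}, "api.example.com": {443}, "legacy-vpn.example.com": set()}


def report(previous, current, approved, now):
    """Summarise one monitoring cycle as plain strings, one list per finding type."""
    appeared, disappeared = diff_snapshots(previous, current)
    return {
        "appeared": [f"{e.host}:{e.port} ({e.service})" for e in appeared],
        "disappeared": [f"{e.host}:{e.port}" for e in disappeared],
        "certs": [f"{e.host}:{e.port} {status}" for e, status in cert_findings(current, now)],
        "violations": [f"{e.host}:{e.port} {why}" for e, why in policy_violations(current, approved)],
    }


if __name__ == "__main__":
    for section, lines in report(YESTERDAY, TODAY, APPROVED, NOW).items():
        print(section, lines)
```

Run against the constructed snapshots, the report flags the new SSH port on api.example.com and the unregistered test dashboard as appeared and as policy violations, the decommissioned VPN host as disappeared, and the api.example.com certificate as expiring within the warning window. In a real deployment the snapshots would come from `probe` (or a full scanner) run on a schedule, and the diff, not the raw scan, is what the security team reviews.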

The Axur Platform can collaborate with your cybersecurity team to detect risks on your network from the outside and give you the information and the confidence you need to protect your external assets and your digital footprint. If you want to know more, we're ready to help.