How to Identify Your Organisation’s Attack Surface
Our glossary page on attack surfaces defined the terms associated with the concept. This post provides information that'll help your organization identify its attack surface.
Much like your lawn after a good rain, your attack surface will grow rapidly if left unchecked. Along with increases in attack surface size comes an increase in cybersecurity risk. That risk can’t be eliminated as attack surfaces are always evolving, but it must be carefully managed.
How do I identify my organisation’s attack surface?
Managing that risk begins with identifying your organization’s attack surface. More specifically, you must identify what lurks below the surface — the endpoints, vulnerabilities and other attack vectors that expose your environment.
To quote CIS Critical Security Controls (CIS Controls) v8: “Enterprises cannot defend what they do not know they have.” But how does one figure out what they have? If you or anyone from your team has ever wondered the same, you’ve come to the right place.
By the end of this post, you’ll discover the answers to these questions and better understand how to identify your organization’s attack surface using modern best practices:
- How do I identify my organization’s digital attack surface?
- What is attack surface management (ASM)?
- What is cyber asset attack surface management (CAASM)?
- What is external attack surface management (EASM)?
- What are digital risk protection services (DRPS)?
- What’s the difference between CAASM, EASM and DRPS?
- Are there any options beyond ASM offerings for identifying digital attack surfaces?
- How do I identify my organization’s physical attack surface?
- How do I identify my organization’s human attack surface?
How do I identify my organisation’s digital attack surface?
Identifying your digital attack surface can be difficult with traditional tools and practices, especially as that surface seems to expand exponentially every year. Fortunately, technology and service providers are mobilizing to meet this moment with attack surface management (ASM) offerings.
Attack surface management (ASM)
Gaining visibility into the IT assets deployed across your organization — plus their exposure and associated risk — is essential to achieving a strong cybersecurity posture. Leading security frameworks corroborate this stance. For instance, the first Function of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) Version 1.1 is Identify, and NIST states, “The activities in the Identify Function are foundational for effective use of the Framework.” Similarly, CIS Controls v8 contains the following Controls:
- Control 1: Inventory and Control of Enterprise Assets
- Control 2: Inventory and Control of Software Assets
- Control 7: Continuous Vulnerability Management
Such visibility is also the key to defining your digital attack surface. Unfortunately, organizations have long struggled to attain high levels of visibility.
Research from Randori and Enterprise Strategy Group (ESG) reveals that, on average, organizations have 30% more exposed assets than traditional asset management programs indicate. That figure stands to grow if companies fail to act, as Gartner predicts 75% of employees will acquire, modify or create technology outside IT’s visibility by 2027.
Companies need to close the gap between the number of assets exposed to attackers and the number they know about. They must eliminate those blind spots and unmanaged technology from their environments. ASM does just that. According to Gartner, ASM aims to answer the question: “What does my organization look like from an attacker’s point of view, and how should it find and prioritize the issues attackers will see first?”
What is attack surface management (ASM)?
By taking an attacker’s perspective, ASM enables security teams to gain visibility into assets over which IT lacks governance and control, such as shadow IT, third-party systems and line-of-business applications.
It works by combining people, processes, technologies and services to continuously discover, inventory and manage an organization’s internal and external assets. By doing so, ASM ensures any newly identified exposures are addressed before they can be exploited by malicious actors.
ASM comprises three areas: cyber asset attack surface management (CAASM), external attack surface management (EASM) and digital risk protection services (DRPS). Each area focuses on a specific use case: CAASM for assets and vulnerabilities, EASM for external assets and DRPS for digital assets.
When combined, their capabilities can greatly help the 47% of security professionals surveyed for Ivanti’s Government Cybersecurity Status Report that lack visibility into all the users, devices, applications and services residing on their networks.
What is cyber asset attack surface management (CAASM)?
CAASM provides a complete, current and consolidated view of an organization’s internal and external assets, such as endpoints, servers, devices and applications. CAASM products enable this visibility by collecting data from existing internal sources such as asset discovery, IT asset management, endpoint security, vulnerability management and patch management tools as well as ticketing systems via API integrations.
Collected data is automatically aggregated, normalized and deduplicated, then presented in a single user interface, eliminating the need for IT and security teams to manually gather and reconcile asset data. CAASM products also let those teams query against collected data, identify security vulnerabilities, spot gaps in security controls and remediate issues.
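As an added illustration of the aggregate, normalize, deduplicate and query workflow described above (example code written for this post's explanation, not from the post itself or any CAASM product; the tool exports, hostnames, owners and MAC addresses are constructed):

```python
import re

# Constructed sample exports from four internal tools (hypothetical hosts).
ASSET_DISCOVERY = [  # network discovery: sees whatever talks on the LAN
    {"host": "WS-0142.corp.example", "mac": "AA:BB:CC:00:01:42", "ip": "10.1.4.42"},
    {"host": "ws-0143.corp.example", "mac": "aa-bb-cc-00-01-43", "ip": "10.1.4.43"},
    {"host": "build-srv7", "mac": "aabb.cc00.0207", "ip": "10.1.9.7"},
    {"host": "raspberrypi", "mac": "DC:A6:32:11:22:33", "ip": "10.1.9.250"},
]
ITAM = [  # IT asset management: only what someone registered
    {"hostname": "ws-0142", "mac": "AA:BB:CC:00:01:42", "owner": "alice"},
    {"hostname": "ws-0143", "mac": "AA:BB:CC:00:01:43", "owner": "bob"},
]
ENDPOINT_SECURITY = [{"name": "WS-0142.CORP.EXAMPLE", "mac": "AA:BB:CC:00:01:42"}]  # EDR agents
VULN_SCANNER = [{"asset": "10.1.9.7", "mac": "AA:BB:CC:00:02:07", "open_high": 3}]  # last scan

def normalize_mac(mac):
    """Canonical AA:BB:CC:DD:EE:FF form whatever separators or case a tool used."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def normalize_host(name):
    """Lower-case short hostname: 'WS-0142.CORP.EXAMPLE' -> 'ws-0142'."""
    return name.lower().split(".")[0]

def reconcile(discovery, itam, edr, vulns):
    """Merge the exports into one record per MAC, noting which sources know each asset."""
    inv = {}
    def record(mac, source):  # deduplicate on the normalized MAC
        entry = inv.setdefault(normalize_mac(mac), {"host": None, "sources": set()})
        entry["sources"].add(source)
        return entry

    for r in discovery:
        entry = record(r["mac"], "discovery")
        entry["host"], entry["ip"] = normalize_host(r["host"]), r["ip"]
    for r in itam:
        entry = record(r["mac"], "itam")
        entry["host"] = entry["host"] or normalize_host(r["hostname"])
        entry["owner"] = r["owner"]
    for r in edr:
        record(r["mac"], "edr")
    for r in vulns:
        record(r["mac"], "vuln")["open_high"] = r["open_high"]
    return inv

def control_gaps(inv):
    """Query the merged view: which assets are unmanaged, unprotected or unscanned?"""
    gaps = {}
    for mac, entry in inv.items():
        missing = [s for s in ("itam", "edr", "vuln") if s not in entry["sources"]]
        if missing:
            gaps[entry["host"] or mac] = missing
    return gaps
```

On this constructed data, two of the four hosts seen on the network are absent from ITAM, which is the kind of gap between known and exposed assets the Randori/ESG figure above describes.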
Gartner states less than 1% of companies had CAASM functionality implemented in 2022 but anticipates 20% will by 2026. Adoption is thought to be slow because CAASM relies on existing technologies but doesn't replace any of them. It can also likely be attributed to the fact that there are currently limited vendors in the CAASM space.
What is external attack surface management (EASM)?
As its full name implies, EASM focuses on an organization’s external attack surface by employing processes, technology and managed services to discover internet-facing assets and systems plus related vulnerabilities.
Examples of external assets and systems EASM discovers include web applications, Internet Protocol (IP) addresses, domain names, Secure Sockets Layer (SSL) certificates and cloud services. Additionally, examples of vulnerabilities discovered by EASM include — but aren't limited to — exposed servers, credentials, public cloud service misconfigurations, deep web and dark web disclosures and vulnerabilities in third-party partner software code.
In addition to asset discovery, EASM products commonly offer other capabilities, including:
- Active external scanning of cloud, IT, IoT and OT environments.
- Analysis of assets to determine if they are risky, vulnerable or behaving in an anomalous manner.
- Prioritization of assets based on business impact, likelihood of exploitation by a malicious actor and other factors.
- Remediation workflow and third-party integrations with ticketing systems, security orchestration, automation and response (SOAR) solutions and other tools.
The main benefits of EASM are its ability to provide visibility of unknown digital assets and an outside-in view of an organization’s external attack surface. These benefits have helped 31% of companies with an EASM solution to find unknowingly exposed sensitive data, 30% to discover unknown or third-party hosted web assets, and 29% to discover unknown misconfigurations and vulnerable systems.
EASM’s benefits have also driven 34% of organizations to deploy a dedicated EASM offering. Like CAASM products, EASM products don't replace any existing technologies — meaning they require net-new spending — and there aren't currently very many of them on the market. However, unlike CAASM, EASM products aren't dependent on any existing technologies to operate, making them easier to adopt.
What are digital risk protection services (DRPS)?
DRPS blends technology and services to protect digital assets and data from external threats. It does so by extending detection and monitoring outside the enterprise perimeter — to the open web, deep web, dark web, social media and app marketplaces — to search for threats to enterprise digital resources, including IP addresses, domains and brand-related assets.
As organizations engage in more and more online activities, it's critical for security teams to adopt DRPS capabilities and look beyond threats within the enterprise network.
According to Gartner, DRPS products don't simply identify threats, but provide actionable intelligence on threat actors as well as the tools, tactics and processes they exploit to carry out malicious activities. Additionally, DRPS also enables security teams to mitigate active threats using a combination of people, process and technology, and to carry out the activities required to foil future threats and protect digital assets.
In its 2022 Hype Cycle for Security Operations, Gartner indicated DRPS is two to five years away from reaching the last key phase of a technology’s life cycle. That phase — deemed the Plateau of Productivity — is defined as follows:
Mainstream adoption starts to take off. Criteria for assessing provider viability are more clearly defined. The technology's broad market applicability and relevance are clearly paying off.
Delayed adoption of DRPS plus other ASM solutions like CAASM and EASM can likely be attributed to market confusion on the distinction between such solutions. We'll erase some of that confusion in the next section.
What’s the difference between CAASM, EASM and DRPS?
CAASM, EASM and DRPS are all components of ASM. Additionally, they all focus on security asset management and issue prioritization. These similarities have caused confusion in the market between these different solutions.
The following table highlights the differences between CAASM, EASM and DRPS to help you distinguish between the different solutions:
Feature / Capability | CAASM | EASM | DRPS |
--- | --- | --- | --- |
Focus area | Assets and vulnerabilities | External assets | Digital risk |
Applicable assets | | | |
Composition | | | |
Capabilities | | | |
Data sources | Passive data collection via API integrations with existing internal tools: | | Monitoring of: |
Sample vendors | | | |
In the future, the distinctions between these solutions may not matter much. Gartner predicts 70% of all CAASM, EASM and DRPS functionality will be part of broader, preexisting security platforms by 2026 and not provided by standalone vendors as it is today.
Are there any options beyond ASM offerings for identifying digital attack surfaces?
Organizations have had a need to identify and manage their digital attack surfaces since before ASM solutions were available. Instead of ASM solutions, many organizations have leveraged — and continue to leverage — other approaches to do so:
Approach used in place of ASM solution | Description | Pro | Con |
--- | --- | --- | --- |
Asset discovery tools | Find and inventory hardware and software assets connecting to your network. | Already deployed at most organizations. Better than spreadsheets. | Often has blind spots such as shadow IT, third-party systems and line-of-business applications. |
Breach and attack simulation (BAS) | Automatically test threat vectors to gain a deeper understanding of security posture vulnerabilities and validate security controls. | Generates reports on security gaps and prioritizes remediation based on risk. | Only focuses on known attacks. Doesn't provide remediation. |
Cloud security posture management (CSPM) | Understand changes in cloud configurations. | Ability to understand cloud configuration changes. | Doesn't reveal when configurations drift out of compliance or potential impact of emerging threats. |
Configuration management database (CMDB) | Track changes made to systems. | Already deployed at most organizations. Know when configuration changes are made. | Doesn't reveal when configurations drift out of compliance or potential impact of emerging threats. |
Homegrown approach | Combine spreadsheets, scripts and manual processes to manage attack surface. | Inexpensive or free from a pure cost perspective (overlooking analyst hours). | Time-consuming and error-prone. Not scalable or real-time. |
IT asset management (ITAM) | Track and monitor assets through their full lifecycle. | Already deployed at most organizations. Better than spreadsheets. | Only covers known and managed assets while overlooking unknown or unmanaged facets of attack surface. |
Penetration testing (e.g., automated penetration testing tools and penetration testing as a service) | Identify vulnerabilities within your network and applications by simulating a cyberattack. | Provides examples of security posture and associated budget priorities. | Only focuses on the first phase of the cyber kill chain: reconnaissance. Also, results are typically point-in-time and only as good as the penetration testers carrying out the simulation. |
Red teaming | Provides a comprehensive picture of an organization’s cybersecurity posture by staging a cyberattack simulation against networks, applications, physical safeguards and employees. | Goes beyond penetration testing by focusing on other phases of the cyber kill chain. Also goes beyond digital attack surface and touches on physical and human attack surfaces. | Results are typically point-in-time and only as good as the penetration testers carrying out the simulation. |
Threat intelligence | Access information on threats and other cybersecurity issues. | Arms security experts with intelligence on threats and vulnerabilities. | Geared toward organizations with highly mature security operations consisting of skilled personnel and extensive resources. |
Vulnerability management tools (e.g., scanners) | Identify and manage vulnerabilities within your infrastructure and applications. | Already deployed at most organizations. | No visibility into unknown assets. Overwhelming amounts of data. |
While these technologies, services and other approaches don't offer all the capabilities and benefits that purpose-built CAASM, EASM and DRPS solutions deliver, most still have their place in an organization’s IT and security practices. In fact, CAASM tools can't function without data from asset discovery, ITAM, vulnerability management and/or patch management tools.
Similarly, according to Gartner, EASM complements a few of the technologies and services listed above. These include threat intelligence and various types of security testing, including breach and attack simulation, penetration testing as a service and automated penetration testing and red teaming tools.
How do I identify my organization’s physical attack surface?
The first major component of an organization’s physical attack surface is what may be referred to as its endpoint attack surface as it’s composed primarily of all the endpoints that connect to the organization’s network: desktop computers, laptops, mobile devices and IoT devices.
Fortunately, this component of the physical attack surface can be identified via any CAASM tool used to identify the same elements of the digital attack surface, eliminating the need to purchase another new technology. Asset discovery and ITAM tools are other, if less capable, options.
The second major component of an organization's physical attack surface is its offices, data centers and other facilities. Again, fortunately, techniques already used in the identification of the digital attack surface overlap with those that can be used to identify the physical attack surface. In this case, that'd be the physical penetration testing component of red teaming.
How do I identify my organization’s human attack surface?
Identifying your human attack surface begins by looking at your organizational chart. Anyone associated with your organization that possesses the ability to access your organization’s sensitive information — or to prevent others from accessing that information — can contribute to your human attack surface.
That includes not just full-time employees but part-time employees, board members, contractors, partners, vendors, suppliers, temps and others as well.
On top of that, it includes both the people currently in those roles and anyone that's held those roles in the past. Press Reset: A 2023 Cybersecurity Status Report shows nearly half of security professionals believe or know the login credentials for some former employees and contractors are still active, allowing those individuals access to company systems and data.
The tricky part is that it’s not humans themselves but their actions — or inactions — that make up a human attack surface. Those actions and inactions are hard to spot as they often happen in the moment and out of sight of others, especially with more and more people working remotely.
Red teaming, a practice used to identify elements of both the digital and physical attack surfaces, can also be used to identify a major component of the human attack surface: employee susceptibility to social engineering. Red teamers accomplish this by attempting to manipulate employees into offering up sensitive information such as access credentials via phishing, smishing, vishing and other tactics.
Improper assignment of user privileges is another major contributor to human attack surfaces. Reviewing the systems and data the people that contribute to your human attack surface have access to, plus the levels of access they possess, is another way to identify parts of that surface.
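An added example of the access review described above, covering both the still-active former-staff credentials mentioned earlier and group memberships that don't match a person's role (example code written for this post, not from the post or any product; the roster, accounts, groups and role-to-group mapping are constructed assumptions):

```python
# Constructed sample data (hypothetical people, accounts and groups), not taken
# from any real directory or HR system.
HR_ROSTER = [
    {"name": "alice", "type": "employee", "role": "sysadmin", "status": "active", "end": None},
    {"name": "bob", "type": "employee", "role": "sales", "status": "active", "end": None},
    {"name": "carol", "type": "contractor", "role": "hvac-vendor", "status": "ended", "end": "2023-03-31"},
    {"name": "dave", "type": "employee", "role": "finance", "status": "terminated", "end": "2023-06-15"},
]
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": ["Domain Admins", "VPN Users"]},
    {"user": "bob", "enabled": True, "groups": ["VPN Users", "Domain Admins"]},
    {"user": "carol", "enabled": True, "groups": ["BMS Remote Access"]},
    {"user": "dave", "enabled": False, "groups": ["Finance", "VPN Users"]},
    {"user": "svc-legacy", "enabled": True, "groups": ["Domain Admins"]},
]
# Which groups each role is expected to hold (an assumption for this example;
# a real review takes this from the organization's own access model).
ROLE_ALLOWED_GROUPS = {
    "sysadmin": {"Domain Admins", "VPN Users"},
    "sales": {"VPN Users"},
    "finance": {"Finance", "VPN Users"},
    "hvac-vendor": {"BMS Remote Access"},
}

def review_access(roster, accounts):
    """Cross-reference directory accounts against the roster and return a list of
    (user, issue) findings: enabled accounts of people who have left, accounts
    with no roster entry at all, and groups the person's role does not warrant."""
    by_name = {person["name"]: person for person in roster}
    findings = []
    for acct in accounts:
        person = by_name.get(acct["user"])
        if person is None:
            findings.append((acct["user"], "no roster entry: orphaned or unmanaged account"))
            continue
        if acct["enabled"] and person["status"] != "active":
            findings.append((acct["user"],
                             f"still enabled; {person['type']} {person['status']} {person['end']}"))
        for group in acct["groups"]:
            if group not in ROLE_ALLOWED_GROUPS.get(person["role"], set()):
                findings.append((acct["user"],
                                 f"member of {group!r}, not expected for role {person['role']!r}"))
    return findings
```

Run against the constructed data, the review flags the contractor whose engagement ended but whose account is still enabled, a sales account sitting in Domain Admins, and a service account nobody on the roster owns, while the disabled former employee produces no finding.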
Identifying most other elements of human attack surfaces requires employees to be vigilant for issues and to hold others accountable. For example, say one employee sees that another has written their password on a post-it note and stuck it to their monitor or that an HVAC vendor propped the back door to an office building open.
That employee should politely inform the others they are in violation of security best practices — and likely company policy as well — and ask them to correct their actions. When necessary, they should also involve the organization’s security team.
You’ve identified your organization’s attack surface … now what?
With the information in this post, you should be well on your way to identifying your organization’s digital, physical and human attack surfaces. Once you achieve that visibility, it’s time to take the next step: minimizing your attack surface.
Read The 8 Best Practices for Reducing Your Organization’s Attack Surface to uncover the technologies and tactics your organization can employ to shrink its attack surface.