Attack surface sprawl is a growing challenge with 76% of organizations experiencing some type of cyberattack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset.¹ The constant expansion of attack surfaces has made the need for visibility into potentially unknown attack surfaces more important than ever.  

Pairing vulnerability scanners with attack surface management (ASM) gives security teams high-fidelity analysis and prioritization of assets and exposures, while limiting noise and false positives commonly associated with technology-only platforms.

Why vulnerability scanners aren’t enough 

The issue lies in the fact that vulnerability scanners can only scan entities you tell them to. Vulnerability assessments operate on a tactical level, often treated as commodities where you acquire a scanner and direct it toward known targets.  

Vulnerability scanners rely on a policy that defines the scope and dictates where the scanner should focus its efforts, whether that’s on targets, networks, or assets. Without this essential step, the scanner lacks the intelligence to identify assets, as its sole purpose is to scan what it’s told to. Vulnerability scanning on its own is an output of potential issues; the tool can’t go out and find assets you haven’t explicitly told it to find. That’s where NetSPI ASM comes in. 

How NetSPI Attack Surface Management covers gaps

The beauty of ASM is its ability to uncover what’s unknown. This aspect is crucial as it offers a more strategic approach compared to traditional vulnerability assessments. When transitioning to ASM, security experts conduct specific operations to identify elements such as subsidiaries and various IPs associated with the organization. Through these efforts, previously undiscovered assets come to light that had been omitted from scanning and thus excluded entirely from a vulnerability assessment program. 

Vulnerability scanners paired with NetSPI ASM enrich the assets, ensuring the scope of your scan is comprehensive.  

Leveraging technology, intelligence, and expertise for Proactive Security 

The advanced technology behind NetSPI ASM combines with our security experts to deliver the most comprehensive view of external attack surfaces. Our deep visibility helps you understand specific risks to your business so your team can spend less time sifting through alerts or responding to false positives. With the full force of NetSPI in your corner, you can navigate rapid innovation with confidence, while protecting the trust you’ve worked so hard to build. 

How do we go about enriching asset discovery?  

We research multiple data sources to identify external-facing assets, utilizing a combination of human intelligence and third-party services in our research, a task that a vulnerability scanner could never accomplish on its own. 

For example, we use a blend of various OSINT, proprietary and commercial sources, and techniques to continuously search the internet to identify your entire attack surface. This process is a collection of items including, but not limited to business and legal structures, domains, and IP addresses.  

Our team performs exposure identification by:  

• Port scanning  
• Certificate scanning  
• DNS scanning / querying  
• Sub-domain brute forcing  
• Web application scanning  
• SNMP queries  
• UDP scanning  
• TCP scanning  
• Taking screenshots, grabbing banners  
• API-queries of cloud configured could environments 

We utilize active and passive techniques to continuously identify the existence of exposures on assets. Active discovery is performed on all identified assets for ports, technologies, certificates, vulnerabilities, DNS records, etc., while passive discovery is performed through integrations with data feeds that allow us to enrich data found through active discovery.  

This detailed information gathering leads to high-quality findings, allowing us to report only on true positives, with highly documented verification steps and remediation instructions. We provide detailed validation and evidence verification, so you only receive the true positives that matter the most to accelerate remediation and eliminate constant alerts and manual correlation from multiple sources. This is the “secret sauce” behind The NetSPI Advantage. Machine intelligence plus human intelligence is compound intelligence that benefits our customers. To put it simply, we go beyond for our customers so they can go beyond for theirs.

Vulnerability scanning vs penetration testing 

Both vulnerability scanners and penetration testing have their time and place to enhance the overall security of systems. The biggest difference is the depth of results from each measure. Vulnerability scanning is an automated process that identifies and reports potential vulnerabilities in a system, focusing on known weaknesses.  

Penetration testing, on the other hand, involves simulating real-world attacks by skilled professionals, a la The NetSPI Agents, to actively exploit vulnerabilities and assess the system’s security posture. While vulnerability scanning provides a broad overview of potential issues, penetration testing goes deeper, uncovering weaknesses that may not be apparent through automated scans. See if you’re getting the most value from your penetration testing reports. 

Empower your security posture with NetSPI 

The most helpful lesson we can share with anyone working to advance your security posture is don’t go it alone. The shared learning from experts who have worked through the same challenges you face is invaluable to bring clarity, speed, and scale to your security programs.  

Reach out to connect with our security experts or keep learning about NetSPI ASM by watching our demo.  

The post From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning  appeared first on NetSPI.

• What is External Attack Surface Management?
• Beyond Asset Discovery: How External Attack Surface Management
  Prioritizes Vulnerability Remediation
  • Why Asset Discovery Isn’t Enough
  • Using an EASM Platform for Prioritized Vulnerability Remediation
• The Role of EASM in Continuous Threat Exposure Management (CTEM)
  • According to Gartner, there are 5 Phases of Continuous Threat
    Exposure Management
  • External Attack Surface Management Supports Scoping,
    Discovery, and Prioritization
• How External Asset Surface Management Relates to Penetration Testing
• Manage Your Growing Attack Surface with NetSPI ASM

External Attack Surface Management (EASM) accelerated to the frontline of proactive security — and for good reason. The technology creates a comprehensive view of a company’s external assets by mapping the internet-facing attack surface to provide better insight into changes and where to focus the attention of security teams. Gartner wrote a report that explains EASM in-depth, including why asset discovery is the tip of the EASM iceberg, and how EASM support Continuous Threat Exposure Management.¹ 

What is External Attack Surface Management? 

External Attack Surface Management provides an outside-in view across a company’s attack surface to reveal assets and potential exposures. Focusing on external attack surfaces brings the greatest security value to organizations because of the sprawling growth of external attack surfaces. In fact, 67% of organizations have seen their attack surfaces expand in the last two years.² 

EASM is useful in identifying unknown assets and providing information about the organization’s systems, cloud services and applications that are available and visible in the public domain and therefore could be exploited by an adversary. 

According to Gartner, “Common EASM capabilities include:  

• Performing external asset discovery of a variety of environments (on-premises and cloud).  
• Continuously discovering public-facing assets as soon as they surface on the internet and attribute those assets to the organization (commonly using proprietary algorithms) for a real-time inventory of assets. Examples of public-facing assets are IP, domains, certificates and services.  
• Evaluating if the assets discovered are risky and/or behaving anomalously to prioritize mitigation/remediation actions.” 

Beyond Asset Discovery: How External Attack Surface Management Prioritizes Vulnerability Remediation 

Given the inevitable sprawl of attack surfaces, many companies are embracing External Attack Surface Management solutions to discover their full scope of assets and prioritize critical remediations. 

Asset discovery is an important capability to have, and one that’s helping to drive the adoption of external attack surface management. That said, asset discovery is only one aspect of effective EASM.  

Why Asset Discovery Isn’t Enough 

While asset discovery is an important and complex step, by itself, it’s not a comprehensive measure to advance security posture. 

According to the Gartner report: 

“In order to be more actionable, EASM needs to support data integration and deduplication of findings across systems, automation of assigning the asset/issues to the owner of the remediation process and tighter integration with third party systems. These include ticketing systems, security information and event management (SIEM), security orchestration, automation and response (SOAR), configuration management database (CMDB), and vulnerability assessment tools. Some EASM provides remediation steps and guidance on prioritized issues, a dashboard to track the remediation progress, or the creation of playbooks.” 

For attack surface management to effectively improve an organization’s offensive security program, it must incorporate vulnerability prioritization and remediation tracking as well, such as with NetSPI ASM. 

See what NetSPI ASM can do for your security by watching an on-demand demo of NetSPI’s solution.

Using an EASM Platform for Prioritized Vulnerability Remediation 

Taking a penetration testing engagement from start to finish requires many phases, including steps for remediation. Tests often result in a lengthy list of vulnerabilities that are ranked by severity. At NetSPI, our differentiator is the people behind our platform. Our human team of proactive security agents has deep cross-domain experience with manual analysis of vulnerability findings to validate their potential risk to a business. This context limits false positives, reducing noise and helping security teams respond more effectively. 

Automation is a vital capability, both for asset discovery and vulnerability remediation. But when human-driven noise reduction is involved, it creates the strongest attack surface possible. 

The Role of EASM in Continuous Threat Exposure Management (CTEM)

Gartner states:  

“CTEM is defined as a set of processes and capabilities that allows enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets. It is composed of phases — scoping, discovery, prioritization, validation and mobilization — and underpinned by a set of technologies and capabilities, of which EASM is one. CTEM is different from risk-based vulnerability management (RBVM) in that the latter is an evolution of traditional vulnerability management, while CTEM is the wider process around operating and governing overall exposure. It includes solving the identified vulnerabilities as well as optimizing processes in the future so that the vulnerabilities do not resurface. 

EASM is foundational to CTEM for two reasons. First, it provides continuous and improved visibility into assets that organizations have less control over, such as SaaS applications and data held by supply chain partners and suppliers. Second, it assesses and prioritizes resources in mitigating/remediating issues that attackers are most likely to exploit and therefore benefits organizations during the first three phases of CTEM: scoping, discovery and prioritization.”

According to Gartner, there are 5 Phases of Continuous Threat Exposure Management: 

1. Scoping 
2. Discovery 
3. Prioritization 
4. Validation 
5. Mobilization 

External Attack Surface Management Supports Scoping, Discovery, and Prioritization 

External Attack Surface Management assists in the first three phases of CTEM: scoping, discovery, and prioritization by supporting businesses through the inventory of known digital assets, continuous discovery of unknown assets, and human intelligence to prioritize severe exposures for timely remediation.  

Let’s look deeper at the first three phases in CTEM: 

• Scoping: Identifies known and unknown exposures by mapping an organization’s attack surface. 
• Discovery: Uncovers misconfigurations or vulnerabilities within the attack surface. 
• Prioritization: Evaluates the likelihood of an exposure being exploited. NetSPI ASM combines technology innovation with human ingenuity to verify alerts and add the necessary context to prioritize remediation efforts. 

In some cases, such as with NetSPI, proactive security companies take this a step further by also performing penetration testing on the identified vulnerabilities to validate they are vulnerable and to prove exploitation.

How External Asset Surface Management Relates to Penetration Testing 

The Gartner report explains: 

“EASM can complement penetration testing during the information gathering phase about the target (finding exploitable points of entry). The convergence between penetration testing and EASM will become more prominent as automated penetration testing solutions continue to emerge. 

Most penetration testing performed today is human-driven, outsourced and conducted annually (making it a point-in-time view), which is why the automated penetration testing market has emerged. Although automated penetration testing is an emerging market on its own, some vendors have already added EASM and vice versa. This is because vendors that started in the automated penetration testing market were initially only doing automated network penetration testing and not external testing. Technologies such as EASM, DRPS, BAS and automated penetration testing can collectively provide organizations with a realistic view of the full attack surface within their environment. This lets organizations test what they can or cannot prevent and detect, as well as determine how they would respond in the event of an attack. Therefore, the convergence of these technologies can better support organizations in their CTEM program.”

Manage Your Growing Attack Surface with NetSPI ASM 

NetSPI is recognized as a Sample Vendor in the Security Testing category offering EASM. We believe NetSPI Attack Surface Management solution combines cutting-edge technology with extensive proactive security expertise to provide the richest insight into the attack surface. Our team and tools empower security staff to protect an ever-expanding number of assets and address vulnerabilities with prioritized remediation actions. By making the external attack surface as difficult to penetrate as possible, companies prevent more attacks before they even start, further improving the effectiveness of security teams. 

Ready to bring proactive insights to your attack surface? Learn more about advancing your security program by talking with our team.

Gartner Objectivity Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

The post NetSPI’s View on the 2023 Gartner® Competitive Landscape: External Attack Surface Management Report  appeared first on NetSPI.

What to Look for When Evaluating External Attack Surface Management Providers  

To simplify the process of evaluating attack surface management vendors, we’ve identified five important criteria to look for when comparing different companies.  

1. Proven Reputation and Third-Party Validation 

Vendors new to the attack surface management space may not have enough experience tailoring their platform for greater business needs. Selecting a tenured vendor with a history in ASM can offer benefits such as streamlined processes, quick access to support teams, and proven methods to improve security. 

Look for attack surface management providers that have received recognition from trusted third parties such as Gartner® or Forrester. Expert analysts at these and other research and advisory firms perform a factual review of information from technology providers to recognize solutions that demonstrate innovation.

As part of this research, Forrester included NetSPI in its External Attack Surface Management Landscape Report featuring top EASM vendors, and Gartner featured NetSPI in its EASM Competitive Landscape Report.

Gartner shared the following about NetSPI in the report:

NetSPI differentiates by combining its ASM capability with its human pentesting expertise. This is achieved via the attack surface operations team, who manually test and validate the exposures found. As a result, it reduces alert fatigue and false positives, while providing customers only the critical and high exposures relative to their organization, as well as the support on how to remediate said exposures.

2. Critical Functionality 

Depending on your business needs and use cases for choosing an ASM platform, some functionalities may be more important than others. 

In The External Attack Surface Management Landscape, Q1 2023, Forrester listed several core functionalities to look for in attack surface management platforms, including:

• External/internet-facing asset discovery 
• Asset identification 
• Asset and business relationship mapping 
• Active and passive vulnerability scanning 
• Open ports and services monitoring 
• URL and IP range tracking 
• Certificate monitoring 
• Exposure/risk prioritization 
• Custom dashboarding and reporting  

3. Screenshots and Software Demos of the Platform  

Trusted attack surface management providers have screenshots of the platform readily available so prospective customers can see what the platform and key functionalities look like firsthand.

In addition to screenshots, having the option to take an ASM platform for a test drive through a guided demo or webinar is an important step before selecting an ASM vendor. This option can enable your team to experience the platform, ask specific questions about capabilities, and better understand feature differentiators between tools.

4. Human Analysis and Guidance  

In addition to advanced functionality, human analysis and expertise is essential to take into consideration when evaluating attack surface management companies. With human analysis, the vendor’s ASM operations team manually reviews and validates findings to reduce false positive alerts and minimize disruptions to business operations as a result. The team also helps by answering any questions that come up related to findings and providing guidance for remediation. 

One challenge businesses often face is that security or IT teams need to hire a dedicated employee to manage an ASM solution on top of investing in the solution itself, which drives up costs including hiring, training, and salary. In fact, our 2023 Offensive Security Vision Report found that one of the greatest barriers to improved offensive security is a lack of resources.  

With a user-friendly ASM platform powered by human expertise, an entire team is available to triage alerts, so you don’t need to add additional responsibilities or headcount to your team.

5. Simple Onboarding  

Some attack surface management companies require time-intensive setup and onboarding, which can take several hours of your team’s time and can push back the timeline of full platform implementation by weeks.

As you consider different ASM platforms, look for one with a streamlined or automated onboarding process, on-demand training materials, a user-friendly design, easy to digest dashboards, and human support as-needed during the onboarding process. Seamless onboarding can help ensure you start off on the right foot with an ASM vendor and accelerate time to value.

Types of Attack Surface Management Vendors 

A few different types of ASM vendors are available:

Human-Based

With this type of ASM vendor, expert human pentesters conduct penetration testing and vulnerability assessments to test the external network, typically on a quarterly basis. 

Pure Technology-Driven

Technology-driven ASM solutions involve tools or scanners that review the full attack surface (aka the assets a business has on the Internet) and use scores to prioritize and remediate impactful findings.  

Hybrid

A hybrid approach involves combining both human intuition and analysis with advanced, automated technology to more effectively identify vulnerabilities and filter prioritized alerts. 

Partnering with a hybrid ASM vendor is the most impactful option because it enables verified prioritization of results to ensure only the most relevant alerts are delivered, resulting in the best ROI on your cybersecurity investment.

Questions to Ask Attack Surface Management Vendors 

To effectively evaluate an ASM solution and select the right partner that aligns with your business requirements, develop a standardized list of questions to ask each vendor before making a decision.

Questions to consider asking include: 

• Do you offer a human-based, technology-driven, or hybrid approach to attack surface management? 
• How often are tests conducted? 
• Do you offer continuous pentesting? If so, how do you approach it? 
• How broad and up-to-date is the data?  
• How soon do new assets appear and get recognized by the ASM tool? 
• Do you support exposure remediation once vulnerabilities are discovered? How? 
• Do I have access to all of my scan data if needed?  
• What does the onboarding process look like? How much time is required of my team?  
• What’s your process for managing and prioritizing alerts? 
• How will you help me understand the most critical assets or vulnerabilities on my attack surface? 
• What are the critical risk factors most likely to impact the business?  
• Who are the potential attackers threatening my business?  
• Which vulnerabilities are the most important to prioritize with remediation?  
• Which exposures are threat actors most likely to exploit? 

Partner with NetSPI for the Most Comprehensive ASM Capabilities  

The right attack surface management provider can help your organization more effectively manage your attack surfaces and quickly identify and remediate vulnerabilities.
If you’re looking for an ASM platform that includes all the criteria listed above – and more – NetSPI has you covered. We created our attack surface management platform based on three essential pillars of ASM—human expertise, always-on, continuous pentesting, and risk prioritization.

Some of the benefits of selecting NetSPI as your attack surface management provider include:  

• Simple setup and onboarding  
• Comprehensive asset discovery  
• Manual triaging of exposures  
• Prioritized alerts 

Learn more about how we can improve your offensive security together by watching a demo of our ASM platform. Also take our free attack surface management tool for a test drive and search more than 800 million public records for potential attack surface exposures.

The post 5 Criteria for Evaluating External Attack Surface Management Vendors appeared first on NetSPI.

Explain It to Me Like I’m 5 (ELI5)

If your website or application uses HTTP/2, an attacker could completely restrict access by flooding your network with an overwhelming amount of traffic.  

For additional insights, we connected with our Attack Surface Management (ASM) team to get their take on the CVE and learn more about their quick response to help security leaders with identification and remediation.

Who’s Impacted?

Anyone who uses HTTP/2 services may be impacted. According to Web Technology Surveys, the services are used by 35.6% of all websites. That’s over 400 million websites vulnerable to this CVE.

What Could Happen If Exploited

The industry is seeing large-scale DDoS attacks stemming from exploitation of HTTP/2 Rapid Reset. The goal of a DDoS attack is to overwhelm a particular business, service, or application and keep it from being accessible to legitimate access requests from the intended users/customers.  

This is extremely challenging to manage since the attacks come from compromised machines or ‘bots’ in a very distributed fashion, which makes blocking those requests using simple filtering techniques unrealistic. In other words, significant friction or inability to deliver services. We’re already seeing the exploit in action, with Google reporting that it had mitigated the largest ever DDoS attack to date.

Best Practices for Remediation

First, it is important to understand if and where you are using HTTP/2 to determine if you are affected. Mapping out a full view of the attack surface is often a challenge for teams because of attack surface sprawl and changes that can happen overnight. 

As NetSPI’s Field CISO Nabil Hannan put it, 

This is where technology like Attack Surface Management is extremely helpful because it provides continuous asset discovery and monitoring. 

The first step to take when addressing HTTP/2 Rapid Reset is to perform internal checks for HTTP/2 and all potentially vulnerable hosts or verify with your web server vendors. Patches and updates for common web servers and programming languages are available to apply now or will be coming soon.  

In the words of NetSPI’s Research Engineer Isaac Clayton,

NetSPI’s Rapid Response to HTTP/2 Rapid Reset

For NetSPI’s ASM users, our team swiftly added capabilities to the platform to detect HTTP/2 and allow our clients to get a full inventory of all potentially vulnerable hosts.   

Once a zero-day vulnerability was discovered, our Attack Surface Management team responded quickly to create automation for NetSPI’s ASM platform. This automation allowed our clients to establish an accurate inventory of their assets using HTTP/2.0 and focus their efforts on mitigation and remediation.  

Our approach involved a fast response through active collaboration between our teams. We utilized our ASM operations team, a group of security professionals who proactively address vulnerabilities and verify risks for clients, as well as our software engineers and front-end developers.  

We moved incredibly quickly to implement the solution and make it available for NetSPI’s ASM clients. This rapid response demonstrates how beneficial it is to have a full team supporting our clients and the ASM technology that helps them maintain security. One listener on our LinkedIn Live commented, “Wow!!! That’s fast given today’s response climate. From Rapid Reset to Rapid Response!” (Kudos to the ASM operations team for their fast response!) 

Get a deeper look at CVE-2023-44487 – HTTP/2 Rapid Reset by watching our LinkedIn Live with NetSPI’s Field CISO Nabil Hannan and myself, Security Research Engineer Isaac Clayton. Learn more about our ASM solution including how to use it to run the check for HTTP/2 by contacting our team.

The post NetSPI’s Analysis of HTTP/2 Rapid Reset  appeared first on NetSPI.

What is External Network Penetration Testing?  

External Network Penetration Testing provides a point-in-time test that dives deep into a defined scope. External Network Testing means an offensive security consultant is dedicated to analyzing selected assets for a specific amount of time. Think of this focused analysis for 40 hours a week for two weeks. That’s a lot of time to dig into findings!  

This amount of research typically results in a high number of results that are vetted into prioritized actions. The outcome can strain security teams because of the need to triage remediation efforts in a short period of time. External Network testing is a thorough method of evaluating vulnerabilities and reporting on whether they’re publicly exploitable. 

A limitation with External Network Testing is that it’s only focused on what’s in scope. The scope of the test is limited to the assets a client defines, and the scope of assets a client defines is limited to what a client knows is out there. If clients misunderstand their attack surface, it can lead to gaps in the scope of an External Network Penetration Test. Ensuring a strong and holistic understanding of your attack surface allows you to get more return on your investment for penetration testing. 

In addition, External Network Penetration Testing provides thorough research, but only for a specific point-in-time. Unfortunately, threat actors aren’t limited to scope or timelines like External Network Testing is, making Attack Surface Management a smart supplement to External Network Testing.

When to Use External Network Penetration Testing 

If you have proper asset mapping and a solid understanding of your attack surface, then External Network Penetration Testing is an ideal offensive security measure to test the security of your assets. 

What is Attack Surface Management?  

Attack Surface Management provides continuous discovery, inventory, testing, and prioritization of known and unknown assets and exposures on global external attack surfaces. While it doesn’t go as deep as External Network Penetration Testing, it does look at attack surfaces broadly and through a continuous lens. It provides an always-on view of high-impact, high-priority findings. 

One of the most common scenarios we face with clients is finding unknown assets. This is also one of the biggest benefits of ASM. Not only can many different assets exist on an external attack surface, but also these assets change over time, making point-in-time pentesting good, but continuous analysis better.  

First and foremost, ASM is focused on discovering what’s out there so we can bring better visibility into the entire external attack surface. Once we have that visibility and know the assets that exist, we look at exposures including vulnerabilities. ASM goes deeper by showing the products and certificates that exist on those assets, if those certificates are expiring soon, the DNS records, and the open ports on those assets. 

Typical ASM platforms result in alert overload, which is why NetSPI focuses on noise reduction with our technology. We take the results from our Attack Surface Management platform a step further by adding the human component. Our ASM operations team uses automated and manual methods to discover assets, monitor exposures, and determine the level of risk they may pose. This information is relayed to a security team for remediation, and then passed along to a pentester to validate the remediated exposure. 

When to Use Attack Surface Management 

Attack Surface Management is ideal for teams who need insight into their external attack surface and enhance the process for mapping their attack surface on a continual basis. 

Better Together: Attack Surface Management and External Network Penetration Testing  

Salt and pepper, Peanut butter and jelly, ASM and External Network Testing.  

Attack Surface Management shines with its always-on nature that regularly updates scan results with the latest changes. When we tie ASM to our External Network Testing, we’re more closely simulating the activity that attackers are taking throughout the year. ASM provides coverage in-between External Network Testing, which allows security teams to be more proactive with their approach, instead of waiting three, six or 12 months before performing a regular External Network Test. 

A common scenario in which ASM and External Network Testing benefit each other is when companies make recurring changes to their attack surfaces during the holidays. For example, many retailers will stand up new infrastructure for holiday specials. When the special ends and they take down that infrastructure, does it all get commissioned and decommissioned properly? This insight can be automated with ASM. 

The best mix of these offensive security strategies is to use ASM for constant monitoring, and then use the insights to perform an External Network Testing periodically, such as once per quarter. This strategy also has the potential to validate that security enhancements are resulting in continued improvements, which can help security leaders when it comes to resourcing modern security measures. 

The post Attack Surface Management vs. External Network Penetration Testing appeared first on NetSPI.

Teams looking to improve their offensive security efforts have many attack surface management tools to choose from, but most only provide standard asset discovery – such as the use of off-the-shelf scanners – and lack prioritization of actionable remediation efforts, resulting in alert overload. 

We asked our team of attack surface management experts for their thoughts on which features security leaders should look for in ASM platforms to ensure they’re getting the best value and highest level of protection. The most effective attack surface management tools go beyond asset discovery by adding expert human analysis to prioritize alerts and remediation.

6 Must-Have Features in an Attack Surface Management Platform 

As you weigh the pros and cons of various attack surface management platforms and tools, consider the following must-have features. 

1. Ability to Comprehensively Discover the Unknown  

Many attack surface management tools may only have the capabilities to discover known assets, such as IP addresses, domains, software, and other assets that the security team actively manages. However, finding and securing both known and unknown internet-facing assets  is an essential capability for attack surface management tools.  

Unknown assets may include those that lack awareness from the IT security team, unauthorized and unmanaged assets. There are a variety of causes for these gaps in known assets including shadow IT, misconfigurations, failed decommissions, and more. These gaps ultimately result in ineffective scan coverage and scopes for pentests, thus leaving your attack surface unmonitored and presenting a risk to your organization. 

When you leverage an attack surface management platform like NetSPI, ASM engagements start with a list of known domains and IPs. Next, the search expands to related entities to uncover all assets tied to a company – including unknown assets. The Dynamic FAQs feature in NetSPI’s attack surface management platform shows how many IPs were initially provided, compared to how many public-facing assets were found.  

2. Inclusion of Human Analysis to Prioritize Alerts  

Our 2023 Offensive Security Vision Report showed that a lack of resources and prioritization are two of the top barriers to greater offensive security. Helping security teams with data-driven prioritization of remediation efforts eases the burden of decision-making. 

Expert human analysis delivers the strongest cybersecurity results because pentesters provide context into alerts, which results in only alerting on high-impact vulnerabilities. Attack surface management tools that incorporate human analysis can leverage the team’s expertise to vet vulnerabilities before they’re added as alerts. 

Manual pentesters review every exposure to contextualize it and determine whether they’re exploitable. This helps eliminate alert fatigue, drastically reduces the amount of work teams need to do, and enables teams to focus on meaningful remediation efforts.  

As an example of this approach in practice, NetSPI addresses this with a Signal Dashboard to distill signal from noise. This dashboard highlights all the activities of the ASM Operations Team, so clients can understand what’s happening behind the scenes even if they haven’t been alerted to new vulnerabilities in a while.

3. Ability to Track Attack Surface Changes Over Time 

A key benefit of attack surface management is discovering attack surfaces that were previously unknown. A traditional approach to tracking attack surfaces has been manually tracking externally facing assets. However, because attack surfaces and threats can evolve and expand overnight, this approach isn’t enough to track changes and secure new attack surfaces that emerge throughout the year. 

Rather than only performing annual pentesting, relying on a combination of external network penetration testing and comprehensive, continuous attack surface management enables organizations to track expanding attack surfaces and find vulnerabilities as they arise. 

With the right attack surface management platform, once the initial report is complete and critical vulnerabilities have been addressed, the attack surface management platform performs regular evaluations of a company’s entire attack surface on an ongoing basis.  

This inventories new attack surfaces as they arise and shows all data in one user-friendly platform. 

4. Expertise to Develop New Features In-House Based on Customer Priorities 

As cyber threats evolve and persist, security solutions also need to adapt to protect against the latest attacks and align with customers’ business needs. Working with customers is a two-way street for ASM vendors to advance technology capabilities.

The best attack surface management platform provider will listen to customers to help drive feature development and platform enhancements. Based on input from customers, a team of software engineers has the capability to update and build new features in-house.

When you work with NetSPI, you get incredible value through our technology and expert team, but one of the greatest benefits is that we are continually improving our platform to add more value every time you log in. Interested in learning more about our latest updates? Read our release notes.

5. A Clean, Easy-to-Use UX 

As is the case with any product, software, or platform, attack surface management end users won’t settle for poor user experience (UX) or a clunky product with too many clicks to get to a destination. User-friendly design, easy to digest dashboards, and training materials at the ready are essential for the best attack surface management tools. Some platforms even have dark mode to meet anyone’s preferences.   

6. Capabilities Beyond ASM into Related Market Categories 

Features and capabilities that go beyond attack surface management and into related market categories are beneficial for organizations to continue evolving and advancing their offensive security strategies.  

Additional capabilities to look for in an attack surface management platform include but aren’t limited to:  

• Breach and Attack Simulation 
• Penetration Testing as a Service 
• Application Security Testing 

Partnering with a vendor like NetSPI that offers services such as these can help ensure you’re backed with the right mix of offensive security methods for your business.

Access the Most Important Attack Surface Management Features with NetSPI   

Asset discovery with attack surface management is table stakes and the right vendors go far beyond this approach to provide the best possible offensive security solutions.

NetSPI’s attack surface management platform and solutions include human analysis to prioritize alerts, the ability to discover the unknown and track attack surfaces changes over time, capabilities to develop new features in-house, a user-friendly experience, and additional security services that go beyond ASM. 

Want to hear about ASM from a third party? Gartner® provides recommendations on vendor capabilities in the report, Competitive Landscape: External Attack Surface Management. Take a look and then try our free Attack Surface Management Tool to search more than 800 million public records for potential attack surface exposures. 

The post How to Select the Best Attack Surface Management Platform  appeared first on NetSPI.

Attack surface management (ASM) results in attack surface reduction because it identifies unknown or vulnerable parts of an attack surface allowing security teams to address these risks. Attack surface reduction, when aligned with business needs, decreases opportunities for threat actors to find and exploit an unmanaged or weak asset while enabling the business to grow securely. 

Gain a Shared Understanding of Assets versus Exposures 

According to Forrester, attack surface management is defined as, “the process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity’s IT asset estate.” Recognizing the difference between assets and exposures is an important part of ASM security.

Assets include IP addresses, domains, ASNs, and cloud accounts. When assets are unmanaged or unknown, they are a more susceptible target and at a higher risk for vulnerabilities.  

Exposures are risks that exist on assets and can also pose a cybersecurity risk for organizations. Exposures include open ports, SSL certificates, and vulnerabilities. 

The Difference Between Known versus Unknown Assets  

As businesses grow and adapt to change, their attack surface grows as well. Without proper asset tracking, this can increase the number of unknown external assets. 

Understanding the difference between known versus unknown assets, also sometimes referred to as managed versus unmanaged assets, can improve attack surface reduction. Known assets include IP addresses, domains, cloud accounts, ASNs, and other assets that the IT security team is aware of and actively manages. 

On the other hand, unknown assets include those that are unauthorized or unmanaged by the IT department, and thus can pose a significant risk to the business. Some challenges related to unknown assets include:  

1. Shadow IT: Access to or use of technology, hardware, or software that is outside an organization’s security governance processes and unknown by the IT department—known as shadow IT—can lead to vulnerabilities and exposures. Examples of shadow IT include sharing work files to personal drives, email addresses, or cloud storage accounts.  
2. Misconfigurations: Security teams are unable to accurately detect misconfigurations and other weaknesses present in unknown assets, which increases the risk of breaches and other attacks.  
3. Ineffective scan coverage: When assets are unknown, organizations can’t effectively prioritize scan results to detect and remediate vulnerabilities.  

3 Tactics to Support Attack Surface Reduction with ASM Security 

1. Prioritize attack surface mapping  

Attack surface mapping is part of any strong ASM security strategy and refers to identifying all assets and the total scope of an organization’s attack surface, as well as potential exposures, and a plan to prioritize and remediate risks. Mapping involves continuous attack surface discovery, which inventories all existing attack surfaces including both known and unknown assets.

With a full understanding of the total attack surface scope, an organization can perform an attack surface assessment, which scans known business domains and IP addresses to identify threats and vulnerabilities. The key to effective attack surface assessments is pairing data analysis with expert human evaluation to ensure alerts are prioritized based on the overall risk to an organization.  

2. Continuously manage attack surfaces 

With traditional approaches to cybersecurity, many organizations complete manual penetration testing once or a few times a year to keep up with compliance regulations. However, new external assets can come into ownership overnight, and threat actors are increasingly sophisticated in their methods of attack, meaning an annual pentest, while valuable, isn’t enough to protect against emerging threats.  

Instead, ASM security that includes continuous monitoring and evaluation keeps attack surface sprawl in check and helps organizations avoid giving adversaries the opportunity to find new attack surfaces and risky exposures. Assessing and managing your attack surface, including new cloud assets, on a consistent basis using a combination of external network penetration testing and an attack surface management platform, can help your team stay ahead of the latest threats. 

3. Deactivate unused assets or attack surfaces 

Unused assets unnecessarily expand attack surface sprawl, increasing the number of assets that can fall victim to vulnerabilities. Examples of unused assets may include infrastructure that was scheduled for decommission but never was decommissions, untracked asset remnants from mergers and acquisitions, and assets that are no longer actively used for example.

To achieve attack surface reduction, partner closely with a cybersecurity team or attack surface management vendor to evaluate assets or attack surfaces that can be deactivated.  

Improve ASM Security with NetSPI’s Free Attack Surface Management Tool  

Comprehensive ASM security can help your business identify and manage attack surfaces to improve attack surface reduction. To ensure your ASM security is as effective as possible, leverage an attack surface management platform like NetSPI, which pairs human expertise with advanced software and data analysis. This helps your business prioritize the results of attack surface management analysis for the highest level of protection and best ROI on cybersecurity investments. 

Test drive NetSPI’s free attack surface management tool to detect and protect both known and unknown assets. After all, you can’t manage assets you don’t know about. Test NetSPI’s ASM tool for free!  

The post Discover the Unknown with ASM Security for Attack Surface Reduction appeared first on NetSPI.

While attack surface management (ASM) doesn’t replace pentesting, a combination of external network penetration testing and ASM can help organizations enable continuous attack surface testing and more effectively focus cybersecurity resources on the most valuable remediation efforts.

What is Exposure Management?

From a broad perspective, exposure management is the practice of identifying and analyzing possible exposures and taking steps to minimize the impact of associated risks. While the term exposure management is used broadly in other industries, for the purpose of this article, we’re focusing on exposure management from a cybersecurity lens — also referred to as threat exposure management (TEM) or continuous threat exposure management (CTEM).   

Exposure management in cybersecurity involves seeing the complete, accurate picture of an organization’s attack surface and being prepared to make the right decisions to prioritize remediation and effectively reduce overall cyber risk. The full attack surface includes all points of entry and external-facing assets that a cybercriminal could exploit to gain access to your company data—such as hardware, software, web applications, certificates, unsecured APIs, cloud assets, and much more. 

The Growing Need for Exposure Management 

Attack surfaces continue to expand in today’s connected environment, even overnight. The broader the scope of an attack surface and an organization’s digital footprint, the higher the risk of external assets facing vulnerabilities and exposures.  

Another challenge with exposure management is that organizations often have unknown attack surfaces or assets. As highlighted by Forrester in its report, The External Attack Surface Management Landscape, Q1 2023, “You can’t secure what you can’t see.”

With a proactive approach to exposure management and the right attack surface management tools, organizations can identify previously unknown assets and attack vectors—before attackers do—to avoid exposures.

Top reasons exposure management is important include:  

1. Attack surface sprawl is increasing
2. Unknown assets pose greater risks
3. Threat actors are becoming more sophisticated  

Why Companies are Prioritizing Continuous Attack Surface Testing 

As both known and unknown attack surfaces expand, companies are increasingly using attack surface management tools to bridge the gap between vulnerability management solutions and manual penetration testing.

Traditionally, a common approach has been for organizations to perform penetration testing annually or a few times a year to meet compliance regulations. Following standard pentesting, at times little to no action is taken on the findings for months because security teams lack research-backed prioritization of which vulnerabilities to fix first. This trend is backed with research in NetSPI’s Offensive Security Vision Report, which concluded a lack of resources, aka people, is the number one barrier to timely and effective remediation. 

Attack surfaces and threats can expand and change overnight. Completing only one pentest per year isn’t enough to secure your attack surfaces and protect against new exposures that emerge over the course of a year.  

Instead of relying on periodic pentesting, leverage a combination of external network penetration testing and attack surface management tools to enable continuous, always-on pentesting. Keep pace with expanding attack surfaces and find vulnerabilities as they arise. As a result, organizations are better prepared to prioritize and focus their cybersecurity efforts.

How Continuous Attack Surface Testing Works 

Here’s a step-by-step overview of NetSPI’s process: 

1. NetSPI’s attack surface management platform identifies known and unknown assets to provide visibility of attack surfaces. 
2. Our human pentesters combined with our advanced scanning capabilities triage and prioritize exposures. 
3. For each vulnerability, our ASM operations team provides descriptions, remediation steps and verification steps. 
4. This prioritization reduces the number of false positives reported and creates actionable results for your security team. 

How to Achieve Always-On Security with Continuous Pentesting  

An always-on approach to pentesting is the gold standard for cybersecurity today. Attack surface management doesn’t replace external network penetration testing, but rather pairing the two together works in harmony to enable continuous coverage. This helps organizations achieve higher levels of security in today’s evolving threat landscape.  

As an added benefit, from an operational standpoint, this approach also helps organizations with vendor consolidation. Providers such as NetSPI offer both attack surface management tools and external network penetration testing in-house. Businesses that partner with NetSPI have access to an expert team of manual pentesters who complete more than 250,000 hours of pentesting each year. 

Enable Continuous Attack Surface Testing with NetSPI 

Rather than replacing pentesting, attack surface management paired with manual external penetration testing is an advanced method for continuous attack surface testing. We created our attack surface management platform based on three key pillars of ASM—human expertise, always-on, continuous pentesting, and risk prioritization.  

Leverage NetSPI’s attack surface management tool for expert human analysis to prioritize the most important exposures, bring alignment between security and IT teams, and focus vulnerability remediation efforts to create a better overall security posture. Try NetSPI’s ASM tool for free!

The post Harnessing Exposure Management with Continuous Attack Surface Testing  appeared first on NetSPI.

According to research from Enterprise Strategy Group (ESG), more than half of businesses surveyed (52 percent) say that security operations are more difficult today than they were two years ago. The top reasons respondents indicated for increased challenges include an evolving threat landscape and a changing attack surface.  

Given the sophistication of threats today, a comprehensive attack surface management strategy can help proactively identify gaps and vulnerabilities while strengthening security controls.  

Let’s start by breaking down what an attack surface is. 

What is an Attack Surface? 

An attack surface is an accumulation of all the different points of entry on the internet that a threat actor could exploit to access your external-facing assets, such as hardware, software, and cloud assets. 

An enterprise attack surface may include digital attack surfaces, such as:  

1. Application attack surface 
2. Internet of Things (IoT) attack surface 
3. Kubernetes attack surface 
4. Network attack surface 
5. Software attack surface 
6. Cloud attack surface 

Other types of enterprise attack surfaces include human attack surfaces and physical attack surfaces. 
 
In our connected environment, a company’s total number of attack surfaces and overall digital footprint continues to expand, which puts external-facing assets at risk for exposures and vulnerabilities. 
 
Cloud storage adoption and hybrid work environments that rely on cloud solutions are some of the top reasons for expanded attack surfaces. Another factor is that an uptick in mergers and acquisitions can lead to acquiring assets that may be unknown, resulting in unmanaged attack surfaces. 

How Are Attack Vectors and Attack Surfaces Related?  

Attack vectors and attack surfaces are related because attack surfaces comprise all of the attack vectors, which include any method a threat actor can use to gain unauthorized access to an environment. Examples of attack vectors include ransomware, malware, phishing, internal threats, misconfiguration, and compromised credentials, among many others – vectors can also exist as a combination of these examples listed.  

As attack vectors become more complex, security teams need to identify and implement new, more effective solutions to secure attack surfaces and stay ahead of sophisticated threat actors.  

Monitoring and protecting against evolving attack vectors becomes more critical as an attack surface grows. For the purpose of this article, we’re focusing on how to effectively manage external attack surfaces since this is a common challenge many businesses face. The external attack surface remains a priority for remediation because it presents a higher risk due to its exposure to the internet. 

What is Attack Surface Management? 

Many businesses struggle to keep up with their ever-evolving attack surface. The good news is that ASM vendors equip internal teams with data-driven decisions to methodically tackle remediation efforts. 
 
Attack surface management provides continuous observability and risk assessment of your organization’s entire attack surface. When coupled effectively with continuous penetration testing, attack surface management helps companies improve their attack surface visibility, asset inventory, and understanding of their critical exposures. 

More specifically, external attack surface management (EASM) is the process of identifying and managing your organization’s attack surface, specifically from the outside-in view. The goal is to identify external assets that attackers could potentially leverage and discover exposures before malicious actors do.

Attack Surface Management Use-Cases 

Through the attack surface, adversaries can exploit exposures to identify vulnerabilities that will give them access to your organization. If threat actors are successful, then outcomes will vary depending on the attack surface and other factors—but they will undoubtedly be negative.  

Common outcomes include: 

1. Deployment of malware on your network for the purposes of ransomware, or worse, killware. 
2. Extraction of employee data such as social security numbers, healthcare data, and personal contact information. 

Effective asset management and change control processes are challenging, and even the most well-intentioned companies often see this as an area for improvement. The right attack surface management solution should include a combination of three core pillars: human expertise, continuous penetration testing, and prioritized exposures based on risk. 
 
Common reasons to invest in attack surface management include: 

1. Continuous observability and risk management 
2. Identification of external gaps in visibility 
3. Discovery of known and unknown assets and Shadow IT 
4. Risk-based vulnerability prioritization 
5. Assessment of M&A and subsidiary risk 

Manage Growing Attack Surfaces with NetSPI 

NetSPI’s Attack Surface Management (ASM) platform helps security teams quickly discover and address vulnerabilities across growing attack surfaces before adversaries do.   
 
Four of the top five leading global cloud providers trust NetSPI for continuous threat and exposure management, leveraging our team, technology, and comprehensive methodology to detect known, unknown, and potentially vulnerable public-facing assets. 

Learn more about NetSPI’s attack surface management solutions or request a demo. Also check out our free Attack Surface Management Tool to search more than 800 million public records for potential attack surface exposures. 

The post Protect Your Growing Attack Surface in a Modern Environment appeared first on NetSPI.

We recently had the pleasure of interviewing our guest Erik Nost, Senior Analyst at Forrester, during a webinar that explored external attack surface management in detail. Learn the key takeaways from the webinar and what to look for if you’re in the process of evaluating EASM vendors.   

How EASM complements external penetration testing 

Penetration testing is a mature cybersecurity solution and is more widely known than EASM today. However, many organizations still largely use penetration tests for compliance, essentially checking boxes because they have to. 

Threat actors thrive on this mentality.  

When penetration testing is approached with a compliance-first mindset for regulatory bodies and organization standards, tests are only completed a few times per year or less. Often no action is taken on the findings for months because of building the context and prioritizing which vulnerabilities need to be fixed first. 

On the other hand, organizations that are strategic about looking at penetration tests, red teams, and other control validation exercises to formally piece together a remediation puzzle achieve a stronger end state of security. EASM solutions help security teams keep pace with the rate of change in organizations today by offering continuous coverage of attack surfaces to find vulnerabilities as they arise. 

Pentesting is a priority that’s complemented by EASM with continuous discovery and prioritization of known and unknown assets and exposures. 

Evaluating EASM vendors to make continuous pentesting a reality 

The responsibility of EASM often falls under security operations groups and vulnerability management teams rather than having team members solely responsible for EASM, such as an attack surface management analyst.   

These teams often have years of experience inventorying assets and identifying vulnerabilities, so they have a strong use case and the right experience to bring in an attack surface management solution. Vulnerability risk management (VRM) analysts, managers, and directors are the people who use ASM the most.  

Red teams and penetration testing teams are other groups involved in selecting and partnering with ASM vendors and can help develop plans to more rapidly discover assets to test and validate for any weaknesses or controls. If an organization has a threat intelligence team, an ASM vendor can also help build different types of threat modeling that they might want to look at to determine where the most risky exposures could be.

When evaluating and selecting an external attack surface management provider, organizations need to understand what the vendor brings to the table, including how they’re prioritizing risk and whether the approach matches their specific prioritization and remediation strategy. It’s also important to talk to potential ASM providers about how they can help supportcompliance and best practice frameworks. 

Looking ahead in EASM security 

The external attack surface management market has experienced a lot of mergers and acquisitions in recent years, with larger platforms that don’t have their own solutions buying up EASM providers. EASM may follow a similar path to vulnerability risk management (VRM), which has become a feature or solution as part of a larger platform offerings.  

Some standalone external attack surface management vendors may remain, but they will likely also include complementary features and capabilities to improve how organizations identify and protect against cyber threats. For the most part, as we see increased convergence of ASM, VRM, cloud security posture management (CSPM), continuous threat exposure management (CTEM), and other security solutions, EASM is likely to be one component in broader platform offerings in coming years.  

NetSPI’s approach to EASM 

Taking the time to evaluate and select an external attack surface management vendor is critical to finding a solution provider that aligns with your goals and brings proven experience. External attack surface management is gaining adoption because of its complementary role to pentesting. Think of EASM as continuous, always-on penetration testing with the ability to discover assets and monitor them at scale for real-time exposure alerts. All of this information is presented in prioritized order within a centralized EASM platform.  

Global organizations trust NetSPI’s Attack Surface Management (ASM) solution to monitor their external attack surfaces. Through a combination of our powerful ASM platform, global penetration testing experts, 20+ years of pentesting expertise, and comprehensive methodology, we can help your organization discover and address vulnerabilities before adversaries do.  

Learn more about NetSPI’s attack surface management solutions or request a demo.  

For more insights on external attack surface management, watch the full on-demand external attack surface management webinar with featured guest Forrester analyst Erik Nost.

The post The Ins and Outs of External Attack Surface Management: What You Need to Know appeared first on NetSPI.