How to DIY an Attack Surface Management Solution

Recently, major companies such as the Industrial and Commercial Bank of China, Boeing and DP World have suffered ransomware attacks traced to high-risk vulnerabilities or misconfigurations in internet-exposed assets that were not fixed in time, underlining the importance of Attack Surface Management (ASM).

According to Sevco's "2023 Enterprise Attack Surface Survey Report", 11% of enterprise IT assets lack endpoint protection, 15% are not covered by the enterprise patch management solution, and 31% are not covered by the enterprise vulnerability management system. The picture is worse for small and medium-sized enterprises (SMEs): among SMEs that do not use managed security services, 21% of IT assets lack endpoint protection.

Attack surface management is key to proactive defense, but for most enterprises (especially SMEs) the growth, migration and churn of assets that come with digitalization and cloud adoption make attack surface visibility increasingly hard to maintain. Compounding the problem, many enterprise security teams lack the staff and budget to run a mature commercial attack surface management solution.

To help resource-constrained enterprises improve their attack surface management, this article introduces tools and methods for a "DIY" attack surface management solution.

How Do You Patch and Harden Assets You Don't Know About?

Today the scope of enterprise assets keeps expanding, beyond the organization's own operations into cloud and third-party managed facilities. Counted in domain names, subdomains and IP address ranges, the assets of an enterprise can easily run to thousands, tens of thousands or even millions of entries.

Temporary misconfigurations or exposures can appear at any time; they may be fixed quickly, but catching them while they exist is hard. Attack surface management tooling therefore needs to scale and run fast, accepting some loss of accuracy in exchange for a shorter time to locate assets and detect transient risks. For an attack surface of millions of assets, slow traditional scanning is simply outdated.

Attack surface management can be viewed as a recursive discovery exercise: each new finding (a subdomain, an IP range, a CNAME pointing into another domain the organization owns) becomes input for the next round of discovery. Typically only an initial domain name, the "seed" data point, is needed to start.

Many of the data sources used for asset discovery (certificate transparency logs, for example) can be consulted completely passively, without ever touching the target organization's infrastructure.

When performing basic asset discovery, the enterprise security team should first answer a few initial questions:

How does an external attacker see my enterprise? This includes context such as historical acquisitions, the industry vertical and notable past events, as well as:

  • How many domain names does my enterprise control?

  • How many subdomains does my enterprise have?

  • How many network segments does my enterprise have?

  • Which cloud providers are the assets distributed across?

  • Of the discovered assets, how many have active DNS records?

  • Of the discovered assets, how many have open ports or reachable services?

  • How many of these assets are registered in the asset inventory?

Security teams can obtain information about the enterprise's attack surface through countless avenues, which means an enterprise can build the attack surface management use case entirely on its own.
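As an added example (not code from the original article), here is the recursive loop described above, run offline against constructed lookup tables that stand in for a passive subdomain source and a DNS resolver. The domain names, addresses, the "known organization domains" list and the asset inventory are all made up, and the `registered_domain` helper is a simplification that real code should replace with a public-suffix-aware library. The loop follows a CNAME into a domain the organization owns (and seeds that domain too), but only records a dependency when the CNAME leaves the organization.

```python
"""Recursive attack-surface discovery from a single seed domain (added example).

The two lookup functions stand in for real tooling: passive_subdomains() for a
passive source such as certificate-transparency search (what subfinder does) and
resolve() for a DNS resolver (what dnsx does). Replace them with calls to the
real tools; the loop itself stays the same.
"""
from collections import deque

# --- Constructed sample data (not real organisations or addresses) ----------
CT_LOG = {  # domain -> subdomains seen in certificate transparency logs
    "example.com": ["www.example.com", "vpn.example.com", "old-shop.example.com",
                    "mail.example.com", "static.example.com"],
    "acquired-co.com": ["app.acquired-co.com", "ci.acquired-co.com"],
}
DNS = {  # host -> (record type, value); hosts missing here have no record
    "www.example.com": ("A", "203.0.113.10"),
    "vpn.example.com": ("A", "203.0.113.20"),
    "mail.example.com": ("A", "198.51.100.5"),
    "old-shop.example.com": ("CNAME", "shop.acquired-co.com"),  # pivot to an acquired company
    "static.example.com": ("CNAME", "d111.cloudfront.net"),    # third-party hosting
    "shop.acquired-co.com": ("A", "198.51.100.80"),
    "app.acquired-co.com": ("A", "198.51.100.81"),
}
# Domains the organisation is known to own (from acquisition history etc.).
ORG_DOMAINS = {"example.com", "acquired-co.com"}
# What the asset inventory currently lists.
INVENTORY = {"www.example.com", "vpn.example.com", "mail.example.com"}


def passive_subdomains(domain):
    return CT_LOG.get(domain, [])


def resolve(host):
    return DNS.get(host)


def registered_domain(host):
    # Simplification: last two labels. Use a public-suffix list in real code
    # ("foo.co.uk" would otherwise collapse to "co.uk").
    return ".".join(host.split(".")[-2:])


def discover(seed, org_domains):
    """Expand from `seed` until no new domain or host appears."""
    domain_queue, host_queue = deque([seed]), deque()
    domains, hosts, third_party = set(), {}, {}
    while domain_queue or host_queue:
        while domain_queue:                       # new domains -> passive subdomain lookup
            domain = domain_queue.popleft()
            if domain in domains:
                continue
            domains.add(domain)
            host_queue.extend(passive_subdomains(domain))
        while host_queue:                         # new hosts -> DNS resolution
            host = host_queue.popleft()
            if host in hosts:
                continue
            record = resolve(host)
            hosts[host] = record                  # None = no active record
            if record and record[0] == "CNAME":
                target = record[1]
                if registered_domain(target) in org_domains:
                    host_queue.append(target)     # follow the alias ...
                    domain_queue.append(registered_domain(target))  # ... and seed its domain
                else:
                    third_party[host] = target    # outside the org: note the dependency, stop
    return {"domains": domains, "hosts": hosts, "third_party": third_party}


def summarize(result, inventory):
    """Answer the inventory questions from the text."""
    hosts = result["hosts"]
    active = {h for h, r in hosts.items() if r is not None}
    return {
        "domains": len(result["domains"]),
        "subdomains": len(hosts),
        "active_dns": len(active),
        "no_dns_record": sorted(h for h in hosts if hosts[h] is None),
        "third_party": dict(result["third_party"]),
        "not_in_inventory": sorted(active - inventory),
    }


if __name__ == "__main__":
    for key, value in summarize(discover("example.com", ORG_DOMAINS), INVENTORY).items():
        print(f"{key:17} {value}")
```

On the sample data the loop finds the second domain only because one CNAME crosses into it; the four active hosts missing from the inventory are the blind spots the text talks about, and the CNAME to a CDN answers the "which cloud providers" question without ever touching the target.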

How to DIY Attack Surface Management Solutions with Open Source Tools

Attack surface management has grown rapidly from a "niche" cybersecurity market into a "must-have" component of most enterprise security strategies. The surge in attention has driven innovation in attack surface identification methods and technologies, and alongside commercial SaaS platforms and third-party professional services, a wealth of open-source toolkits has been developed.

With open-source command-line tools, an enterprise can quickly get a comprehensive picture of its attack surface; the same tools can be chained into simple, repeatable and scalable workflows that flag changes in the asset boundary.

Even without support from a commercial attack surface management vendor, enterprises can use open-source tools to build these workflows, which support many security use cases and often match or surpass some paid tools in effectiveness.

Here are some security use cases that enterprises can easily create using popular open-source tools:

  • Discover Subdomains Associated with the Enterprise's Main Domain: open-source tools such as subfinder from Project Discovery gather data from many passive sources (e.g., certificate transparency logs) to identify historical and current subdomains of the domain.

  • Identify All Assets of the Enterprise through Active DNS Records: with open-source tools such as dnsx from Project Discovery or zdns from the ZMap Project, enterprises can see which assets currently have DNS records across the various query types. Identifying assets through current A/AAAA/CNAME records in particular helps prioritize which assets deserve further review and enrichment; CNAME targets also reveal dependencies on cloud and other third-party providers.

  • Identify All Active Web Applications of the Enterprise: open-source tools such as httpx from Project Discovery or zgrab2 from the ZMap Project identify web applications and fingerprint their web servers and frameworks. Writing the results to easily readable CSV/JSON files containing common fingerprint data (e.g., HTTP server, HTTP headers, favicon hashes) and storing the web application responses makes it easy to find which assets are likely affected when a new vulnerability is disclosed.

  • Identify Common File Leaks and Misconfigurations: with open-source tools such as nuclei from Project Discovery, enterprises can quickly check whether their public-facing web applications exhibit common misconfigurations or expose high-risk files (e.g., configuration files). Review the templates you run against your acceptable level of risk: some templates are intrusive, may leave traces on the target and can disrupt production services.
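The following added example (not code from the original article or from Project Discovery) shows the glue a team ends up writing around the chain above: it parses JSON-lines output of the kind `httpx -json` produces, writes the readable CSV suggested in the third bullet, and answers "which of our hosts are likely affected?" by web server banner, technology tag, version or favicon hash. The four sample records, their hashes and versions are constructed; the field names and the producer command in the header are assumptions to check against your installed versions, and the "fixed in 2.4.99" used below is a hypothetical advisory, not a real one.

```python
"""Triage of httpx output for vulnerability response (added example).

Assumed producer (check the flags against your versions of the tools):
  subfinder -d example.com -silent | dnsx -silent | httpx -silent -json -tech-detect -favicon > httpx.jsonl
Field names below follow recent `httpx -json` output; verify against your version.
"""
import csv
import io
import json

# Constructed sample of four JSON lines (hosts, hashes and versions are made up).
SAMPLE_HTTPX = """\
{"url":"https://www.example.com","host":"203.0.113.10","status_code":200,"title":"Example Corp","webserver":"nginx/1.18.0","tech":["Nginx:1.18.0","React"],"favicon":"-1245675091"}
{"url":"https://old-shop.example.com","host":"198.51.100.80","status_code":200,"title":"Shop","webserver":"Apache/2.4.41","tech":["Apache HTTP Server:2.4.41","PHP:7.4.3","WordPress"],"favicon":"1336125212"}
{"url":"https://vpn.example.com","host":"203.0.113.20","status_code":403,"title":"VPN Portal","webserver":"","tech":[],"favicon":"-1245675091"}
{"url":"http://app.acquired-co.com:8080","host":"198.51.100.81","status_code":200,"title":"Dashboard","webserver":"Jetty(9.4.z-SNAPSHOT)","tech":["Jenkins","Jetty"],"favicon":"99887766"}
"""

COLUMNS = ["url", "ip", "status", "title", "webserver", "tech", "favicon"]


def parse_httpx(text):
    """One dict per line; missing fields get defaults so later filters never KeyError."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        records.append({
            "url": r.get("url", ""),
            "ip": r.get("host", ""),
            "status": r.get("status_code"),
            "title": r.get("title", ""),
            "webserver": r.get("webserver", ""),
            "tech": r.get("tech") or [],
            "favicon": str(r.get("favicon", "")),
        })
    return records


def to_csv(records):
    """The 'easily readable CSV' from the text; tech tags joined with ';'."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(COLUMNS)
    for r in records:
        w.writerow([r["url"], r["ip"], r["status"], r["title"], r["webserver"],
                    ";".join(r["tech"]), r["favicon"]])
    return buf.getvalue()


def find_affected(records, tech_prefix=None, webserver_prefix=None, favicon=None):
    """URLs matching ANY given criterion: case-insensitive prefix for text,
    exact match for the favicon hash. Use when an advisory names a product."""
    hits = []
    for r in records:
        if ((tech_prefix and any(t.lower().startswith(tech_prefix.lower()) for t in r["tech"]))
                or (webserver_prefix and r["webserver"].lower().startswith(webserver_prefix.lower()))
                or (favicon and r["favicon"] == favicon)):
            hits.append(r["url"])
    return hits


def parse_version(text):
    """'2.4.41' -> (2, 4, 41); stops at the first label without digits."""
    parts = []
    for label in text.split("."):
        digits = "".join(ch for ch in label if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def find_outdated(records, product, fixed_in):
    """URLs whose 'Product:version' tech tag is below `fixed_in`.
    Banner versions can lie (distro backports, hidden versions), so treat the
    result as a prioritisation list, not as confirmation of a vulnerability."""
    fixed = parse_version(fixed_in)
    hits = []
    for r in records:
        for tag in r["tech"]:
            name, _, version = tag.partition(":")
            if name.lower() == product.lower() and version and parse_version(version) < fixed:
                hits.append(r["url"])
                break
    return hits


if __name__ == "__main__":
    recs = parse_httpx(SAMPLE_HTTPX)
    print(to_csv(recs))
    print("WordPress hosts:", find_affected(recs, tech_prefix="wordpress"))
    print("Apache below hypothetical fix 2.4.99:", find_outdated(recs, "Apache HTTP Server", "2.4.99"))
    print("Sharing one favicon:", find_affected(recs, favicon="-1245675091"))
```

The favicon query is the useful one when a product hides its banner: two hosts sharing a hash are almost certainly the same software, which is how the 403-only VPN portal gets grouped with the site it shares an icon with. Re-run the chain on a schedule, keep each day's JSON, and diffing two days' CSVs gives the "changes in the asset boundary" the text mentions.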

The above use cases may not be the most comprehensive or effective way to identify every type of asset, but they are enough to give an enterprise an initial repeatable mechanism for discovering blind spots in its asset boundary and identifying areas for improvement.

Finally, many enterprises keep important assets on third-party websites and code hosting platforms (e.g., GitHub), where sensitive information can be exposed inadvertently. If secret scanners do not detect and flag such information promptly, credentials and sensitive data can stay exposed for a long time.

Enterprises can use open-source tools built on the GitHub Events API to monitor public GitHub commits attributable to their main domain (for example, by the commit author's e-mail domain) in near real time, allowing them to stay one step ahead. This is not a complete method for detecting leaks of corporate secrets, but combined with pre-commit hooks that scan for secrets and a broader security strategy, it significantly reduces the time to remediate a leak and improves overall security posture.
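As an added example (not the original article's code nor that of any particular open-source project), a minimal monitor of the kind described: a pure filter that picks PushEvent commits whose author e-mail belongs to the corporate domain, plus a polling function against https://api.github.com/events that honours the ETag and X-Poll-Interval headers GitHub documents for that endpoint. The event page below is constructed; the `monitor` loop needs network access, and the token is optional (it only raises the rate limit).

```python
"""Watch public GitHub activity for commits by corporate e-mail (added example).

commits_from_org() is pure and works offline; poll_once() and monitor() talk
to https://api.github.com/events and honour the ETag / X-Poll-Interval headers
GitHub documents for that endpoint.
"""
import json
import time
import urllib.error
import urllib.request

EVENTS_URL = "https://api.github.com/events"

# Constructed sample page of events (repositories, SHAs and people are made up).
SAMPLE_EVENTS = [
    {"type": "PushEvent", "repo": {"name": "someone/dotfiles"},
     "payload": {"commits": [
         {"sha": "0123abcd", "author": {"name": "dev", "email": "dev@example.com"},
          "message": "add cloud credentials for testing"}]}},
    {"type": "WatchEvent", "repo": {"name": "x/y"}, "payload": {"action": "started"}},
    {"type": "PushEvent", "repo": {"name": "other/repo"},
     "payload": {"commits": [
         {"sha": "ffff0000", "author": {"name": "bob", "email": "bob@notexample.com"},
          "message": "fix typo"}]}},
]


def commits_from_org(events, org_domain):
    """Commits in PushEvents whose author e-mail is @org_domain. The '@' keeps
    'bob@notexample.com' from matching 'example.com'."""
    suffix = "@" + org_domain.lower()
    hits = []
    for event in events:
        if event.get("type") != "PushEvent":
            continue
        repo = event.get("repo", {}).get("name", "")
        # GitHub includes at most 20 commits per PushEvent payload; larger
        # pushes need a follow-up query of the repository itself.
        for commit in event.get("payload", {}).get("commits", []):
            email = (commit.get("author") or {}).get("email", "").lower()
            if email.endswith(suffix):
                hits.append({"repo": repo, "sha": commit.get("sha", ""),
                             "email": email, "message": commit.get("message", "")})
    return hits


def poll_once(etag=None, token=None):
    """One request to the events feed. Returns (events, new_etag, poll_interval).
    A 304 means nothing changed since `etag`; GitHub does not count it against
    the rate limit."""
    req = urllib.request.Request(EVENTS_URL, headers={
        "Accept": "application/vnd.github+json", "User-Agent": "asm-github-monitor"})
    if etag:
        req.add_header("If-None-Match", etag)
    if token:  # optional; raises the rate limit
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            interval = int(resp.headers.get("X-Poll-Interval", "60"))
            return json.load(resp), resp.headers.get("ETag"), interval
    except urllib.error.HTTPError as err:
        if err.code == 304:
            return [], etag, int(err.headers.get("X-Poll-Interval", "60"))
        raise


def monitor(org_domain, token=None, rounds=None):
    """Poll forever (or `rounds` times) and print matching commits as they appear."""
    etag, done = None, 0
    while rounds is None or done < rounds:
        events, etag, wait = poll_once(etag, token)
        for hit in commits_from_org(events, org_domain):
            print(f"[{hit['repo']}] {hit['sha'][:7]} {hit['email']}: {hit['message']}")
        time.sleep(wait)
        done += 1


if __name__ == "__main__":
    # Offline demonstration on the constructed page; call monitor("example.com")
    # to watch the live feed.
    for hit in commits_from_org(SAMPLE_EVENTS, "example.com"):
        print(hit)
```

Matching on the author e-mail only catches employees who commit with their corporate address from a personal account; it misses personal addresses and copies pasted into someone else's repository, which is why the text calls this a partial measure. Feed each hit to a secret scanner rather than alerting on every commit, and keep the `etag` between rounds so quiet periods cost no rate limit.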

In summary, broad collection of information about enterprise assets is only the starting point. Enterprises should establish continuous monitoring and evaluation: monitor network activity in real time, detect and respond to security incidents promptly, regularly assess the effectiveness of their security strategy, and adjust and optimize it based on the results.
