
Attack surface management: Knowing and reducing the external attack surface

Attack Surface Management (ASM) is the ongoing process of discovering, assessing, and monitoring all of an organization’s externally accessible assets. This article explains External ASM (EASM), asset discovery methods, exposure assessment, integration with vulnerability management, and relevant tools (Shodan, Censys, netlas.io, commercial EASM platforms).


"You can't protect what you don't know." Attack Surface Management takes this seriously. It's no longer about protecting a defined set of assets—it's about continuously identifying all the ways attackers could gain access.

What Is the Attack Surface?

Attack Surface - Definitions:

Physical Attack Surface:
  → Physical access points: offices, server rooms
  → USB ports on workstations
  → Publicly accessible terminals

Digital Attack Surface:
  External Attack Surface (Perimeter):
    → All externally accessible IPs and domains
    → Public web apps, APIs, VPN endpoints
    → Email servers, DNS servers
    → Cloud storage (S3, Azure Blobs)
    → Exposed management interfaces (RDP, SSH, Kubernetes API)

  Internal attack surface (after initial access):
    → Internal systems after breaching the perimeter
    → Lateral movement targets

  Third-party attack surface:
    → Vendors, cloud providers, MSPs with access to systems
    → "Your weakest link is your supplier" (SolarWinds!)

---

Why ASM is so difficult:

"Shadow Assets" – unknown systems:
  → Old test servers that have been forgotten
  → Developer VMs in AWS (paid by credit card, set up without IT's knowledge)
  → Cloud resources that were not deleted after a project
  → Subdomains on old IP addresses (subdomain takeover!)
  → Acquisitions: acquired companies with unknown IT infrastructure

Asset drift:
  → Today: 150 external assets known
  → Tomorrow: Developer deploys a new internet-facing service
  → IT knows: nothing
  → ASM detects immediately: new asset discovered!

Statistics:
  → 69% of organizations have experienced a data breach due to
    unknown or forgotten assets (Mandiant 2024)
  → Average company (1,000 employees): 500–2,000 external assets
  → Large corporation: 50,000+ external assets

Asset Discovery

Discovery methods:

1. Passive OSINT (without direct contact with target systems):

  DNS/Certificate Transparency:
    # All subdomains via CT log (%25 is the URL-encoded "%" wildcard; jq -r prints
    # raw strings, so entries holding several names come out one per line):
    curl -s "https://crt.sh/?q=%25.firma.de&output=json" | \
      jq -r '.[].name_value' | sort -u

    # Subfinder (active + passive enumeration):
    subfinder -d firma.de -all -silent

    # amass (very comprehensive):
    amass enum -passive -d firma.de

  Shodan.io:
    org:"Company Ltd"                   → all known company assets
    org:"Company Ltd" port:22           → SSH server
    org:"Company Ltd" http.title:"login"  → login pages
    ssl.cert.subject.CN:"*.company.de"   → via certificate

    Shodan API (Python):
    import shodan
    api = shodan.Shodan('API_KEY')             # your own Shodan API key
    results = api.search('org:"Company Inc."')
    for r in results['matches']:
        # IP, port and the HTTP title, if the banner carries one
        print(f"{r['ip_str']}:{r['port']} - {r.get('http', {}).get('title', '')}")

  Censys:
    → certificates.parsed.subject.common_name: "firma.de"
    → Finds all certificates for the domain
    → IPv4 + IPv6 hosts
    → Pros: very extensive scan data

  WHOIS + IP ranges:
    # RIPE NCC for European IP ranges (returns ASN and the organization's IP ranges):
    whois -h whois.ripe.net "Company Inc."
    # Then ping-sweep the range for active hosts:
    nmap -sn 185.123.0.0/24

2. Active Discovery (direct scan):

  Port scanning (only on your own systems!):
    # Quick external scan:
    nmap -sV -p 1-65535 --open -T4 185.123.45.0/24

    # Top 100 ports quickly:
    nmap --top-ports 100 -sV firma.de

  HTTP/HTTPS Enumeration:
    # httpx - fast HTTP probing:
    cat subdomains.txt | httpx -title -tech-detect -status-code

    # nuclei - template-based detection:
    nuclei -l targets.txt -t exposures/configs/ -severity critical,high

3. Tool combination for complete discovery:

  # Complete EASM pipeline (open source):
  # Step 1: Subdomain discovery
  subfinder -d firma.de -o subs.txt

  # Step 2: Alive check + HTTP info
  cat subs.txt | httpx -o alive.txt -title -tech-detect

  # Step 3: Vulnerability scan
  nuclei -l alive.txt -t nuclei-templates/ -severity critical,high -o vulns.txt

  # Result: Complete overview in < 1 hour
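As an added example (not code from the original article), a Python version of the crt.sh step in method 1 that also handles the gotchas of the real format (several names per entry, wildcard entries, lookalike domains) and then diffs the result against the asset inventory IT already knows, which is exactly the "Unknown Assets Discovered" signal. The crt.sh response, the inventory and the domain firma.de are constructed sample data.

```python
import json
import re

# Constructed sample of a crt.sh "output=json" response. name_value can hold
# several names separated by newlines, entries may be wildcards, and unrelated
# lookalike domains can appear; the jq one-liner above handles none of these.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.firma.de\nfirma.de"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.firma.de"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "VPN.Firma.de"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "old-test.firma.de\nstaging.firma.de"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "firma.de.lookalike.example"},
])

# Constructed asset inventory as IT currently knows it (hypothetical).
KNOWN_INVENTORY = {"firma.de", "www.firma.de", "VPN.firma.de"}

# Conservative hostname syntax check: letters, digits, hyphens, at least one dot.
HOSTNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def ct_hostnames(crtsh_json: str, scope_domain: str) -> set[str]:
    """Concrete, in-scope hostnames from a crt.sh JSON dump (wildcards collapsed)."""
    scope = scope_domain.lower()
    found = set()
    for entry in json.loads(crtsh_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]          # "*.firma.de" -> the apex itself
            if name != scope and not name.endswith("." + scope):
                continue                 # lookalike or foreign domain: out of scope
            if HOSTNAME_RE.match(name):
                found.add(name)
    return found


def unknown_assets(discovered: set[str], inventory: set[str]) -> set[str]:
    """Hosts seen in CT logs that the inventory does not know: shadow-asset candidates."""
    return discovered - {h.lower() for h in inventory}


if __name__ == "__main__":
    seen = ct_hostnames(CRTSH_SAMPLE, "firma.de")
    for host in sorted(unknown_assets(seen, KNOWN_INVENTORY)):
        print("unknown asset:", host)
```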

Exposure Assessment and Risk Prioritization

What to check after discovery:

Critical Exposures (immediate action required):

  Exposed Management Interfaces:
  → RDP (Port 3389) public: most common ransomware entry point!
  → SSH (Port 22) without certificate
  → Kubernetes API (Port 6443) public
  → Exposed Database Ports: MySQL 3306, PostgreSQL 5432, Redis 6379
    (Redis without auth = data stolen, RCE possible)
  → Admin Panels: phpMyAdmin, Adminer, pgAdmin public
  → Jenkins, Grafana, Kibana without authentication

  Subdomain Takeover:
  → Subdomain points to a non-existent CNAME target
  → Attacker registers the target → controls the subdomain!
  # Detection:
  subzy run --targets subs.txt  # Automatic detection

  Exposed Cloud Storage:
  → S3 bucket publicly readable: customerdata.company.de.s3.amazonaws.com
  → Azure Blob publicly accessible
  → Detection: AWSBucketDump, BlobHunter
  # S3 Check:
  aws s3 ls s3://company-customerdata --no-sign-request

  Outdated/Vulnerable Versions:
  → Apache 2.4.49 (CVE-2021-41773, RCE!)
  → Outlook Web Access without the latest patch
  → Citrix ADC unpatched
  → Detection: nuclei with version-matching templates

  Expired/Weak Certificates:
  → SSL certificate expired
  → TLS 1.0/1.1 still active
  → SHA-1 certificate
  # Check:
  testssl.sh --full firma.de

---

Risk Scoring Framework:

Score = Base Severity × Exposure × Asset Criticality

  Base Severity (CVSS 0-10):
    Exposed RDP:  8.0 (High)
    SQL Injection:  9.8 (Critical)

  Exposure Multiplier:
    Internet-facing, no auth:  ×3
    Internet-facing, with auth: ×1.5
    Internal only:              ×0.5

  Asset Criticality:
    Production database:  ×3
    Test server:            ×0.5
    Marketing website:      ×1

  Prioritization: Score > 8 → immediately, 6-8 → this week, 4-6 → this month
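As an added example (not the article's own code), the scoring framework above applied to a few constructed findings on hypothetical hosts. The multiplier tables are the page's; treating "> 8" as strict (so exactly 8.0 lands in "this week") and a "backlog" bucket for scores below 4 are assumptions.

```python
from dataclasses import dataclass

# Multiplier tables exactly as given in the framework above.
EXPOSURE = {"internet_no_auth": 3.0, "internet_auth": 1.5, "internal": 0.5}
CRITICALITY = {"prod_db": 3.0, "test": 0.5, "marketing": 1.0}


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    base_severity: float   # CVSS base score, 0-10
    exposure: str          # key of EXPOSURE
    criticality: str       # key of CRITICALITY


def risk_score(f: Finding) -> float:
    """Score = Base Severity x Exposure x Asset Criticality."""
    if not 0.0 <= f.base_severity <= 10.0:
        raise ValueError(f"CVSS base severity out of range: {f.base_severity}")
    return round(f.base_severity * EXPOSURE[f.exposure] * CRITICALITY[f.criticality], 2)


def priority(score: float) -> str:
    """Buckets from the page; '> 8' is strict, so a score of exactly 8.0 is 'this week'."""
    if score > 8:
        return "immediately"
    if score >= 6:
        return "this week"
    if score >= 4:
        return "this month"
    return "backlog"       # assumption: the page names no bucket below 4


def prioritize(findings: list[Finding]) -> list[tuple[Finding, float, str]]:
    """Rank findings highest score first, each with its remediation bucket."""
    scored = [(f, risk_score(f)) for f in findings]
    return [(f, s, priority(s)) for f, s in sorted(scored, key=lambda t: t[1], reverse=True)]


# Constructed findings (hypothetical hosts) covering three buckets and a boundary case.
SAMPLE_FINDINGS = [
    Finding("db1.firma.de", "Exposed RDP", 8.0, "internet_no_auth", "prod_db"),   # 72.0
    Finding("www.firma.de", "SQL Injection", 9.8, "internet_auth", "marketing"),  # 14.7
    Finding("test.firma.de", "Exposed RDP", 8.0, "internet_auth", "test"),        # 6.0
    Finding("test.firma.de", "SQL Injection", 9.8, "internal", "test"),           # 2.45
]
```

Calling `prioritize(SAMPLE_FINDINGS)` returns the findings sorted 72.0, 14.7, 6.0, 2.45, showing that the same SQL injection ranks very differently depending on where it sits.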

EASM Solutions

Commercial EASM platforms:

Microsoft Defender External Attack Surface Management:
  → Integrated into Microsoft 365 Defender
  → Automatic asset discovery for your organization
  → Continuous monitoring
  → Integration with Sentinel and Defender for Cloud
  Price: Part of M365 E5 Security or add-on

CrowdStrike Falcon Surface:
  → Formerly Reposify
  → Wide range of asset classes: certificates, cloud assets, code repositories
  → Risk score per asset
  → API for integration

Palo Alto Cortex Xpanse:
  → Market leader according to Gartner
  → Global scan: 6 billion+ IPs daily
  → Automatic mapping to organization
  → SaaS + certificates + cloud + IoT
  Price: Enterprise pricing

Open Source Alternative (Self-Hosted):
  OWASP Amass + Nuclei + Custom Dashboard:
  → git clone https://github.com/owasp-amass/amass
  → Daily cron job: amass enum → nuclei scan → Report
  → Simple dashboard: Python Flask + SQLite
  → Cost: 0 EUR + server time

---

Integration with Vulnerability Management:

ASM Finder → VM Scanner → Remediation:
  1. EASM detects new asset (new IP/domain)
  2. Automatic import into Tenable/Qualys
  3. Scan triggered within 24 hours
  4. Findings → Ticket system (JIRA/ServiceNow)
  5. Remediation tracking

Metrics for ASM:
  → Attack Surface Size: Number of external assets (Trend!)
  → High-Risk Exposures: Number of critical exposures
  → Mean Time to Discover New Assets: How quickly detected?
  → Mean Time to Remediate Exposures: How quickly resolved?
  → Unknown Assets Discovered: Found by EASM, previously unknown


About the Author

Jan Hörnemann

Chief Operating Officer · Prokurist

M.Sc. in Internet Security (if(is), Westfälische Hochschule). COO and Prokurist with expertise in information security consulting and security awareness. Junior professor of cyber security at FOM Hochschule, CISO lecturer at isits AG and doctoral candidate at the Graduierteninstitut NRW.

11 publications
ISO 27001 Lead Auditor (PECB/TÜV), T.I.S.P. (TeleTrusT), ITIL 4 (PeopleCert), BSI IT-Grundschutz-Praktiker (DGI), Ext. ISB (TÜV), BSI CyberRisikoCheck, CEH (EC-Council)
This article was last edited on 04.03.2026. Responsible: Jan Hörnemann, Chief Operating Officer · Prokurist at AWARE7 GmbH. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
