In a recent report from Gartner, External Attack Surface Management (EASM) has been highlighted as a major category in cybersecurity. According to Gartner, EASM is an emerging product set that supports organizations in identifying risks coming from internet-facing assets and systems they may not even know about, covering problems such as shadow IT, unmanaged exposures and a constantly expanding attack surface.
In our latest panel discussion with CISO Platform, our speakers Paul Dibellow (SVP, FireCompass), Tejas Shroff (Director, NTT Data), Ed Adams (CEO, Security Innovation) and Bikash Barai (Co-Founder, FireCompass) go over “Why Gartner Is Talking About External Attack Surface Management?”. The panel covers the critical capabilities of EASM, common use cases, and the MITRE ATT&CK framework.
Bikash talks about the tools one can use depending on the maturity level of the organization. He suggests starting with open source tools to build a reconnaissance baseline and with point-in-time testing, then gradually moving towards enterprise solutions that do this continuously.
What is EASM?
Bikash takes the panel down memory lane: for two decades, vulnerability assessment and penetration testing were what kept an organization safe, and security was mostly concerned with the network level. In the last 6-7 years, however, the threat vectors have multiplied. He cites a large enterprise that suffered a massive data breach because one of its databases was left online without a password. The security landscape has changed massively over the last 4-5 years: earlier, whatever went online passed through the central IT team, but in the recent past almost everyone in the organization puts data on the cloud, and not all departments are trained in securing these assets.
This creates blind spots for the security team: organizations currently have no central control over which assets go online or how well protected they are.
These are the “unknown unknowns”, and most of the breaches are happening because of these assets.
Managing the external attack surface has become critical because of these shadow IT assets. This is why Gartner coined the EASM acronym; as a concept it means knowing what your attack surface includes, which assets are exposed, and how well protected they are when viewed from the outside.
While the industry already had the term Attack Surface Management, EASM focuses only on the external attack surface.
Ed describes the external attack surface as the sum of all potential digital doorways into an enterprise, which includes third-party suppliers, partners, cloud services, work-from-home setups, and more.
The first step is discovery of this attack surface; once it has been discovered, the next steps are to categorize the risk and mitigate the high-risk findings. Ed stresses that external attack surface management needs to be ongoing and persistent.
Real Life Examples of Attacks on External Attack Surface
SolarWinds attack: In December 2020 it was discovered that attackers had trojanized SolarWinds' Orion software updates, gaining unauthorized access to SolarWinds' own build environment and to the networks of government agencies and other Orion customers. In February 2021, Detectify added the SolarWinds Orion authentication bypass, CVE-2020-10148, to its scanner to help organizations identify and mitigate the risk.
Equifax data breach: The 2017 Equifax breach was partly due to the company's inability to identify which of its systems ran vulnerable versions of Apache Struts (CVE-2017-5638). A report by the U.S. Federal Trade Commission revealed that Equifax did not maintain an accurate inventory of its public-facing applications, which is how the vulnerable system was overlooked.
Kaseya ransomware: In July 2021, a ransomware attack targeting Kaseya's VSA remote-management software affected up to 1,500 organizations. The attackers exploited a vulnerability in VSA to push ransomware through multiple managed service providers (MSPs) to their customers, a supply chain ransomware attack.
Log4Shell: The Log4Shell vulnerability (CVE-2021-44228) has proven difficult to remediate because simply finding every copy of the log4j library is hard. The vulnerable classes are usually pulled in as a transitive dependency and sit inside JAR files that are themselves nested within WAR or EAR archives, so a search by file name on the host does not find them.
Kubernetes clusters: Researchers recently found over 240,000 Kubernetes clusters publicly exposed on the internet with open kubelet ports (the kubelet API listens on 10250), making them easy targets for threat actors.
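Finding log4j-core copies hidden inside nested archives is the concrete problem the Log4Shell paragraph above describes. The following Python is an added example written for this page, not a tool from the panel or from any vendor mentioned: it walks a JAR/WAR/EAR held in memory, descends into every nested archive, and reports each log4j-core it finds together with the version taken from the Maven pom.properties that the real JAR carries. The sample EAR it builds is constructed for the demonstration and contains no real Log4j bytecode; the version-range check reflects the published affected range (2.0-beta9 through 2.14.1).

```python
import io
import sys
import zipfile

# Class whose presence marks a log4j-core build; the version decides exposure.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that a genuine log4j-core JAR carries; used to read the version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 8  # stop descending into pathological or zip-bomb style nesting


def vulnerable_to_log4shell(version):
    """True when the log4j-core version lies in the 2.0-beta9 .. 2.14.1 range that
    CVE-2021-44228 affects (2.15.0 started the fixes; 2.17.1 is the safe target).
    Unknown or unparsable versions are treated as vulnerable for triage."""
    if version == "unknown":
        return True
    parts = version.split("-")[0].split(".")
    try:
        major, minor = int(parts[0]), int(parts[1])
    except (ValueError, IndexError):
        return True
    return major == 2 and minor < 15


def scan_archive(data, location="", depth=0):
    """Walk a JAR/WAR/EAR held in memory, descend into every nested archive, and
    return one record per archive that contains JndiLookup.class."""
    findings = []
    if depth > MAX_NESTING:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # a .jar-named entry that is not actually a zip container
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP_CLASS in names:
            version = "unknown"
            if POM_PROPERTIES in names:
                props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append({"location": location or "<root>", "version": version,
                             "vulnerable": vulnerable_to_log4shell(version)})
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                nested = f"{location}!/{name}" if location else name
                findings.extend(scan_archive(zf.read(name), nested, depth + 1))
    return findings


def scan_file(path):
    """Scan an archive on disk; locations use the jar:-URL style outer!/inner!/leaf."""
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)


def _zip_bytes(entries):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_ear():
    """Constructed sample (not real Log4j bytecode): a fake log4j-core 2.14.1 JAR
    buried under WEB-INF/lib of a WAR that is itself packed inside an EAR."""
    log4j_core = _zip_bytes({
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe fake class bytes",
        POM_PROPERTIES: b"groupId=org.apache.logging.log4j\n"
                        b"artifactId=log4j-core\nversion=2.14.1\n",
    })
    util_jar = _zip_bytes({"com/example/Util.class": b"\xca\xfe\xba\xbe"})
    webapp = _zip_bytes({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/log4j-core-2.14.1.jar": log4j_core,
        "WEB-INF/lib/util.jar": util_jar,
    })
    return _zip_bytes({"META-INF/application.xml": b"<application/>", "app.war": webapp})


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = scan_file(targets[0]) if targets else scan_archive(build_sample_ear(), "app.ear")
    for hit in results:
        flag = "VULNERABLE" if hit["vulnerable"] else "patched"
        print(f"log4j-core {hit['version']} ({flag}) at {hit['location']}")
```

Run it with a path to a deployed EAR/WAR to scan that file, or with no arguments to scan the constructed sample. The point of the recursion is the one the paragraph makes: the vulnerable JAR is three archive layers deep, so only a scanner that opens containers inside containers finds it. Shaded or repackaged builds may drop the pom.properties file, which is why a missing version is reported as "unknown" and kept in the vulnerable bucket rather than silently ignored.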
Use Cases - External Attack Surface Management
- Asset inventory - Keeping track of external assets has become a major challenge for organizations. EASM as a concept covers the discovery and management of external assets.
- Shadow IT discovery - Shadow IT assets are the unknown unknowns in an organization. There are multiple tools for discovering these hidden, vulnerable assets. Tools like a CASB can identify the cloud applications employees use to put assets online, but they cannot identify the asset itself, because a CASB only sees traffic from the organization's own network rather than scanning the whole internet. EASM tools, by contrast, scan internet-facing assets from the outside. So CASB and EASM solve the problem in complementary ways.
- SOC augmentation - Since the challenges are multiplying by the hour, EASM can work in tandem with the SOC: EASM feeds information on misconfigured and exposed assets to the SOC, which can then handle them at high priority. The intelligence coming from EASM helps the SOC.
- Threat intelligence augmentation - EASM can feed its findings into threat intelligence and threat management tools.
- Augmenting vulnerability management - This one is simple: if one is not aware of an asset, it cannot be put under a vulnerability management program.
- Augmenting red, blue and purple teaming - EASM does the initial reconnaissance and feeds that data into the exercises.
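The discover, categorize and mitigate cycle Ed describes, and the asset-inventory, shadow-IT-discovery and SOC-feed use cases listed above, come together in the following Python, which is an added example written for this page rather than code from the panelists or from FireCompass. It assumes that an external discovery run (certificate-transparency enumeration, passive DNS and a service scan, done by other tools) has already produced the DISCOVERED records; those records, the KNOWN_INVENTORY and the RISK_RULES triage policy are constructed for the example. It diffs what was seen from the outside against what the organization thinks it owns to surface shadow assets, scores each exposed service, escalates anything that answered without authentication, and emits the ranked findings as JSON lines for a SOC queue.

```python
import json
from datetime import datetime, timezone

# --- constructed sample input (not real data) -------------------------------
# What the organization believes it owns, e.g. exported from its CMDB.
KNOWN_INVENTORY = {
    "www.example.com": {"ip": "203.0.113.10", "owner": "web-team"},
    "vpn.example.com": {"ip": "203.0.113.20", "owner": "network-team"},
}

# What today's external discovery run observed: hostnames from certificate
# transparency logs and passive DNS, then a service scan of each. Each port
# entry is (port, service, note); the note comes from a banner/protocol probe.
DISCOVERED = {
    "www.example.com": {"ip": "203.0.113.10", "source": "dns",
                        "ports": [(443, "https", "certificate valid")]},
    "vpn.example.com": {"ip": "203.0.113.20", "source": "dns",
                        "ports": [(443, "https", "certificate valid"), (22, "ssh", "")]},
    "staging-db.example.com": {"ip": "198.51.100.7", "source": "ct-log",
                               "ports": [(27017, "mongodb", "no authentication required")]},
    "k8s-dev.example.com": {"ip": "198.51.100.9", "source": "ct-log",
                            "ports": [(10250, "kubelet", "anonymous /pods readable")]},
}

# Triage policy (constructed): (port, service) -> (severity, reason). Anything
# not listed is "medium" until an analyst classifies it.
RISK_RULES = {
    (27017, "mongodb"): ("critical", "database listener reachable from the internet"),
    (6379, "redis"): ("critical", "database listener reachable from the internet"),
    (9200, "elasticsearch"): ("critical", "database listener reachable from the internet"),
    (10250, "kubelet"): ("high", "kubelet API exposed; permits pod exec if unauthenticated"),
    (3389, "rdp"): ("high", "remote desktop exposed; common ransomware entry point"),
    (22, "ssh"): ("low", "remote administration exposed; restrict by source IP"),
    (443, "https"): ("info", "TLS service; verify certificate and the application behind it"),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
UNAUTH_MARKERS = ("no auth", "anonymous", "unauthenticated")


def diff_inventory(known, discovered):
    """Shadow IT = hosts seen from the outside that the inventory does not know;
    missing = inventoried hosts that no longer answer (decommissioned or DNS drift)."""
    return {
        "shadow": sorted(h for h in discovered if h not in known),
        "missing": sorted(h for h in known if h not in discovered),
    }


def triage(host, record, is_shadow):
    """Score every exposed service on one host. A probe note showing the service
    answered without credentials overrides the static rule and becomes 'critical'."""
    findings = []
    for port, service, note in record["ports"]:
        severity, reason = RISK_RULES.get(
            (port, service), ("medium", f"unclassified service {service}/{port}"))
        if any(marker in note.lower() for marker in UNAUTH_MARKERS):
            severity, reason = "critical", reason + "; answers without authentication"
        findings.append({"host": host, "ip": record["ip"], "port": port,
                         "service": service, "severity": severity, "reason": reason,
                         "shadow_it": is_shadow, "source": record["source"]})
    return findings


def prioritise(known, discovered):
    """One discovery cycle: diff against the inventory, triage, rank. Shadow assets
    sort first within a severity because nobody is assigned to patch them."""
    shadow = set(diff_inventory(known, discovered)["shadow"])
    findings = []
    for host, record in discovered.items():
        findings.extend(triage(host, record, host in shadow))
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], not f["shadow_it"], f["host"]))
    return findings


def to_siem_events(findings):
    """Serialise findings as JSON lines for the SOC queue (ECS-style field names assumed)."""
    ts = datetime.now(timezone.utc).isoformat()
    return [json.dumps({"@timestamp": ts, "event.kind": "alert",
                        "event.module": "easm", **f}) for f in findings]


if __name__ == "__main__":
    for event in to_siem_events(prioritise(KNOWN_INVENTORY, DISCOVERED)):
        print(event)
```

Run on a schedule, this is the "ongoing and persistent" part: each cycle re-runs discovery, and the diff against the inventory is what turns an unknown unknown (here the staging MongoDB and the dev cluster's kubelet, both found only through certificate-transparency logs) into a tracked finding with an owner. The sort order encodes the panel's point that an exposed but unowned asset is worse than an equally exposed owned one, and the unauthenticated-service escalation is the "database left online without a password" case from the discussion.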