The attack surface is expanding: 10 ways to bolster risk management

Attack surface management (ASM) isn’t just another buzzword. It represents a fundamental shift in security strategy with risk on the rise.

Technological progress can be a boon for organizations. It can increase productivity and enhance operational flexibility and efficiency. But by connecting systems to enable it, you also open up new ways for threat actors to violate your digital domain. 

The problem is on the minds of many chief information security officers as generative AI systems and AI-derived code become mainstream. Ron Eddings and Melody “MJ” Kaufmann highlight the problem in a new book, titled “Attack Surface Management: Strategies and Techniques for Safeguarding Your Digital Assets.” Eddings is the founder and executive producer of Hacker Valley Media, and Kaufmann is an author and instructor at O’Reilly.

“In a world where digital transformation is happening at breakneck speed, the old ways of securing networks and endpoints are no longer enough. Our attack surfaces have evolved from a handful of well-defined servers and firewalls to a sprawling, interconnected ecosystem of cloud environments, third-party SaaS applications, APIs, IoT devices, remote workforces, and supply chain dependencies,” the authors said in a statement. 

The modern attack surface is vast, fragmented, and constantly changing. Everything that it encompasses is a prime target for cybercriminals looking for gaps in our defenses.

Ron Eddings and Melody “MJ” Kaufmann

While the attack surface for most organizations may never be entirely secured, your organization can take measures to improve attack surface risk management. Here’s what you need to know about attack surface management (ASM) — and 10 key steps to consider.

Understand the evolving attack surface

Attack surfaces are also being expanded by the proliferation of identities. “One of the most critical and often overlooked areas is the sprawl of identity and access across enterprise environments,” said Rosario Mastrogiacomo, chief strategy officer at Sphere Technology Solutions.

John Watters, CEO and managing partner of iCounter, said CISOs have always known that their organizations’ near infinite attack surface and open vulnerabilities presented an insurmountable problem. “They realized that there’s no way you can close every hole, patch every vulnerability, or protect against every type of attack,” he said.

So most CISOs shifted to simply protecting against known threats, Watters said. If you were seeing an attack, it had almost always been seen somewhere before, he added. Intelligence-led security enabled defenders to learn from one another — and to make sure that they were protected against all known threats, Watters said.

Now we enter into an age where every attack vector is discoverable and exploitable by new and novel attack methods that have never been used before. Everyone becomes patient zero. That’s a tough challenge, one we’re not prepared to address as an industry.

John Watters

Brett Tucker, cybersecurity risk management technical manager in the CERT division at Carnegie Mellon University’s Software Engineering Institute, said it is challenging even to measure the organizational attack surface. 

A compounding issue is that attackers are improving their capability to identify vulnerabilities over time. Because of economic limitations and technical unknown unknowns, the attack surface for most organizations may never be resolved entirely.

Brett Tucker

Here are 10 steps to consider when implementing ASM.

1. Shift from reactive controls to proactive hygiene

Sphere Technology’s Mastrogiacomo said attack surface management should start with an intelligent discovery of all identities, privileged accounts, and data access points — especially within Active Directory and cloud environments. “Automating remediation, continuously validating ownership, and enforcing least privilege are key strategies to reduce risk and maintain compliance,” Mastrogiacomo said.

By understanding and actively managing your attack surface, you’re not just reacting to threats but anticipating them, wrote Eddings and Kaufmann: 

You’re reducing risk before it becomes an incident, securing what you know and what you didn’t realize was exposed.

2. Increase the use of SBOMs

Software bills of materials can help organizations better understand the attack surface from a software perspective, CMU’s Tucker said. However, he added, SBOMs only offer more detail over what was previously known rather than prescriptions for solutions. “The economics of risk bound the possibilities of what exactly can be done, even if organizations have such granular detail of their software assets,” he said. “Quantitative impact analysis hinging upon technical understanding of the assets at play will be necessary to prioritize action and inform risk-based decision making.”

3. Prioritize partnerships with engineering

Trey Ford, chief strategy and trust officer at Bugcrowd, a crowdsourced bug bounty platform, said that high-trust partnerships between security and the teams that write, deploy, and support code after implementation lead to a “total ownership model.” That means a strong partnership in discovering new attack surface areas and a stronger response in addressing issues as they’re identified.

4. Promote visibility to better discover, analyze, and manage exposure

Visibility is critical to operational security teams, because code and implementations evolve so quickly that the ability to identify changes in the environment allows for faster incident detection, management of privacy issues, and the ability to drive down third-party risk scenarios as they surface, Ford said.

Larry Slusser, vice president of strategy at SixMap, said it is critical for organizations to understand their digital borders and interconnectivity.

The term ‘attack surface’ has become too linear in describing the challenge. If companies aren’t gaining multidimensional views of their networks and defenses, they are behind in the cyber-arms race. Without visibility into potential or emerging points of weakness, threat actors just walk through cyber-defenses.

Larry Slusser

Visibility is also important for effective ASM. “Security teams are drowning in alerts and vulnerabilities, trying to protect assets that in some cases they don’t even know exist,” Eddings and Kaufmann wrote: 

ASM provides the strategic framework to cut through the noise, helping organizations discover, analyze, and manage their exposure before attackers can exploit it.

5. Be aware of the threats throughout the SDLC

Identifying key vendors and third parties and managing known issues are both good starting points for that process, said Dave Tyson, the partner for intelligence operations at iCounter. 

Applications often introduce new risks by connecting with other tools or integrating in ways not intended during development. These are all places where unseen risk can be introduced. Having early-warning threat intelligence that alerts to changes in threat actor intent will enable measures to counter new threats.

Dave Tyson

6. Pursue continuous attack surface discovery

Continuous attack surface discovery is no longer optional. It’s essential, said Scott Schneider, sales partner at iCounter. “An organization’s attack surface is in a state of constant flux as new third parties are onboarded, assets are added, apps are misconfigured, and new cloud environments come online,” he said.

Continuous discovery tools have been available to the market for many years. The next step is to combine this discovery with advanced cyber-risk intelligence to prioritize which of those assets are the most at risk and counter threats before they strike.

Scott Schneider

CMU’s Tucker stressed that you cannot protect what you do not know you have, “so continuous attack surface discovery is always going to be critical to being effective in securing your systems,” he said.

7. Implement risk-based vulnerability management

Sphere Technology’s Mastrogiacomo explained that a risk-based approach focuses on what matters most: prioritizing vulnerabilities tied to sensitive systems, privileged access, or active exploitability. “By correlating vulnerabilities with identity context, organizations can take action where the blast radius is greatest, instead of trying to patch everything,” he said.

However, there are risks to focusing on what matters most. “If only the biggest leaks are fixed in the dam,” SixMap’s Slusser noted, “eventually lots of small leaks can cause weakness across the entire surface, leading to an eventual catastrophe.”

In addition to ranking individual vulnerabilities, priorities can be set by which assets are most critical to an organization's mission. “Using mission criticality in this way can help manage and possibly reduce the risk even as the attack surface expands,” Tucker said.
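As an added illustration of the risk-based approach Mastrogiacomo and Tucker describe (example code, not from the article or any vendor named in it), the scorer below weights CVSS by mission criticality, then by privileged-access context and active exploitation, and adds a separate stale check so Slusser's “small leaks” do not sit unfixed. The weights, the 1 to 5 criticality scale and the sample inventory are constructed assumptions.

```python
# Illustrative risk-based vulnerability prioritization (constructed example).
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    vuln_id: str               # constructed label, not a real CVE identifier
    asset: str
    cvss: float                # 0.0 .. 10.0
    mission_criticality: int   # 1 (low) .. 5 (mission critical); assumed scale
    privileged_access: bool    # asset holds or grants privileged identities
    actively_exploited: bool   # exploitation observed in the wild
    first_seen: date

def risk_score(f: Finding, today: date) -> float:
    """Severity weighted by asset criticality, then by identity and exploit context.
    A small age term lets long-open low scores rise, so they eventually surface."""
    score = (f.cvss / 10.0) * f.mission_criticality      # 0 .. 5
    if f.actively_exploited:
        score *= 2.0                                     # fix what is being hit now
    if f.privileged_access:
        score *= 1.5                                     # identity context: larger blast radius
    days_open = (today - f.first_seen).days
    score += min(days_open // 30, 6) * 0.25              # +0.25 per month open, capped at 6 months
    return round(score, 2)

def prioritize(findings, today):
    """Highest risk first; ties broken by id so the order is stable."""
    return sorted(findings, key=lambda f: (-risk_score(f, today), f.vuln_id))

def stale(findings, today, max_days=90):
    """Anything open longer than max_days regardless of score: the 'small leaks' check."""
    return [f for f in findings if (today - f.first_seen).days > max_days]

# Constructed sample inventory (assumed values)
TODAY = date(2025, 2, 1)
FINDINGS = [
    Finding("VULN-0001", "ad-domain-controller", 7.5, 5, True, True, date(2025, 1, 20)),
    Finding("VULN-0002", "marketing-site", 9.8, 2, False, False, date(2024, 6, 1)),
    Finding("VULN-0003", "hr-payroll-api", 6.5, 4, True, False, date(2025, 1, 25)),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS, TODAY):
        print(f"{risk_score(f, TODAY):6.2f}  {f.vuln_id}  {f.asset}")
    print("stale:", [f.vuln_id for f in stale(FINDINGS, TODAY)])
```

Note that the CVSS 9.8 finding on the low-criticality marketing site ranks below a medium-severity flaw on the privileged payroll API, which is the “correlate with identity context” point, while the stale check still flags it because it has been open for months.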

8. Tightly control access to cloud environments and APIs

Eddings and Kaufmann wrote that because cloud services are accessible from anywhere, limiting access to data and services is crucial for secure operations. “This objective encompasses everything from limiting who can sign into the cloud environment to scoping the APIs and interfaces that interact with cloud services,” they noted. “Failing to do so allows attackers to manipulate these interfaces directly, gaining unauthorized access or disrupting services.”

Slusser said that many excellent tools, some provided by the cloud providers themselves, can be used to find misconfigurations in cloud devices. “The challenge isn’t having the technology, but rather having the people power to run the technology and ensure no misconfigurations exist at the velocity required to stop attacks,” he said.

9. Design security policies that evolve with an environment

Mastrogiacomo explained that policies must be adaptable to reflect organizational growth, mergers, cloud migration, and more. “Rigid, outdated policies become blind spots,” he said. “Evolving policies based on real-time intelligence and automated enforcement help maintain a secure state, even as the business changes.”

Policy is key in establishing baselines and expectations of leadership. “If you can get clear intelligence of what threat actors understand about the environment, what they are targeting, and how they plan to conduct reconnaissance and probing, policies and defensive monitoring can be adjusted to limit risk,” iCounter's Tyson explained.

“But policy is guidance,” he cautioned. “It is not the same as taking defensive action based on threat actors' new and novel attack planning. There is no substitute for visibility to threat actor actions and intentions.”

10. Use red teaming and attack simulation to expose attack surfaces

“With the attack surface broadening, the variety of attack vectors is also increasing,” iCounter’s Schneider explained. “Traditional penetration tests, which focus on individual vulnerabilities, are no longer adequate. Red teaming and attack simulations are becoming essential because they attempt to replicate the tactics, techniques, and procedures of actual AI-enabled attackers, including reconnaissance against high-probability targets.”

Bugcrowd’s Ford added that adversarial testing is the only objective way to know if people, process, and technology are arriving at resilient outcomes. “Even known-good reference architectures need to evolve as attack research continues to evolve,” he said.

But Slusser warned that red teaming and attack simulation are useful exercises only when they are not restricted by excessive rules of engagement that prohibit true exposure discovery. “Many organizations are so concerned about production interruption that they fail to allow cyberattack simulations to truly be of benefit,” he said.

ASM keeps an eye to the future of risk management

Eddings and Kaufmann predicted that the future belongs to security professionals who can adapt quickly, break down complex challenges into manageable chunks, and automate the actions that become repetitive. “It also belongs to those who realize that security is no longer a specialist’s game, it’s a team sport where continuous learning is the only constant,” they noted.

Remember: The attack surface you’ll be securing tomorrow hasn’t been invented yet. The best skill you can develop is learning how to learn.