
Expert Talks: Attack Surface Management for beginners

Much-needed protection or an excessive luxury? Thomas Jannes, SOC (Security Operations Center) Manager at Secutec, answers some pressing questions: what is Attack Surface Management (ASM)? Why is continuous monitoring recommended? How does it help protect your company from external threats? And how does Secutec make it easy for you with SecureSIGHT?

Anyone taking a closer look at the MITRE ATT&CK[1] framework will notice that there are a lot of wide-ranging aspects within cybersecurity – a whole list of challenges that are impossible for any one organization to solve without a helping hand. Secutec offers specialized assistance that draws inspiration from the different stages of an attack as they are described by MITRE.

One of these stages is ‘Reconnaissance’. This involves a hacker looking for every possible way to penetrate an organization’s network, without having access to leaked credentials or leaked user data. Finding and tracking those entry points from the defender’s side is called ‘Attack Surface Management’ (ASM), the topic on which Secutec SOC Manager Thomas Jannes sheds light today. He explains how Secutec works in this domain, what the benefits are for customers and how it fits into the broader picture of Secutec SecureSIGHT.

 

What is Attack Surface Management?

Jannes: At Secutec, we specialize in external ASM. This means we look for every possible way to crack systems from the outside, the same way a hacker would. We put ourselves in the shoes of a cybercriminal and try everything he would do to get into a network. We specifically focus on our client’s internet-facing systems.

We also offer internal ASM, or ‘full vulnerability scanning’, in addition to SecureSIGHT. However, this internal scanning provides a very large number of vulnerabilities, whereas SecureSIGHT offers a clear-cut focus on concrete short-term action items that should keep hackers out as effectively and efficiently as possible.

Finally, we also look at leaked credentials (logins and passwords). If a hacker has these in his possession, the game is already (largely) played. A hacker on the inside will be able to achieve his goal very quickly. After all, why would a car thief smash the window if he simply has the key?

 

How does ASM work?

Jannes: When we get to work for a client, we fire up several tools. We start looking for all the organization’s systems that are accessible from the internet: (web) servers, firewalls, cloud services, … Everything we can detect, we bring together in a list and we start testing for vulnerabilities.

Simply put: we start this test with a simple ‘hello’. This is the first step in setting up a connection and then we take a look at what we get back. Often this is more than you might think. Web servers, for example, are usually very chatty. In the background, they immediately provide a lot of information that is not visible to the user, but which contains a wealth of information for the hacker. To turn this into an analogy: apparently web servers find it necessary to tell visitors where to hang up their coats or where to go to the restroom from the moment one says ‘hello’.
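What a server volunteers in reply to that first ‘hello’ can be checked on your own internet-facing hosts. The following is an added example, not Secutec’s or SecureSIGHT’s code: it parses a raw HTTP response head and reports the headers that disclose software names or versions. The sample response and the list of headers to flag are constructed assumptions for illustration.

```python
import re

# Headers that commonly reveal server software; this list is an assumption
# chosen for the example, not taken from the article or from SecureSIGHT.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Constructed sample: the response head a verbose web server might send.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 10:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)

def parse_head(raw: bytes):
    """Split a raw HTTP response into (status_line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def audit_disclosure(raw: bytes):
    """Return findings for headers that name software, noting version leaks."""
    _, headers = parse_head(raw)
    findings = []
    for name, value in headers:
        if name in DISCLOSING_HEADERS and value:
            versions = VERSION_RE.findall(value)
            findings.append({
                "header": name,
                "value": value,
                "versions": versions,
                "severity": "version-disclosed" if versions else "product-disclosed",
            })
    return findings

if __name__ == "__main__":
    for f in audit_disclosure(SAMPLE_RESPONSE):
        print(f"{f['header']}: {f['value']} -> {f['severity']}")
```

A response that carries only a bare product name, or none of these headers, is the target state: the less the first reply says, the less an outside observer learns without any credentials.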

 

How does Secutec’s ASM solution work?

Jannes: ASM is a module that is part of our in-house developed solution SecureSIGHT. This is a cyber intelligence service for which we work with a combination of commercial platforms and open-source intelligence (OSINT). Think of tools such as Shodan, a service known to many because you can find unsecured home cameras on it, for example. We use multiple sources to get the broadest possible view and inform our customers as efficiently as possible. We apply two general principles with SecureSIGHT: we make everything visible, and on an ongoing basis.

We strive for efficiency, which means automating our services as much as possible. That means we offer ASM as a Managed Service, continuously looking for open doors through which a hacker would potentially enter. If you only do that once, with a one-time snapshot, you get a representation of one very specific moment in time that could be completely obsolete weeks or even hours later.

 

What does Secutec do with the information it gathers?

Jannes: First, we help customers to prioritize vulnerabilities. We don’t simply deliver a report or a list of ‘things to look at when you find the time’. We clearly indicate: you need to focus on this today, you can leave this until next week, and you tackle this vulnerability whenever you have a spare moment. In calls with customers I sometimes jokingly say ‘tell your technical colleagues that their weekend can’t start until this vulnerability is fixed’. When critical vulnerabilities surface, we inform the customer immediately via email. If we don’t get a quick response, we call the customer.

That’s the big difference from a traditional vulnerability scanner that works from within – internal Attack Surface Management. Such traditional solutions use your login credentials and full access to the corporate network when compiling a list of vulnerabilities. This is usually a terribly long list that does not define priorities for the administrator, while not every vulnerability can actually be (immediately) exploited.

That’s how our managed service works: we give you concrete, actionable data, so you and your colleagues can focus on what your job really is: supporting your business.

 

Why does this require a third party such as Secutec?

Jannes: A first significant reason is that you don’t always have complete visibility into all your assets that are internet-facing. Very often we hear ‘Right, we forgot about those’. Web servers are often hosted outside of the company network; think for example of a webshop hosted by an external partner. We help you map the dangers so you can communicate the necessary action points to your partner with technically sound arguments.

Besides visibility, we offer ease of use. A disadvantage of using best-of-breed products is that each tool has its own portal that you have to monitor separately. Combining all of them does give you the best results, but putting all the information together is no mean feat. That is where Secutec helps: with SecureSIGHT we provide the glue that adds up the information in one platform and makes it immediately clear where you should point your attention first. We hand our customers the so-called ‘Single Pane of Glass’.

Additionally, one of the reports we provide is a monthly executive report: here we visualize the evolution of your organization’s security posture. This makes it immediately clear to the IT Manager, his colleagues and management whether the company is on the right track.

 

In addition to ongoing vulnerability audits, Secutec SecureSIGHT also offers the ability to monitor leaked credentials on the Darknet and provides solutions for Active Managed Threat Hunting and Managed XDR.

Interested in how Secutec automates your exposure detection for you? Contact our cybersecurity experts for a demo.

[1] MITRE ATT&CK® is a globally accessible knowledge base of hacker tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as the basis for developing specific threat models and methodologies.
