What is External Attack Surface Management (eASM)?

EASM stands for "External Attack Surface Management" and generally refers to software that monitors and manages a company's external attack surface. The focus of an eASM is always everything that is reachable from the outside and thus potentially attackable by anyone: websites, services and APIs, but also third-party providers and partners. Monitoring entire ASNs and/or CIDR ranges is possible with an eASM, as is monitoring cloud infrastructure.

Why is EASM important?

The digital world is complex. A company that has grown over time usually offers a variety of services, distributed across IP addresses, websites and APIs as well as third-party providers. Over time, the company loses track of its external assets, and what is not known can hardly be protected. An eASM monitors the entire perimeter of the company, searches for shadow IT at known cloud providers and thus helps to reduce the attack surface (provided the findings are acted on).

How does an EASM work?

Analyzing attack surface

An eASM usually needs some kind of starting point. This is often the company's domain or ASN. From there it begins analyzing all IPs, scanning them and collecting data. The same applies to subdomains (see Subdomain Enumeration). Metadata is collected that allows the tool to expand the attack surface; a classic example is finding another domain in the certificates that matches the company name. Taken as a whole, this process is highly complex and can, as in the case of Argos eASM, include hundreds of external data sources and additionally work with proprietary algorithms that further expand the attack surface through additional scans and fuzzing.

The attack surface also includes persons (Persons of Interest), suppliers/partners, acquisitions and third-party providers. An eASM should be able to collect and process this data.
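The certificate-based expansion described above, as an added example (not Argos code): starting from a seed domain, every certificate that covers an already-known apex and is issued to the company's own organization contributes its SAN names; certificates whose organization differs (shared CDN certificates) are ignored so that foreign names are not attributed to the company. The certificate records are constructed sample data.

```python
# Added example, not Argos code: expanding an asset inventory from a seed
# domain using certificate metadata (subject organization + SAN names).
from collections import deque

# Constructed sample of what a CT-log / TLS scan might return:
# (subject organization, names covered by the certificate).
SAMPLE_CERTS = [
    ("Example Corp", ["www.example.com", "example.com", "api.example.com"]),
    ("Example Corp", ["shop.example-store.net", "example.com"]),
    ("Example Corp", ["legacy.example.org", "mail.example-store.net"]),
    ("Cloudflare, Inc.", ["sni.cloudflaressl.com", "example.com"]),  # shared CDN cert
    ("Example Corp", ["example-labs.dev"]),  # not linked: needs another data source
]


def registrable_domain(name):
    """Crude apex extraction: last two labels (assumes no multi-label public suffixes)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def expand_surface(seed_domain, certs, company_name):
    """Breadth-first expansion over certificates. Returns {apex: provenance}
    so an analyst can see why each domain was attributed to the company."""
    seed = registrable_domain(seed_domain)
    known = {seed: "seed"}
    queue = deque([seed])
    while queue:
        apex = queue.popleft()
        for org, names in certs:
            apexes = {registrable_domain(n) for n in names}
            if apex not in apexes:
                continue  # this certificate does not touch a known asset
            if org.lower() != company_name.lower():
                continue  # shared hosting/CDN cert: names on it are no evidence of ownership
            for new_apex in apexes - set(known):
                known[new_apex] = f"SAN on certificate for {apex} (O={org})"
                queue.append(new_apex)
    return known


if __name__ == "__main__":
    for apex, why in expand_surface("www.example.com", SAMPLE_CERTS, "Example Corp").items():
        print(f"{apex:<22} {why}")
```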

In Depth Analysis & Scans

Once the eASM has mapped the attack surface, deep scans usually begin. These can be classic port scans, but also fuzzing or specific attacks on web applications. Each response is analyzed and evaluated. The primary goal is to find and evaluate vulnerabilities. The secondary goal is always to continuously expand the attack surface: specially crafted requests can be sent to web applications to provoke errors, and useful information is often hidden in the error output, for example additional assets that belong to the company but are not trivial to find (for various reasons). Classic vulnerability scanning also takes place here, i.e. the assets are checked for known vulnerabilities.

Which type of scan is started, and when, usually follows defined rules. For example, if the system stores the nameservers and CNAMEs of web assets, it usually starts additional processes that analyze this data to find domain or subdomain takeovers or similar issues.
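One such rule, as an added example (not Argos code): given the stored CNAME records of owned web assets, follow each chain offline and flag names whose chain ends in NXDOMAIN (a dangling alias, the precondition for a subdomain takeover) or in a loop. The zone table stands in for a resolver and is constructed sample data; names absent from it are treated as NXDOMAIN.

```python
# Added example, not Argos code: a dangling-CNAME rule run over stored DNS data.
# Constructed zone table: name -> (record type, value). Missing name == NXDOMAIN.
SAMPLE_ZONE = {
    "www.example.com": ("A", "203.0.113.10"),
    "blog.example.com": ("CNAME", "example-blog.ghost-host.invalid"),   # target gone
    "shop.example.com": ("CNAME", "store.example.com"),
    "store.example.com": ("CNAME", "example-shop.saas-host.invalid"),
    "example-shop.saas-host.invalid": ("A", "198.51.100.7"),
    "loop1.example.com": ("CNAME", "loop2.example.com"),
    "loop2.example.com": ("CNAME", "loop1.example.com"),
}

MAX_HOPS = 8  # guard against absurdly long chains


def follow_cname(name, zone):
    """Follow a CNAME chain. Returns (status, chain) with status one of
    'resolves' (ends at an address record), 'nxdomain' (ends at a missing
    name, i.e. dangling) or 'loop' (chain revisits a name or exceeds MAX_HOPS)."""
    chain, seen = [name], {name}
    while True:
        rec = zone.get(chain[-1])
        if rec is None:
            return "nxdomain", chain
        rtype, value = rec
        if rtype != "CNAME":
            return "resolves", chain
        if value in seen or len(chain) > MAX_HOPS:
            return "loop", chain + [value]
        seen.add(value)
        chain.append(value)


def find_dangling(zone, owned_suffix):
    """Apply the rule to every owned name that carries a CNAME record and
    return findings an analyst can triage (asset, status, full chain)."""
    findings = []
    for name, (rtype, _) in zone.items():
        if rtype != "CNAME" or not name.endswith(owned_suffix):
            continue
        status, chain = follow_cname(name, zone)
        if status in ("nxdomain", "loop"):
            findings.append({"asset": name, "status": status, "chain": " -> ".join(chain)})
    return findings


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_ZONE, ".example.com"):
        print(f"[{f['status']}] {f['chain']}")
```

In production the zone table is replaced by the stored resolver results, and a finding is confirmed by checking whether the dangling target's provider allows anyone to claim that hostname.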

Prioritization & Reporting

An eASM should be able to prioritize the vulnerabilities found. This can be based on CVSS scores, but also on proprietary algorithms. Prioritization allows the company to separate the important findings that need to be fixed quickly from the less important ones.

Reporting is an important component of an eASM. It should present the vulnerabilities found in a form the company can understand. This can be a PDF, but also a dashboard or an API that passes the data on to other systems. It should also be possible to notify teams or persons; Slack and email are valid methods to inform the responsible persons in time.

What are the advantages of EASM?

eASM gives companies and IT staff good insight into their entire external infrastructure. With this knowledge, IT teams can take action, fix vulnerabilities, minimize or even completely eliminate the attack surface and learn from mistakes that have occurred. In addition, eASM works continuously; for example, Argos scans all customer assets twice daily. This allows even short-lived changes to be detected and reacted to. Small problems that are simply not recognized quickly enough are often the gateway for attackers.

An existing eASM is also an excellent source of information for penetration tests or red teaming. It allows teams to focus on the really important things instead of wasting time collecting information. Since anomaly detection is often also part of a modern eASM, unusual behavior patterns can be quickly detected and analyzed; this is where humans usually come into play to turn a hint into a confirmed security vulnerability.

What does an eASM find?

The answer depends on the monitored asset: this can be a person, a website, an IP or an Android app. Based on the most common case, the website/domain, the following general classes of vulnerabilities are typical:

  1. Unpatched Systems:
    The monitoring finds a system where no patches have been applied - this often occurs in connection with Shadow IT or other misconfigurations.
  2. Security Vulnerabilities:
    A vulnerability scan finds a vulnerable parameter that allows malicious code to be injected.
  3. Misconfigurations:
    This simple term covers an extremely complex field. "Dir Listing" is a classic: anyone can see the contents of directories. Viewed in isolation this is not bad at first, but it becomes problematic when PII is in such a directory. Incorrect DNS configurations that allow subdomains to be taken over are another example.
  4. Simple Credentials:
    Credential stuffing by the eASM finds credentials that can be used to log in. This is also a function of an eASM: it uses the data it collects, in this example for credential stuffing or brute-force attacks.
  5. Unsecured API:
    eASM tools often capture APIs (at least Argos does) and then use the definition files to specifically check all endpoints and parameters of the API. Here we repeatedly see routes that are accessible without authentication or that allow data to be manipulated or viewed.


Damian Strobel
With Argos, DSecured offers an eASM that goes far beyond the normal benefits of known eASMs. Ask for a demo!