Behind the scenes, most external attack surface management (EASM) products rely solely on basic reconnaissance technologies for asset discovery and risk detection.
Unfortunately, this approach is not the clean, simple way to understand exposure and risk that it appears to be; in practice it is risky, problematic, noisy, and painful.
Let’s look at why.
From an attacker’s perspective, reconnaissance or “recon” is just the passive or active investigation used to build a profile of a target.
Passive recon uses indirect techniques to build a target profile, which makes it exceedingly difficult to trace and therefore heavily used by attackers. An EASM may use passive recon to enumerate the records under an organization’s domain name (DNS enumeration) and build a list of records. This provides insight into the external attack surface, since the list of records leads to a list of IPs, as illustrated in Figure 1.
Figure 1. Passive recon builds a list of domains in use by the target organization
Active recon techniques go one step further. Active recon interacts once with an asset, stopping after it initiates (but does not complete) a connection on a specific port (for example, port 25 for SMTP), as illustrated in Figure 2. Attackers use active recon carefully; since it is a direct interaction with a target, there is the risk of detection. An EASM uses active recon to scan the IP ranges uncovered using passive recon.
Figure 2. Active recon builds a list of exposed assets found inside the domains found by passive recon
Most EASMs stop at reconnaissance because it provides just enough information to an end consumer to justify their claim to an “attacker perspective.” Unfortunately, the incomplete and low-confidence data forces IT security teams to manually filter out noise, quantify risk, prioritize issues, and build the context required for remediation.
Humans have a tendency to place unwarranted value on information that is presented to them numerically. This phenomenon is called false precision: people assume that if something is presented as counted or calculated, it is also likely to be accurate and complete.
Unfortunately, nothing could be further from the truth, especially for EASMs that rely on recon as the sole means of discovering assets and uncovering risk.
Here is why:
As a result, the information presented in these EASMs is best effort, limited by the underlying technologies. Despite the lists and dashboards, the incomplete asset inventories and the lack of accurate risk evaluation leave IT security teams bombarded with low-confidence, low-precision CVEs.
Clearly, reconnaissance is a good starting point for EASM, but it doesn’t go far enough to understand the risks to the external attack surface. For true confidence in risk assessment, organizations must incorporate active security testing.
Security testing is very different from reconnaissance. Unlike recon, security testing establishes a full connection with an asset and runs payload-based tests to understand the success of a specific objective.
A payload is a list of instructions and data sent to the target. A payload includes matching conditions, commands, expected responses, and more.
Figure 3. Example payload used in active testing
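To make the distinction concrete, here is an added example (not CyCognito’s payload format or code) of how a payload-based test differs from a recon observation: the payload carries a command, matching conditions and an expected response, and the asset is judged only when every condition holds. The `/openapi.json` path, the hostnames and the responses are constructed assumptions; nothing is sent over the network.

```python
"""Minimal model of a payload-based test: command + matching conditions + expected response."""
from dataclasses import dataclass, field
import re


@dataclass
class Payload:
    name: str
    request: dict                 # the command that would be sent (method, path)
    expected_status: set          # matching condition on the HTTP status code
    header_patterns: dict = field(default_factory=dict)  # header name -> regex that must match
    body_patterns: list = field(default_factory=list)    # regexes that must all match the body


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def evaluate(payload: Payload, resp: Response):
    """Return (matched, evidence). Unlike a recon 'port open' record, the verdict is
    only True when status, headers and body all satisfy the payload's conditions."""
    evidence = []
    if resp.status not in payload.expected_status:
        return False, [f"status {resp.status} not in {sorted(payload.expected_status)}"]
    evidence.append(f"status {resp.status}")
    lower = {k.lower(): v for k, v in resp.headers.items()}
    for name, pat in payload.header_patterns.items():
        val = lower.get(name.lower())
        if val is None or not re.search(pat, val, re.I):
            return False, evidence + [f"header {name} missing or does not match /{pat}/"]
        evidence.append(f"header {name}={val}")
    for pat in payload.body_patterns:
        if not re.search(pat, resp.body, re.I):
            return False, evidence + [f"body does not match /{pat}/"]
        evidence.append(f"body matches /{pat}/")
    return True, evidence


# Hypothetical payload: does the asset publish an OpenAPI 3 document at a well-known path?
API_DOC = Payload(
    name="openapi-document",
    request={"method": "GET", "path": "/openapi.json"},
    expected_status={200},
    header_patterns={"Content-Type": r"application/json"},
    body_patterns=[r'"openapi"\s*:\s*"3\.'],
)

# Constructed responses standing in for two exposed assets; both answer on port 443,
# so recon alone would record them identically.
SAMPLE_RESPONSES = {
    "shop.example": Response(200, {"Content-Type": "application/json"}, '{"openapi": "3.0.1", "paths": {}}'),
    "blog.example": Response(200, {"Content-Type": "text/html"}, "<html>not found</html>"),
}


def run(payload: Payload, responses: dict) -> dict:
    """Map each host to the payload verdict; evidence is kept for the remediation context."""
    return {host: evaluate(payload, resp)[0] for host, resp in responses.items()}
```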
Active testing uncovers the broadest range of risks with the highest confidence.
Security testing answers the most critical external risk questions, like:
And more.
Five areas where active security testing is required are:
These are non-negotiable for organizations pursuing an elevated understanding of risk and efficient use of IT security staff. All are provided using active security testing. None are available within EASM solutions that rely on passive recon and active recon techniques.
Dynamic application security testing (DAST) may be the most important use case for security testing your external attack surface. But legacy approaches to applying DAST to exposed web applications break most vulnerability scanners and even some dedicated DAST tools. Why?
Application testing requires a full connection and repeated interaction with an asset. Due to the potential impact on production systems, this means:
This adds up to considerable time and expense, not only from a licensing perspective but also from security staff time. To fully understand external exposure, DAST needs to be performed repeatedly, across all web applications, ideally on a bi-weekly basis.
CyCognito’s purpose-built security testing engine is a module within its EASM platform. This is “black box security testing” at its best and removes the blockers normally associated with security testing at scale.
No EASM product today matches the level of control and visibility delivered by the CyCognito platform.
One of CyCognito’s clients, a large B2C retail vendor, relies heavily on online web purchases. CyCognito’s security testing/DAST enables the client’s team to immediately identify web applications that have no web application firewall deployed in front of them. This allows the team to proactively reduce risk.
Figure 4. WAF detection using CyCognito
API detection is another example. The growth in B2B communication via API has created new threat vectors. Knowing whether an exposed web application contains an API endpoint is critical to understanding external risk and effectively streamlines the team’s work.
Figure 5. API detection with CyCognito
CyCognito takes the burden and costs out of managing security testing; recon and security tests are completed automatically, at scale, using CyCognito’s enterprise-grade testing infrastructure.
Customers of CyCognito Automated Security Testing (AST) have this testing information already available. Simply navigate to the Risks page from the home menu to see the results.
If you are not a CyCognito customer and want to find out more about how we can help enable automated security testing across your full external attack surface, please contact us at [email protected].
Jason Pappalexis has worked in cybersecurity for nearly two decades, holding roles across government security administration, third-party testing, solutions architecture, product management, and technical product marketing.