
EASM Discovery Techniques for Identifying Hidden Digital Exposures


As organizations rapidly adopt new digital practices and workflows, the threat landscape continues to evolve and expand. Unfortunately, only 17%¹ of organizations can accurately identify and account for their exposed digital assets. This external attack surface - all publicly accessible internet-facing assets that could be exploited by attackers to breach internal networks and data - poses a growing risk that most companies struggle to fully understand and manage.

The attack surface is highly dynamic, constantly changing and expanding. The ephemeral nature of most IP addresses makes it nearly impossible to track internet-facing assets using traditional methods. Even a simple accidental click could inadvertently expose a critical asset, creating significant security risks. With so many changes occurring, it can be challenging to accurately assess your risk exposure and identify vulnerabilities across your attack surface.

Attackers exploit vulnerabilities that organizations are unaware of, giving them a significant advantage. With comprehensive visibility, security teams operate smoothly, able to mount an effective defense. The harsh reality is that security without visibility is mere guesswork.

Viewing the Attack Surface from the Attacker's Perspective

To address this challenge, External Attack Surface Management (EASM) continuously identifies, monitors, evaluates, prioritizes, and provides guided remediation recommendations for potential attack vectors across an organization's external, internet-facing infrastructure. These assets include domains, hosts, web pages, certificates, ASNs, IP addresses, and IP CIDR blocks exposed to the public internet. This approach goes beyond network scanning of known assets; it also uncovers related businesses and joint ventures that could potentially be exploited to gain unauthorized access.

The two primary components of an EASM solution are the digital Asset Inventory and Vulnerability Findings. Together, they uncover previously unknown and unmonitored external assets, providing organizations with comprehensive visibility into their external attack surface.

  • EASM Asset Inventory: The EASM Digital Asset Inventory catalogs all internet-facing assets associated with the organization, delivering comprehensive details on each asset.
  • EASM Vulnerability Findings: The EASM Vulnerability Findings provide a comprehensive overview of all vulnerabilities linked to the organization's digital assets. For each vulnerability, key details are surfaced, including associated Common Vulnerabilities and Exposures (CVE) identifiers, Common Vulnerability Scoring System (CVSS) severity scores, presence in CISA's Known Exploited Vulnerabilities (KEV) catalog, and Exploit Prediction Scoring System (EPSS) exploit-likelihood data. This enables proactive vulnerability management by generating alerts that guide the appropriate response.

EASM Asset Discovery Techniques

The EASM Asset Discovery process ensures that even "shadow IT" assets are identified and brought under security management. The asset discovery process involves the following steps:

Step 1: Seed Profiles

To begin the discovery process for your digital assets, EASM requires a known, legitimate asset from your organization, referred to as a "seed"; seeds are typically domains, IP addresses, or IP CIDR blocks. Seeds are the foundation for discovering the connected, internet-exposed digital assets in your infrastructure using various open-source intelligence (OSINT) sources. While setting up asset discovery, EASM allows you to configure seeds by creating a discovery group or profile. A discovery profile adds a layer of granular control over how the attack surface is built by including specific seeds. For each custom organization that you add, you can configure discovery profiles by adding seeds.

Step 2: Asset Discovery Mapping

EASM gathers data on domains, IPs, and DNS. This allows for important asset mapping, including:

  • Mapping a domain to its subdomains
  • Linking domains/subdomains to IP addresses
  • Connecting subdomains to name servers
  • Relating domains or subdomains to SSL certificates
  • Linking domains to IP addresses
  • Connecting IP addresses to hostnames
  • Associating IP addresses with Autonomous System Numbers (ASNs)
  • Finding the geolocation of IP addresses and hosts
  • Identifying cloud providers

Step 3: Filling in the Asset Gaps

When the first level of assets associated with a seed is identified, EASM recursively scans additional levels of connections, creating a comprehensive map of the organization's attack surface. To complete the asset inventory, two primary discovery methodologies are utilized:

  • Passive DNS Discovery: This approach collects passive DNS data, which is then used to simulate attacker reconnaissance and identify potential blind spots. It can also pinpoint IP hosts without associated hostnames, potentially indicating malicious activity. By providing insight into IP addresses and name servers, passive DNS data helps detect commonalities where similar records have been reused or shared.
  • DNS Enumeration: This technique gathers detailed information about a domain's DNS records by querying a DNS server. This reveals key details such as hostnames (including subdomains), IP addresses linked to those hostnames, and various types of DNS records (e.g., A, MX, NS, TXT) associated with the domain.

Step 4: Asset Timeline and Validation

EASM timelines allow you to query, validate, investigate, and analyze connected asset data. This enables you to demonstrate historical compliance, support incident investigations, and identify risks and gaps. When a vulnerability is detected, you can use an active scanner to investigate and verify the finding. Additionally, EASM uses targeted passive scanning to identify asset vulnerabilities, complementing your overall Vulnerability Management program.

Step 5: Automatic Ongoing Monitoring

EASM continuously monitors the organization's external attack surface, ensuring that any new risks are promptly detected and changes to existing assets are tracked. By tapping into up-to-date cyber intelligence, EASM continuously captures the dynamic attack surface, including:

  • IP data: Identifies the current geographical location and network provider of the organization's IP assets.
  • DNS data: Identifies unauthorized changes to DNS records, finds orphaned DNS entries, and keeps track of new subdomains added to the organization's DNS zones.
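As an added illustration of Steps 1 through 5 (this is example code, not ZeroFox's implementation), the following Python recursively expands a seed domain over a constructed passive-DNS record set: subdomains and forward records (A, CNAME, MX, NS) of a confirmed asset are treated as confirmed, while hostnames reached only by pivoting on a shared IP are flagged as candidates that still need the validation described in Step 4, and a final helper reports what is new since the last run, as in Step 5. The record set, names and IPs are constructed for the example.

```python
from collections import defaultdict
# Constructed passive-DNS style records (rrname, rrtype, rdata); not real data.
PDNS_RECORDS = [
    ("example.com", "A", "203.0.113.10"),
    ("example.com", "NS", "ns1.example-dns.net"),
    ("example.com", "MX", "mail.example.com"),
    ("www.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.20"),
    ("dev.example.com", "CNAME", "example.cloudapp.example.net"),
    ("old-vendor.example.org", "A", "203.0.113.20"),  # shares an IP with mail
    ("unrelated.example.net", "A", "198.51.100.5"),   # not linked to the seed
]
FORWARD_TYPES = ("A", "CNAME", "MX", "NS")  # record types followed from a hostname

def build_indexes(records):
    by_name = defaultdict(list)  # rrname -> [(rrtype, rdata)]
    by_ip = defaultdict(set)     # IP -> {hostnames with an A record to it}
    for name, rtype, data in records:
        by_name[name].append((rtype, data))
        if rtype == "A":
            by_ip[data].add(name)
    return by_name, by_ip

def discover(seeds, records, max_depth=3):
    """Expand seeds into {asset: 'seed' | 'confirmed' | 'candidate'}. Subdomains and
    forward records of a seed/confirmed asset are 'confirmed'; hostnames reached only
    through a shared IP are 'candidate' (shared hosting makes that weak evidence)."""
    by_name, by_ip = build_indexes(records)
    inventory = {s: "seed" for s in seeds}
    frontier = list(seeds)
    for _ in range(max_depth):  # each pass is one more level of connections
        new = []
        for asset in frontier:
            if asset in by_ip:  # an IP: reverse pivot to everything resolving there
                found = [(h, "candidate") for h in sorted(by_ip[asset])]
            else:
                lab = "candidate" if inventory[asset] == "candidate" else "confirmed"
                found = [(n, lab) for n in by_name if n.endswith("." + asset)]
                found += [(d, lab) for t, d in by_name.get(asset, ()) if t in FORWARD_TYPES]
            for item, lab in found:
                if item not in inventory:
                    inventory[item] = lab
                    new.append(item)
        frontier = new
    return inventory

def new_assets(previous, current):
    """Step 5 style change tracking: assets seen now but absent from the last run."""
    return sorted(a for a in current if a not in previous)
```

With the constructed records, `old-vendor.example.org` only appears at depth 3 via the IP shared with `mail.example.com` and is labelled a candidate, while `unrelated.example.net` is never reached.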

Get a Clear Picture of Your External Attack Surface with ZeroFox

The ZeroFox external cybersecurity platform combines the power of AI, full-spectrum intelligence services, and takedown and incident response capabilities. Our External Attack Surface Management (EASM) solution adds powerful continuous discovery, identification, and inventory capabilities to protect your expanding external attack surface, including:

  • Discover and inventory digital assets
  • Analyze and prioritize exposures and vulnerabilities
  • Combat asset sprawl and shadow IT
  • Detect data leakage
  • Reduce phishing and social engineering attacks
  • Adhere to regulatory compliance requirements
  • Visualize your external digital risk from one view

Asset Discovery empowers you to continuously monitor your organization's dynamic attack surface, a critical capability in the ongoing cat-and-mouse game with threat actors. Contact us today to uncover and protect unknown exposures in your external attack surface.


1 Gartner Innovation Insight: Attack Surface Management, 9 April 2024

Kelly Kuebelbeck

Senior Product Marketing

Kelly Kuebelbeck is a dedicated threat researcher with a strong passion for understanding and combating cybercrime. She has over 15 years of marketing experience in cybersecurity, IoT risk management, and healthcare technology management. As a senior product marketer at Zerofox, Kelly oversees EASM (Enterprise Attack Surface Management) breach prevention technologies, develops product content, and supports product launches. Before joining Zerofox, she held marketing leadership positions at Asimily, Smarten Spaces, and Accruent.
