Attack surface management (ASM) is not a novel idea; it has existed for as long as there have been things to protect from attacks. With the demise of traditional network perimeters and the expansion of modern infrastructure, the attack surface has grown complex and distributed. It encompasses everything tied to an organization, from applications and cloud-based systems to IoT devices and employees.
The need for ASM is attributed to factors like cloud migration, business transformation, and remote work, all of which increase the attack surface’s complexity. Even the introduction of new security controls can inadvertently expand the attack surface. The blog discusses ASM’s role in securing digital, physical, and social attack surfaces, and breaks the digital attack surface down into various subdomains.
The complexity of attack surfaces is expected to grow in 2023, necessitating more advanced ASM strategies. Effective ASM involves reducing complexity, vulnerabilities, and exposure in each domain while gaining leverage and improving control.
Management is a key aspect of ASM, focusing on risk reduction rather than the complete elimination of threats. ASM considers threats from the attacker’s perspective, striving to limit attackers’ opportunities to cause harm. Challenges for 2023 include attackers’ increasing use of legitimate files and utilities in attacks, making malicious presence detection more difficult.
To reduce risk effectively, organizations need to understand not just which vulnerabilities exist but also which of them are exploitable and align with hackers’ goals. Focusing on exploited vulnerabilities, as cataloged by CISA’s Known Exploited Vulnerabilities Catalog, is vital in ASM. Pentesting and red teaming also play a crucial role in locating exploitable vulnerabilities, and in 2023, organizations are expected to better appreciate the value of pentesting.
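As an added illustration (not code from the blog), the sketch below ranks scanner findings by Known Exploited Vulnerabilities membership and exposure before CVSS score. The findings, the catalog excerpt and the placeholder CVE IDs are constructed, and the ranking order is an assumption; only the field names follow CISA's published KEV JSON feed.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed (placeholder CVE IDs).
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "dateAdded": "2023-01-10", "dueDate": "2023-01-31",
  "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0003", "dateAdded": "2023-02-02", "dueDate": "2023-02-23",
  "knownRansomwareCampaignUse": "Unknown"}]}"""

# Constructed scanner findings: (asset, CVE, CVSS base score, internet_facing)
FINDINGS = [
    ("vpn-gw-01", "CVE-0000-0001", 7.5, True),
    ("hr-db-02", "CVE-0000-0002", 9.8, False),
    ("build-srv-03", "CVE-0000-0003", 6.1, False),
    ("web-04", "CVE-0000-0004", 8.8, True),
]

def load_kev(raw):
    """Index the catalog by CVE ID for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(findings, kev, today):
    """Rank findings: known-exploited first, then exposed, then CVSS."""
    ranked = []
    for asset, cve, cvss, exposed in findings:
        entry = kev.get(cve)
        in_kev = entry is not None
        # dueDate is the remediation deadline CISA sets for federal agencies;
        # it is reused here as a hypothetical internal deadline.
        overdue = in_kev and date.fromisoformat(entry["dueDate"]) < today
        ransomware = in_kev and entry["knownRansomwareCampaignUse"] == "Known"
        ranked.append({
            "asset": asset, "cve": cve, "cvss": cvss, "exposed": exposed,
            "kev": in_kev, "overdue": overdue, "ransomware": ransomware,
            # Assumed ordering: exploitation evidence outranks raw severity.
            "key": (in_kev, exposed, ransomware, cvss),
        })
    return sorted(ranked, key=lambda r: r["key"], reverse=True)

if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev(KEV_JSON), date(2023, 2, 10)):
        flags = [f for f in ("kev", "exposed", "ransomware", "overdue") if r[f]]
        print(f'{r["asset"]:<13}{r["cve"]:<15}{r["cvss"]:<5}{",".join(flags)}')
```

With this data the CVSS 9.8 finding on an internal host ranks last, behind a 6.1 that appears in the catalog.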