Attack Surface Management vs. Attack Trigger Management
Nowadays the importance of Attack Surface Management for keeping an eye on an organization's digital assets, networks and cloud resources cannot be denied. However, is there any real difference between Attack Surface Management and Attack Trigger Management? This article tries to encapsulate a few of our thoughts.
Attack Surface Management
Attack surface management (ASM) gives cyber security teams an overview of their environment through the eyes of attackers: how attackers see their target. ASM maps the critical internet-facing assets of an organization that could provide an entry point to attackers, i.e. its potentially vulnerable assets. ASM works in the pre-attack phase: it identifies and analyzes the critical assets and digital infrastructure of an organization that are particularly likely to become targets of threat actors.
The term "attack surface" is used to describe the areas of a system that are vulnerable to attack because they are either easily accessible from the outside or contain vital information for threat actors. Isolating and correctly identifying system components as part of the attack surface is crucial to the success of attack surface management strategies. ASM has some basic utility functions that map out the entire attack surface of an organization. These utility functions include:
- Port Scanning
- Subdomain Enumeration
- DNS Enumeration
- WHOIS Lookup
- SSL Certificate Info
- Subdomain Takeover
- Open Redirect Vulnerability
The attacks in ASM are always planned and executed from the hacker's point of view rather than the defender's. It locates potential weak points and calculates the danger they pose in light of the potential gains for an adversarial actor. Many of the same tools and techniques that hackers employ are used in ASM, and many of the activities and technologies used in ASM are developed and executed by 'ethical hackers' who are familiar with the habits and techniques of cyber criminals and can successfully imitate them.
ASM has three core functions:
- Discovery of critical internet-facing assets
- Detecting change in the discovered assets
- Alarm generation whenever there is a change in the discovered assets or in the security posture of the organization.
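The second and third core functions, change detection and alarm generation, can be shown on a small asset inventory. The following Python is an added example, not code from the original article or from any ASM product; the two inventory snapshots, the reference date, and the list of sensitive ports are constructed sample data, and the discovery step itself (port scan, DNS and certificate lookups) is represented by those snapshots rather than performed.

```python
"""Change detection over an attack-surface inventory (added illustration).

Two snapshots of discovered internet-facing assets are compared and every
difference, plus any weak spot in the current posture, becomes an alarm.
All asset data below is constructed sample data, not real scan output.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    host: str                              # from subdomain / DNS enumeration
    ip: str                                # resolved address
    open_ports: frozenset                  # from port scanning
    cert_expiry: Optional[date] = None     # from SSL certificate info; None = no TLS
    dangling_cname: Optional[str] = None   # CNAME to an unclaimed service (takeover risk)


# Constructed snapshots, keyed by hostname: the baseline and the latest discovery run.
SNAPSHOT_BEFORE = {
    "www.example.com": Asset("www.example.com", "203.0.113.10", frozenset({80, 443}), date(2025, 6, 1)),
    "mail.example.com": Asset("mail.example.com", "203.0.113.11", frozenset({25, 587}), date(2025, 6, 1)),
}
SNAPSHOT_NOW = {
    "www.example.com": Asset("www.example.com", "203.0.113.10", frozenset({22, 80, 443}), date(2025, 6, 1)),
    "mail.example.com": Asset("mail.example.com", "203.0.113.11", frozenset({25, 587}), date(2025, 6, 1)),
    "old-blog.example.com": Asset("old-blog.example.com", "203.0.113.12", frozenset({80}),
                                  None, "old-blog.hosting-provider.example"),
}
TODAY = date(2025, 5, 15)  # constructed reference date for the certificate check

# Ports whose appearance on an internet-facing host should page someone (constructed policy).
SENSITIVE_PORTS = {21, 22, 23, 3306, 3389, 5432, 6379, 27017}


def diff_inventory(before, now):
    """Return change records between two snapshots: new/removed hosts, port and cert changes."""
    changes = []
    for host in sorted(set(before) | set(now)):
        old, new = before.get(host), now.get(host)
        if old is None:
            changes.append({"host": host, "kind": "new_asset", "detail": new})
        elif new is None:
            changes.append({"host": host, "kind": "asset_gone", "detail": old})
        else:
            opened, closed = new.open_ports - old.open_ports, old.open_ports - new.open_ports
            if opened:
                changes.append({"host": host, "kind": "ports_opened", "detail": sorted(opened)})
            if closed:
                changes.append({"host": host, "kind": "ports_closed", "detail": sorted(closed)})
            if new.cert_expiry != old.cert_expiry:
                changes.append({"host": host, "kind": "cert_changed", "detail": new.cert_expiry})
    return changes


def generate_alarms(changes):
    """Turn change records into (severity, host, message) alarms."""
    alarms = []
    for c in changes:
        host, kind, detail = c["host"], c["kind"], c["detail"]
        if kind == "new_asset":
            if detail.dangling_cname:
                alarms.append(("high", host, f"new asset with CNAME {detail.dangling_cname} "
                                             "pointing at an unclaimed service (takeover risk)"))
            else:
                alarms.append(("medium", host, f"new internet-facing asset at {detail.ip}"))
        elif kind == "ports_opened":
            severity = "high" if SENSITIVE_PORTS & set(detail) else "low"
            alarms.append((severity, host, f"ports opened: {detail}"))
        elif kind == "asset_gone":
            alarms.append(("info", host, "asset no longer discovered"))
        elif kind == "ports_closed":
            alarms.append(("info", host, f"ports closed: {detail}"))
        elif kind == "cert_changed":
            alarms.append(("info", host, f"certificate expiry now {detail}"))
    return alarms


def check_posture(now, today=TODAY, warn_days=30):
    """Posture alarms independent of any change: certificates expiring within warn_days."""
    alarms = []
    for host in sorted(now):
        expiry = now[host].cert_expiry
        if expiry is not None and (expiry - today).days <= warn_days:
            alarms.append(("medium", host, f"certificate expires in {(expiry - today).days} days"))
    return alarms


if __name__ == "__main__":
    for alarm in generate_alarms(diff_inventory(SNAPSHOT_BEFORE, SNAPSHOT_NOW)) + check_posture(SNAPSHOT_NOW):
        print(*alarm, sep=" | ")
```

Running it produces a high alarm for the newly discovered host whose CNAME points at an unclaimed service, a high alarm for SSH appearing on the web server, and medium alarms for the two certificates that expire within the 30-day window. In practice the snapshots would be written by the discovery tooling and the alarms fed to a ticketing or SIEM pipeline; the diff logic stays the same.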
Figure 1. ASM working [ https://www.coalfire.com/solutions/threat-and-vulnerability-management/attack-surface-management ]
Identify potential targets and monitor them
Explore the uncharted. What you can't see, you can't protect. ASM performs constant network scans to discover, map, and keep tabs on an organization's potential attack surface. ASM increases the discoverability of hidden assets before they can be exploited by adversaries.
Locate potential dangers and arrange objectives in order of importance
ASM aids in prioritizing the most serious risks. An efficient ASM helps to identify potential dangers and establish actionable goals. Prioritizing the most important risks requires an understanding of where the biggest flaws are and a plan to fix them before an incident occurs.
Techniques and strategies employed by adversaries
Expertly executed attacks with an adversarial focus. Using attack simulation, ASM verifies security flaws and evaluates their exploitability.
Support for corrective action and reporting
Quickly fix vulnerabilities by consulting with technical experts. To help mitigate risk and back up the operational activities of an organization, ASM provides actionable intelligence and works with the business.
Attack Trigger Management
A trigger is an event in the system that causes the malicious payload to be released. A trigger condition can be anything from the existence of a certain file or a specific user action to the identification of dangerous files from data sources, such as discovering a malicious phishing link on Twitter.
Attack Trigger Management (ATM) finds malicious campaigns, including script alerts, phishing links, malicious files, web technologies and public malware dictionaries, across various data sources, and whenever a new malicious campaign is found it triggers security evaluation to perform a security test.
ATM has a set of trigger functions, or conditions, that trigger security evaluation to perform a security test. The trigger functions monitor the attack surface of the organization.
ATM scrapes malicious campaigns from various data sources, including Twitter, LinkedIn, and public malware dictionaries such as MalwareBazaar. Security analysts and professionals post about new malware, phishing campaigns, and script alerts on these platforms. ATM scrapes the malicious campaigns from these platforms and, as soon as it detects one, triggers security evaluation to perform a security test.
Figure 2. ATM working
ATM Trigger Functions
ATM trigger functions send a trigger to security evaluation under specific conditions. Whenever a particular condition is met, ATM sends a trigger to security evaluation to perform a specific security test against the target. ATM trigger functions include:
Scraping Data Sources
ATM uses an automated bot to scrape malicious campaigns from public data sources, including Twitter, LinkedIn, and public malware dictionaries such as MalwareBazaar. Cyber security analysts frequently post about ongoing malicious campaigns on these data sources along with their analysis. The automated bot uses a set of keywords to scrape malicious campaigns, and whenever it finds one it sends a trigger to security evaluation to perform a test against the target website.
Twitter continues to be the preferred social media sharing medium for cyber security. Twitter is a one-stop shop for up-to-the-minute information on any topic related to cyber security, including but not limited to ransomware attacks, cyber crime, advanced persistent threats, incident response, malware outbreaks, and reverse engineering. Information security is all about sharing knowledge, and you can find the industry's best and brightest doing just that on Twitter.
ATM uses an automated bot to scrape the latest malicious campaigns from Twitter. It uses a set of specified keywords to scrape malicious campaigns and forwards them to security evaluation for further testing.
LinkedIn is another important social platform; cyber security professionals usually post blogs about emerging malware on this platform. These blogs include analysis of the tactics and techniques of the malware. This analysis can provide great insights to cyber security teams, and the malware described can be used to trigger security evaluation for further testing. ATM uses specified keywords to extract useful data about the latest malicious campaigns from these data sources.
Malware Dictionaries
Public malware dictionaries contain a pool of the latest malware and its analysis reports; one such example is MalwareBazaar. The goal of MalwareBazaar is to pool the most up-to-date malware samples, which in turn aids IT security experts and threat analysts in their efforts to safeguard the public and their clients from cyber risks. ATM extracts the latest malware and its definitions from MalwareBazaar and triggers security evaluation for further testing. Whenever a new malware sample or malicious campaign is detected on MalwareBazaar, ATM immediately triggers security evaluation to perform a security test on the target using the designated malware.
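The trigger functions described in the sections above (keyword-based scraping of social posts, and pulling new samples from a malware dictionary) share one shape: scan an item from a data source, extract its indicators, and emit a trigger naming the security test to run. The following Python is an added example covering both sections, not code from the original article or from MalwareBazaar; the keyword list and test names are hypothetical, the posts are constructed, and the dictionary payload is a constructed string only loosely modelled on the JSON shape of a MalwareBazaar API response (`query_status`, `data`, `sha256_hash`).

```python
"""Trigger functions for Attack Trigger Management (added illustration).

Items from two kinds of data source, social-media posts (Twitter/LinkedIn-style)
and a public malware dictionary, are scanned by keyword, their indicators are
extracted, and each hit becomes a trigger that names the security test to run.
All inputs below are constructed sample data.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Keyword -> campaign kind. Constructed keyword list; a real deployment would tune it.
KEYWORDS = {
    "phishing": "phishing_link",
    "ransomware": "malware_sample",
    "malware": "malware_sample",
    "script alert": "script_alert",
    "xss": "script_alert",
}
# Campaign kind -> the security test that security evaluation runs (hypothetical test names).
TEST_FOR_KIND = {
    "phishing_link": "url_reputation_and_mail_filter_check",
    "malware_sample": "endpoint_detection_check",
    "script_alert": "web_app_script_injection_check",
}
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>)]+")   # plain and defanged (hxxp) URLs
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


@dataclass(frozen=True)
class Trigger:
    source: str      # where the campaign was seen
    kind: str        # campaign kind from KEYWORDS
    indicator: str   # URL or file hash to test against
    test: str        # security test to trigger


def classify(text: str) -> Optional[str]:
    """Return the campaign kind of a post, or None if no keyword matches."""
    lowered = text.lower()
    for keyword, kind in KEYWORDS.items():
        if keyword in lowered:
            return kind
    return None


def refang(url: str) -> str:
    """Undo common defanging so the indicator can be used by the tests."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".").replace("[:]", ":")


def triggers_from_posts(posts):
    """Scan scraped posts; every indicator in a keyword-matching post becomes a trigger."""
    triggers = []
    for post in posts:
        kind = classify(post["text"])
        if kind is None:
            continue   # not a campaign post, no trigger
        indicators = [refang(u) for u in URL_RE.findall(post["text"])] + SHA256_RE.findall(post["text"])
        for indicator in indicators:
            triggers.append(Trigger(post["source"], kind, indicator, TEST_FOR_KIND[kind]))
    return triggers


def triggers_from_malware_dictionary(payload: str):
    """Every sample in a dictionary listing becomes a malware_sample trigger on its SHA-256."""
    data = json.loads(payload)
    if data.get("query_status") != "ok":
        return []   # empty or failed listing: nothing to trigger
    return [Trigger("malwarebazaar", "malware_sample", s["sha256_hash"], TEST_FOR_KIND["malware_sample"])
            for s in data.get("data", [])]


def dispatch(triggers):
    """Group triggers by the test to run, de-duplicating indicators."""
    plan = {}
    for t in triggers:
        plan.setdefault(t.test, set()).add(t.indicator)
    return {test: sorted(indicators) for test, indicators in plan.items()}


# Constructed sample input: three posts that should trigger and one that should not.
SAMPLE_POSTS = [
    {"source": "twitter", "text": "New #phishing kit targeting mail users, lure hosted at hxxps://login-example[.]test/secure"},
    {"source": "linkedin", "text": "Write-up on the new Example ransomware strain, dropper sha256 " + "a" * 64},
    {"source": "twitter", "text": "Great conference talk yesterday, slides are online"},
    {"source": "twitter", "text": "Script alert: stored XSS hitting comment forms, write-up at https://blog.example.test/xss-notes"},
]
# Constructed payload, loosely modelled on the JSON shape of a MalwareBazaar listing.
SAMPLE_DICTIONARY_JSON = json.dumps({
    "query_status": "ok",
    "data": [{"sha256_hash": "b" * 64, "file_name": "invoice.exe", "signature": "ExampleLoader", "tags": ["exe"]}],
})

if __name__ == "__main__":
    found = triggers_from_posts(SAMPLE_POSTS) + triggers_from_malware_dictionary(SAMPLE_DICTIONARY_JSON)
    for test, indicators in dispatch(found).items():
        print(test, indicators)
```

The post without a campaign keyword produces no trigger, defanged URLs are refanged before being handed to a test, and `dispatch` collapses duplicate indicators so the same hash seen on LinkedIn and in the dictionary only triggers one test run. Wiring the real scrapers in means replacing `SAMPLE_POSTS` and `SAMPLE_DICTIONARY_JSON` with live fetches; the trigger logic does not change.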