Static Lists Are The Wrong Way to Do Attack Surface Mapping
When identifying and cataloging assets, static lists leave your organization vulnerable to constant changes across your attack surface.
Historically, Excel has been the most common way to complete asset inventory, but spreadsheets are static. Static lists are a great place to start and get a snapshot of your attack surface, but static lists should not be used as an ongoing tool for dynamic data. Doing so is the modern equivalent of chiseling information into stone.
There are many legacy reasons for keeping asset inventories in spreadsheets. For instance, spreadsheets are easily shared, searchable and organized. That said, the spreadsheet remains the same unless someone manually updates it. Quickly, the information becomes less relevant to your existing environment.
Static lists can’t keep up with the internet
Your company’s attack surface constantly evolves, making static lists an insufficient method for attack surface mapping. While that may seem obvious, it's difficult to quantify. We know that environments can and do change over time. From research analyzing Fortune 500 data, we have seen anecdotal evidence of a 1%-5% annual drift in assets. It may not seem significant in a one-off example, but when an enterprise has millions of assets keeping these lists up-to-date is simply impossible to do by hand.
With so many assets in their inventory, it's no surprise that over time companies will decide that "these assets no longer belong to us" or "we no longer care about these assets."
The bigger your attack surface, the more likely assets are to change. For example, hosts are added and removed, listening ports/services are open and closed, or software is added, removed or updated.
Fierce automation is the best strategy to keep your attack surface map up-to-date. With automation, any change that is unknown or uncontrolled can safely be treated as a shadow asset, shadow service or shadow software.
Let's touch on the many reasons why an asset would need to be added or removed from an attack surface map:
- Expired domain name(s)
- Decommissioned or IP-filtered hostname/asset by a perimeter firewall
- Disabled or IP-filtered listening port/service by a perimeter firewall
- Transferred asset ownership to another company (e.g., through a merger or acquisition)
- Transferred asset management to a third party (e.g., vendors or a cloud provider)
- Lapsed assets that are no longer relevant to the organization (e.g., the campaign is over)
- Registered assets to the wrong domain name (e.g., keyword or typo domains)
- Acquired another company
- Procured new software
- Updated business software
- Hacked via software
- Moved into a new line of business
- Created new websites for developer or quality assurance testing
- Added new hardware for network engineers to test
- Collaborated with third parties to develop new assets
- Published new marketing webpages
As we can see, attack surface management is more than simply adding assets to an inventory; it's also about shrewdly removing unnecessary assets. If not properly managed, your asset data will be outdated and irrelevant, rendering your attack surface map unusable.
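The drift described above (hosts added and removed, ports opened and closed, software changed) is what an automated map has to detect, and anything not on the list of approved changes is shadow. The following is an added example, not code from the original article or from Tenable: it diffs two constructed inventory snapshots and flags unapproved drift as shadow assets, shadow services or shadow software. The snapshot format and the approved-change list are assumptions.

```python
"""Diff two attack-surface snapshots and flag unapproved drift as shadow items.

Added example (not the article's or any vendor's code). The snapshot shape
(host -> {"ports", "software"}) and the approved-change set are assumptions.
"""

# Constructed sample snapshots: each host maps to its listening ports and software.
SNAPSHOT_T0 = {
    "www.example.com": {"ports": {80, 443}, "software": {"nginx 1.24"}},
    "mail.example.com": {"ports": {25, 587}, "software": {"postfix 3.8"}},
    "promo2023.example.com": {"ports": {443}, "software": {"apache 2.4"}},
}
SNAPSHOT_T1 = {
    "www.example.com": {"ports": {80, 443, 8080}, "software": {"nginx 1.24"}},
    "mail.example.com": {"ports": {25, 587}, "software": {"postfix 3.9"}},
    "dev-qa.example.com": {"ports": {22, 3000}, "software": {"node 20"}},
}
# Changes the organisation knowingly made (constructed). Anything else is shadow.
APPROVED = {
    ("removed_host", "promo2023.example.com"),          # promo campaign is over
    ("software", "mail.example.com", "postfix 3.9"),   # planned upgrade
}
# Map raw drift events onto the article's three shadow categories.
KIND = {"added_host": "shadow asset", "port_opened": "shadow service", "software": "shadow software"}


def diff_snapshots(before, after):
    """Return every drift event between two snapshots as a set of tuples."""
    events = set()
    for host in after.keys() - before.keys():
        events.add(("added_host", host))
    for host in before.keys() - after.keys():
        events.add(("removed_host", host))
    for host in before.keys() & after.keys():          # hosts present in both
        for port in after[host]["ports"] - before[host]["ports"]:
            events.add(("port_opened", host, port))
        for port in before[host]["ports"] - after[host]["ports"]:
            events.add(("port_closed", host, port))
        for sw in after[host]["software"] - before[host]["software"]:
            events.add(("software", host, sw))
    return events


def shadow_items(before, after, approved):
    """Drift nobody approved, labelled as shadow asset / service / software."""
    return sorted((KIND.get(e[0], "other drift"), *e[1:])
                  for e in diff_snapshots(before, after) - approved)


if __name__ == "__main__":
    for item in shadow_items(SNAPSHOT_T0, SNAPSHOT_T1, APPROVED):
        print(*item)
```

Closed ports and removed hosts still appear in `diff_snapshots` so a reviewer can confirm they were intentional, but only unapproved additions are promoted to shadow items.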
It's unwise to rely on static lists longer than necessary. Extrapolating from our Fortune 500 analysis above, even a small enterprise with just 20,000 assets can see up to 1,000 of them change in a year on average, and it only takes one machine with an exploitable issue for an attacker to gain a foothold.
Identifying the assets that make up your attack surface is referred to as "discovery" and is often conflated with asset management. Discovery is more than a snapshot of your attack surface map; it is the continuous process that keeps asset management operational. While discovery tools are relevant to penetration testing, they provide little value compared to a mature organization's use of an up-to-date asset map.
Static lists don't stand a chance against zero-day exploits
Zero-day exploits occur whether or not your asset list is up-to-date. When a zero-day exploit is announced, you do not want to realize that your static list is weeks or, worse, months out of date. The time it takes to manually update your list is enormous and cannot scale while trying to combat real threats.
Speed is a growing tactic for attackers targeting organizations. If you are operating with outdated lists, speed is the only thing you don't have. That's why Tenable gives users direct access to the underlying data. If you know a product or service is vulnerable, you can take corrective action.
Static lists fail as adversaries quickly switch up priorities and tactics
Adversaries adapt and change tactics to match shifting attitudes and priorities, limiting the effectiveness of static asset lists. For example, the hacker community may not consider attacking your organization, but you become a prime target when an issue gets shared across social media. Or you may not be a target one day, and suddenly, by someone else's misfortune, you've become the next most target-rich environment. Knowledge of how adversaries think and operate regarding your environment is essential.
However, checking for malicious activity is impossible if you have no idea what you own. If an adversary is talking about "example.com," but you don’t even know you own "example.com," then you can't secure it. Additionally, you can't monitor for social signals, or hacking activity in underground channels, if you simply have no idea what assets you should be monitoring.
Understand how asset value shifts over time
An asset's value is not static.
Security teams often focus on how risks change but forget asset values can shift over time. New vulnerabilities may become known or change in scope depending on other site features.
Firstly, the asset can decrease in value. This happens when:
- Features of the site are removed: For example, when a company removes a credit card database and starts clearing credit cards with a third party. The site's value to an attacker is far lower if there is nothing worth stealing.
- The season of value is over: Many retail sites and landing pages are extremely valuable between Thanksgiving and Christmas due to holiday shopping. After the holidays, the site's value diminishes because it receives less traffic. For example, let's say for the season, there is a one-off promotional deal that only lasts a few weeks. After it's over, no one will visit the site.
- The site is deprecated: If backlinks no longer point to the site, not only is the attacker less likely to find it, so are legitimate users, so it diminishes in risk and value simultaneously.
Inversely, here's how asset value increases over time:
- Increasing site popularity: When a site becomes popular, it receives a massive uptick in the number of users who convert into leads and ultimately into customers. Alternatively, your website may have introduced the best deal widget, and people are looking for deals. All of that improves the value of the site.
- Launching new features: The site's new features can improve the company's valuation. A fully functional app is almost always worth more than one that is missing features.
- Storing sensitive information: If an asset becomes the conduit for placement of sensitive information, it increases in value and requires the business to beef up protections. That can be trade secrets, application code, customer lists or traditional PII/PHI.
It's clear that static lists are ineffective for attack surface mapping. Yet, not only are they the most common way companies manage their assets, but they are also widely used by vendors, contractors, and third parties. Often there is a "mechanical Turk" (a person behind the curtain) tasked with updating the list semi-regularly. That at least has the advantage of being updated, but with some significant downsides of human error. That's why automation is key to successful attack surface management.