Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Static Lists Are The Wrong Way to Do Attack Surface Mapping

When identifying and cataloging assets, static lists leave your organization vulnerable to constant changes across your attack surface.

Historically, Excel has been the most common way to complete asset inventory, but spreadsheets are static. Static lists are a great place to start and get a snapshot of your attack surface, but static lists should not be used as an ongoing tool for dynamic data. Doing so is the modern equivalent of chiseling information into stone.

There are many legacy reasons for keeping asset inventories in spreadsheets. For instance, spreadsheets are easily shared, searchable and organized. That said, the spreadsheet remains the same unless someone manually updates it. Quickly, the information becomes less relevant to your existing environment.

Static lists can’t keep up with the internet

Your company’s attack surface constantly evolves, making static lists an insufficient method for attack surface mapping. While that may seem obvious, it's difficult to quantify. We know that environments can and do change over time. From research analyzing Fortune 500 data, we have seen anecdotal evidence of a 1%-5% annual drift in assets. It may not seem significant in a one-off example, but when an enterprise has millions of assets keeping these lists up-to-date is simply impossible to do by hand.

With so many assets in their inventory, it's no surprise that over time companies will decide that "these assets no longer belong to us" or "we no longer care about these assets."

The bigger your attack surface, the more likely assets are to change. For example, hosts are added and removed, listening ports/services are open and closed, or software is added, removed or updated.

Fierce automation is the best strategy to keep your attack surface map up-to-date. With automation,, if any changes are unknown or uncontrolled, you can safely refer to them as shadow assets, shadow services and shadow software.

Let's touch on the many reasons why an asset would need to be added or removed from an attack surface map:

  • Expired domain name(s)
  • Decommissioned or IP-filtered hostname/asset by a perimeter firewall
  • Disabled or IP-filtered listening port/service by a perimeter firewall
  • Transferred asset ownership to another company (i.e., through a merger or acquisitions)
  • Transferred asset management to a third party (i.e., vendors/cloud provider)
  • Lapsed assets that are no longer relevant to the organization (i.e., the campaign is over)
  • Registered assets to the wrong domain name (i.e., keyword/typo)
  • Acquired another company
  • Procured new software
  • Updated business software
  • Hacked via software
  • Moved into a new line of business
  • Created up new websites for developer or quality assurance testing 
  • Added new hardware for network engineers to test
  • Collaborated with third parties to develop new assets 
  • Published new marketing webpages 

As we can see, attack surface management is more than simply adding assets to an inventory; it's also about shrewdly removing unnecessary assets. If not properly managed, your asset data will be outdated and irrelevant, rendering your attack surface map unusable.

It's unwise to rely on static lists longer than necessary. For example, based on the above, with our analysis of the Fortune 500, if one extrapolates, a small enterprise with just 20,000 assets can change up to 1,000 assets on average, and it only takes one machine having an exploitable issue for an attacker to leverage.

Identifying the assets that are a part of your attack surface is referred to as "discovery" and is often conflated with asset management. Discovery is more than a snapshot of your attack surface map; it is a process that effectively continuously operationalizes asset management. While discovery tools are relevant to penetration testing, they provide little value compared to a mature organization's use of an up-to-date asset map.

Static lists don't stand a chance against zero-day exploits

Zero-day exploits occur whether or not your asset list is up-to-date. When a zero-day exploit is announced, you do not want to realize that your static list is weeks or, worse, months out of date. The time it takes to manually update your list is enormous and cannot scale while trying to combat real threats.

Speed is a growing tactic for attackers targeting organizations. If you are operating with outdated lists, speed is the only thing you don't have. That's why Tenable gives users direct access to the underlying data. If you know a product or service is vulnerable, you can take corrective action.

Static lists fail as adversaries quickly switch up priorities and tactics

Adversaries adapt and change tactics to match shifting attitudes and priorities, limiting the effectiveness of static asset lists. For example, the hacker community may not consider attacking your organization, but you become a prime target when an issue gets shared across social media. Or you may not be a target one day, and suddenly, by someone else's misfortune, you've become the next most target-rich environment. Knowledge of how adversaries think and operate regarding your environment is essential.

However, checking for malicious activity is impossible if you have no idea what you own. If an adversary is talking about "example.com," but you don’t even know you own "example.com," then you can't secure it. Additionally, you can't monitor for social signals, or hacking activity in underground channels, if you simply have no idea what assets you should be monitoring.

Understand how asset value shifts over time

An asset's value is not static.

Security teams often focus on how risks change but forget asset values can shift over time. New vulnerabilities may become known or change in scope depending on other site features.

Firstly, the asset can decrease in value. This happens when:

  1. Features of the site are removed: For example, when a company removes a credit card database and starts clearing credit cards with a third party. The site's value to an attacker is wildly less if there is nothing worth stealing.
  2. The season of value is over: Many retail sites and landing pages are extremely valuable between Thanksgiving and Christmas due to holiday shopping. After the holidays, the site's value diminishes because it receives less traffic. For example, let's say for the season, there is a one-off promotional deal that only lasts a few weeks. After it's over, no one will visit the site.
  3. The site is deprecated: If backlinks no longer point to the site, not only is the attacker less likely to find it, so are legitimate users, so it diminishes in risk and value simultaneously.

Inversely, here's how asset value increases over time:

  1. Increasing site popularity: When a site becomes popular, it receives a massive uptick in the number of users who convert into leads and ultimately into customers. Alternatively, your website may have introduced the best deal widget, and people are looking for deals. All of that improves the value of the site.
  2. Launching new features: The site's new features can improve the company's valuation. A fully functional app is almost always worth more than one that is missing features.
  3. Storing sensitive information: If an asset becomes the conduit for placement of sensitive information, it increases in value and requires the business to beef up protections. That can be trade secrets, application codes, customer lists or traditional PII/PHI.

It's clear that static lists are ineffective for attack surface mapping. Yet, not only are they the most common way companies manage their assets, but they are also widely used by vendors, contractors, and third parties. Often there is a "mechanical Turk" (a person behind the curtain) tasked with updating the list semi-regularly. That at least has the advantage of being updated, but with some significant downsides of human error. That's why automation is key to successful attack surface management.

Learn more

Gain visibility across your entire attack surface with Tenable.asm. Find out more.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training