What’s the difference between Attack Surface Monitoring and Vulnerability Scanning?

Detectify is driving the future of internet security with automation and crowdsourcing hacker research. It’s focused on helping companies detect anomalies in their web attack surface at scale, and creative automated hacks in the web app layer in time.

While companies are just scratching the surface of understanding their Internet-facing architecture, hackers have been monitoring growing attack surfaces to find vulnerabilities in places where companies aren’t looking (or maybe not prioritizing) and reaping the rewards through bug bounty programs.

Some of these findings can be as critical as spotting instances of CVE-2021-26855: Microsoft Exchange SSRF or recovering abandoned subdomains before they fall into malicious hands. What’s the common denominator? They’re finding issues in the infrastructure and third-party services, not just in the owned code. This calls on companies to zoom out of vulnerability scanning to look at the bigger picture of the attack surface.

What are the different types of vulnerability scanning?

If you’re building web applications and websites, the logical thing to do is put money into the main applications built. If you write the code, you’re expected to design and build it with OWASP Top 10 in mind and keep company and user data protected at all costs. The types of vulnerability scanning include testing with authenticated and unauthenticated settings to see what an internal threat actor vs. external actor (hacker or pentester) could respectively exploit.

Scanning is typically done in Staging or Pre-prod, giving an obvious idea of what’s found in code and libraries but not necessarily in the live environment where sharks could be lurking around. But the need of the hour is a way to proactively look for vulnerabilities further up the attack chain before they access deep into the developer code.

A growing tech stack and fast development widen the attack surface

A lot of things go unnoticed because of the speed and scale of development. The exposed attack surface increases every time a web-facing asset is made public: new campaign subdomains, a new Confluence site, or commits with user inputs in Github. Security often has a tough time maintaining visibility over every single one of these events. At the same time, the discovery of new attack vectors or accidental exposure of things in the tech stack also grow the surface.

You know this,
we know this,
and attackers know this.

Vulnerability scanners without discovery or crawling DNS function aren’t effective here because they are scanning a specific target further down the attack chain. Could there be a way to prevent attackers from finding weaknesses in the code sooner by exploring the attack surface for anomalies? 

In the hacking community, they’ve approached this by innovating their own tools for “asset discovery” to map out publicly discoverable assets connected to a company’s domain. Bugs found along the attack surface tend to be low effort because they can just “fire and forget” using automated reconnaissance tools. Even though some vectors could be relatively simple, they also result in high rewards because the impact is critical, like that time Detectify co-founder Fredrik Nordberg Almroth managed to possess the .cd top-level domain.

Enter attack surface monitoring, where you zoom out of vulnerability scanning of code to continuously look for the possible weaknesses across your digital surface.

What is attack surface monitoring?

External attack surface monitoring of applications is the continuous practice of looking for vulnerabilities and anomalies that could take advantage of entry or exit points on public (sometimes accidental) interfaces. To be able to do this, you first need to map out the surface to understand what systems speak to each other, and what is intentionally an internal vs external interface. OWASP has a handy Attack Surface Analysis Cheat Sheet to walk through it.

Detectify also recently interviewed Crowdsource hacker Jasmin Landry to get a hacker’s perspective on managing the attack surface, “We’ve seen so many breaches in the past few years and a lot of these were simply because they didn’t have proper web attack surface management in place. It could be by mistakenly exposing a server, web application, S3 bucket, credentials in GitHub, etc.”

Buyer’s tips:

While the attack surface management space is growing, and even Gartner has created a category for it, here are few capabilities to look for to get complete visibility of risks in the company cloud:

• Asset discovery to take inventory of hosted software and spot shadow IT
• Enumeration of subdomains connected to the apex domain
• Detection of open ports exposed to the Internet
• Find API keys, tokens, passwords, etc. hardcoded or left in plain text
• An intuitive UI makes it easy to manage domain team assets, especially after mergers and acquisitions, in complex enterprise organizations
• Scan hosted services like JIRA, SAP, S3 buckets for security misconfigurations and other vulnerabilities

Application scanning and surface monitoring aren’t mutually exclusive – they work in tandem.

Vulnerability scanners are procured to test the security of the development code using set logic, fuzzing, and crawling to see how far it can get into the targeted system. However, using this without a discovery component limits it to known and albeit highly secured assets. It also only focuses on code deeper in the web layer.

To uncover the unknowns, attack surface monitoring tools will crawl across the web interface by getting information on what’s connected to the DNS. In an attacker’s world, they do this by running automated tools to help with the recon work and scale it out to find all the information needed and cover all the ground it can to see that exposed point. From a defender’s point of view, there are actionable ways to reduce the attack surface:

Examples of where the gaps can come from:

• The software you didn’t know about
• Out-of-date software
• Exposed “internal-only” interfaces
• Leaked credentials or API tokens in a git repo 
• Critical port left open
• Misconfigured S3 buckets 
• Forgotten subdomain

Putting two and two together

Leading security teams are shifting paradigms from vulnerability management to external attack surface management such as Grammarly and Visma . Instead of taking the traditional approach of statically scanning the application code signature-based vulnerability scanners, they take a more holistic approach. They are using External Attack Surface Management solution, Detectify Surface Monitoring, that begins where an attacker would. It takes inventory of all available attack points such as subdomains, and then leveraging crowd-based hacker research to assess for exploitable vulnerabilities using automated hacker payloads.

There can be cases where low severity vulnerabilities in the web attack surface may seem trivial at first glance. By augmenting surface monitoring with a vulnerability scanner, you can begin to chain attack vectors together to see how far things could go, mimicking real-life hacker attack chains. They don’t stop at an open port or an exposed Confluence page and instead will start up vulnerability scanners and execute exploits specific to the technology profiled on the discovered asset.

Results in exposed web attack surfaces can guide security teams on where to allocate more resources or strengthen security. Where the attack surface cannot be reduced, they could apply vulnerability scanning to harden the security and continuously check on the endpoint. 

Zooming out of the web app layer

The wave is already here where companies are taking a few steps back from Vulnerability Management to look at the External Attack Surface as the starting point of web security. With attack surface monitoring, you will get a big picture view of all web interfaces exposed and hosted service. Mitigating misconfigurations in the infrastructure could prevent attacks from happening further down the code pushed by your teams. By combining both, you can discover critical vulnerabilities in areas easily missed by untrained eyes before the attackers exploit them.

Detectify users get coverage from web attack surface to the code

Detectify users can easily turn on attack surface monitoring with a few clicks. Once the monitoring is on, it begins discovery of Internet-facing web assets along the surface, followed by fuzzing and payload-based vulnerability testing to see what can be exploited.

image: asset discovery feature of Detectify will continuously discover and monitor assets connected to your DNS

In particular, it will help catch serious security misconfigurations in the infrastructure, subdomains vulnerable to takeovers, and more beyond the OWASP Top 10. With the help of the Crowdsource ethical hacker community, Detectify customers access critical security testing and mitigate emerging web vulnerability threats.

See what Detectify will find in your attack surface with a free 2-week trial. Go hack yourself!

Jocelyn Chan is the Content Manager at Detectify. She is a self-proclaimed hype-girl for automated web security powered by white hat hackers and believes that the future is in the crowd. She also would like to connect more women in tech and security together which is why she is co-leading the Women in Security – Stockholm Chapter. And yes she has seen Hackers, and believes that it's so good because it's so bad.