Full Report
You can't control when the next critical vulnerability drops. You can control how much of your environment is exposed when it does. The problem is that most teams have more internet-facing exposure than they realise. Intruder's Head of Security digs into why this happens and how teams can manage it deliberately.

Time-to-exploit is shrinking

The larger and less controlled your attack surface is,
Analysis Summary
# Best Practices: Attack Surface Management (ASM)
## Overview
These practices address the growing trend of shrinking "time-to-exploit": the window between a vulnerability being disclosed and threat actors actively scanning for it. The focus is on reducing the external attack surface to minimize exposure and ensure that only intended services are reachable via the internet.
## Key Recommendations
### Immediate Actions
1. **Conduct a Perimeter Audit:** Use automated tools to discover all internet-facing IPs, hostnames, and cloud instances currently associated with your organization.
2. **Verify Asset Ownership:** Review discovery results to identify "shadow IT" (assets created by teams outside of IT/Security oversight).
3. **Port Triage:** Immediately close non-essential ports (e.g., RDP/3389, SMB/445, or database ports) that are exposed to the public internet.
4. **Confirm Vulnerability Scanning:** Ensure active vulnerability scanning is running on all newly discovered assets.
### Short-term Improvements (1-3 months)
1. **Implement Continuous Discovery:** Move from periodic "point-in-time" audits to continuous monitoring that alerts security teams when a new asset or port appears.
2. **Formalize Change Control:** Ensure that any change resulting in a new public-facing endpoint requires a security review/sign-off before deployment.
3. **Harden Public Services:** Apply strict configuration profiles to unavoidable public services (e.g., using Web Application Firewalls, disabling legacy TLS versions).
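The "Port Triage" step above and the move to continuous discovery both come down to the same check: compare the latest perimeter scan with a baseline, alert on every new host or port, and flag anything in the non-essential set. The following is an added example (not code from the page or from Intruder) that does this over nmap grepable output (`-oG`); the port list and the two sample scans are constructed for illustration.

```python
import re

# Ports the "Port Triage" step treats as non-essential on the public internet
# (RDP, SMB and common database listeners). Constructed list; extend for your estate.
NON_ESSENTIAL_PORTS = {3389: "RDP", 445: "SMB", 1433: "MSSQL", 3306: "MySQL",
                       5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

# One nmap -oG "Host:" line: "Host: <ip> (<name>)<TAB>Ports: <entries><TAB>Ignored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*?)(?:\t|$)")

def parse_grepable(text):
    """Parse nmap grepable output into {ip: {open_tcp_port: service_name}}."""
    exposure = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        open_ports = {}
        for entry in m.group(2).split(","):
            f = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
            if len(f) >= 5 and f[1] == "open" and f[2] == "tcp":
                open_ports[int(f[0])] = f[4] or "unknown"
        exposure[m.group(1)] = open_ports
    return exposure

def diff_exposure(baseline, current):
    """Findings as (kind, ip, port, label): hosts/ports seen now but absent from the
    baseline, plus every currently open port listed in NON_ESSENTIAL_PORTS."""
    findings = []
    for ip, ports in current.items():
        known = baseline.get(ip)
        if known is None:
            findings.append(("new_host", ip, None, None))
            known = {}
        for port, svc in ports.items():
            if port not in known:
                findings.append(("new_port", ip, port, svc))
            if port in NON_ESSENTIAL_PORTS:
                findings.append(("non_essential", ip, port, NON_ESSENTIAL_PORTS[port]))
    return findings

# Constructed sample scans (203.0.113.0/24 is a documentation range), not real output.
BASELINE_SCAN = """# Nmap scan (constructed baseline)
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https//nginx/\tIgnored State: closed (999)
"""
CURRENT_SCAN = """# Nmap scan (constructed current run)
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https//nginx/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)
Host: 203.0.113.25 (dev-db.example)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 5432/open/tcp//postgresql//PostgreSQL DB/\tIgnored State: closed (998)
"""
```

Running `diff_exposure(parse_grepable(BASELINE_SCAN), parse_grepable(CURRENT_SCAN))` on the samples reports one new port plus one non-essential finding on the known host, and a new host carrying two new ports, one of them a database listener.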
### Long-term Strategy (3+ months)
1. **Adopt a "Secure by Design" Architecture:** Integrate ASM into the CI/CD pipeline so that attack surface reduction is automated during the build phase.
2. **Zero Trust Migration:** Transition from relying on "perimeter" security to a Zero Trust architecture where services are not exposed to the public internet at all, but accessed via authenticated gateways or SDP (Software Defined Perimeters).
3. **Attack Surface Governance:** Establish KPIs for "Mean Time to Discovery" (MTTD) of unauthorized assets and "Mean Time to Remediation" (MTTR) for critical exposures.
## Implementation Guidance
### For Small Organizations
- Focus on simplicity: Use a single, integrated vulnerability scanner with built-in discovery features.
- Consolidate identity: Ensure all cloud resources (AWS, Azure, GCP) are tied to a single administrative account to prevent fragmented visibility.
### For Medium Organizations
- Implement automated alerts for "DNS changes" and "New Port Detected."
- Assign clear ownership for assets (e.g., Marketing owns the CMS, Engineering owns the API) to speed up remediation when vulnerabilities drop.
### For Large Enterprises
- Utilize specialized Attack Surface Management (ASM) platforms that scan beyond just IP ranges (e.g., searching for leaked credentials, lookalike domains, and third-party SaaS sprawl).
- Integrate ASM data into a centralized SIEM/SOAR for automated blocking of unauthorized exposures.
## Configuration Examples
*While specific code depends on the environment, the following logic applies:*
- **AWS Security Groups:** `0.0.0.0/0` should never be used for management ports (SSH/22, RDP/3389). Use specific VPC Peering or VPN CIDR blocks.
- **Nmap Audit Command:** `nmap -sV -T4 -Pn [Target_IP_Range] --top-ports 1000` (Run regularly to detect unexpected service banners).
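The Security Group rule above is easy to state and easy to get wrong: a wide port range that happens to include 3389, or an "all traffic" rule (`IpProtocol` `-1`) open to `::/0`, violates it just as much as an explicit `0.0.0.0/0` on port 22. The following is an added example (not the page's or Intruder's code) that audits group definitions in the shape boto3's `describe_security_groups` returns; the group IDs and the `10.8.0.0/16` VPN range are constructed placeholders.

```python
import ipaddress

# Management ports that must never be reachable from 0.0.0.0/0 (or its IPv6 twin ::/0).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def rule_covers_port(perm, port):
    """True if an IpPermissions entry allows TCP `port`; protocol "-1" means all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def rule_is_world_open(perm):
    """True if any IPv4 or IPv6 source range in the rule is the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False) in WORLD for c in cidrs)

def audit_security_groups(groups):
    """Return (group_id, port, name) for every world-open rule that reaches a management port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_is_world_open(perm):
                continue
            for port, name in MANAGEMENT_PORTS.items():
                if rule_covers_port(perm, port):
                    findings.append((sg["GroupId"], port, name))
    return findings

# Constructed sample in the shape boto3's describe_security_groups returns; not real groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-weak", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # Wide port range that silently includes RDP.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-fixed", "IpPermissions": [  # corrected: SSH only from the (assumed) VPN CIDR
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.8.0.0/16"}]},
    ]},
    {"GroupId": "sg-allports", "IpPermissions": [  # "All traffic" rule open to the IPv6 world
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]
```

`audit_security_groups(SAMPLE_GROUPS)` flags both exposures in `sg-weak` and both management ports behind the `-1` rule, while the corrected `sg-fixed` group produces no finding; the public HTTPS rule is left alone because it is not a management port.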
## Compliance Alignment
- **CIS Controls:** Control 1 (Inventory and Control of Enterprise Assets) and Control 7 (Vulnerability Management).
- **NIST CSF:** ID.AM (Asset Management) and PR.IP (Information Protection Processes and Procedures).
- **ISO/IEC 27001:** Annex A.8 (Asset Management) and A.12.6 (Technical Vulnerability Management).
- **SOC 2:** Security Criteria (CC6.1 - Identification of internal and external network boundaries).
## Common Pitfalls to Avoid
- **"Set and Forget" Mentality:** Assuming your perimeter is the same today as it was during your last annual penetration test.
- **Ignoring Cloud Shadow IT:** Forgetting that developers can spin up public-facing instances in minutes without notifying the security team.
- **Scanning only Known Assets:** A failure to perform "discovery" means you are only scanning what you *know* you have, not what you *actually* have.
## Resources
- **OWASP Attack Surface Analysis:** https://owasp.org/www-community/Attack_Surface_Analysis_Cheat_Sheet
- **CISA Known Exploited Vulnerabilities Catalog:** https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- **NIST SP 800-53:** Security and Privacy Controls for Information Systems and Organizations.