Attack Surface Assessment
An Attack Surface Assessment (ASA) is an intentionally time constrained exercise that uses open-source information in a largely passive way to establish what services you are publishing to the internet.
This may help you to find exposed systems that would typically be found by threat actors, including those you may not know about or may not be included in your management oversight, helping identify your technical attack surface.
Unlike a typical engagement where the scope is tightly defined, in an ASA, the scope is broadly aligned to the organisation name and the main domain. These are used as a starting point to the assessment; however, in most circumstances other organisational names and domains may be brought into the scope.
For example, where you host remote access services on a different domain or where the main organisational operations use a different brand name or where the organisation has recently rebranded.
The services found during the assessment do not necessarily indicate the existence of vulnerabilities but provide an insight into what your threat actors can see publicly.
However, the ASA doesn’t just identify technical assets, we look at much more, including:
- Who your suppliers are
- What cloud services you own
- What technology you use
- Where do you operate
- Who your staff are
- What are their contact details
- Whether you have any breached credentials exposed on the dark web
- If any threat actors are selling your information online
- Whether you are being actively targeted by threat actors
- And much more…
Additionally, this assessment looks to identify who your typical attackers are and the types of Tactics, Techniques and Procedures (TTPs) they would typically carry out when performing reconnaissance, resource development, initial access and execution.
However, information is worthless without intelligence.
The ASA and threat actor analysis elements helps to build threat actor scenarios that outline, at a high level, the systems typical threat actors will target and the types of attacks they will carry out against the systems, this helps provide risk assessed context to the information found in the ASA. These scenarios can, should you wish, be simulated with a Red Team assessment.