# Attack Surface Enumeration
[[Attack Surface Enumeration]] (ASE) is a [[Control Verification]] capability responsible for discovering a company's attack surface from privileged, internal, and external perspectives. Attack surface enumeration should be oriented from an adversary's perspective. There are 3 main attack surface categories: physical, digital, and people assets. Depending on your business model, certain categories may be of more interest than others. Here are some examples of each asset class:
- **Physical Assets:** Workforce devices, servers, network equipment, offices, data centers
- **Digital Assets:** Internet facing assets, databases, cloud, OS, software, passwords
- **People Assets:** Employees, Partners, Customers
Establishing ASE capabilities requires assigning each enumeration effort to an adversary persona from the [[Persona Management]] catalog and determining whether the target is accessible from an external, internal, or privileged perspective. It is also possible to detect assets and their weaknesses first, then assign personas to help trace remediation priority. Coverage is understood as the intersection of personas, perspectives, and potential targets.
## Map
``` mermaid <!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- D[[Control Verification]]
D --- D.1[[Attack Surface Enumeration]]
D --- D.2[[Resilience Testing]]
D --- D.3[[Risk Prioritization]]
D --- D.4[[Remediation Management]]
D --- D.5[[Assurance Reporting]]
D.1 --- D.1.1[[Seed Management]]
D.1.1 --- D.1.2[[Target Discovery]]
D.1.2 --- D.1.3[[Asset Fingerprinting]]
D.1.3 --- D.1.4[[Exploitable Opportunities Feed]]
%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6,D.1.1,D.1.2,D.1.3,D.1.4 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.1,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class D.1.1,D.1.2,D.1.3,D.1.4 cssClassL3;
classDef cssClassL3 fill:#005F7B,stroke:blue,stroke-width:1px,font-size:15px,font-color:black;
class D.1 cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```
## Definition
>[!success] Definition
> Attack Surface Enumeration is collecting information about the total attack surface from an adversary perspective to support resilience testing which determines whether a weakness could result in a compromise.
## Goals
>[!cm-goal] Goal 1
>**Total Attack Surface** - ensuring you have a complete asset inventory from both an internal asset inventory (what you know) and an external perspective (what adversaries know).
>[!cm-goal] Goal 2
>**Exploitable Opportunity Identification** - identifying which assets are potentially exploitable and should be tested for exploitability or for mitigation control effectiveness.
## Scope
The scope of Attack Surface Enumeration covers all assets that exist within the company and can include third-party partners and software. Priority should focus on internet-facing assets given their ease of discoverability and accessibility.
## Process
```mermaid
flowchart LR
A1[Input <br /> Persona Matrix] --> B[1. Identify <br /> Seed Data]
A2[Input Internal <br /> Asset Inventory] --> B
A1 ~~~ A2
A2 --> D
B --> C1[2A. Discover <br /> External Assets]
B --> C2[2B. Discover <br /> Internal Assets]
B --> C3[2C. Discover <br /> Privileged Assets]
B --> C4[2D. Discover <br /> Third Party Assets]
C1 --> D[3A. Merge Enumerated <br /> Asset Lists]
C2 --> D
C3 --> D
C4 --> D
D --> E[3B. Compare <br /> Combined Enumerated <br /> Asset List <br /> to Internal Asset Inventory]
E --> F[3C. Alert <br /> on Inventory Gaps <br /> for Stakeholders]
D --> G[4. Fingerprint <br /> Assets]
G --> H[5. Identify <br /> Exploitable Opportunities]
H --> I[6. Share <br /> Exploitable Opportunities Feed <br /> with Stakeholders]
F -.->|Improves| B
```
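The following is an added example, not code from the Cyber City Map page: it works through steps 3A to 3C of the process above (merging the per-perspective discovery lists, diffing them against the internal asset inventory, and producing the inventory-gap alert) and then computes the Total # of Assets, Internal Inventory vs External Discovery, and % Exploitable Assets metrics from the Metrics section. All hostnames, the discovery results, and the inventory are constructed sample data.

```python
# Added example (not from the Cyber City Map page): steps 3A-3C of the ASE
# process plus the page's inventory metrics. All asset names below are
# constructed sample data, not real hosts.

# Constructed discovery output keyed by perspective (steps 2A-2D).
DISCOVERED = {
    "external":    ["www.example.test", "vpn.example.test", "old-blog.example.test"],
    "internal":    ["www.example.test", "db01.corp.test", "jump01.corp.test"],
    "privileged":  ["db01.corp.test", "backup01.corp.test"],
    "third_party": ["status.vendor.test"],
}
# Constructed internal asset inventory (what the company already knows).
INVENTORY = {"www.example.test", "vpn.example.test", "db01.corp.test",
             "jump01.corp.test", "legacy-fileshare.corp.test"}


def merge_enumerated(discovered):
    """Step 3A: merge per-perspective lists into one asset -> {perspectives} map."""
    merged = {}
    for perspective, assets in discovered.items():
        for asset in assets:
            merged.setdefault(asset.lower(), set()).add(perspective)
    return merged


def inventory_gaps(merged, inventory):
    """Step 3B: assets enumeration found but the inventory lacks (shadow assets),
    and inventory entries no perspective could discover (stale records)."""
    known = {a.lower() for a in inventory}
    unknown_to_us = {a: sorted(p) for a, p in merged.items() if a not in known}
    not_discovered = sorted(known - merged.keys())
    return unknown_to_us, not_discovered


def inventory_metrics(merged, inventory, exploitable):
    """Metrics section: total assets, internal inventory vs external discovery,
    and the share of enumerated assets flagged as exploitable opportunities."""
    total = len(merged)
    externally_seen = sum(1 for p in merged.values() if "external" in p)
    return {
        "total_assets": total,
        "inventory_vs_external": f"{len(inventory)} inventoried / {externally_seen} externally discovered",
        "pct_exploitable": round(100 * len(set(exploitable) & merged.keys()) / total, 1),
    }


if __name__ == "__main__":
    merged = merge_enumerated(DISCOVERED)
    gaps, stale = inventory_gaps(merged, INVENTORY)
    print("Step 3C alert - enumerated but not in inventory:", gaps)
    print("Inventory entries no perspective discovered:", stale)
    print(inventory_metrics(merged, INVENTORY, ["old-blog.example.test"]))
```

The gap dictionary records which perspective surfaced each unknown asset, which is the detail a stakeholder needs to decide whether the record or the asset itself should be retired.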
## Metrics
>[!cm-metric] Metric: Total # of Assets
>[!cm-metric] Metric: Internal Inventory vs External Discovery
>[!cm-metric] Metric: % Exploitable Assets
>[!cm-metric] Metric: Scan Frequency
>[!cm-metric] Metric: Mean Time to Inventory
## Inspiration & Resources
- [Attack surface - Wikipedia](https://en.wikipedia.org/wiki/Attack_surface)
- https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html
- [Emerging Tech: Security — The Future of Attack Surface Management Supports Exposure Management (gartner.com)](https://www.gartner.com/en/documents/4283299)
- [1N3/Sn1per: Attack Surface Management Platform (github.com)](https://github.com/1N3/Sn1per)
[Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.