In cybersecurity it helps to think like a hacker. To celebrate European Cyber Security Month we sit down and think for a moment about what the attacker can see.

Open Source Intelligence (OSINT) is using publicly available information to address intelligence requirements. Amount of information that is publicly available is of course a lot of information, even when we narrow it down to what is related to our company. This information can be used by cybersecurity professionals but also by threat actors. I this article we focus on digital assets but there is of course numerous amount of other information that might be interesting, too, like names of personnel to guess user credentials, or job openings to learn technology stack that the company is using.

Defender Attack Surface Management (EASM)

There is one tool in Azure that tries to map digital attack surface of a company. It is called Defender External Attack Surface Management (EASM). EASM feels a bit out of place in Azure. It is not tightly coupled with other Azure resources and it seems a bit external piece of software by itself. It belongs to Defender family but you can’t easily find it from the list of Defender products. It also is missing from the Microsoft Cybersecurity Reference Architecture.

EASM is a Software-as-a-Service (SaaS) that is quite a black box. Using it starts from filling something that you already know like Business Identity Code of a company, or a domain name. The tool then tries to identify digital assets related to the company. Digital asset can be:

• Domains and subdomains
• TLS Certificates
• IP Addresses

It doesn’t do anything super magical that you couldn’t do with other tools. It does DNS queries, grabs information from Certification Transparency logs, checks open ports and analyzes the contents of web pages. It also tries to combine this information to threat intelligence of its own (or likely, somehow related to XDR). As the end result you get interactive content and bunch of reports that try to tell you what assets were found and what is their security posture when looking from an external perspective. Reports that you get out-of-box (no tools to create your own) are:

• Attack surface summary – Amount of high priority observations and total numbers
• Security posture – CVE`s that were found
• GDPR compliance – PII data, logins and cookie violations
• OWASP Top 10 – Same as security posture but mapped to OWASP TOP 25
• CWE Top 25 Software Weaknesses – Same as security posture but mapped to SANS top 25 Software weaknesses
• CISA known exploits – Vulnerabilities found that are known to be used by a threat actor

To get EASM running you can use following Bicep:

resources": [
  {
     "type": "Microsoft.Easm/workspaces",
     "apiVersion": "2023-04-01-preview",
     "name": "[parameters('easm_name')]",
     "location": "[parameters('easm_location')]",
     "properties": {}
  }
]

Experiences

EASM makes the process really simple and fast. The tool has a 30-day free trial, too, which is super nice. So if I would be a CISO of a company, I would definitely check if this tool gives us information that we weren’t aware of like new assets to protect or if the digital attack surface differs somehow from our current knowledge. For me, the setup took literally 5 minutes where AMASS that I used as a benchmark took hours to setup. Initial scans for both took some time (prepare for hours).

Cost of the tool is hard to forecast. It is directly related to size of the attack surface of a company. It costs 0.011€/day per asset where billable assets are:

• Domains
• IP addresses
• Host – IP combinations

Also the black box nature of the tool might be annoying. It scans once a week and there is not much you can tweak in terms of technical performance. You have REST API, SDKs and Log Analytics Workspace options in pulling the data out of the tool and using at elsewhere but beside that you are pretty limited.

When trying out the tool with the company that I know well – Zure, I found something interesting on the way:

• Old marketing campaigns
• Internal tools
• Few services that I did not know about
• Customers of a service we use (TLS certificates and domain names associated with same multitenant cloud service as we use)

Usage considerations

Although the tool gives you information about the possible vulnerabilities in the website it is not a substitute for a vulnerability management solutions. It looks from outside and can’t exactly tell if certain patches are installed or not. It tries to hint you about cookie problems and GDPR issues but it should not be the thing you rely on your company about those topics.

The best would be to think about it as an external attack surface check tool or as a first step for a threat hunting activities. It can also tell you something about brand exposure. In best scenarios it finds assets that you did not know about or cloud services that somebody had just left dormant. It would be useful to compare the results to your digital asset inventory and see if they match.