What is External Attack Surface Management (EASM)?

External attack surface management (EASM) is the process of identifying internal business assets that face the public internet and monitoring for vulnerabilities, public cloud misconfigurations, exposed credentials, or other external information and processes that could be exploited by attackers. This effort aligns with the goal of obtaining a clear snapshot of cloud security posture.

As mentioned above, misconfigurations can play a big part in a vulnerability landscape. Properly configuring any cloud environment means enacting digital risk protection to defend it from a broad range of threats, whether in the form of deliberate attacks or unintended mistakes (misconfigurations, poor security awareness, and so on) that open the door to attack.

Internal vs. External Attack Surface Management

Internal attack surface management addresses the security of assets that sit behind the enterprise firewall and its protective security measures (including people, who may be subject to social engineering such as phishing). These assets are, in theory, not exposed to the public internet, and they are defended in order to protect the enterprise's internal operations and trade secrets.

EASM, although it is a part of ASM, focuses on protecting the wider business operations that sit outside the enterprise's internal security measures. This includes public-facing websites, applications, e-commerce operations, and any backend that could be accessed if an attacker were to exploit these digital assets.

What is the Difference Between EASM and CAASM?

The difference between EASM and cyber asset attack surface management (CAASM) is that the EASM approach focuses primarily on discovering and protecting public-facing assets that almost anyone on the internet can reach. The CAASM approach covers both the internal and the external attack surface, so that a security organization gets the greatest possible visibility into the attack surface both in front of and behind the perimeter. CAASM platforms achieve this through API integrations that reach into the organization's technology stack to provide a holistic view.

Why is External Attack Surface Management (EASM) Important?

External attack surface management (EASM) is important because assets that face the public internet, or are otherwise external, carry the potential of being exploited and attacked. It is important to remember that this external attack surface can open the door for threat actors to exploit the internal attack surface as well.

EASM solutions are getting better at identifying the externally facing assets that become part of the business attack surface, because every public-facing launch creates new attack vectors. An EASM solution should be able to leverage threat feeds to engage in threat hunting. This is critical for understanding what threat actors are exploiting in the wild and whether it is worth the team's effort to proactively address a potential issue. Key aspects of a proactive threat hunt can include:

  • Data collection and processing
  • Documentation and reporting
  • Collaboration and communication across teams
  • Humans working together with technology

EASM should also be able to leverage external threat intelligence from the post-perimeter attack surface to properly detect and prioritize risks and threats, from the nearest network endpoints all the way to the deep and dark web. The sheer number of assets that enterprises put on the public internet every day is staggering, and each of those assets, once online, brings its own considerations for preventing potential exploitation.

External, proactive threat intelligence is essential for any security organization that wants to do everything it can to protect its business attack surface. The key is to take preventive measures that reach beyond the network perimeter, so that the team can respond to events on each of its dynamic attack surfaces.

How Does EASM Work?

EASM works by continuously monitoring and discovering potential vulnerabilities in assets that face the public internet, vulnerabilities that could be leveraged as attack vectors. If that happens, threat actors could then also potentially breach an organization's internal attack surface.

In fact, Forrester says EASM works when "tools or functionalities that continually scan for, discover, and enumerate internet-facing assets, establish the unique fingerprints of discovered assets, and identify exposures on known and unknown assets." Let's look at some of the use cases Forrester identified, which illustrate some of the specifics of EASM functionality:

  • Asset discovery: Dynamically discover unknown, internet-facing assets; complement on-premises asset discovery tools and processes
  • Asset inventory management: Automate the capturing and refreshing of data representing the IT asset estate; identify asset ownership
  • Vulnerability risk management (VRM): Enumerate internet-facing assets; inform VRM teams and tools of asset exposure for remediation
  • Cloud security posture management (CSPM): Discover incorrect or weak configurations of cloud assets; identify cloud policy violations and potential compliance risks
  • Merger and acquisition due-diligence assistance: Discover and enumerate unknown internet-facing assets of an acquisition target; assess the risk to determine next steps in due diligence

With these use cases in mind, we can begin to understand how many assets are put onto the public-facing internet every day, extending an organization's attack surface from internal to external, and from there to global. External threat intelligence feeds are critical to mitigating and stopping threats on an external attack surface.
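The discover, fingerprint, identify-exposures loop in Forrester's definition, together with the asset discovery and CSPM use cases above, as an added example (not Rapid7's or Forrester's code): it reconciles a constructed external scan result against a constructed internal inventory, and the hosts, ports, scoring weights and the list of management ports are all assumptions made for the illustration.

```python
# Toy EASM reconciliation (added illustration, not Rapid7 code; all data below is assumed).
import hashlib
from dataclasses import dataclass

MANAGEMENT_PORTS = {22, 3389, 5900, 8080, 9200}  # assumed "review if public" list
SCORES = {"unknown_asset": 3, "public_cloud_storage": 4, "tls_expired": 2,
          "management_port_exposed": 3, "plaintext_http": 1}

@dataclass
class Asset:
    host: str
    services: dict                 # port -> service banner seen from outside
    cloud_public: bool = False     # e.g. a world-readable storage bucket
    tls_expired: bool = False

# Constructed sample data: what the internal inventory knows vs. what a scan found.
KNOWN_INVENTORY = {"www.example.com", "api.example.com"}
DISCOVERED = [
    Asset("www.example.com", {443: "nginx/1.24"}),
    Asset("api.example.com", {443: "nginx/1.24", 22: "OpenSSH_9.3"}),
    Asset("old-staging.example.com", {80: "Apache/2.2.15", 8080: "Jenkins/2.1"}, tls_expired=True),
    Asset("assets-backup.example.com", {443: "AmazonS3"}, cloud_public=True),
]

def fingerprint(asset: Asset) -> str:
    """Stable id from host plus sorted banners, so an asset is recognised across scans."""
    material = asset.host + "".join(f"|{p}:{b}" for p, b in sorted(asset.services.items()))
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def unknown_assets(discovered, known=KNOWN_INVENTORY) -> list:
    """Discovery step: internet-facing hosts the internal inventory does not list."""
    return sorted(a.host for a in discovered if a.host not in known)

def find_exposures(asset: Asset, known=KNOWN_INVENTORY) -> list:
    """Exposure step: name each issue that is visible from outside the perimeter."""
    issues = []
    if asset.host not in known: issues.append("unknown_asset")
    if asset.cloud_public: issues.append("public_cloud_storage")
    if asset.tls_expired: issues.append("tls_expired")
    for port in asset.services:
        if port in MANAGEMENT_PORTS: issues.append("management_port_exposed")
        if port == 80: issues.append("plaintext_http")
    return issues

def prioritize(discovered, known=KNOWN_INVENTORY) -> list:
    """Rank assets by summed exposure score so the riskiest are reviewed first."""
    rows = [{"host": a.host, "fingerprint": fingerprint(a), "issues": find_exposures(a, known)}
            for a in discovered]
    for r in rows: r["score"] = sum(SCORES[i] for i in r["issues"])
    return sorted(rows, key=lambda r: -r["score"])
```

Running `prioritize(DISCOVERED)` puts the forgotten staging host and the public bucket at the top of the list, which is the hand-off point to the VRM and CSPM teams named in the use cases.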

What are the Capabilities of EASM?

Some of the capabilities of EASM have already been covered in different sections above, but we will compile them here, along with a few additions.

Curated and Fine-Tuned Detections

Depending on the provider, threat intelligence and detection engineering teams should be able to deliver detections via SaaS, which means access to the latest alerts, updates, and threat intel. EASM practitioners should be able to continuously enrich their threat management tools with the latest information.

SOC Augmentation

A security operations center (SOC) can leverage an EASM platform to quickly access misconfiguration data for all assets. From there, a prioritization process can be conducted to determine which assets need immediate attention. On the proactive side, EASM can be leveraged to gather threat intel for red, blue, and purple teams conducting exercises.

Above all, an EASM platform should help practitioners gain visibility into their most important external assets, so they can prioritize and remediate before attackers discover the vulnerabilities.

What are the Benefits of EASM?

The benefits of EASM are far-reaching and can have an incredibly positive impact on the effectiveness of proactive security measures and on the overall reputation of the enterprise.

  • Reduce risk: Reducing the attack surface means reducing overall risk. Attack surfaces will inevitably change, so it is important to leverage a solution that can perform dynamic scanning of external risk and telemetry to point out potential threats or vulnerabilities.
  • Maintain compliance: If an EASM platform is able to identify gaps in a network's compliance, especially as it operates in an external environment around the globe, then a security organization will have the ability to address those cloud compliance gaps and remain in compliance with both internal and external regulatory bodies.
  • Manage vulnerabilities: As the modern perimeter expands, new and old vulnerabilities become open doors for threat actors. Not all vulnerabilities will be exploited, but a security organization certainly doesn't want to wait around to find out. Proactively managing vulnerabilities along an external attack surface is crucial.
  • Refine threat intelligence: By going post-perimeter with an EASM platform, it becomes more possible to mitigate threats before they have the chance to make an impact. Adding greater context to alerts and telemetry will enable more rapid response and prioritization.
  • Operate securely in the cloud: When integrated correctly into a security organization, EASM practices should produce a complete inventory of the business assets exposed on the public internet, and should also (as mentioned earlier) provide access to any misconfiguration data to help teams respond.

Read More About Attack Surface Security

Attack Surface Security News: Latest Rapid7 Blog Posts

Rapid7 Blog: Cyber Asset Attack Surface Management 101