Security Management Glossary

Attack Surface Management (ASM) - Angriffsflächen-Management

Attack Surface Management (ASM) is the continuous process of discovering, cataloging, classifying, and assessing the risks associated with all assets and vulnerabilities that an attacker could exploit. External ASM (EASM) focuses on assets visible from the internet; internal ASM focuses on lateral movement risks. ASM forms the foundation for CTEM (Continuous Threat Exposure Management).

Attack Surface Management (ASM) answers the question attackers ask themselves every day: "What can I attack at this company?" Many organizations understand their own external attack surface less well than experienced attackers do. ASM gives defenders the same overview, continuously and automatically.

External vs. Internal Attack Surface

EASM (External Attack Surface Management):
  → Perspective: What does an attacker see on the internet?
  → Scope: Domains, subdomains, IP addresses, certificates, email setup,
             cloud resources, exposed services, technology fingerprints
  → Sources: DNS, Shodan, Certificate Transparency Logs, WHOIS, Wayback Machine
  → Question: What is accessible from the outside? Is it configured securely?

CASM (Cyber Asset Attack Surface Management) / Internal ASM:
  → Perspective: What can an attacker do after gaining initial access?
  → Scope: Internal assets, AD structures, attack paths (BloodHound)
  → Question: What lateral movement paths exist?

Typical EASM findings:
  □ Forgotten subdomains (dev.company.com is still running on outdated software!)
  □ Exposed development/staging environments
  □ Old IP addresses still pointing to company services
  □ Subdomain takeover (sub.company.com points to a deleted Heroku app)
  □ Expired SSL certificates
  □ Weak email configuration (no DMARC!)
  □ Publicly accessible cloud storage (S3, Blob)
  □ VPN and remote access portals detectable (attacker target!)
  □ Legacy services: FTP, Telnet, RDP directly accessible from the internet

ASM Methods and Tools

EASM Execution:

1. Passive Reconnaissance (no interaction!):
   Certificate Transparency Logs:
     → crt.sh: all issued TLS certificates for *.firma.de
       curl -s "https://crt.sh/?q=%25.firma.de&output=json" | jq -r '.[].name_value' | sort -u
     → Detected: all subdomains that have ever had a certificate

   DNS Enumeration:
     → amass enum -passive -d firma.de  # Passive, no DNS brute force
     → subfinder -d firma.de  # Aggregates many passive sources
     → DNSDumpster: dnsdumpster.com (Web, free)

   Shodan/Censys:
     → Shodan query org:"Firma GmbH"  # all IPs Shodan attributes to the organization
     → ssl.cert.subject.CN:firma.de  # Certificate-based search
     → netblock:"ip-range"  # Port scan results from Shodan for your own IP range

   OSINT sources:
     → VirusTotal Passive DNS: virustotal.com/ui/domains/company.de/subdomains
     → SecurityTrails: historical DNS data
     → Wayback Machine: old URLs and paths (often still accessible!)

2. Active scanning (with permission – your own assets!):
   nmap -sV -p- company.de  # Full port scan + version detection
   nuclei -u https://firma.de -t exposed-panels/  # Exposed admin panels
   testssl.sh --full company.de  # TLS configuration

3. Automated ASM platforms:
   → Censys Search + ASM Platform: continuously discover new assets
   → Shodan Monitor: alerts for new open ports (via email!)
   → IONIX (formerly Cyberpion): fully automated EASM
   → Mandiant Advantage ASM: enterprise solution
   → Detectify: web security + EASM combined
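The crt.sh step above returns one JSON object per certificate, with several names per object and wildcards mixed in. The following added example (not code from the glossary) normalises such output into a hostname inventory and flags hosts whose newest certificate has already expired, the "forgotten subdomain" candidates from the findings list. It runs on a constructed sample of the crt.sh JSON shape so it works offline; for real data, read the file that the curl command saves.

```python
"""Normalise crt.sh JSON into a hostname inventory with latest-expiry dates."""
import json
from datetime import datetime

# Constructed sample in the crt.sh JSON shape: name_value carries one or more
# certificate names separated by newlines; not_after is the expiry timestamp.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com", "not_after": "2025-01-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "*.example.com", "not_after": "2024-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "DEV.example.com\nstaging.example.com", "not_after": "2023-02-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "dev.example.com", "not_after": "2022-11-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.attacker-controlled.test", "not_after": "2030-01-01T00:00:00"},
])


def crtsh_hostnames(crtsh_json: str, apex: str) -> dict[str, datetime]:
    """Map each hostname under `apex` to the latest certificate expiry seen for it."""
    apex = apex.lower().rstrip(".")
    latest: dict[str, datetime] = {}
    for cert in json.loads(crtsh_json):
        expiry = datetime.fromisoformat(cert["not_after"])
        for raw in cert.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            # Belt and braces: keep only names that really sit under our apex.
            if name != apex and not name.endswith("." + apex):
                continue
            if name not in latest or expiry > latest[name]:
                latest[name] = expiry
    return latest


def stale_hostnames(latest: dict[str, datetime], now: datetime) -> list[str]:
    """Hosts whose most recent certificate has expired: review for dangling DNS
    or outdated software before an attacker finds them."""
    return sorted(host for host, expiry in latest.items() if expiry < now)


if __name__ == "__main__":
    inventory = crtsh_hostnames(SAMPLE_CRTSH_JSON, "example.com")
    for host in stale_hostnames(inventory, datetime(2024, 12, 1)):
        print(f"stale: {host} (last cert expired {inventory[host]:%Y-%m-%d})")
```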

Free Getting Started:
  1. crt.sh: all subdomains via certificate
  2. Shodan Monitor (free for 1 target)
  3. SecurityHeaders.com: HTTP headers of all discovered web servers
  4. SSL Labs: TLS rating of all web servers
  5. MX Toolbox: Email security (SPF, DMARC, DKIM)

Subdomain Takeover

Subdomain Takeover - common EASM finding:

How it works:
  1. Company previously used: blog.company.de → hosted on Heroku
  2. Heroku app was deleted (the CNAME remained in DNS!)
  3. CNAME: blog.company.de → company.herokuapp.com
  4. Attacker registers company.herokuapp.com → now controls blog.company.de!
  5. Attacker can: host any content under blog.company.de
  6. Phishing: "blog.company.de" looks legitimate!

Affected services:
  → Heroku, GitHub Pages, Azure CDN, CloudFront, Fastly, Shopify, HubSpot...
  → Tool: subjack (GitHub) - scans CNAME records for takeover potential

  subjack -w subdomains.txt -t 100 -timeout 30 -ssl -c fingerprints.json

Verification:
  dig CNAME blog.company.de  # What does the CNAME point to?
  curl https://blog.company.de  # Does it show "repository does not exist"? → DANGER!

Prevention:
  □ Inventory and check all CNAMEs
  □ When shutting down a service: Delete the CNAME record from DNS!
  □ Monitoring: Run subjack/nuclei regularly on your own domains
  □ ASM platform: Automatic detection

ASM in the Security Strategy

ASM as the foundation for other programs:

ASM → Vulnerability Management:
  → ASM discovers all assets
  → VM scans all assets for vulnerabilities
  → Prioritization: Internet-facing systems first!
  → CTEM uses ASM + VM as a basis

ASM → Penetration Testing:
  → Pentest scope is based on ASM results
  → "All internet-facing IPs and domains are in scope"
  → Attackers start right here

ASM → Incident Response:
  → After an incident: which other assets could be affected?
  → ASM shows: Which systems have similar configurations?

ASM Governance:
  → ASM Owner: IT Security (not IT Operations!)
  → Reporting: Monthly to CISO
  → New Assets: Added to ASM within 24 hours of go-live
  → Alert: New internet-facing asset without security review

KPIs for ASM:
  → Number of internet-facing assets (trend: decreasing = reduced attack surface)
  → Mean Time to Remediate for ASM findings
  → Unknown assets discovered per month (shadow IT!)
  → Expired SSL certificates: 0 days should be the goal
  → DMARC/SPF coverage: % of domains with proper email security