Attack Surface Management Plot

An attack surface is the sum of an organization’s attacker-exposed IT assets, whether these digital assets are secure or vulnerable, known or unknown, in active use or not, and regardless of IT or security team awareness of them. An organization’s attack surface changes continuously over time, and includes digital assets that are on-premises, in the cloud, and in subsidiary networks, as well as those in third-party vendors' environments.

Attack surface management refers to the continuous processes required to mitigate cyber risk. It includes risk assessment tasks such as asset discovery, vulnerability assessments, penetration testing and cyber risk quantification, as well as the deployment and management of security controls and vulnerability management processes – everything that cybersecurity teams do to map and protect the attack surface.

The goal of attack surface management is to mitigate cyber risk to acceptable levels by reducing the likelihood and impact of future cyber attacks.

How to define the attack surface area

Organizations increasingly rely on SaaS services and products, meaning the digital attack surface is more than the firewall and network. It is now a sum of the available entry points of the different web applications publicly accessible on the Internet – both known and unknown assets.

Known assets

Known assets are the assets you know about and monitor with extra care. These include the multiple subdomains under the domain, security checks on Apache installations, watching the main application, and login interfaces.

Unknown assets

There will always be unknown assets that create weaknesses in the attack surface. These can be harder to catch for a growing business without the right processes and tools, and often occur when mistakes are made in the code, when rogue or shadow IT software is installed, or as the result of an insecure supply chain. There are also occasions when new vulnerabilities come up in existing code from a pentester or ethical hacker’s pure creativity in looking where others aren’t.
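The known/unknown split above is, in practice, a reconciliation problem: whatever external discovery turns up inside the organization's root domains but missing from the asset inventory is an unknown asset that needs an owner. The script below is an added example, not code from the original page or from any repository it links to. The root domains, inventory entries and discovered hostnames are constructed sample data; in real use the discovered list would come from a source such as certificate-transparency records or passive DNS for the organization's domains.

```python
"""Reconcile discovered hostnames against an asset inventory (added example).

Classifies every discovered host as known (in the inventory), unknown (inside
our root domains but not inventoried, so it needs triage) or out of scope
(not ours, e.g. a look-alike domain). All inputs below are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed: the domains the organization owns; these bound the scope.
ROOT_DOMAINS = ["example.com", "example-subsidiary.net"]

# Constructed: the inventory of known, monitored assets. A wildcard entry
# covers a group of hosts a team deliberately manages together.
KNOWN_ASSETS = [
    "www.example.com",
    "login.example.com",
    "api.example.com",
    "*.cdn.example.com",
    "portal.example-subsidiary.net",
]

# Constructed: hostnames an external discovery source returned.
DISCOVERED = [
    "www.example.com",
    "LOGIN.example.com.",                   # case and trailing dot differ
    "img1.cdn.example.com",                 # covered by the wildcard entry
    "old-jenkins.example.com",              # in scope, nobody inventoried it
    "staging.portal.example-subsidiary.net",
    "example.com.attacker-lookalike.org",   # not ours; suffix check rejects it
]


def normalize(host: str) -> str:
    """Lower-case and strip whitespace and the trailing dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")


def in_scope(host: str, roots=ROOT_DOMAINS) -> bool:
    """True if host equals a root domain or sits under one at a label boundary.

    Checking for '.' + root (not a bare suffix) stops 'notexample.com' from
    matching 'example.com'.
    """
    h = normalize(host)
    return any(h == r or h.endswith("." + r) for r in map(normalize, roots))


def is_known(host: str, inventory=KNOWN_ASSETS) -> bool:
    """Match host against inventory entries; '*' in an entry spans any leading labels."""
    h = normalize(host)
    return any(fnmatchcase(h, normalize(entry)) for entry in inventory)


@dataclass
class Reconciliation:
    known: list
    unknown: list
    out_of_scope: list


def reconcile(discovered=DISCOVERED, inventory=KNOWN_ASSETS, roots=ROOT_DOMAINS) -> Reconciliation:
    """Classify each discovered host; 'unknown' is the list that needs triage."""
    result = Reconciliation([], [], [])
    for raw in discovered:
        host = normalize(raw)
        if not in_scope(host, roots):
            result.out_of_scope.append(host)
        elif is_known(host, inventory):
            result.known.append(host)
        else:
            result.unknown.append(host)
    return result


if __name__ == "__main__":
    r = reconcile()
    print("known       :", r.known)
    print("unknown     :", r.unknown)
    print("out of scope:", r.out_of_scope)
```

Run on the sample data, the two entries that land in `unknown` are exactly the kind of asset the text describes: an in-scope host that no team is monitoring. Running this reconciliation on every discovery cycle, and treating a non-empty `unknown` list as a ticket rather than a report, is what turns a one-off inventory into continuous attack surface management.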

Reference:

Tools:

Please check the GitHub repo below for implementing ASM.

Note: Big shout out to all the respective creators.
