Attack Surface Management: What You Need to Know

Read More

We at Halo Security are excited to welcome Packetlabs into our partner network as a vetted penetration testing partner. Through our partnership, we’ll be working together to help organizations strengthen their security posture with our complimentary services.

If you’re not familiar with Halo Security, we are a team of security professionals with a focus on attack surface management (ASM). ASM is a growing sector in the security space, so in this post, we’ll break down what it is and why it’s important to incorporate it into your security program.  

What is attack surface management?

Let’s start with some definitions. At Halo Security, we think of the attack surface as the sum of all the possible entryways that an attacker could use to infiltrate an organization. Therefore, attack surface management is a way of keeping track of these entryways, which are typically the internet-facing assets outside of your firewall, in an effort to identify weaknesses that could lead to an attack.

Attack surface management has three main components which are:

  • Discovery–You cannot secure an asset if it’s not on your radar, so ASM must start with a discovery of all the assets on your perimeter. 

  • Fingerprinting–To identify potential weaknesses in the attack surface, you need to fingerprint your technology, its contents, and its connections to third parties.

  • Monitoring–Your attack surface is constantly in flux. To ensure it remains free of weaknesses that attract attackers, you must implement continuous monitoring on your entire attack surface.

Why is attack surface management important?

Attack surface management is especially important now because nearly every modern business has public-facing assets. Over time, these assets accumulate as businesses develop and expand their online presence. Without tools or systems in place to keep track of these assets, many can become lost or forgotten about through the years as business initiatives are abandoned, and employees come and go.

Oftentimes, the assets that are forgotten about may become susceptible to an attack because of the fact that they aren’t being closely monitored. For example, a forgotten WordPress site might be running an outdated version that has since been found to have vulnerabilities, or a once trusted third-party JavaScript could be hacked and replaced with malicious code, putting your own site and users in jeopardy.

Attackers know that many businesses have forgotten assets with weak security, and they have access to powerful scanning tools to easily find them. We hear news reports of this happening all the time. Last year, an attacker compromised 50 million T-Mobile customer records by gaining access to T-Mobile’s network via an insecure router. In another incident, Starbucks was found vulnerable to cross-site scripting and session hijacking because of a forgotten subdomain that was pointing to a non-existent Azure cloud resource. Had these companies been closely monitoring their entire attack surface, both of these incidents may have been prevented.

Key features of an effective attack surface management solution

There are many attack surface management solutions available on the market that include a range of tools and services. If you’re looking to add an ASM solution to your security tech stack, ensure that it has the following features.

Attack surface discovery

As we mentioned earlier, you need to know what’s on your attack surface before you can manage it, so a comprehensive discovery tool is an absolutely essential component of an effective ASM solution. 

ASM discovery tools should be able to detect every asset outside your firewall that is associated with your business along with:

  • Outdated software

  • Application security flaws

  • Third-party scripts

  • Expired TLS certificates

  • Missing security headers

  • Shadow infrastructure

  • Assets inherited through mergers and acquisitions

  • Open ports and misconfigurations

  • RDP or VNC remote access tools

  • Forgotten and legacy services

Continuous testing and monitoring

New weaknesses and vulnerabilities can arise at any moment, so it’s crucial that you have up-to-date information about your attack surface to complement results from point-in-time testing services like penetration testing. 

At Halo Security, we go by the 80/20 rule: 80% of attack surface issues can be discovered with automated scanning. However, the remaining 20%, which consists of things like business logic flaws, can only be identified by human assessment. By implementing continuous attack surface monitoring along with yearly manual penetration testing, you’re more likely to become aware of critical issues before an attacker can discover and exploit them.


As the saying goes, you’re only as strong as your weakest link. To help you avoid becoming overwhelmed with a long list of weaknesses and vulnerabilities, your attack surface management solution should highlight your weakest links. By identifying the issues that pose the greatest risk to your business, you can spend your time focusing on fixing the problems that really matter, as opposed to those that are less likely to lead to an attack. Some solutions will help you prioritize issues by assigning a risk score to each asset so that you can quickly see your greatest weaknesses. 

In conclusion

With the rising dependence on cloud assets, security teams should practice attack surface management to eliminate security blindspots that can lead to a breach.

If reducing perimeter risk is a priority for your team, Halo Security can help you gain the attacker’s perspective with our complete attack surface management solution. Download our white paper to get a step-by-step guide to testing and monitoring the security of your attack surface.

Written by Nick Merritt

As the VP of Security at Halo Security, Nick utilizes 15+ years of experience to help businesses get better visibility into their attack surface and stay protected against a data breach.

Featured Posts

See All

- Blog

London Drugs Gets Cracked By LockBit: Sensitive Employee Data Taken

In April 2024, London Drugs faced a ransomware crisis at the hands of LockBit hackers, resulting in theft of corporate files and employee records, and causing operational shutdowns across Canada.

- Blog

Q-Day And Harvest-Now-Decrypt-Later (HNDL) Attacks

Prime your knowledge about post-quantum encryption and risks it creates today via Harvest-Now-Decrypt-Later (HNDL) attacks.

- Blog

The Price vs. Cost of Dark Web Monitoring

Learn more about the price vs. cost of Dark Web Monitoring in 2024, as well as the launch of Packetlabs' Dark Web Investigators.