Skip to main content
  1. Posts/

Enterprise Attack Surface Management (EASM) - Activation and a first look

·1041 words·5 mins· loading · loading · ·
English EASM Security Azure Beginner
rOger Eisenecher
Author ::..
rOger Eisenecher
> 12 years leading and building a SOC for MSSP • > 20 years working in security • > 40 years working with IT • 100% tech nerd.
Table of Contents
EASM - This article is part of a series.
Part 1: This Article

Microsoft provides an Enterprise Attack Surface Management (EASM) tool. In this blog series I want to disover the tool and the possibilities. This is part 1 of an upcoming series.

Introduction

From a security point of view it is important to know how the external attack surface of the company looks like. For this purpose several tools exist. In typical scenarios a simple vulnerability scanner is used to discover weaknesses in your external surface.

The main issue with such tools is that you need to know what your external surface is - furthermore changes are not automatically updated so you often miss important things in your external surface.

Here comes External Attack Surface Management (EASM) to the rescue. Those tools should help to discover with intelligent information gathering assets which could belong to your external surface.

EASM Tool
EASM tool in your Azure portal.

This blog series will discover the possiblities of the Microsoft External Attack Surface Management tool which you can activate in your Microsoft Azure Tenant. The series consist of following articles:

  • Basic Setup and Check first results (this article)
  • How to tune Microsoft Defender EASM after first discovery
  • Comparison with other known tools

Let’s get started

The initial setup of EASM is easy and is done with following simple steps:

  • Have a subscription ready
  • Create a resource group
  • Deploy Microsoft Defender EASM into defined resource group
  • Define first artifacts as starting point of the discovery process
  • Wait 48 hours (Yes, it takes really two days until you get first results)

Deploy Microsoft Defender EASM

Deployment of the Microsoft Defender EASM workspace is easy as other workload in Azure:

  • Just invoke the wizard by searching for EASM in the search bar in the Azure portal
  • Fill in details: Subscription (here Visual Studio Enterprise Subscription – MPN), Resource Group (in my example rg_Security), a name for your EASM workspace (referenced as easm in the article) and region (East US)
  • Hit on Review + create (and finally on Create)

EASM Wizard
EASM wizard to create your Workspace.

Define first artifacts

To get started you have to define data for your first disovery run. You have the following possibilities (not all have to be filled with information):

  • Organisation Namen
  • Domains (Includes)
  • Domains (Excludes)
  • IP Blocks
  • Hosts
  • Email Contacts
  • ASN
  • Whois Organizations

For my first run I just filled in following information (please adapt those for your environment):

  • Organisation Namen
    • Eisenecher
    • icER
    • Modern-SOC
  • Domains (Includes)
    • icer.ch
    • eisenecher.ch
    • modern-soc.ch
  • Hosts
    • remote.eisenecher.ch

Adjustments can be done after the first run so if you forgot something it’s not an issue.

Wait for 48 hours

Now you have to wait until the first run is done. This takes up to 48 hours. Until then you will just see a default screen telling you that discovery is ongoing.

First Results

Now 48 hours passed by and results are available in my EASM instance. I will go through the results and will discuss the findings which the tool presents.

Overview

You will get a nice dashboard over your external attack surface - just go to your enrolled easm workspace and you will see something like this:

EASM Dashboard
EASM Dashboard with the summary of your external attack surface.

As you can see the results are grouped by following topics:

  • Domains
  • Hosts
  • Pages
  • SSL certificates
  • ASNs
  • IP blocks
  • IP addresses
  • Contacts

For further explanation I explore the section Hosts only.

Host Details

As an example here a screenshot of the hosts:

EASM Hosts Inventory
EASM Inventory details about discovered hosts.
You can see that beside the host (remote.eisenecher.ch) we initially specified in the discovery page, EASM found additional hosts which belong to your assets. Beside of the name you get additional information like IP address, corresponding DNS servers, when the name was first and last seen. If you click now on the host you get details about the host. Here are screenshots of the details EASM discovered:

Attack Surface Insights

Below of that overview you will get a prioritiesed list of observed artifacts:

  • High
  • Medium
  • Low
    EASM Attack Surface Insights
    EASM Attack Surface Insights sorted according priority.

In the screenshot it looks like there is an issue with priority low: Expired SSL certificates. If you click on it you get more insight about the finding:

EASM Observations Priority Low - Expired SSL Certificates
EASM Observations Priority Low - Expired SSL Certificates.
The details shows three certificates which seems to be expired. When we get more details about such a certificate we will get following information:
EASM Observations Priority Low - Expired SSL Certificates - Detail 1
EASM Observations Priority Low - Expired SSL Certificates, Details (Part 1).
EASM Observations Priority Low - Expired SSL Certificates - Detail 2
EASM Observations Priority Low - Expired SSL Certificates, Details (Part 2).
Now it is clear why it is expired: In the screenshot you can see that the certificate is from Let’s Encrypt - those certificates have to be renewed every 3 months. So this artifact shows that this specific certificate was seen once and is expired in the meantime. Unfortunatly it is not direct visible that the host has a renewed and valid certificate (means this observation is obsolete).

But this shows you also that EASM not only checks for actual observations (EASM was setup on 30.04.2024, results where available on 02.05.2024) - but also looks back in time (the entry shows details from the timeframe 03-06.11.2023).

Costs

According to the documentation of Microsoft each approved asset (Domain, IP address, Host) will be billed for $0.011 per day. According to the overview shown before and without further tuning we have following billable assets:

  • Domains: 3
  • Hosts: 23
  • IP addresses: 0

The estimated cost will be (3+23+0) x $0.011 x 30 = $8.58/month ($102.96/year)

Good to know: The first time you activate Microsoft Defender EASM you will get a free 30 day trial - so it is easy to check the tool if it is suitable for your needs.

Summary

After the first review of the observations the results are mixed. As detailed above EASM shows information about your external surface and combines it with historic data so you see the development of your external surface over time. On the other hand you also saw that EASM complained about expired certificates which are already replaced. With that the supplied information has only a limited value.

This are the first thoughts about Microsoft Defender EASM. Please check out future blog posts regarding EASM with more details.

Further Reading

Here are some links:

EASM - This article is part of a series.
Part 1: This Article