Enterprise Attack Surface Management (EASM) - Tuning

English EASM Security Azure Beginner
Author: rOger Eisenecher
> 12 years leading and building a SOC for MSSP • > 20 years working in security • > 40 years working with IT • 100% tech nerd.
EASM - This article is part of a series.
Part 2: This Article

Microsoft provides an Enterprise Attack Surface Management (EASM) tool. In this blog series I want to discover the tool and its possibilities. This is part 2 of the series and covers tuning.

Introduction

In part 1 of this blog series we saw how to activate the Microsoft Enterprise Attack Surface Management (EASM) tool. After activation and the first discovery run, the typical next task is tuning the findings. In this article we will go through the tuning of the EASM environment.

For a better understanding of the next steps, here is a schematic view of the infrastructure. It should help you later in the tuning process to adapt the steps to your environment.

Infrastructure Overview
EASM covered infrastructure (simplified).

As you can see we have a shared responsibility: most external services are hosted by a dedicated hosting provider (mainly the domains icer.ch, eisenecher.ch and modern-soc.ch); only some services (e.g. gabble.eisenecher.ch) are served from a datacenter behind a firewall.

State of Assets

To fine-tune your EASM inventory, Microsoft provides so-called asset states (source: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/modifying-inventory-assets#change-the-state-of-an-asset):

  • Approved Inventory: A part of your owned attack surface; an item that you are directly responsible for.
  • Dependency: Infrastructure that is owned by a third party but is part of your attack surface because it directly supports the operation of your owned assets. For example, you might depend on an IT provider to host your web content. While the domain, hostname, and pages would be part of your “Approved Inventory”, you may wish to treat the IP Address running the host as a “Dependency”.
  • Monitor Only: An asset that is relevant to your attack surface but is neither directly controlled nor a technical dependency.
  • Candidate: An asset that has some relationship to your organization’s known seed assets but does not have a strong enough connection to immediately label it as “Approved Inventory.” These candidate assets must be manually reviewed to determine ownership.
  • Requires Investigation: A state similar to the “Candidate” states, but this value is applied to assets that require manual investigation to validate. This is determined based on our internally generated confidence scores that assess the strength of detected connections between assets. It does not indicate the infrastructure’s exact relationship to the organization as much as it denotes that this asset has been flagged as requiring additional review to determine how it should be categorized.

When to use which state?

That’s a good question. As of my current understanding I follow these rules:

  • Approved Inventory: Mark all assets which are under direct control of your company (meaning, e.g., you are responsible for updating the software). In the example scenario this applies to all assets which are part of the datacenter (all components visible from external, inside the red square). Additionally, although the websites are hosted externally, the corresponding domain, hostname and pages are marked as approved.
  • Dependency: In our case the IP address of the hosting server is a dependency for our approved assets, because it is needed to run our website but we have no control over the system regarding, e.g., patching. Additionally I mark resources which point to the same physical system as dependencies too, because if the main asset is patched, all other resources pointing to it are automatically patched as well. Furthermore, discovered pages with protocol http are also marked as dependency because those are just redirects to the https site.

For example, let’s check the host eisenecher.ch. As we can see, the associated IP address is currently marked as not in inventory. But since it is a dependency, we have to change the state accordingly:

Searching for specific assets

As mentioned above, I treat all redirects from http to https as a dependency, since there is no further functionality behind them.

For such use cases EASM provides a search builder on top of the inventory page. Here you can create queries, which can also be saved for later use. In this example I’m looking for all pages using protocol http which are not in state Dependency:

EASM Search for HTTP
EASM Search for pages with protocol HTTP.

Query (each condition is combined with a logical AND):

  • Kind Equals Page
  • Name Starts with http:
  • State Not Equals Dependency

Searching for assets which will be charged

In the first part of this series we saw that you get billed for approved assets of type host, IP address and domain. To get an overview of all assets for which you will be charged, create a query with the following conditions:

EASM Search for charged resources
EASM Search for charged resources.

Query (please note the logical operator at the end of each line):

  • State Equals Approved AND
  • Kind Equals Host OR
  • State Equals Approved AND
  • Kind Equals IP Address OR
  • State Equals Approved AND
  • Kind Equals Domain OR

Tip: Save this query for later use by clicking Save query (at the top).
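The two saved queries above and the tuning rules from "When to use which state?" can be expressed locally as well, which is handy for reviewing a larger inventory export. The following Python is an added example, not code from the article or from Microsoft; the inventory and the IP addresses (documentation ranges) are constructed, and the hoster's "physical system" is assumed to be identified by its set of IP addresses.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Asset:
    kind: str   # Domain, Host, IP Address or Page
    name: str
    state: str  # EASM asset state, or "Not in inventory"

# Constructed inventory modelled on the article's scenario; the addresses are
# documentation ranges, not the real ones behind eisenecher.ch.
HOSTER_IPS: Set[str] = {"203.0.113.10", "2001:db8::10"}  # one physical hoster system
INVENTORY: List[Asset] = [
    Asset("Domain", "eisenecher.ch", "Approved"),
    Asset("Host", "eisenecher.ch", "Approved"),
    Asset("Host", "www.eisenecher.ch", "Candidate"),
    Asset("IP Address", "203.0.113.10", "Not in inventory"),
    Asset("IP Address", "2001:db8::10", "Candidate"),
    Asset("Page", "http://eisenecher.ch/", "Approved"),
    Asset("Page", "https://eisenecher.ch/", "Approved"),
    Asset("Host", "gabble.eisenecher.ch", "Approved"),   # datacenter, own control
    Asset("IP Address", "198.51.100.5", "Approved"),      # datacenter firewall address
]
BILLABLE_KINDS = {"Host", "IP Address", "Domain"}
Key = Tuple[str, str]  # (kind, name) identifies an asset uniquely

def http_pages_not_dependency(inventory: List[Asset]) -> List[Asset]:
    """First saved query: Kind = Page AND Name starts with 'http:' AND State != Dependency."""
    return [a for a in inventory
            if a.kind == "Page" and a.name.startswith("http:") and a.state != "Dependency"]

def propose_dependencies(inventory: List[Asset], hoster_ips: Set[str]) -> Dict[Key, str]:
    """Author's rules: every address of the hoster's system and every plain-http
    redirect page becomes Dependency; domains, hosts and https pages are left as they are."""
    changes: Dict[Key, str] = {}
    for a in inventory:
        if a.state == "Dependency":
            continue
        if (a.kind == "IP Address" and a.name in hoster_ips) or \
           (a.kind == "Page" and a.name.startswith("http:")):
            changes[(a.kind, a.name)] = "Dependency"
    return changes

def apply_changes(inventory: List[Asset], changes: Dict[Key, str]) -> List[Asset]:
    return [replace(a, state=changes.get((a.kind, a.name), a.state)) for a in inventory]

def billable(inventory: List[Asset]) -> List[Asset]:
    """Second saved query: (Approved AND Host) OR (Approved AND IP Address) OR (Approved AND Domain)."""
    return [a for a in inventory if a.state == "Approved" and a.kind in BILLABLE_KINDS]
```

Running the first query again on the tuned inventory returns nothing, and only the datacenter assets plus the approved domain and host remain billable.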

Summary

In this part of the series we did some fine-tuning of the discovered assets. This is important so that you only get charged for those assets you are responsible for. This task has to be done on a regular basis because discovery runs permanently in the background, and every day a new asset can potentially be added to your External Attack Surface.

In the next part of this series I will summarize the pros and cons of Microsoft’s EASM solution.

Further Reading

Here are some links:
