ASM Resources
ASM Videos
NahamSec - about 10 minutes each
Attack Surface Management Series - EP0 - What is ASM (In under 10 mins) - YouTube
Attack Surface Management Series - EP1 - Certificate Transparency (In under 10 mins) - YouTube
Attack Surface Management Series - EP2 - Shodan - YouTube
NahamSec series, doesn't include EP0
Recon & Attack Surface Management - YouTube
BHIS Ashley Knowles' video on ASM 101
In this video, Ashley Knowles said she had a list of FOSS/Paid ASM services on her GitHub. So I investigated, and found that her current list[1] was forked from another account and several of the links were outdated. I decided to make my own fork with some notes and a datestamp:
GitHub - Curated list of open-source & paid Attack Surface Monitoring (ASM) tools.
The original list has a few issues/pull requests from other people, and while the creator has reacted to them, they haven't integrated those changes, leading me to believe the list is effectively static. Therefore, I'll probably just keep this list updated separately and modify it as it suits me.
Random LinkedIn Post
Joshua Bregler on LinkedIn created a post that listed a few tools and linked to a CSO Online article.
The original post feels a little wordy,[2] so here's my summary, with all the LinkedIn tracking links removed. The original is below for posterity.
Summary
7 best practices for enterprise attack surface management | CSO Online
When it comes to Attack Surface Management, don't be overwhelmed by expensive products. There are plenty of free, cheap, and open source tools to get you started, and they may replace the need for expensive products entirely.
I've broken these tools up into three categories (note that all of them except nmap, zenmap, ZAP, and Burp Suite CE are GitHub Repos, which we love to see).
- Domain and Sub-domain Discovery
  - OWASP Amass is legit and does this well among other things: amass: In-depth attack surface mapping and asset discovery
  - SubBrute is fast and unapologetic and has some nice upgrades: subbrute: A DNS meta-query spider that enumerates DNS records, and subdomains.
  - Knock is simple and efficient: knock: Knock Subdomain Scan
- Port Scanning (know your potential network ingress points)
- Vulnerability/Configuration Scanning
  - nuclei is nifty and customizable: nuclei: Fast and customizable vulnerability scanner based on simple YAML based DSL.
  - ZAP is wonderful for web app scans: ZAP
  - Burp is amazing for a million reasons: Burp Suite CE by PortSwigger
Original post
On Fridays, we build things... This week...
Attack Surface Management!
Understanding the external perspective of your organization is incredibly important. Comprehension of your organization's exposed digital real estate is important to understand your attackers' point-of-view.
But the fact is... the products on the market that can do this for you may be out of your budget.
But have hope! You can build this on your own. And it's a lot of fun!
The CSO Online article is great for framing the basic tenets: https://lnkd.in/ec29vBF4
Ultimately... you can strap together a few basic kinds of tools and get a decent idea of what your attackers see and start making changes to mitigate the issues.
Here's some open source tools to get you started. This is by no means exhaustive and there is A LOT more you can do/add for your situation or industry. But start here and grow where it makes sense...
- Domain and Sub-domain Discovery
-- OWASP Amass is legit and does this well among other things: https://lnkd.in/eSTt6Nhj
-- SubBrute is fast and unapologetic and has some nice upgrades: https://lnkd.in/ev2vZ5Jz
-- Knock is simple and efficient: https://lnkd.in/eFKibXbf
- Port Scanning (know your potential network ingress points)
-- nmap is the OG: https://nmap.org/
-- zenmap is nmap's prettier sibling; just has a nice GUI and helpers: https://nmap.org/zenmap/
- Vulnerability/Configuration Scanning
-- nuclei is nifty and customizable: https://lnkd.in/eFFTevQZ
-- ZAP is wonderful for web app scans: https://www.zaproxy.org/
-- Burp is amazing for a million reasons: https://lnkd.in/eFbD_-Gd
Is this basic? Yes. But you gotta get basic right before you do more.
Build confidence in your exposed attack surface area. And have fun doing it!
It's a beautiful day to build beautiful things.