Continuous Attack Surface Management

Any security assessment is a snapshot in time. An annual pentest is not enough if your cloud infrastructure changes daily. Continuous Attack Surface Management (CASM) closes the gap between scans and reality.

Your Strategy

Shift the focus from reactive scans to continuous monitoring of your "edge". Identify new assets, forgotten test systems, and misconfigured cloud services before attackers can find them.

Best Practices

  • Inventory: Maintain a gapless, automated inventory of all internet-facing services.
  • Context-Awareness: Evaluate vulnerabilities not just by score (CVSS) but by their visibility and criticality to your business.
  • Automation: Use automated discovery tools that scan your infrastructure from an attacker's perspective.
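The three practices above come together in one recurring job: reconcile what discovery sees on the edge against the inventory, flag anything nobody claims, and rank findings by exposure and business criticality rather than CVSS alone. The following is an added illustration, not tooling from this page or from AYSOLI; the data model, weights and sample hosts are constructed assumptions.

```python
"""Reconcile edge discovery results against the asset inventory and rank
findings by context (exposure, criticality), not by CVSS alone.
Data model, weighting and sample values are hypothetical, constructed here."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Asset:
    host: str
    owner: Optional[str]       # None means nobody in the inventory claims it
    criticality: int           # 1 (low) .. 5 (business critical), from the inventory


@dataclass
class Finding:
    host: str
    port: int
    cvss: float                # base score as reported by the scanner
    internet_facing: bool      # seen from the outside during the discovery run


# Constructed sample inventory (what the CMDB says exists and who owns it).
INVENTORY: Dict[str, Asset] = {
    "api.example.com": Asset("api.example.com", "payments-team", 5),
    "intranet.example.com": Asset("intranet.example.com", "it-ops", 2),
}

# Constructed sample discovery run (what the automated scan saw on the edge).
DISCOVERED: List[Finding] = [
    Finding("api.example.com", 443, 5.3, True),
    Finding("intranet.example.com", 8443, 9.8, False),
    Finding("test-old.example.com", 22, 7.5, True),   # forgotten test system
]


def shadow_assets(findings: List[Finding], inventory: Dict[str, Asset]) -> List[str]:
    """Hosts seen on the edge that no inventory entry claims (sprawl, M-CLD-01)."""
    return sorted({f.host for f in findings if f.host not in inventory})


def risk_score(finding: Finding, inventory: Dict[str, Asset]) -> float:
    """Context-aware score: CVSS scaled by exposure and business criticality.
    Unknown hosts are treated as top criticality, since nobody vouches for them."""
    asset = inventory.get(finding.host)
    criticality = asset.criticality if asset else 5
    exposure = 1.0 if finding.internet_facing else 0.25   # assumed weights
    return round(finding.cvss * exposure * criticality / 5, 2)


def prioritised(findings: List[Finding], inventory: Dict[str, Asset]) -> List[Finding]:
    """Work queue for the team: highest contextual risk first."""
    return sorted(findings, key=lambda f: risk_score(f, inventory), reverse=True)
```

Run against the sample data, the forgotten test host outranks the CVSS 9.8 internal finding, which is the point of context-aware prioritisation.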

STRIDE-LM Design Risks

  • S-01 Spoofing: Identity Spoofing. Attacker impersonates a legitimate user or partner.
  • T-01 Tampering: Data Tampering. Unauthorized modification of shared data or configurations.
  • R-01 Repudiation: Audit Log Manipulation. Deleting or altering traces of an action.
  • I-01 Information Disclosure: Sensitive Data Exposure. Unintentional disclosure of internal information to external parties.
  • D-01 Denial of Service: Resource Exhaustion. Overloading systems through massive requests or resource hogging.
  • E-01 Elevation of Privilege: Privilege Escalation. Gaining privileges beyond what is intended.
  • L-01 Lateral Movement: Lateral Movement. Accessing further internal systems after initial login.
  • M-CLD-01 Monitoring Gaps: Shadow Cloud Assets. Creation of uncontrolled resources through "sprawl".

MITRE ATT&CK® Techniques

Reconnaissance

  • T1595 Active Scanning (ATT&CK): Active scanning of web infrastructure for vulnerabilities.
    Mitigated by:
      • External Attack Surface Management (EASM) [Extended Protection, Medium]: CIS 1.1, NIST ID.RA-1
      • Advanced Threat Protection (WAF) [Extended Protection, Medium]: CIS 16.11, OWASP API8
  • T1592 Gather Victim Digital Network Information (ATT&CK): Collecting information about the target infrastructure.
    Mitigated by:
      • External Attack Surface Management (EASM) [Extended Protection, Medium]: CIS 1.1, NIST ID.RA-1
      • API Asset Inventory [Baseline Protection, Medium]: CIS 1.1, OWASP API9

Initial Access

  • T1190 Exploit Public-Facing Application (ATT&CK): Exploiting vulnerabilities in internet-facing services.
    Mitigated by:
      • Infrastructure as Code (IaC) Scanning [Extended Protection, Medium]: CIS 1.1, NIST PR.IP-1
      • Advanced Threat Protection (WAF) [Extended Protection, Medium]: CIS 16.11, OWASP API8

Credential Access

  • T1110 Brute Force (ATT&CK): Attempts to gain access to accounts or API keys through systematic trial and error.
    Mitigated by:
      • Advanced Threat Protection (WAF) [Extended Protection, Medium]: CIS 16.11, OWASP API8

Discovery

  • T1580 Shadow IT Asset Discovery (ATT&CK): Finding unmanaged resources in the network.
    Mitigated by:
      • External Attack Surface Management (EASM) [Extended Protection, Medium]: CIS 1.1, NIST ID.RA-1
      • API Asset Inventory [Baseline Protection, Medium]: CIS 1.1, OWASP API9
      • Hardware Asset Tagging [Baseline Protection, Low]: CIS 1.1, NIST ID.AM-1
  • T1526 Cloud Service Discovery (ATT&CK): Identifying cloud resources and permissions.
    Mitigated by:
      • External Attack Surface Management (EASM) [Extended Protection, Medium]: CIS 1.1, NIST ID.RA-1
      • API Asset Inventory [Baseline Protection, Medium]: CIS 1.1, OWASP API9
      • Infrastructure as Code (IaC) Scanning [Extended Protection, Medium]: CIS 1.1, NIST PR.IP-1
      • Hardware Asset Tagging [Baseline Protection, Low]: CIS 1.1, NIST ID.AM-1
  • T1046 Network Service Discovery (ATT&CK): Port scan-based reconnaissance of active services on the network.
    Mitigated by:
      • External Attack Surface Management (EASM) [Extended Protection, Medium]: CIS 1.1, NIST ID.RA-1
  • T1087 Account Discovery (ATT&CK): Enumeration of internal accounts and group structures after initial access.
    Mitigated by:
      • SIEM Integration [Extended Protection, High]: CIS 8.5, NIST DE.AE-3, NIST DE.CM-1, OWASP A09:2021

Is your scenario more complex?

AYSOLI experts support you in implementing your specific security requirements.