Discover internet-exposed assets with Microsoft Defender EASM in Azure
In this article, I will give some context and demonstrate how to kick-start your journey to get a holistic view of your own or others’ internet-exposed assets (known and/or unknown assets) and their vulnerabilities with Microsoft Defender External Attack Surface Management (EASM).
The EASM service in Microsoft Azure is an effective tool that both attackers and defenders can use: to support attacks against, or to defend, internet-exposed assets.
Exploitation of internet-facing applications is the number one initial attack vector — Kaspersky
Attack vector in cybersecurity refers to an attacker’s path or route to exploit a vulnerability and break through the attack surface.
Every business is a software business — Watts S. Humphrey
Every company or organization today can be viewed as a technology/software company because of the high level of digitization across its business operations. Companies are advancing daily in the speed and scale of application and system development, which means that the available cyber attack surface is growing. Whenever a web-facing asset is made public, such as a new marketing campaign subdomain or a GitHub commit that accepts user input, your available attack points increase. It is no secret that IT and security teams struggle to maintain and control visibility over every asset, whether new, old or forgotten.
According to Gartner, risks associated with the use of cyber-physical systems and IoT/IIoT, open-source code, cloud applications, third parties and third-party dependencies, middleware, container technology, complex digital supply chains, social media and more have pushed organizations' exposed surfaces beyond the set of assets they control.
Maintain and control internet-exposed assets (external attack surface)
An external attack surface is the entire area of an organization or system that is susceptible to an attack from an external source. An organization’s attack surface is made up of all the points of access that an unauthorized person could use to enter the system. The larger your attack surface is, the harder it is to protect.
Microsoft Defender External Attack Surface Management (EASM)
EASM continuously and automatically conducts discovery, inventory and monitoring of all internet-facing assets.
EASM enriches the insight into each asset with linked critical information, such as open ports, DNS record types, expired certificates and a list of the technologies hosted on the asset, combined with the Common Vulnerability Scoring System (CVSS) scores and Common Vulnerabilities and Exposures (CVE) identifiers of the vulnerabilities linked to that asset.
EASM uses Microsoft's crawling technology to discover internet-exposed assets and their relationships. Known assets (seeds) lead to connected (known and/or unknown) assets through a discovery chain that builds up the attack surface.
Starting with the seed, Microsoft scans the Microsoft Security Graph and repeatedly builds associations (Discovery) with other assets; this process ultimately creates the attack surface Inventory. From the Inventory, Microsoft pulls in other datasets for deeper Inspection, then outlines the Asset details, before the final Analysis and Reports on the findings.
Once the process described above has completed its scans, a comprehensive attack surface appears, containing a system of record for web applications, third-party dependencies and web infrastructure. This can be used to find unmanaged assets, understand an organization's security posture and asset compliance, and determine and prioritize risks.
Discovery Chain
The discovery chain outlines the observed connections between a discovery seed and an asset. The figure below illustrates how a discovery seed is used to build a discovery chain.
“The example above is where the seed is a domain and the other assets (host and IP-address/block) are discovered via the initial seed.” — Derk van der Woude
The following assets are available in Microsoft Defender EASM:
- Domains (e.g. contoso.org)
- Hosts (e.g. storageaccount.contoso.org)
- Webpages (e.g. www.contoso.org)
- IP-address (e.g. 131.107.136.40)
- IP-blocks (e.g. 131.107.0.0/16)
- WHOIS registrant (e.g. domains@microsoft.com)
- ASNs (Autonomous System Numbers e.g. 3598)
- SSL Certificates
EASM actively scans these assets to find new connections over time. All of the asset types above can serve as discovery seeds to search, correlate and link publicly available information, from which the attack surface priorities and security posture are calculated. This gives visibility to recognize unknown risk, the scope of vulnerabilities and exposure control outside the corporate firewalls.
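To make the discovery-chain idea concrete, here is an added example (not Microsoft's code, and not how EASM is implemented internally) that walks a seed domain through constructed DNS, WHOIS and IP-block observations, classifies each discovered value into the asset kinds listed above, and records the chain from seed to asset. The `OBSERVATIONS` table and `IP_BLOCKS` list are constructed sample data, and the domain/host split on dot count is a simplifying assumption.

```python
import ipaddress
from collections import deque

# Constructed sample observations standing in for the DNS, WHOIS and
# certificate data that EASM correlates (not real Microsoft data).
OBSERVATIONS = {
    "contoso.org": ["www.contoso.org", "storageaccount.contoso.org", "domains@contoso.org"],
    "www.contoso.org": ["131.107.136.40"],            # A record
    "storageaccount.contoso.org": ["131.107.136.41"], # A record
    "domains@contoso.org": ["contoso-shop.com"],      # same WHOIS registrant
    "contoso-shop.com": ["shop.contoso-shop.com"],
    "shop.contoso-shop.com": ["203.0.113.7"],
}
IP_BLOCKS = ["131.107.0.0/16", "203.0.113.0/24"]      # constructed netblocks

def classify(asset):
    """Map an observed value onto the EASM asset kinds listed on the page."""
    if "@" in asset:
        return "WHOIS registrant"
    try:
        ipaddress.ip_address(asset)
        return "IP-address"
    except ValueError:
        pass
    if "/" in asset:
        return "IP-block"
    # Assumption: a registrable domain has one dot, anything deeper is a host.
    return "Domain" if asset.count(".") == 1 else "Host"

def neighbours(asset):
    """Assets reachable from `asset` in one discovery step."""
    found = list(OBSERVATIONS.get(asset, []))
    if classify(asset) == "IP-address":  # link an IP to the block containing it
        ip = ipaddress.ip_address(asset)
        found += [b for b in IP_BLOCKS if ip in ipaddress.ip_network(b)]
    return found

def build_inventory(seed):
    """Breadth-first discovery; returns {asset: (kind, chain from seed)}."""
    inventory = {seed: (classify(seed), [seed])}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for nxt in neighbours(current):
            if nxt not in inventory:
                inventory[nxt] = (classify(nxt), inventory[current][1] + [nxt])
                queue.append(nxt)
    return inventory

if __name__ == "__main__":
    for asset, (kind, chain) in build_inventory("contoso.org").items():
        print(f"{kind:16} {asset:28} via {' -> '.join(chain)}")
```

Every discovered asset carries the chain that justified adding it, which is what lets a defender decide whether an unexpected entry (here the second registrant-linked domain) is really theirs or a false association.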
Get started in Microsoft Azure
The prerequisites for getting started with Microsoft Defender EASM are an Azure account, an Azure subscription, a resource group and the Contributor role. The initial setup of Microsoft Defender EASM can be done through the Azure portal.
- If you do not have an Azure account and subscription, you can create them here.
- If you are completely new to Microsoft Azure, I recommend having a look at the Azure Fundamentals training to get started.
1. Open the Azure portal, search for Microsoft Defender EASM and click Create to create an EASM instance.
2. To create an instance, provide the information below:
- Subscription: Select your Azure subscription.
- Resource Group: Select a precreated Resource Group, or create a new one as part of the process of creating the instance.
- Name: give the workspace a name.
- Region: Select an Azure location. The following regions are supported by EASM at the time of writing: southcentralus, eastus, australiaeast, westus, swedencentral, eastasia, japaneast.
3. Search from a list of pre-built attack surfaces
Microsoft maintains an inventory of discovered internet-facing assets linked to organizations, from which multiple pre-built organization profiles are available. Search for the company name to find the organization of interest. Microsoft recommends that all users search for their organization's pre-built attack surface before creating a custom inventory.
4. Create a custom inventory/attack surface
Could you not find the organization of interest? Create a custom inventory/attack surface with the known seeds you have available.
Type in what you know:
- Domains (e.g. contoso.org)
- IP-blocks (e.g. 131.107.0.0/16)
- Hosts (e.g. storageaccount.contoso.org)
- Email contacts
- ASNs (Autonomous System Numbers e.g. 3598)
- WHOIS registrant/organisation (e.g. domains@microsoft.com)
- Certificates common names
NB. Creating the attack surface takes up to 24–48 hours after confirmation.
Loading Attack Surface.
When the attack surface has been created, you will be able to access the overview page below and more. You can drill into the details and use the pre-made dashboards. Have fun!