External Attack Surface Management for Red Teams

External Attack Surface Management for Red Teams


Share on linkedin
Share on facebook
Share on twitter

The move to the cloud enables organizations to reduce costs associated with daily business operations. Simultaneously, digital transformation expands the attack surface, making it difficult for security teams to keep pace with threat actors. With external attack surface management tools, Red Teams can more rapidly identify and respond to vulnerabilities arising from common vulnerabilities and exposures (CVEs) and misconfiguration.

What are the problems red teams face?

As security professionals, Red Teams act as ethical hackers, trying to gain unauthorized access to an organization’s systems, networks, and applications. Often, they use the same tactics, techniques, and procedures (TTPs) that real threat actors use. As they follow the attack kill-chain, they look for security vulnerabilities that increase the organization’s data breach risks. 

The move to cloud-based infrastructures adds new challenges, making it more difficult and time-consuming for Red Teamers to adequately test and validate practices and technologies. 

Too Many Locations

As organizations add new cloud-based resources, they increase the complexity of their environments and their digital footprint. Each technology offers its own security monitoring tool, but that simply adds more places to review security. 

Multi-Cloud Deployments

Many organizations use more than one primary cloud-services provider. According to the Flexera 2021 State of the Cloud Report, organizations currently use an average of 2.6 public and 2.7 private clouds. This means that Red Teams need to look for security vulnerabilities across an average of 5.3 cloud platforms just for cloud-services providers like AWS, Azure, and Google Cloud Platform.

Software-as-a-Service (SaaS) Applications

More importantly, organizations continue to add more SaaS applications to their stack. According to Netskope, organizations with 500-2,000 employees use an average of 690 distinct applications. Even if only half of those applications fall into “high risk” categories, that still means Red Teams need to look for security weaknesses across 345 locations. 

Too Many Points of Failure

Further, every single connection leads to a potential point of failure. Consider some of the following potential attack vectors:

  • User access
  • APIs
  • Workloads
  • Serverless functions
  • Misconfigured resources, like AWS S3 buckets and databases

Many cloud resources can be spun up and down in a matter of seconds. Traditional approaches to Red Teaming lack the ability to compensate for the cloud’s dynamic nature. As assets continuously connect to and disconnect from the organization’s infrastructure, Red Teamers can easily miss potential vulnerabilities.

Too Few Resources

Threat actors work together and often have more financial resources than Red Teams. Both of these resource limitations leave Red Teams struggling.

Tooling and Financial Resources

Limited financial resources can lead to limited Red Team tool capabilities. Red Teams need a set of tools that enable them to act as threat actors. This includes tools that enable them to:

  • Take over a victim browser
  • Locate exposed API keys
  • Analyze code for vulnerabilities

Although some open-source tools are available, many solutions that enable enterprise Red Teams can be costly.


While open-source tools may meet a company’s budget, they also require a set of skills. Once again, a lack of financial resources leads to a problem. An organization may be able to find security professionals with the right skill set but may not be able to afford the salary. Additionally, many organizations find that they need to choose between hiring skilled professionals or purchasing additional security tools. 

In an attempt to overcome these challenges, organizations increasingly require their Red Teamers to wear multiple hats. Often, security teams whose members engage in both offensive and defensive activities.

How External Attack Surface Management (EASM) Enables Red Teams

EASM tools provide necessary visibility into and across complex on-premises and cloud environments. They scan the entire attack surface, including servers and self-hosted services, which enables them to detect and identify shadow IT assets that would remain hidden. This way Red Teamers can focus on the most impactful security vulnerabilities. Fundamentally, Red Teams look to see if a threat actor would be able to leverage a security weakness. Then they try to follow a series of steps in order to establish a foothold or exfiltrate data.

What Does an EASM Do?

This emerging technology supports organizations’ ability to identify risks arising from systems and assets that face the public internet, providing visibility and awareness around cybersecurity risk.

EASM tools offer five primary functionalities:

  • Monitoring: Scanning complex cloud and on-premises environments for external facing vulnerabilities that can lead to an attack, including Internet of Things (IoT) devices
  • Asset discovery and inventory: Identifying digital assets across multiple environments to maintain a real-time asset inventory across dynamic infrastructures
  • Analysis: Evaluating and analyzing in real-time for continuously updated cross-checks around asset vulnerabilities that increase risk, make them more prone to attack, or behave abnormally
  • Prioritization: Provider alerts based on risk and vulnerability prioritization analytics
  • Remediation: Provide actionable risk mitigation plans based on threat prioritization, including the ability to integrate with current workflows and tools

How Can Red Teams Use EASM?

EASM gives Red Teams a way to purposefully target potentially vulnerable assets, saving time and enabling more robust control testing. 

Targeting Vulnerable Assets

Often, Red Teams need to run multiple scans and target multiple vulnerability possibilities before detecting a security weakness. Traditional Red Teaming activities involve regularly running scans against all assets, reviewing multiple scans for potentially vulnerable services, and reviewing outcomes to determine if they pose an actual risk. 

EASM reduces the amount of time spent on the Red Team’s “guesswork.” EASM solutions provide alerts across complex infrastructures, giving Red Teams a way to target critical services. By prioritizing risks across the ecosystem, EASM gives Red Teams a way to look more purposefully at critical services and the security weaknesses that can lead to a data breach.

Saving Time

Since EASM surfaces critical risks and vulnerabilities, Red Teamers no longer need to engage in as many manual tasks. For example, instead of running a Nmap scan across all ports, EASM automates the process, providing visibility into all risky connection points and services. 

Additionally, EASM suggests control remediation activities so that Red Teams know exactly what vulnerabilities they should be attempting to exploit. They can proactively run exploits on target systems, looking for new attack paths arising from these vulnerabilities.

Enhanced Security

By focusing on high-risk vulnerabilities, Red Teamers are able to deploy more advanced exploits across their infrastructures. Targeting critical systems and security weaknesses allows them to spend more time looking for potential attack paths that can lead to a data breach. 

Even if the Red Team is unable to move laterally or escalate privileges successfully, the inability to do so provides enhanced validation over the organization’s controls.

How Red Teams Should Evaluate an EASM Tool

When looking to incorporate an EASM as part of Red Teaming, organizations should focus on the following key capabilities:

  • Digital asset discovery: Detect and alert teams to new potentially risky exposed assets in real-time, like S3 buckets and workloads, to try to leverage them as potential attack vectors
  • Exposure management: Prioritize remediation activities so teams can attempt to leverage misconfigurations, open ports, or unpatched vulnerabilities as attack vectors to validate controls
  • 3rd party risk management: Map and monitor unknown 3rd party risks like IP addresses, domains, cloud services, and applications. 

These primary use cases can help Red Teams focus their activities and exploits. In doing that, they can save time and provide better security control validation.

Reposify: The Right EASM for Red Teams Everywhere 

With Resposify’s real-time visibility into the external attack surface, Red Teams can know when new assets go online for dynamic security across complex cloud and IT infrastructures. Reposify provides real-time, continuously updated, fresh data.

The Reposify platform can detect IP addresses associated with domains and subdomains, meaning that it provides real-time visibility into new assets and takes the dynamic nature of IP addresses into account. Additionally, as part of Reposify’s proprietary scanning technology, the platform provides context across exposed services that help provide visibility into the existence of vulnerabilities and their severity to help organizations prioritize remediation strategies. 

Reposify provides faster risk detection with automated action plans then continuously monitors assets to validate the remediation status. Red Teams can then run exploits against these newly detected assets to confirm risk and close any additional security gaps. 

Red Teams can use Reposify to help build out more robust threat hunting capabilities. By detecting high-risk vulnerabilities with Reposify, Red Teams can attempt more sophisticated attacks, providing better insight into and validation over security controls’ ability to mitigate a real-world attack.

Contact Reposify and get a free personalized demo from our external attack surface experts.

New call-to-action

Reposify is an attack surface management platform delivering autonomous 24/7 discovery of exposed assets across all environments and the supply chain. Leading enterprises worldwide use Reposify to gain unparalleled visibility of their internet-facing assets and actionable security insights for eliminating shadow IT risks in real-time


Share on linkedin
Share on facebook
Share on twitter

Ready to discover your External Attack Surface?

Read Next

Gartner Recognized Reposify for its Innovative External Attack Surface Management Solution.

Gartner has named Reposify to its 2021 Emerging Vendors list in the external attack surface management (‘EASM’) security category.

The 4 Most Vulnerable Attack Surface Exposures in the Pharmaceutical Industry

Reposify's research team examined the security posture of leading pharmaceutical companies worldwide and found the industry's 4 most prevalent and vulnerable attack surface exposures.

3 Unexpected Exposures We Found in Leading Las Vegas Casinos

Before we headed to the Yearly Black Hat event of 2021 in Las Vegas, we ran security checks on leading las Vegas casinos, and we discovered three unexpected exposures.