Your firewall policy may be spotless. Your endpoint protection may be fully deployed. But right now, an attacker running a Shodan query may be looking at a forgotten development server you spun up eighteen months ago that is still exposed to the internet, running an unpatched version of Apache Tomcat, with default credentials. Attack surface management is the discipline of discovering and continuously monitoring your external-facing digital footprint — not from inside your network, but from the attacker's vantage point outside it.
This post covers what external attack surface management (EASM) encompasses, how adversaries and security teams conduct reconnaissance, how shadow IT contributes to surface expansion, and how to operationalize continuous monitoring.
What External Attack Surface Management Covers
Your external attack surface is everything an attacker can discover about your organization without credentials. It includes:
- IP addresses and ranges registered to your ASN (Autonomous System Number) or used by cloud workloads
- Domains and subdomains — including legacy subdomains pointing to decommissioned services (subdomain takeover risk)
- Open ports and exposed services — RDP on port 3389, SMB on 445, database ports (1433, 3306, 5432) directly internet-accessible
- SSL/TLS certificates — certificate transparency logs reveal every subdomain for which you have issued a certificate, including internal names accidentally included in SANs
- Leaked credentials — employee email/password combinations appearing in breach databases (HaveIBeenPwned, dark web credential markets)
- Cloud storage misconfigurations — publicly accessible S3 buckets, Azure Blob containers, GCS buckets containing internal data
- Technology fingerprints — server software, CMS versions, framework identification that enables targeted exploitation
OSINT Reconnaissance Methodology
Understanding how attackers enumerate your organization is essential to defending against it. The methodology follows two phases:
Passive Reconnaissance
Passive recon gathers intelligence without directly interacting with your systems — no packets sent to your IP ranges, no DNS queries against your resolvers. Tools used:
- Shodan (shodan.io): Indexes internet-facing devices and services by banner grabbing. A query like
org:'YourCompany'returns every IP and service Shodan has indexed for your organization. Shodan alerts can notify you when new services appear on your ASN. - Censys (search.censys.io): Similar to Shodan with richer TLS certificate data. Censys Attack Surface Management provides continuous monitoring with API access.
- SecurityTrails: Historical DNS data — reveals subdomains, historical A/MX records, and DNS changes that indicate infrastructure movements.
- crt.sh: Certificate transparency log search. Query
%.yourdomain.comto enumerate all subdomains for which certificates have been issued. This is public data — attackers use it routinely. - LinkedIn and OSINT frameworks: Employee enumeration reveals technology stack (job postings reference specific tools), organizational structure, and potential social engineering targets. Tools like theHarvester automate employee email harvesting.
Active Reconnaissance
Active recon directly queries your infrastructure. Security teams conducting authorized assessments use:
- DNS brute forcing: Tools like
amass,subfinder, anddnsxenumerate subdomains by querying DNS resolvers with wordlists of common subdomain prefixes (dev, staging, api, vpn, portal, admin). - Port scanning:
nmapandmasscanidentify open ports across your IP ranges. A 65,535-port scan of a /24 with nmap takes under 10 minutes on a modern system. - Web crawling and directory enumeration: Tools like
gobusterandferoxbusterdiscover hidden paths, backup files (.bak,.old), and administrative interfaces.
Shadow IT: The Hidden Expansion of Your Attack Surface
Shadow IT is the primary driver of unexpected attack surface growth. A developer provisions an EC2 instance for testing, adds a security group rule allowing SSH from 0.0.0.0/0 for convenience, forgets about it when the project ends, and three years later the instance is running an EOL kernel with a public exploit. A sales team adopts a SaaS CRM without IT involvement, feeding customer data into a third-party system with no security review.
Common shadow IT categories that expand attack surface:
- Forgotten cloud instances in non-primary AWS accounts or regions
- Legacy VPN concentrators that were replaced but never decommissioned
- Developer-operated internet-facing services (Jupyter notebooks, ngrok tunnels, development APIs)
- Acquired company infrastructure that was never fully integrated or inventoried
- Third-party SaaS integrations with OAuth tokens granting excessive permissions
Continuous Monitoring vs. Point-in-Time Assessment
A point-in-time external assessment — even a thorough one — has a shelf life of roughly 30 days before infrastructure drift makes findings stale. New cloud instances spin up, certificates are issued for new subdomains, development environments get promoted to production with open firewall rules. Continuous attack surface monitoring solves this by running reconnaissance queries on a scheduled basis (daily to weekly) and alerting on new findings.
Commercial EASM platforms that provide this capability include:
- Palo Alto Cortex Xpanse: Enterprise-grade EASM with integration into XSOAR for automated response. Excels at attributing assets to your organization even when not directly registered under your name.
- Mandiant Attack Surface Management: Strong threat intelligence correlation — surfaces not just what is exposed but what is actively being targeted by threat actors.
- CyCognito: Agentless discovery with automated risk prioritization. Well-suited for mid-market organizations.
Reducing Your External Attack Surface
Discovery without remediation is intelligence without action. Surface reduction follows a prioritized workflow:
- Decommission: If a service, server, or domain is not actively used, terminate it. Remove DNS records. Delete cloud instances. Cancel unused SaaS subscriptions. Every decommissioned asset is an attack surface permanently eliminated.
- Segment and restrict: Services that must be internet-accessible should be firewalled to the minimum necessary IP ranges. Administrative interfaces (SSH, RDP, management consoles) should never be directly internet-accessible — require VPN or zero-trust network access.
- Credential rotation: Leaked credentials discovered in breach databases require immediate rotation. Implement a breach-monitoring process that triggers credential resets when employee credentials appear in new data breaches.
- Certificate hygiene: Audit certificate transparency logs for unexpected subdomains. Implement CAA DNS records to restrict which CAs can issue certificates for your domain.
Fortress MSSP conducts external attack surface assessments as part of our network penetration testing engagements and as standalone reconnaissance reviews. To understand what attackers currently see about your organization, contact us for a no-obligation external exposure report.