Attack Surface Testing

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-04
Category
Administrator Guide
Abstract

Attack Surface Testing runs benign exploits against your externally facing assets to confirm the presence of vulnerabilities.

Cortex XSIAM Attack Surface Testing confirms whether a vulnerability is actually present on your external attack surface, so you can prioritize risks quickly and with confidence. With your approval, Cortex XSIAM runs benign exploits against externally facing assets to confirm the presence of vulnerabilities. Rather than requiring you to manually verify CVEs that were only inferred (for example, from a service's reported version), Cortex XSIAM Attack Surface Testing runs daily scans based on your preferences.

When you set up Attack Surface Testing, you select the targets for the testing: either all of your directly-discovered services or a subset of them. A directly-discovered service is one that is definitively associated with an asset that belongs to your organization. Once you've selected targets, Cortex XSIAM runs attack surface tests against them daily. Attack surface test results are displayed on the Services tab in the Inventory, so you can review the data as part of your existing attack surface management (ASM) workflow. All attack surface tests are enabled by default; you can view information about each test, and disable tests if needed, from the Attack Surface Tests page.

Note

Unlike passive attack surface management scanning, Attack Surface Testing scans are not typically CFAA compliant: they may send more extensive fuzzing payloads to confirm or deny the presence of a CVE. This is why the tests run only against targets you have explicitly approved.

Attack surface tests

Cortex XSIAM has an extensive set of attack surface tests for CVEs and other risks that affect externally-facing services and can be confirmed with benign testing. Attack surface testing is layered on top of the existing attack surface management (ASM) global scanning infrastructure, which distributes requests across a broad time range to minimize the impact on scanned and tested services. Cortex XSIAM performs external scans only, meaning it tests only directly-discovered services that are reachable from the public internet. It does not perform authenticated scanning, and no test is allowed to change state on a tested service. To further reduce test load and the chance of impacting a service, each attack surface test is mapped to the service classifications it applies to, so tests run only against the relevant services in your approved set of targets. For example, Apache attack surface tests run only against your Apache services.
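The two rules above (only directly-discovered, approved services are eligible; each test runs only against the service classifications it is mapped to, is skipped when disabled, and is never allowed to change state) can be illustrated as a small planner. The following is an added example written for this page; it is not Cortex XSIAM code, and the inventory, classification labels, test names and the 24-hour spreading scheme are constructed assumptions for illustration only.

```python
"""Illustrative planner for the target-selection and test-mapping rules
described above. Added example: not Cortex XSIAM code. Service
classification strings and test names are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    classification: str        # assumed label, e.g. "apache-http-server"
    directly_discovered: bool  # definitively tied to an asset you own


@dataclass(frozen=True)
class AttackSurfaceTest:
    name: str                   # hypothetical test identifier
    classifications: frozenset  # service classifications it applies to
    stateless: bool = True      # a test that would change state is never run


# Constructed inventory for the example (not real hosts of any organization).
INVENTORY = [
    Service("www.example.com", 443, "apache-http-server", True),
    Service("api.example.com", 443, "nginx", True),
    Service("203.0.113.10", 22, "openssh", True),
    Service("cdn-edge.example.net", 443, "apache-http-server", False),  # inferred only
]

# Constructed test catalogue; names are placeholders, not real Cortex tests.
TEST_CATALOGUE = [
    AttackSurfaceTest("apache-path-traversal-probe", frozenset({"apache-http-server"})),
    AttackSurfaceTest("nginx-alias-traversal-probe", frozenset({"nginx"})),
    AttackSurfaceTest("ssh-weak-kex-check", frozenset({"openssh"})),
    AttackSurfaceTest("http-admin-write-probe",
                      frozenset({"apache-http-server", "nginx"}), stateless=False),
]


def select_targets(inventory, approved_hosts=None):
    """Only directly-discovered services are eligible. If approved_hosts is
    given, the target set is further restricted to that subset."""
    eligible = [s for s in inventory if s.directly_discovered]
    if approved_hosts is None:
        return eligible
    return [s for s in eligible if s.host in approved_hosts]


def plan_tests(targets, catalogue, disabled=frozenset()):
    """Pair each test with targets whose classification it is mapped to, so an
    Apache test never touches an nginx or SSH service. Disabled tests and any
    test that would change state on the target are skipped entirely."""
    plan = []
    for test in catalogue:
        if test.name in disabled or not test.stateless:
            continue
        for svc in targets:
            if svc.classification in test.classifications:
                plan.append((test.name, svc))
    return plan


def schedule(plan, window_start, window_hours=24):
    """Spread requests across the daily window so no target gets a burst.
    The offset is derived from a hash of (test, host, port), so the schedule
    is deterministic for a given plan. Returns (offset_seconds, when, test, svc)."""
    scheduled = []
    for test_name, svc in plan:
        key = f"{test_name}|{svc.host}|{svc.port}".encode()
        slot = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
        offset = slot % (window_hours * 3600)
        when = window_start + timedelta(seconds=offset)
        scheduled.append((offset, when, test_name, svc))
    return sorted(scheduled, key=lambda entry: entry[0])


if __name__ == "__main__":
    targets = select_targets(INVENTORY)
    plan = plan_tests(targets, TEST_CATALOGUE, disabled=frozenset({"ssh-weak-kex-check"}))
    start = datetime(2024, 12, 4, tzinfo=timezone.utc)
    for offset, when, test_name, svc in schedule(plan, start):
        print(f"{when.isoformat()}  {test_name:30s}  {svc.host}:{svc.port}")
```

Note what never reaches the plan: the inferred-only `cdn-edge.example.net` service (not directly discovered), the `http-admin-write-probe` test (would change state), and any test you disable. Everything that does reach it is paired only with services of a matching classification.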

New attack surface tests are added at the discretion of the Cortex XSIAM Security Research Team when new vulnerabilities are announced.