Attack Surface Testing - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide
Abstract

Attack surface testing runs benign exploits against your externally facing assets to confirm the presence of vulnerabilities.

Note

You must have the Cortex XSIAM Attack Surface Management (ASM) Add-on to use this feature.

While Cortex XSIAM global ASM scans identify inferred CVEs that potentially impact an asset, attack surface testing confirms the presence of vulnerabilities on your external attack surface. With your explicit approval, Cortex XSIAM runs unintrusive, benign exploits against your public internet-facing assets to confirm the presence or absence of vulnerabilities, enabling you to quickly and confidently prioritize and remediate risks.

When setting up attack surface testing, you select the targets for the testing, either all or a subset of your directly discovered services (which are services that are definitively associated with an asset that belongs to your organization). After you've selected targets, Cortex XSIAM runs attack surface scans daily. Attack surface test results are displayed on the Services tab in the inventory, so you can review the data as part of your existing ASM workflow. All attack surface tests are enabled by default, but you can view information about the tests and disable tests if needed from the Attack Surface Tests page.

Attack surface tests
Abstract

Attack surface tests are designed to minimize the potential impact on scanned and tested services.

Cortex XSIAM has an extensive set of attack surface tests for CVEs and other risks that affect externally facing services and can be confirmed with benign testing. Attack surface testing is layered on top of the existing attack surface management (ASM) global scanning infrastructure, which distributes requests across a broad time range to minimize the impact on scanned and tested services. Only external scans are performed, meaning only directly discovered services accessible from the public internet are tested. Cortex XSIAM does not perform authenticated scanning, and its scans do not change the state of a tested service. To further decrease test load and the possibility of impacting a service, attack surface tests are mapped to service classifications, so that tests run only on the relevant services within your approved set of targets. For example, Apache attack surface tests are run only against your Apache services.

New attack surface tests are added at the discretion of the Cortex XSIAM Security Research Team when new vulnerabilities are announced.

Note

Attack surface testing scans are not typically CFAA compliant, meaning that they may attempt more extensive fuzzing to confirm or deny the presence of a CVE.