vm-4 (High priority) Vulnerability Management

Internet-exposed attack surface is identified and minimized

Every service, port, and domain exposed to the internet is a potential entry point for attackers. Organizations often have more exposed assets than they realize, including forgotten cloud instances, dev environments, staging servers, and legacy services that were never decommissioned. Attack surface management (ASM) is the practice of continuously discovering what you have exposed and reducing it to the minimum required for operations.

Complete first: ds-1, ds-3

Implementation steps

  1. Enumerate your internet-facing assets using external discovery tools

    Run an external attack surface scan to discover all assets associated with your domains, IP ranges, and cloud accounts. This includes subdomains, open ports, cloud storage buckets, exposed APIs, and any asset that responds to internet probes. Compare results against your asset inventory to find assets you did not know about.

    Tools: shodan, censys, runzero, qualys, expanse

  2. Close or restrict unnecessary internet exposure

    For each internet-facing service discovered, confirm it needs to be public. Shut down or restrict access to any service that does not need to be internet-facing: admin panels, database ports, development environments, and remote management tools. Move admin access behind a VPN or zero-trust gateway. Close unused ports at the firewall and cloud security group level.

    Tools: aws-security-groups, cloudflare, palo-alto, terraform, tailscale

  3. Set up continuous monitoring for new internet exposure

    Configure continuous external scanning so that when a new service is exposed to the internet it is detected quickly, ideally within 24 hours. Alert your security team when new ports, services, or subdomains appear. Integrate ASM tooling into your CI/CD pipeline to prevent accidental exposure during deployments.

    Tools: runzero, censys, wiz, orca-security, pagerduty
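The three steps above come down to one recurring diff: today's external scan against the asset inventory (unknown assets), against the list of services that must not be public (exposure to close), and against the previous scan (new exposure to alert on). The script below is an added example, not code from this control or from any of the tools listed; the "host,port" scan format, the restricted-port list and all hosts are constructed sample data.

```python
"""Added example, not part of the control page or any listed tool: diff an
external scan against the asset inventory and the previous scan to surface
unknown assets, restricted services, and newly exposed ports (steps 1 to 3).
The scan format ("host,port" lines) and all hosts are constructed sample data."""

# Services the control says should not be internet-facing: admin panels,
# database ports and remote management. This port list is an assumption.
RESTRICTED_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
    6379: "redis", 27017: "mongodb", 9200: "elasticsearch", 8080: "admin-http",
}

def parse_scan(text):
    """Parse 'host,port' lines into {host: {open ports}}; blank and '#' lines skipped."""
    exposure = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port = line.split(",")
        exposure.setdefault(host, set()).add(int(port))
    return exposure

def analyze(scan, inventory, baseline):
    """Return sorted findings: hosts missing from inventory (step 1), restricted
    services reachable from the internet (step 2), ports not open last scan (step 3)."""
    findings = {"unknown_asset": [], "restricted_service": [], "new_exposure": []}
    for host, ports in scan.items():
        if host not in inventory:
            findings["unknown_asset"].append(host)
        for port in ports:
            if port in RESTRICTED_PORTS:
                findings["restricted_service"].append((host, port, RESTRICTED_PORTS[port]))
            if port not in baseline.get(host, set()):
                findings["new_exposure"].append((host, port))
    return {kind: sorted(items) for kind, items in findings.items()}

# Constructed sample data: today's scan, the asset inventory, and yesterday's scan.
SAMPLE_SCAN = """\
web.example.com,443
web.example.com,22
api.example.com,443
staging-old.example.com,8080
staging-old.example.com,5432
"""
INVENTORY = {"web.example.com", "api.example.com"}
BASELINE = {"web.example.com": {443}, "api.example.com": {443}}

if __name__ == "__main__":
    for kind, items in analyze(parse_scan(SAMPLE_SCAN), INVENTORY, BASELINE).items():
        for item in items:
            print(f"{kind}: {item}")
```

Running the same diff on a schedule and routing non-empty `new_exposure` findings to the on-call channel gives you the 24-hour detection target in step 3; the `restricted_service` list is the worklist for step 2.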

Evidence required

Attack surface inventory and reduction actions

Evidence that internet-facing assets have been enumerated and that unnecessary exposure has been removed.

  • External scan report showing discovered assets and open ports
  • Before and after comparison showing services closed or restricted
  • Continuous monitoring alert configuration for new exposure

Related controls