Security | March 23, 2026 | 10 min read

Attack Surface Management: The Perimeter Module

External Attack Surface Management for continuous security monitoring

Prismatic Engineering

Prismatic Platform

The External Attack Surface Problem


Every organization has an external attack surface -- the collection of internet-facing assets that an attacker could target. Domains, subdomains, IP addresses, open ports, exposed APIs, cloud storage buckets, email servers, and SSL certificates all contribute to this surface.


The challenge is that attack surfaces grow organically. A developer spins up a test server and forgets about it. A marketing team registers a new domain. A cloud service exposes an S3 bucket with default permissions. Shadow IT creates assets that security teams never learn about.


The Perimeter module provides continuous, automated discovery and assessment of the external attack surface.


Architecture


The Perimeter system is split across two umbrella apps:


  • prismatic_perimeter: Backend logic -- scanners, scoring engine, asset registry, compliance checks
  • prismatic_perimeter_web: LiveView dashboard at /perimeter for visualization and management

Core Components

    PerimeterSupervisor
    +-- AssetDiscovery (discovers internet-facing assets)
    +-- VulnerabilityScanner (scans discovered assets)
    +-- ScoringEngine (calculates security ratings)
    +-- ComplianceChecker (NIS2 and regulatory compliance)
    +-- AlertManager (threshold-based alerting)


    Asset Discovery


    Discovery runs in four phases:


    Phase 1: DNS Enumeration


    Starting from known root domains, the system enumerates subdomains through DNS queries, certificate transparency logs, and passive DNS databases. A typical organization with 5 root domains might have 200-500 subdomains.


    Phase 2: Port Scanning


    Discovered hosts are scanned for open ports using a rate-limited, non-intrusive scanner. The scanner checks the top 1000 TCP ports and identifies running services through banner grabbing.


    Phase 3: Service Fingerprinting


    Identified services are fingerprinted to determine software versions. An Apache 2.4.49 server has different vulnerabilities than Apache 2.4.54. Version information drives the vulnerability assessment.


    Phase 4: Cloud Asset Discovery


    The system checks for common cloud misconfigurations: publicly accessible S3 buckets, exposed Azure Blob Storage, open Google Cloud Storage, and misconfigured CDN origins.


    Security Ratings


    The ScoringEngine produces a composite security rating from 0 to 100:


    | Category      | Weight | Measures                                                |
    |---------------|--------|---------------------------------------------------------|
    | SSL/TLS       | 25%    | Certificate validity, protocol version, cipher strength |
    | Vulnerability | 30%    | Known CVEs, patch status, exploitability                |
    | Configuration | 20%    | Security headers, CORS policy, cookie flags             |
    | Exposure      | 15%    | Unnecessary open ports, exposed admin panels            |
    | Reputation    | 10%    | Blacklist status, abuse reports, spam scores            |

    Rating Interpretation

  • 90-100: Excellent - Minimal attack surface, all patches current
  • 70-89: Good - Some issues, none critical
  • 50-69: Fair - Multiple issues requiring attention
  • 30-49: Poor - Significant vulnerabilities present
  • 0-29: Critical - Immediate remediation required


    Ratings are recalculated every 24 hours and after any significant asset change.
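The weighting and band mapping above, as an added Elixir example (not Prismatic's ScoringEngine): it combines five category scores using the table's weights, maps the composite to a band, and applies a simple threshold rule of the kind the AlertManager could use when a rescan lowers the rating. Module and function names and the sample scores are assumptions.

```elixir
defmodule Perimeter.Scoring do
  # Added example, not Prismatic's ScoringEngine. Weights follow the article's table.
  @weights %{ssl_tls: 0.25, vulnerability: 0.30, configuration: 0.20,
             exposure: 0.15, reputation: 0.10}
  # Lower bound of each band, worst to best (0-29 critical ... 90-100 excellent).
  @bands [critical: 0, poor: 30, fair: 50, good: 70, excellent: 90]

  # Composite 0..100 from per-category scores (each 0..100); a missing category scores 0.
  def composite(scores) when is_map(scores) do
    @weights
    |> Enum.reduce(0.0, fn {category, weight}, acc ->
      acc + weight * clamp(Map.get(scores, category, 0))
    end)
    |> Float.round(1)
  end

  # Band name for a composite score.
  def band(score) do
    {name, _floor} =
      @bands |> Enum.reverse() |> Enum.find(fn {_name, floor} -> score >= floor end)

    name
  end

  # Threshold rule: alert when the rating drops by at least `min_drop` points
  # or falls into a worse band than before.
  def alert?(previous, current, min_drop \\ 10) do
    previous - current >= min_drop or band_rank(current) < band_rank(previous)
  end

  defp band_rank(score), do: Enum.find_index(Keyword.keys(@bands), &(&1 == band(score)))
  defp clamp(value) when is_number(value), do: value |> max(0) |> min(100)
end

# Constructed sample: strong TLS, one unpatched high-severity CVE, weak headers.
scores = %{ssl_tls: 95, vulnerability: 40, configuration: 60, exposure: 80, reputation: 100}
composite = Perimeter.Scoring.composite(scores)
IO.inspect({composite, Perimeter.Scoring.band(composite)}, label: "rating")
IO.inspect(Perimeter.Scoring.alert?(78.0, composite), label: "alert after rescan")
```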


    NIS2 Compliance Scanning


    The EU's NIS2 Directive (Network and Information Security Directive 2) imposes cybersecurity obligations on essential and important entities. The Perimeter module includes automated compliance checks for:


  • Incident reporting readiness: Can the organization detect and report a significant incident within 24 hours?
  • Risk management measures: Are appropriate technical and organizational measures in place?
  • Supply chain security: Are third-party dependencies assessed for security risk?
  • Encryption: Is data encrypted in transit and at rest using current standards?
  • Access control: Are authentication and authorization mechanisms appropriate?

    Each check produces a compliance status (compliant, partially compliant, non-compliant) with specific remediation guidance.


    Vulnerability Assessment


    Discovered vulnerabilities are classified using the Common Vulnerability Scoring System (CVSS v3.1):


```elixir
%Vulnerability{
  cve_id: "CVE-2024-1234",
  asset: "api.example.com:443",            # host:port the finding applies to
  cvss_score: 7.5,                         # CVSS v3.1 base score
  severity: :high,                         # derived from the CVSS score
  description: "Remote code execution in OpenSSL 3.0.x",
  remediation: "Upgrade to OpenSSL 3.0.13 or later",
  first_seen: ~U[2026-03-20 14:30:00Z],    # UTC DateTime of first detection
  status: :open
}
```


    Vulnerabilities are tracked through a lifecycle: discovered -> confirmed -> remediation_planned -> remediated -> verified. The dashboard shows the current distribution across lifecycle stages.
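An added Elixir example (not the project's own Vulnerability module) that derives `:severity` from the CVSS v3.1 score, enforces the lifecycle order above so records cannot skip or move backwards, and computes the per-stage distribution the dashboard shows. The module and function names are assumptions; the sample record reuses the article's fields.

```elixir
defmodule Perimeter.Vulnerability do
  # Added example, not the project's own %Vulnerability{} module.
  @lifecycle [:discovered, :confirmed, :remediation_planned, :remediated, :verified]

  defstruct [:cve_id, :asset, :cvss_score, :severity, :description,
             :remediation, :first_seen, status: :discovered]

  # CVSS v3.1 qualitative severity bands (None / Low / Medium / High / Critical).
  def severity(score) when score >= 9.0, do: :critical
  def severity(score) when score >= 7.0, do: :high
  def severity(score) when score >= 4.0, do: :medium
  def severity(score) when score > 0.0, do: :low
  def severity(_score), do: :none

  # Builds a record, always deriving :severity from the CVSS score.
  def new(attrs) when is_list(attrs) do
    struct!(__MODULE__, Keyword.put(attrs, :severity, severity(attrs[:cvss_score])))
  end

  # Moves a record to `to` only if it is the next lifecycle stage.
  def transition(%__MODULE__{status: from} = vuln, to) do
    idx = Enum.find_index(@lifecycle, &(&1 == from))

    if idx != nil and Enum.at(@lifecycle, idx + 1) == to do
      {:ok, %{vuln | status: to}}
    else
      {:error, {:invalid_transition, from, to}}
    end
  end

  # Counts records per stage for the dashboard, including empty stages.
  def distribution(vulns) do
    counts = Enum.frequencies_by(vulns, & &1.status)
    Map.new(@lifecycle, &{&1, Map.get(counts, &1, 0)})
  end
end

# Constructed sample record mirroring the article's fields.
vuln =
  Perimeter.Vulnerability.new(
    cve_id: "CVE-2024-1234", asset: "api.example.com:443", cvss_score: 7.5,
    description: "Remote code execution in OpenSSL 3.0.x",
    remediation: "Upgrade to OpenSSL 3.0.13 or later",
    first_seen: ~U[2026-03-20 14:30:00Z]
  )

{:ok, confirmed} = Perimeter.Vulnerability.transition(vuln, :confirmed)
{:error, _reason} = Perimeter.Vulnerability.transition(confirmed, :verified)  # skips stages
IO.inspect(Perimeter.Vulnerability.distribution([vuln, confirmed]), label: "by stage")
```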


    The Perimeter LiveView Dashboard


    The dashboard at /perimeter provides:


  • Asset inventory: Sortable, filterable table of all discovered assets with service details
  • Security score overview: Current rating with historical trend chart
  • Vulnerability timeline: When vulnerabilities were discovered and when they were resolved
  • Compliance status: NIS2 compliance checklist with current status per requirement
  • Scan history: Log of all discovery and assessment scans with results
  • Alert configuration: Set thresholds for automatic alerting on score drops or new critical vulnerabilities

    Real-Time Updates


    The dashboard uses Phoenix PubSub to receive live updates. When a scan completes or a new vulnerability is discovered, the dashboard updates without requiring a page refresh. Scan progress is displayed as a percentage with estimated time remaining.
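How that PubSub wiring can look, as an added example and not the project's code: the scanner side broadcasts progress and findings on a topic, and the LiveView subscribes on its connected mount and updates assigns from `handle_info/2`. The PubSub name `Prismatic.PubSub`, the topic, the message shapes and the module names are assumptions.

```elixir
defmodule Perimeter.ScanEvents do
  # Added example: scanner-side broadcasts (assumed PubSub name and topic).
  @pubsub Prismatic.PubSub
  @topic "perimeter:scans"

  def topic, do: @topic

  # Publishes percent complete and a rough ETA from elapsed time per finished asset.
  def progress(done, total, %DateTime{} = started_at) when total > 0 do
    elapsed = DateTime.diff(DateTime.utc_now(), started_at)
    eta = if done > 0, do: div(elapsed * (total - done), done), else: nil
    Phoenix.PubSub.broadcast(@pubsub, @topic, {:scan_progress, div(done * 100, total), eta})
  end

  def vulnerability_found(vuln) do
    Phoenix.PubSub.broadcast(@pubsub, @topic, {:vulnerability_found, vuln})
  end
end

defmodule PrismaticPerimeterWeb.ScanProgressLive do
  # Added example LiveView; subscribes only on the connected (websocket) mount,
  # not on the initial HTTP render, so each client gets exactly one subscription.
  use Phoenix.LiveView

  def mount(_params, _session, socket) do
    if connected?(socket), do: Phoenix.PubSub.subscribe(Prismatic.PubSub, Perimeter.ScanEvents.topic())
    {:ok, assign(socket, progress: 0, eta_seconds: nil, findings: [])}
  end

  def handle_info({:scan_progress, pct, eta}, socket) do
    {:noreply, assign(socket, progress: pct, eta_seconds: eta)}
  end

  def handle_info({:vulnerability_found, vuln}, socket) do
    {:noreply, update(socket, :findings, &[vuln | &1])}
  end

  def render(assigns) do
    ~H"""
    <p>Scan progress: <%= @progress %>% <%= if @eta_seconds, do: "(~#{@eta_seconds}s remaining)" %></p>
    <ul><li :for={v <- @findings}><%= v.cve_id %> on <%= v.asset %></li></ul>
    """
  end
end
```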


    Integration with OSINT


    The Perimeter module integrates bidirectionally with the OSINT subsystem:


  • OSINT to Perimeter: OSINT adapters that discover internet-facing assets (domain lookups, IP geolocation, WHOIS) feed directly into the Perimeter asset registry
  • Perimeter to OSINT: Discovered assets become OSINT targets for deeper investigation -- exposed services trigger automated reconnaissance workflows

    This integration means that a single OSINT investigation can automatically expand the known attack surface, and newly discovered attack surface elements automatically trigger intelligence gathering.




    You cannot defend what you cannot see. The Perimeter module makes the invisible visible.


    Tags

    easm perimeter security nis2 vulnerability-assessment