Baseline Your Attack Surface
Leverage the Censys ASM platform to track what's normal and spot outliers faster.
With your entire Internet presence catalogued by Censys ASM, run a few baseline exercises to define what is normal and what is abnormal for your organization. Once a baseline exists, outliers are easy to spot, and each one is an opportunity to shrink your attackable surface by migrating it to your sanctioned policy (or formally accepting it as an exception).
Select an inventory type and use the ASM platform to answer the questions below:
Certificate Baselines
- Certificate Issuers
  - Is my organization obtaining certificates from my preferred certificate authority?
  - Are there certificates issued by certificate authorities I do not want my organization to use?
- Certificate Names
  - Does my organization use wildcard names in certificates?
  - Are the names that appear together on my certificates the combinations I expect?
  - Are all of the unexpired certificates in my collection actually in use?
Host Baselines
- Data Centers and Clouds
  - In which data centers or clouds is most of my infrastructure located?
  - Is my organization using my CDN or web hosting provider for the names I expect?
- Services
  - Do the services on my organization's hosts appear on unexpected ports?
- TLS Versions and Cipher Suites
  - Are my hosts using modern, secure versions of TLS with strong cipher suites?
Domain Baselines
- Domain Registrars
  - Is my organization registering domains with my preferred vendor?
- Name Servers
  - Are my DNS records being served from the name servers I expect?
Software Baselines
- Sanctioned Software
  - What does my organization's software footprint look like?
- End-of-Life Software
  - Are any of my hosts running software versions that are no longer supported by their vendor?
To baseline your attack surface, we recommend using the filters available on every inventory list page and tagging the assets whose attributes are outliers. If you need more information on tagging, see our technical documentation on tags.
Example Exercise: Baseline Your Preferred Domain Registrar
Let's say that your business uses CSC Corporate Domains as its sanctioned domain registrar. You want to be able to log in at any time and check whether any domains belonging to your organization have been registered with a registrar or reseller other than that one sanctioned vendor.
Step One
To create a baseline filter, first navigate to the Domains List page of the app.
Step Two
Open the Filter builder and create a rule that says "Registrar does not contain CSC."
Tip: Registrar names in WHOIS data vary in spelling, capitalization, and suffix (for example "CSC Corporate Domains, Inc." versus "CSC CORPORATE DOMAINS INC"). The "Is Not" operator requires an exact string match, so those variants would show up as false outliers. Use the "Does Not Contain" operator instead so that any record containing the vendor name is treated as in-baseline.
Step Three
Click Save Filter and name it something like “Non-CSC Registrar”.
Now that you have a filter, you can easily identify any domains that do not match your baseline.
Step Four
Next, we recommend going through the list of domains with outlier registrars to determine an appropriate action for each. You can use tags to group the outlier assets. An example tagging strategy:

| Tag | Details |
| --- | --- |
| investigate | You and your team are investigating this domain and how it should be administered. |
| move-to-csc | The domain is queued to be transferred to CSC. |
| accepted | The domain's non-standard registrar has been reviewed and sanctioned as an exception. |
Once the outliers are tagged, refine your baseline filter so that it keeps homing in on assets that are actually out of compliance, for example by excluding domains that carry the accepted tag.
When you save this refined filter, you can revisit it regularly to spot-check new domains that are surfacing within your attack surface but are not administered by CSC.
Use this example exercise in other areas of your attack surface to spot changes in assets that don’t match your expectations.
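The same baseline-and-tag logic, written out as a stand-alone script so the "Does Not Contain" versus "Is Not" distinction and the tagging strategy can be seen on data. This is an added example, not Censys code and not the ASM platform's API: the inventory records, tag sets, and registrar strings below are constructed to mimic the WHOIS spelling variation the tip above describes, and in practice they would come from your own inventory export.

```python
"""Baseline domain registrars from an inventory and tag the outliers.

Added example (not Censys code). All input data is constructed inline.
"""

# The sanctioned vendor, matched as a case-insensitive substring, which is
# what the "Does Not Contain" filter operator does.
SANCTIONED_REGISTRAR = "csc"

# Constructed sample inventory. Registrar strings deliberately vary in
# capitalization and suffix, as real WHOIS data does; one is empty because
# the WHOIS lookup returned nothing.
INVENTORY = [
    {"domain": "example.com", "registrar": "CSC Corporate Domains, Inc."},
    {"domain": "example.net", "registrar": "CSC CORPORATE DOMAINS INC"},
    {"domain": "legacy-app.example", "registrar": "GoDaddy.com, LLC"},
    {"domain": "marketing-promo.example", "registrar": "NameCheap, Inc."},
    {"domain": "partner-portal.example", "registrar": "MarkMonitor Inc."},
    {"domain": "old-brand.example", "registrar": ""},
]

# Tagging state maintained by the team (hypothetical; normally the tags
# live on the assets themselves).
ACCEPTED = {"partner-portal.example"}      # reviewed, exception sanctioned
MOVE_QUEUE = {"legacy-app.example"}        # transfer to CSC already planned


def in_baseline(registrar, sanctioned=SANCTIONED_REGISTRAR):
    """'Does Not Contain'-style test inverted: True when the registrar
    string contains the sanctioned vendor name, ignoring case."""
    return sanctioned.lower() in registrar.lower()


def is_exact(registrar, exact="CSC Corporate Domains, Inc."):
    """'Is'-style test, shown for contrast: only the exact string matches,
    so a spelling variant of the same vendor is wrongly treated as an outlier."""
    return registrar == exact


def tag_outliers(inventory, accepted, move_queue):
    """Return {domain: tag} for every domain that is outside the baseline.

    A missing or empty registrar is an outlier too: you cannot show that
    an unknown registrar is the sanctioned one, so it gets investigated.
    """
    tags = {}
    for rec in inventory:
        if in_baseline(rec["registrar"]):
            continue
        domain = rec["domain"]
        if domain in accepted:
            tags[domain] = "accepted"
        elif domain in move_queue:
            tags[domain] = "move-to-csc"
        else:
            tags[domain] = "investigate"
    return tags


def out_of_compliance(tags):
    """The refined baseline filter: outliers minus sanctioned exceptions."""
    return sorted(d for d, t in tags.items() if t != "accepted")


def new_since(previous, current):
    """Domains that are out of compliance now but were not on the last
    review, i.e. what a regular spot-check should surface."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    tags = tag_outliers(INVENTORY, ACCEPTED, MOVE_QUEUE)
    for domain, tag in sorted(tags.items()):
        print(f"{domain:28} {tag}")
    print("out of compliance:", out_of_compliance(tags))
    # Exact matching would flag the second CSC record as an outlier.
    print("exact-match outliers:",
          [r["domain"] for r in INVENTORY if not is_exact(r["registrar"])])
```

Save the output of `out_of_compliance` from each review and feed it to `new_since` on the next run; that is the scripted equivalent of re-opening the saved "Non-CSC Registrar" filter and looking only at what has appeared since you last checked.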
Next Step
Learn more about Censys assets and all of the information you can use to establish baselines and to investigate aberrations.