Baseline Your Attack Surface in Attack Surface Management
Leverage the Censys Attack Surface Management platform to track what's normal and spot outliers faster.
With your entire Internet presence catalogued by Censys Attack Surface Management, conduct a few baseline exercises to define what is normal and what is not within your organization. Outliers then become easy to spot, and each one is an opportunity to shrink your attackable surface area by bringing the outlier under your sanctioned policies (or by retiring it).
Select an inventory type and use the Attack Surface Management platform to answer the questions below:
Certificate Baselines
- Certificate Issuers
  - Is my organization obtaining certificates from my preferred certificate authority (CA)?
  - Are there certificates issued by CAs I do not want my organization to use?
- Certificate Names
  - Does my organization use wildcard names in certificates?
  - Are the names that appear together on my certificates the ones I expect?
  - Are all of the unexpired certificates in my collection actually in use?
Host Baselines
- Data Centers and Clouds
  - In which data centers or clouds is most of my infrastructure located?
  - Is my organization using my CDN or web hosting provider for the names I expect?
- Services
  - Do the services on my organization's hosts appear on unexpected ports?
- TLS Versions and Cipher Suites
  - Are my hosts using modern, secure versions of TLS with strong cipher suites?
Domain Baselines
- Domain Registrars
  - Is my organization registering domains with my preferred vendor?
  - Are my DNS records being served from the name servers I expect?
Software Baselines
- Sanctioned Software
  - What does my organization's software footprint look like?
- End-of-Life Software
  - Are any of my hosts running software versions that are no longer supported by their vendor?
To baseline your attack surface, we recommend using the filters available on every inventory list page and tagging assets whose attributes are outliers. For more information on tagging, review the tagging section of our technical documentation.
Let's say that your business uses CSC Corporate Domains as its single sanctioned registrar. You want to log in at any time and check whether any domains belonging to your organization are registered with a registrar or reseller other than that vendor.
Use this example exercise in other areas of your attack surface to spot changes in assets that don’t match your expectations.
- To create a baseline filter, navigate to the Domains List page of the app.
- Open the Filter builder and create a rule that says Registrar does not contain CSC.
  Tip: To account for spelling variations in WHOIS data (capitalization, punctuation, abbreviations of the legal name), we recommend using the Does Not Contain operator instead of the Is Not operator. Keep the substring specific enough that only your sanctioned vendor matches it.
- Click Save Filter and name it something like Non-CSC Registrar.
  Now that you have a filter, you can easily identify any domains that don't match your baseline.
- Next, we recommend going through the list of domains with outlier registrars to determine an appropriate action. You can leverage tags to help group the outlier assets. An example of a tagging strategy is:

| Tag | Details |
| --- | --- |
| investigate | Use this to indicate that you and your team are investigating this domain and how it should be administered. |
| move-to-csc | Use this to group domains that you want moved over to CSC. |
| accepted | Use this to indicate that a domain's non-standard registrar has been sanctioned. |
- After you tag the outliers, adjust your baseline filter so that it keeps returning only assets that are out of compliance and not yet triaged (for example, by adding a rule that excludes domains tagged accepted).
- After you save the adjusted filter, revisit it regularly to spot-check new domains that surface in your attack surface but are not administered by CSC.
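The filter-and-tag loop from the steps above, together with several of the baseline questions listed earlier (registrar, certificate issuer, wildcard names, TLS versions), as an added example in plain Python. This is not Censys code and does not call the Censys API; it reproduces the matching semantics of a saved filter so you can check them against a constructed inventory before trusting the filter. The asset attribute names (registrar, issuer, names, tls_versions), the sanctioned CA list and the sample records are all assumptions made for the example.

```python
"""Baseline-and-outlier triage over an asset inventory.

Added example, not Censys code. It reproduces the workflow described above:
a saved filter such as "Registrar does not contain CSC", tags that record
triage decisions, and an "accepted" tag that suppresses sanctioned exceptions
so the filter keeps returning only untriaged outliers. The inventory below is
constructed sample data; the attribute names are assumptions, not Censys fields.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable


@dataclass
class Asset:
    kind: str                      # "domain", "certificate" or "host"
    name: str
    attrs: dict
    tags: set = field(default_factory=set)


@dataclass
class Baseline:
    label: str                     # doubles as the tag to apply to outliers
    kind: str                      # which inventory type the rule applies to
    in_policy: Callable[[Asset], bool]


def normalize(value: str) -> str:
    """Collapse whitespace and case so WHOIS spelling variants compare equal."""
    return " ".join(value.split()).casefold()


def contains_any(value: str, sanctioned: Iterable[str]) -> bool:
    """The 'Does Not Contain' operator from the Tip, inverted: True when the
    attribute contains any sanctioned substring."""
    v = normalize(value)
    return any(normalize(s) in v for s in sanctioned)


def outliers(assets: Iterable[Asset], baseline: Baseline, accept_tag="accepted"):
    """Assets of the baseline's kind that fail the rule and are not tagged as an
    accepted exception (pass accept_tag=None to see sanctioned ones too)."""
    return [a for a in assets
            if a.kind == baseline.kind
            and accept_tag not in a.tags
            and not baseline.in_policy(a)]


def triage(assets: Iterable[Asset], baselines: Iterable[Baseline]) -> dict:
    """Map each baseline label to the names of its untriaged outliers."""
    assets = list(assets)
    return {b.label: [a.name for a in outliers(assets, b)] for b in baselines}


# Baselines mirroring the questions above. The single-registrar policy and the
# sanctioned CA names are assumptions for this example.
BASELINES = [
    Baseline("non-csc-registrar", "domain",
             lambda a: contains_any(a.attrs.get("registrar", ""), ["CSC"])),
    Baseline("unsanctioned-issuer", "certificate",
             lambda a: contains_any(a.attrs.get("issuer", ""),
                                    ["DigiCert", "Let's Encrypt"])),
    Baseline("wildcard-name", "certificate",
             lambda a: not any(n.startswith("*.") for n in a.attrs.get("names", []))),
    Baseline("legacy-tls", "host",
             lambda a: set(a.attrs.get("tls_versions", [])) <= {"TLSv1.2", "TLSv1.3"}),
]

# What an 'Is Not' comparison does instead: exact match after normalizing,
# which still flags the abbreviated registrar string in the sample below.
EXACT_REGISTRAR_RULE = Baseline(
    "non-csc-registrar-exact", "domain",
    lambda a: normalize(a.attrs.get("registrar", "")) == normalize("CSC Corporate Domains, Inc."))

# Constructed sample inventory (not real WHOIS or scan data).
INVENTORY = [
    Asset("domain", "example.com", {"registrar": "CSC Corporate Domains, Inc."}),
    Asset("domain", "example-promo.com", {"registrar": "GoDaddy.com, LLC"}),
    Asset("domain", "example.co.uk", {"registrar": "csc  corporate domains"}),   # spelling variant
    Asset("domain", "example-partner.net", {"registrar": "Namecheap"}, {"accepted"}),
    Asset("certificate", "www.example.com",
          {"issuer": "DigiCert Inc", "names": ["www.example.com", "example.com"]}),
    Asset("certificate", "*.example.com",
          {"issuer": "Let's Encrypt", "names": ["*.example.com"]}),
    Asset("certificate", "dev.example.com",                    # self-signed: issuer == subject
          {"issuer": "dev.example.com", "names": ["dev.example.com"]}),
    Asset("host", "203.0.113.10", {"tls_versions": ["TLSv1.2", "TLSv1.3"]}),
    Asset("host", "203.0.113.11", {"tls_versions": ["TLSv1.0", "TLSv1.2"]}),
]

if __name__ == "__main__":
    for label, names in triage(INVENTORY, BASELINES).items():
        print(f"{label}: {names or 'no outliers'}")
```

Running the script lists one outlier per baseline: the GoDaddy domain, the self-signed certificate, the wildcard certificate and the host still offering TLS 1.0. The domain tagged accepted is suppressed, which is the effect of adjusting the saved filter after triage; the exact-match rule additionally flags the abbreviated "csc corporate domains" record, which is why the Tip prefers Does Not Contain.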
Learn more about Censys Attack Surface Management assets and all the information you can use to establish baselines and to investigate aberrations.