Baseline Your Attack Surface in Exposure Management
Leverage the Censys Exposure Management platform to track what's normal and spot outliers faster.
With your entire Internet presence catalogued by Censys Exposure Management, try conducting a few baseline exercises to help you define what is normal and abnormal within your organization. Then outliers are easy to spot and you can find opportunities to tighten your attackable surface area by migrating outliers to your sanctioned policies.
Select an inventory type and use the Exposure Management platform to answer the questions below:
Certificates
- Is my organization obtaining certificates from my preferred registrar?
- Are there certificates issued by issuers I do not want my organization to use?
- Does my organization use wildcard names in certificates?
- Are names appearing together on my certificates the way I expect?
- Are all of the unexpired certificates in my collection in use?
Data Centers and Clouds
- In which data centers or clouds is most infrastructure located?
- Is my organization using my CDN or Webhosting Provider for the names I expect?
- Do the services on my organization's hosts appear on unexpected ports?
TLS Versions and Cipher Suites
- Are my hosts using modern, secure versions of TLS with strong cipher suites?
Domains, DNS, and Software
- Is my organization registering domains with my preferred vendor?
- Are my DNS records being served from the name servers I expect?
- What does my organization's software footprint look like?
- Are any of my hosts running software versions that are no longer supported by their vendor?
To baseline your attack surface, we recommend using the filters available on every inventory list page and tagging assets whose attributes are outliers. For more information on tagging, see our technical documentation.
Example Exercise: Baseline Your Preferred Domain Registrar
Let’s say that your business uses CSC Corporate Domains for IT Service Management. You want to be able to log in at any time and check whether any domains belonging to your organization are registered with a registrar or reseller apart from your single sanctioned vendor.
- To create a baseline filter, navigate to the Domains List page of the app.
- Open the Filter builder and create a rule that says Registrar does not contain CSC.
Tip: To account for spelling variations in WhoIs data, we recommend using the Does Not Contain operator instead of the Is Not operator.
- Click Save Filter and name it something like “Non-CSC Registrar”.
Now that you have a filter, you can easily identify any domains that do not match your baseline.
- Next, we recommend going through the list of domains with outlier registrars to determine an appropriate action. You can leverage tags to help group the outlier assets. An example of a tagging strategy is:
- A tag to denote that you and your team are investigating this domain and how it should be administered.
- A tag to group domains that you want moved over to CSC.
- A tag to denote that a domain's non-standard registrar has been sanctioned.
After you do this, adjust your baseline filter so that it continues to home in on assets that are out of compliance.
When you save this filter, you can revisit it regularly to spot-check new domains that are surfacing within your attack surface but are not administered by CSC.
Apply this example exercise to other areas of your attack surface to spot changes in assets that don’t match your expectations.
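The baseline-and-tag workflow above, as an added example that is not Censys code and does not use the Censys API: it models the "does not contain" filter against spelling variants in WhoIs data, the refined filter that excludes already-tagged outliers, and the same method applied to the certificate questions. The inventory records, their field names (registrar, issuer, names) and the tag names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Added example, not Censys code: a minimal model of the baseline-and-tag
# workflow. Field names (registrar, issuer, names) are assumptions.
@dataclass
class Asset:
    name: str
    attributes: dict
    tags: set = field(default_factory=set)

# Constructed sample inventories. Registrar strings vary in case and
# punctuation, which is why the filter uses "does not contain", not "is not".
DOMAINS = [
    Asset("corp.example", {"registrar": "CSC Corporate Domains, Inc."}),
    Asset("shop.example", {"registrar": "CSC CORPORATE DOMAINS INC"}),
    Asset("legacy.example", {"registrar": "Example Registrar LLC"}),
    Asset("dev.example", {"registrar": "Other Registrar"}, {"registrar-sanctioned"}),
    Asset("old.example", {"registrar": "Budget Domains"}, {"migrate-to-csc"}),
]
CERTS = [
    Asset("www.corp.example", {"issuer": "Example CA", "names": ["www.corp.example"]}),
    Asset("*.shop.example", {"issuer": "Other CA", "names": ["*.shop.example"]}),
]

def does_not_contain(value, needle):
    """Case-insensitive 'does not contain', tolerant of WhoIs spelling variants."""
    return needle.lower() not in (value or "").lower()

def baseline_outliers(assets, attribute, sanctioned, exclude_tags=frozenset()):
    """Assets whose attribute does not contain the sanctioned value, minus any
    already tagged during triage (the refined filter described in the text)."""
    return [a for a in assets
            if does_not_contain(a.attributes.get(attribute), sanctioned)
            and not (a.tags & set(exclude_tags))]

def outliers_with_is_not(assets, attribute, sanctioned):
    """The stricter 'is not' operator: exact match, so spelling variants of the
    sanctioned registrar are wrongly reported as outliers."""
    return [a for a in assets if a.attributes.get(attribute) != sanctioned]

def wildcard_certs(certs):
    """Certificates carrying a wildcard name, one of the certificate questions."""
    return [c for c in certs if any(n.startswith("*.") for n in c.attributes["names"])]

if __name__ == "__main__":
    triaged = {"registrar-sanctioned", "migrate-to-csc"}
    for a in baseline_outliers(DOMAINS, "registrar", "CSC", triaged):
        print("untriaged outlier:", a.name, a.attributes["registrar"])
```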
Learn more about Censys assets and all the information you can use to establish baselines and to investigate aberrations.