Follow the Trail, Investigate Your Attack Surface
Censys leverages its industry-leading, Internet-wide data sets and research-backed knowledge about asset relationships to present a current and comprehensive public inventory belonging to your organization.
The Censys attribution process begins from seed data: assets that are, with full confidence, owned and managed by your organization. Branches to new assets are created when the evidence for a relationship between a parent node and a potential child node crosses a defined confidence threshold.
You can use the trail as a starting place and guide for your own investigation as you discover and monitor your attack surface.
Seeds
Many seeds come from public Internet artifact repositories such as WHOIS and DNS and are often traditional asset types such as:
-
Autonomous Systems
-
Netblocks
-
Domain names
Your organization can also seed the platform with more ephemeral assets from public Cloud Server Provider accounts using a Censys Cloud Connector to add asset types such as:
-
Storage buckets
-
Dynamic cloud IP addresses
-
Subdomains
Trail Layout
Each asset type can be discovered and attributed from a variety of parent types, and trails vary in length from zero parent nodes (which means the asset is a seed) up to five.
In the ASM app, Censys displays a trail from your seed data to each asset that is attributed to your organization. A trail is present on every asset details page that shows you the path Censys took to the asset you’re viewing.
The relationships between parent nodes and child nodes are listed below, grouped by the type of asset that is added.
Host Trails
The chains of relationships that end in a host can be long or short. If your organization is large enough to have allocated sections of IPv4 address space (i.e., netblocks or ASes), these hosts are almost permanently attributed to you, and the trail is rather short.
In other cases, hosts are attributed via DNS records or because they are presenting assets (such as certificates) attributed to you.
-
ASN → IP network
The set of sequential IPv4 addresses (indicated by the prefix) is within an Autonomous System belonging to your organization.
-
IP network → IP address
The IPv4 address is within an IP range belonging to your organization.
Figure 2. Trail to a host from an autonomous system -
Domain name → IP address
The IP address is present in a DNS record with a domain name belonging to your organization.
Figure 3. Trail to a host from a domain -
Certificate → IP address
The host presented a certificate belonging to your organization when a Censys scanner initiated a TLS handshake.
Figure 4. Trail to a host from a certificate
Certificate Trails
Certificates are not seeds, so they are always found because of the names they contain or because of the hosts that present them.
-
Domain name → Certificate
The certificate’s name section contains the domain name belonging to your organization.
-
IP address → Certificate
The certificate was presented by a host in your attack surface when a Censys scanner initiated a TLS handshake.
|
Note
|
If a certificate presented by a host belonging to your organization does not contain any names attributed to you, an ownership field will indicate "unknown." |
Domain Trails
While domain and subdomain trails are often connected to each other by the natural hierarchy of the Domain Name System, the familial relationship of name servers can also feature prominently in these trails.
-
Domain name (A) → Domain name (B)
Domain name B is a subdomain of domain name A, which belongs to your organization.
-
IP netblock → Domain name
The domain name was seen to resolve to an IP address in an IP block belonging to your organization in the past 90 days.
-
Domain → Name Server Within the past 90 days, a (non-shared) name server appeared in an NS record with a domain belonging to your organization.
-
Name server → Domain name
Within the past 90 days, a domain appeared in an NS record with a name server belonging to your organization.
Correcting Misattributed Assets
If you see an IP address, TLS certificate, or domain name that you are certain does not belong to you, you can opt to exclude it from your organization.
|
Caution
|
Choosing to exclude an asset has a ripple effect. Other assets whose trail includes the one you excluded will also be removed; however, those assets may reappear later if Censys finds them via other trails. |
To most effectively remove false positives, follow the trail back to the highest parent node you do not own and remove that one.
How to Exclude a Single Asset
There are a few ways to exclude an asset from your organization. If you are viewing its Details page, you can click the blue Remove button in the top right-hand corner and confirm your choice in the modal that pops up.
How to Exclude Multiple Assets
If there are multiple assets you want to exclude from your organization, you can do so at one time with the multi-select feature.
Click one or more of the checkboxes on the left side of the table rows to open a banner at the bottom of the screen with a Remove button. Click the button and confirm your action in the modal that pops up.
Remove a Seed
If following the trail back from a discovered asset brings you to a seed that does not belong to you, you can visit the Seed Data page and remove it. This will ensure that all of the assets discovered from the incorrect seed are removed from your workspace.
View Excluded Assets
You can access the list of assets that you’ve excluded from your attack surface by selecting the Excluded Assets menu item from the user menu.
If you accidentally excluded an asset or decide to restore an asset to your collection for any reason, click the "Restore" link on the right-hand side of the table in the asset row, and confirm your choice in the modal that pops up.
You can also click the "Logbook" link on the right-hand side of the table to see logbook events pertaining to the excluded asset.
Next Step
Now that your inventory is groomed and accurate, it's time to baseline your attack surface to understand what's normal and what's not.
Comments
0 comments
Article is closed for comments.