Follow the Trail, Investigate Your Attack Surface

Censys utilizes its industry-leading Internet data sets and research-backed knowledge about relationships between assets to present a current and comprehensive public inventory belonging to your organization. 

For traditional asset types, such as hosts and names, the Censys attribution process uses a rules engine to build out a decision tree. The decision tree begins from seed data: assets that are, with full confidence, owned and managed by your organization. Branches to new assets are created when the evidence for a relationship between a parent node (a member of the tree) and a potential child node crosses a predefined confidence threshold.

You can use the trail as a starting place and guide for your own investigation as you discover and monitor your attack surface.

Seeds

Many seeds come from public Internet artifact repositories such as WHOIS and DNS and are often traditional asset types such as:

• Autonomous Systems
• Netblocks
• Domain names

Your organization can also seed the platform with more ephemeral assets from public Cloud Server Provider accounts using a Censys Cloud Connector to add asset types such as:

• Storage Buckets
• Dynamic cloud IP addresses
• Subdomains

Trail Layout

Each asset type can be discovered and attributed from a variety of parent types, and trails vary in length from zero parent nodes (which means the asset is a seed) up to five.

In the ASM app, Censys displays a trail from your seed data to each asset that is attributed to your organization. A trail is present on every asset details page that shows you the path Censys took to the asset you're viewing.

The relationships between parent nodes and child nodes are listed below, grouped by the type of asset that is added.

Host Trails

The chains of relationships that end in a host can be long or short. If your organization is large enough to have allocated sections of IPv4 address space (i.e., netblocks or ASes), these hosts are almost permanently attributed to you, and the trail is rather short. 

In other cases, hosts are attributed via DNS records or because they are presenting assets (such as certificates) attributed to you.

• ASN → IP network 
  • The set of sequential IPv4 addresses (indicated by the prefix) is within an Autonomous System belonging to your organization.
• IP network → IP address
  • The IPv4 address is within an IP range belonging to your organization.

• Domain name → IP address
  • The IP address is present in a DNS A Record with a domain name belonging to your organization.

• Certificate → IP address
  • The IP address presented a certificate belonging to your organization when a Censys scanner initiated a TLS handshake.

Certificate Trails

Certificates are not seeds, so they are always found because of the names they contain or from the hosts they are presented by.

• Domain name → Certificate 
  • The certificate's name section contains the domain name belonging to your organization.

• IP address → Certificate 
  • The certificate was presented by an IP address belonging to your organization when a Censys scanner initiated a TLS handshake.

NOTE: If a certificate is presented by a host belonging to your organization but does not contain any names attributed to you, an ownership field will indicate "unknown."

Domain Trails

While domain and subdomain trails are often connected to each other by the natural hierarchy of the Domain Name System, the familial relationship of name servers can also feature prominently in these trails.

• Domain name (A) → Domain name (B)
  • Domain name B is a subdomain of domain name A which belongs to your organization.
• IP block  → Domain name
  • The domain name was seen to resolve to an IP address in an IP block belonging to your organization in the past 90 days.  
• Name Server → Domain name
  • Within the past 90 days, a domain appeared in a NS record with a name server belonging to your organization.
• Domain  → Name Server 
  • Within the past 90 days, a (non-shared) name server appeared in an NS record with a domain belonging to your organization.

Correcting Misattributed Assets

If you identify a jump that erroneously brings assets into your attack surface, you may click on the erroneous asset in the trail and click the Remove button. This will sever the decision tree, removing any assets found “underneath” that identified asset.