1. Censys
  2. Censys Attack Surface Management
  3. Shrinking Your Attack Surface

Other Articles In This Section

In this article:

Follow the Path, Investigate Your Attack Surface

  • Updated

Censys leverages its industry-leading, Internet-wide data sets and research-backed knowledge about asset relationships to present a current and comprehensive public inventory belonging to your organization.

The Censys attribution process begins from seed data: assets that are, with full confidence, owned and managed by your organization. Branches to new assets are created when the evidence for a relationship between a parent node (a member of the tree) and a potential child node crosses a defined confidence threshold.

You can use the discovery path as a starting place and guide for your own investigation as you discover and monitor your attack surface.

Seeds

Many seeds come from public Internet artifact repositories such as WHOIS and DNS and are often traditional asset types such as:

  • Autonomous Systems

  • Netblocks

  • Domain names

Your organization can also seed the platform with more ephemeral assets from public Cloud Server Provider accounts using a Censys Cloud Connector to add asset types such as:

  • Storage buckets

  • Dynamic cloud IP addresses

  • Subdomains

Discovery Path Layout

Each asset type can be discovered and attributed from a variety of parent types, and paths vary in length from one (which means the asset is a seed) up to five.

In the ASM app, Censys displays a discovery path from your seed data to each asset that is attributed to your organization. A discovery path is present on every asset details page that shows you the path Censys took to the asset you’re viewing.

Censys discovery path on a details page
Figure 1. An asset Details page with the discovery path highlighted

The relationships between parent nodes and child nodes are listed below, grouped by the type of asset that is added.

Host Discovery Paths

The paths that end in a host can be long or short. If your organization is large enough to have allocated sections of IPv4 address space (i.e., netblocks or ASes), these hosts are almost permanently attributed to you, and discovery paths are rather short.

In other cases, hosts are attributed via DNS records or because they are presenting assets (such as certificates) attributed to you.

  • ASN → IP network

    The set of sequential IPv4 addresses (indicated by the prefix) is within an Autonomous System belonging to your organization.

    Path to a netblock from an autonomous system
    Figure 2. Path to a netblock from an autonomous system

  • IP network → IP address

    The IPv4 address is within an IP range belonging to your organization.

    Path to a host from an autonomous system
    Figure 3. Path to a host from a CIDR block

  • Domain name → IP address

    The IP address is present in a DNS A Record with a domain name belonging to your organization.

    Path to a host from a domain
    Figure 4. Path to a host from a domain

  • Certificate → IP address

    The host presented a certificate belonging to your organization when a Censys scanner initiated a TLS handshake.

    Path to a host from a certificate
    Figure 5. Path to a host from a certificate

Certificate Discovery Paths

Certificates are not seeds, so they are always found because of the names they contain or because of the hosts that present them.

  • Domain name → Certificate

    The certificate’s name section contains the domain name belonging to your organization.

    Path to a cert from a name

  • IP address → Certificate

    The certificate was presented by a host in your attack surface when a Censys scanner initiated a TLS handshake.

    Path to a cert from a host
Note
 If your organization does not own all of the names listed on a certificate, an ownership field will indicate "unknown" and the certificate will not be used to discover additional assets.

Domain Discovery Paths

While domain and subdomain paths are often connected to each other by the natural hierarchy of the Domain Name System, the familial relationship of name servers can also feature prominently in these paths.

  • Domain name (A) → Domain name (B)

    Domain name B is a subdomain of domain name A, which belongs to your organization.

    Path from a subdomain to a domain

  • IP netblock → Domain name

    The domain name was seen to resolve to an IP address in an IP block belonging to your organization in the past 270 days.  

    netblock to domain

  • Domain → Name Server

    In the past 270 days, a (non-shared) name server appeared in an NS record with a domain belonging to your organization.

  • Name server → Domain name

    In the past 270 days, a domain’s NS record showed that it was using a name server belonging to your organization.

Path showing a domain-to-name-server pivot

Correcting Misattributed Assets

If you see an IP address, TLS certificate, or domain name that you are certain does not belong to you, you can opt to exclude it from your organization. Follow this how-to guide.

Related articles

Comments

0 comments

Article is closed for comments.