
Attack Surface Discovery


What is Attack Surface Discovery / Management?

Attack surface discovery enables continuous monitoring of an organization's infrastructure to detect missing and rogue assets. Coupled with vulnerability scanning, it ensures complete coverage of an organization's exposure.

Attack surface discovery helps find blind spots. Common examples are forgotten or unlisted infrastructure from acquisitions, unaccounted-for development and production machines, and assets lost track of during internal restructuring or staff changes.

Ostorlab's Attack Surface Discovery finds internet-facing assets, including domains and subdomains, IPv4 and IPv6 addresses, and mobile applications on both the Android Play Store and the iOS App Store.

Ostorlab's Attack Surface Discovery provides powerful capabilities, including:

  • Powerful graph-based asset correlation that goes beyond subdomain enumeration. Other asset discovery techniques include registry correlation, shallow crawling, shared analytics, reverse lookups, etc.
  • Asset management using a hierarchical ownership model grouped into 4 categories: Internal, Acquisition, 3rd Party Service, and Excluded Assets.
  • Continuous asset scanning triggered either by intelligent asset change detection, such as a website cache invalidation header or a mobile application release, or by simple time-based CRON scheduling rules.
  • Attack surface visualization to identify asset connections.
  • Search and visualization options to zoom in on selected portions of the attack surface or the organization hierarchy.

Finding your Attack Surface

Discovering an attack surface starts by seeding a list of known assets: IP addresses, domain names, or mobile applications. Assets can be added individually or uploaded in bulk from a CSV file.

The attack surface page is broken into 4 sections and 2 views:

  • An actions section to interact with the confirmed and potential assets.
  • A search and filtering bar to control what is shown and how it is shown. This bar affects all tables and visualizations in the menu.
  • An asset table that can show both confirmed and potential assets depending on the selected mode.
  • A visualization menu that shows a graph of assets and their connections in both 2D and 3D modes.


The two views are for confirmed and discovered assets. Switching views affects the actions menu and the assets table.


Adding an Asset

To add an asset, go to the Attack Surface menu and click on the Add Asset button, define an owner for the asset, and set optional attributes like tags, color, or location.

The owner defines an entity, group, team, or organization responsible for a group of assets. An owner has a name, a type (Internal, Acquisition, 3rd Party Service, or Rejected), a parent owner for a hierarchical grouping, and a contact email or user.

Once an owner is selected or created, choose the asset type and set the asset value, such as a domain name or IP address, or select the application from the store.

Once an asset is added, you can access it in the Inventory Section of the Attack Surface menu.

Discovering Assets

Asset discovery is a continuously running process that finds new assets as they appear. To list potential assets, switch the view mode to Discovered in the top left corner. The assets table then shows potential assets ordered by confidence, which is High, Moderate, or Low. The confidence is derived from a score that estimates the likelihood that an asset belongs to the same organization as the confirmed ones.

The more assets are confirmed, the better the platform learns how the organization is structured and the better its recommendations become.

A discovered asset can either be confirmed by clicking the Assign Owner button or rejected, which disqualifies the assets reachable through its connections. An example is a domain name with a CNAME that points to a hosting service: the hosting service should be excluded so that other assets pointing to the same hosting provider are disqualified. This applies to 3rd party services like a DNS service, a CDN, or a SaaS provider.

Discovered assets come in several types: domain, subdomain, IP, mobile app, organization, address, geolocation, TLD, person, email, ASN, etc.

These can also be confirmed as belonging to the organization to fine-tune the asset discovery algorithm. For instance, if an email address is confirmed as belonging to the organization, all Whois records pointing to that email address will be qualified as potential nodes.
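As an added illustration of how connection-based confidence, rejection of a shared 3rd party service, and confirmation of an email address interact, here is a toy scorer. It is not Ostorlab's algorithm: the relation weights, the High/Moderate/Low thresholds, and the sample graph are all constructed assumptions.

```python
from typing import Dict, Iterable, List, Set, Tuple

Edge = Tuple[str, str, str]  # (source, relation, target); direction is ignored when scoring
# Assumed relation weights: how strongly one link suggests shared ownership.
WEIGHTS: Dict[str, float] = {"subdomain": 1.0, "whois_email": 1.0, "cname": 0.6,
                             "resolves_to": 0.6, "asn": 0.2}

# Constructed sample graph around a fictitious organization.
EDGES: List[Edge] = [
    ("example.com", "subdomain", "app.example.com"),
    ("app.example.com", "cname", "lb.hostingprovider.net"),   # shared hosting provider
    ("other-customer.org", "cname", "lb.hostingprovider.net"),
    ("example.com", "whois_email", "admin@example.com"),
    ("example-acquired.io", "whois_email", "admin@example.com"),
    ("example.com", "resolves_to", "203.0.113.10"),
    ("203.0.113.10", "asn", "AS64496"),
    ("unrelated.net", "asn", "AS64496"),
]

def links(node: str, edges: Iterable[Edge]) -> List[Tuple[str, str]]:
    """All (neighbor, relation) pairs touching node, ignoring edge direction."""
    return [(dst if src == node else src, rel) for src, rel, dst in edges if node in (src, dst)]

def confidence(node: str, confirmed: Set[str], rejected: Set[str], edges: Iterable[Edge] = EDGES) -> float:
    """Weighted share of a node's links that lead to confirmed assets. Links to rejected nodes
    (a CDN, DNS host, SaaS provider) are dropped, so they cannot pull other customers in."""
    total = hits = 0.0
    for neighbor, rel in links(node, edges):
        if neighbor in rejected:
            continue
        weight = WEIGHTS.get(rel, 0.1)
        total += weight
        if neighbor in confirmed:
            hits += weight
    return hits / total if total else 0.0

def label(score: float) -> str:
    """Bucket a score into the High/Moderate/Low levels of the Discovered view (thresholds assumed)."""
    return "High" if score >= 0.75 else "Moderate" if score >= 0.4 else "Low"

def discovered(confirmed: Set[str], rejected: Set[str], edges: List[Edge] = EDGES) -> List[Tuple[str, str]]:
    """Potential assets ranked by confidence, as the Discovered view lists them."""
    nodes = {n for src, _, dst in edges for n in (src, dst)} - confirmed - rejected
    return [(n, label(confidence(n, confirmed, rejected, edges)))
            for n in sorted(nodes, key=lambda n: -confidence(n, confirmed, rejected, edges))]
```

Rejecting lb.hostingprovider.net lifts app.example.com to High while other-customer.org drops to Low, and confirming admin@example.com qualifies example-acquired.io through its Whois record.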

Attack Surface Monitoring

Once assets are confirmed, you can enable continuous security monitoring of these assets. To do this, select the assets in the Inventory view and click on the Monitor button.

Only assets of the same type can be grouped into a single monitoring rule.

Once assets are confirmed, the next step is to configure the timing of the scan: either CRON, a simple way to define recurring schedules such as once a week, once a month, or the first Monday of each month, or continuous mode. Continuous mode uses data collected from the target asset to detect changes, like a new store version, cache tags, or API schema changes.

Other configurable options are specific to the asset type, including credentials, QPS, and proxy for a web scan, or credentials and UI rules for a mobile scan.

Advanced Search and Navigation

The Attack Surface menu is equipped with a powerful search to:

  • Filter by asset, asset type or owner.
  • Change the limit of how many assets are shown and the depth of the graph.
  • Zoom on a single asset and its connections.

Click on the search menu. If you are not familiar with the search tags, suggestions of possible values are shown; either click on one and complete it, or type it directly.

Attack Surface Data Collection

The Attack Surface engine relies on a very large graph representing internet-facing assets and their known connections.

Assets are added as nodes to the graph, and scans run continuously to analyze these nodes for correlations: enumerating subdomains, running brute-force iterations, resolving the IP addresses of different record types, collecting Whois data, extracting BGP AS numbers, or crawling web apps.

The collected data produces elaborate nodes and edges that help find links and correlations between assets.

Attack Surface Data Updates

To ensure the collected data is accurate, up-to-date, and complete, Ostorlab buckets assets into generations. Each generation represents a set of properties used to detect changes.

This approach allows for efficient, accurate, and timely detection of asset changes.
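To illustrate the continuous mode described under Attack Surface Monitoring together with the generation mechanism described here, the following is an added toy implementation, not Ostorlab's code: a new generation is opened, and a scan trigger raised, only when one of the watched properties (store version, cache tag, API schema hash) changes. The watched property names and the sample observations are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

@dataclass
class Generation:
    """A bucket of observations that all share the same watched property values."""
    number: int
    properties: Dict[str, str]
    observations: int = 1

class ContinuousMonitor:
    """Opens a new generation, and hence raises a scan trigger, only when a watched property changes."""

    def __init__(self, asset: str, watched: Sequence[str]) -> None:
        self.asset = asset
        self.watched = tuple(watched)
        self.generations: List[Generation] = []

    def observe(self, collected: Dict[str, str]) -> Optional[Dict[str, object]]:
        """Record one collection pass; return a trigger dict on change, None if the asset is unchanged."""
        props = {key: collected.get(key, "") for key in self.watched}  # unwatched keys are ignored
        if self.generations and self.generations[-1].properties == props:
            self.generations[-1].observations += 1  # unchanged: extend the current generation
            return None
        previous = self.generations[-1].properties if self.generations else None
        current = Generation(len(self.generations) + 1, props)
        self.generations.append(current)
        changed = {} if previous is None else {k: (previous[k], props[k]) for k in self.watched if previous[k] != props[k]}
        return {"asset": self.asset, "generation": current.number,
                "reason": "initial" if previous is None else "changed", "changed": changed}

# Constructed observations for a web asset; "server" is deliberately not a watched property,
# so the second pass must not trigger a scan while the third (new ETag and cache tag) must.
WEB_OBSERVATIONS = [
    {"etag": '"abc"', "cache-tag": "v12", "api_schema_sha256": "schema-hash-1", "server": "nginx"},
    {"etag": '"abc"', "cache-tag": "v12", "api_schema_sha256": "schema-hash-1", "server": "apache"},
    {"etag": '"abd"', "cache-tag": "v13", "api_schema_sha256": "schema-hash-1", "server": "apache"},
]

def run_web_demo() -> List[Dict[str, object]]:
    """Feed the constructed observations through a monitor and return the scan triggers raised."""
    monitor = ContinuousMonitor("app.example.com", ("etag", "cache-tag", "api_schema_sha256"))
    triggers = []
    for observation in WEB_OBSERVATIONS:
        trigger = monitor.observe(observation)
        if trigger is not None:
            triggers.append(trigger)
    return triggers
```

The same monitor serves a mobile asset by watching only the store version, so a new app release opens a generation and triggers a scan while unchanged releases are folded into the current one.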