Attack Surface Discovery
What is Attack Surface Discovery / Management?
Attack surface discovery or management enables continuous monitoring of an organization's infrastructure and external assets. The goal is to detect vulnerabilities and security weaknesses as they arise.
Its main value of attack is finding blind spots like forgotten or missing acquisition infrastructure or unaccounted for dev and production machines that were lost during internal restructuring or staff change.
Ostorlab's Attack Surface Discovery finds internet-facing assets, including domain and subdomains, IPv4 and IPv6 addresses, and Mobile Applications on the Android Playstore and iOS Appstore.
Ostorlab's Attack Surface Discovery provides these capabilities:
- Asset Discovery goes beyond simple subdomain enumeration, like registry correlation, shallow crawling, shared analytics, reverse lookups, etc.
- Asset Management uses a hierarchical ownership model grouped into 4 categories, Internal, Acquisition, 3d Party Service, and Excluded Assets.
- Continuous Asset Scanning using either intelligent asset change detection, like a website cache invalidation header, Mobile Application release, or using simple time scheduling CRON rules.
- Powerful Attack Surface visualization to validate and identify asset connections and correlations that enable large-scale data representation.
- Powerful search and visualization options to zoom in on selected portions of the attack surface or the organization hierarchy.
Finding your Attack Surface
Finding your attack surface starts by seeding in a list of known assets. This includes IP addresses, domain names, or Mobile Applications.
But before we go over how to add an asset, let's first review the different sections of the attack surface menu.
The menu has 4 sections and 2 views.
- An actions section to interact with the confirmed and potential assets.
- A search and filtering bar to control what is shown and how it is shown. This bar affects all tables and visualizations in the menu.
- An asset table that can show both confirmed and potential assets depending on the selected mode.
- A visualization menu that shows a graph of assets and their connections in both 2D and 3D modes.
The 2 views are for confirmed and potential assets. Switching views affect the actions menu and the asset table.
Adding an Asset
To add an asset, go to the attack surface menu and click on the
Add Asset button, you then need to define an Owner of
The owner defines an entity, group, team, or organization responsible for a group of assets. An owner has a name, a type (Internal, Acquisition, 3rd Party Service, or Rejected), a parent owner for a hierarchical group, and a contact email or user.
Once an owner is selected or created, define the asset type and set the asset value, like domain name, IP address, or select the application from the store.
Once an asset is added, you can access it in the Inventory Section of the Attack Surface menu.
Ostorlab requires a set of Assets to be added to seed the asset discovery. Asset discovery is a continuously running process to find new assets as they appear.
To list the potential assets, change the view mode to
Discovered at the left top corner. The assets table will show the
potential assets ordered by score. The score computes the likelihood an asset belongs to the same org as the confirmed
The more assets are confirmed, the better is the asset discovery algorithm in finding other similar assets.
Discovered assets can either be confirmed by clicking the assign owner button and selecting or creating an owner. Or can be rejected to hint to the asset discovery algorithm that this is an external asset. This can include 3rd party services like a DNS service, a CDN, or a SaaS provider.
The discovered assets have more flavors than the traditional subdomain, IP, and Mobile App. It also includes Whois organization, address, geolocation, TLD, developer identity, personal contact, etc.
These can also be confirmed as belonging to the organization to finetune the asset discovery algorithm. For instance, if an organization owns a Whois record, validating that whois record will affect the score of all assets connected to it.
Attack Surface Monitoring
Once your attack surface is confirmed, you can enable continuous monitoring of these assets. To do this, select
the assets in the Inventory view and click on the
The monitor helps create monitoring rules with settings like when the scans should be triggered as well as other settings like credentials, QPS, proxy settings, etc.
For this reason, only assets of the same type can be grouped into a single monitoring rule.
Once assets are confirmed, the next step is to configure the timing of the scan. Two options are possible, either CRON based which is a simple way to define recurrent schedules, like once a week, once a month, the first Monday of each month, etc.
The second option is the continuous mode. The continuous mode uses data and hints collected from the target asset to detect changes, like store version, cache tags, or API schema changes.
The other options are typical to the asset, including setting the credentials, QPS, and Proxy for a Web Scan or credentials and UI Rule for a Mobile Scan.
Managing Inventory and Owners
Each asset has an owner. Owners are grouped in a hierarchy and each owner has a designated contact.
Ostorlab defines 4 categories of owners:
- Internal: anything the organization owns internally. This helps find more assets by the Asset Discovery algorithm.
- Acquisition: simply acquisitions that are not yet integrated internally. These also help find potential assets.
- 3rd Party Service: anything the organization or its acquisition is using but not owning. These will not result in excluding noisy assets not owned or controlled by the organization.
To add an owner, go to the Inventory menu and then Owner. Each owner has an add button to toggle the add owner form. You can also, use these menus to list the assets owned by that owner, edit them or delete them.
Advanced Search and Navigation
The Attack Surface menu is equipped with a powerful search to perform actions like:
- Filtering by asset type or owner
- Search by keyword to find confirmed or potential assets with suggested keywords
- Change the limit and depth of the graph to find more assets and more connections. Depending on your machines, the visualization algorithms are optimized to view up to 80k assets in the 3D model and way more in the 2D model.
Simply click on the search menu and you will get a set of suggestions of support keywords, either click on one or type it directly.
Attack Surface Data Collection
The Attack Surface engine relies on a unified large graph representing internet-facing assets and their known connections.
Assets are added as nodes into the graph and continuously running scans will analyze these nodes for connections, like enumerating subdomains, brute-forcing iterations, resolving the IP addresses of different record types, collecting Whois data, extracting BGP AS numbers, or simply scanning and crawling the target.
The collected data create of elaborate nodes and edges that help find links and correlations between assets.
The data collection runs multiple types of scans of different levels of throughness at different frequencies, hence new potential assets will vary continuously based on the collected data.
The potential assets detection algorithm runs in real-time and returns a varying view based on the current data stored.
Attack Surface Data Updates
A significant challenge of attack surface discovery is ensuring the data collected is accurate, up-to-date, and as complete as possible.
Ostorlab's approach to ensuring the data is current relies on bucket-ization of assets into 4 generations. Each generation represents a set of properties of when it was first seen and last updated.
The approach is similar to garbage collection algorithms used by programming language runtimes like Python or Java.
The result of this approach is that data that changes is often scanned, and the rare changes are scanned at a much lower frequency.
This approach allows for efficient use of resources to provide an accurate and up-to-date view of the collected assets and their connections.