A National Financial Institution Uses Censys to Fight Phishing
As an early adopter of Censys, a large financial institution shared information with us about how it uses Censys scans and queries to improve its overall security posture.
The information security analyst at the institution explained how he heard about Censys early on and tested it to scan for certificates. He was evaluating a few other certificate-based scanning solutions, but the information Censys had on certificates in general and the amount of data we collected on them is what initially sold him on using Censys.
“We had looked at a couple other scanners that just scanned certificate transparency logs or the internet as a whole and we ran into various issues as they just didn’t have the same or as much data,” he explained.
“Censys was the product that has been the easiest to use and it’s been running smoothly since we implemented it.”
Protecting the Institution’s Reputation, Customers, and Employees with Censys
The institution started using Censys to make sure it protected its reputation. One of the keys to that mission is having visibility into when new phishing sites are stood up, so that it can protect its customers and, in some cases, its employees whenever either group is targeted by a phishing site.
Initially, the institution’s certificate management team was simply scanning for anything that contained the company name. “As part of that process,” explained one of the organization’s software developers, “we started seeking out phishing domains such as ‘*[part of our company name]*’.”
Protecting Employees from…Themselves
Like employees at most organizations around the world, this institution’s employees are focused on getting their jobs done quickly – which sometimes means they aren’t thinking about the negative security implications of their actions. One of the challenges the institution’s security team was trying to manage is that of employees creating external corporate certificates and domains without following the institution’s internal process.
“Sometimes a department will go out there and make up a domain and buy it on their corporate credit card,” said one of the institution’s information security analysts. “Censys is one of the ways that we can help catch them doing that because we’ll see these domains in the scan and we can follow up with them and educate them on the correct process they need to follow and help to get them into the governance that we have around domains and certificates.”
And it’s not just about the domains themselves. “The Censys scanning process can help to expand our influence out to all the departments within the organization that we need to work with,” he explained. “We can help get some governance around shadow IT.”
Discovering Unknown and Unmanaged Certificates
Another way the financial organization uses Censys is to uncover unknown certificates. “We use Censys to discover certificates that are issued from certificate authorities that we don’t work with or have a relationship with,” he said. “In that case, we don’t know to track that certificate, so if it expires or is compromised for some reason, then our certificate management team doesn’t know about it. Censys allows us to get visibility we need into those certificates so that we can find and manage them appropriately.”
The primary group using Censys is the institution’s certificate management team. The phishing sites they find during scans, however, go elsewhere: “those are sent to the organization’s cyber security operations team,” he said. “Typically, we see at least twenty new phishing sites a day that get reviewed, so that group reviews those and works with our phishing site takedown tool to remediate the threat.”
How Has Censys Helped Secure Their Organization?
“What Censys allows us to do is go beyond looking at just newly registered base domains, only reviewing the zone files from all of the TLDs,” he said.
“What looking at the certificate data allows us to do is to see all the way down to the subdomain. So you could be looking at a domain that has a good reputation and an adversary takes over an aspect of the management of that domain, such as an administrative panel that allows them to create a sub-sub-subdomain, insert our institution into the certificate and craft a phishing site. The Censys scans help us locate those exploits and mitigate the risk.”
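The three checks described in this case study (names containing the company name, certificates for owned domains issued by CAs the team has no relationship with, and brand names buried several subdomain levels deep under an otherwise reputable domain) can be expressed as a small triage pass over certificate records. The script below is an added illustration written for this page; it is not Censys code and not the institution's tooling. The brand token, the owned domains, the approved-issuer list, and the certificate records are all constructed, and the registrable-domain helper is deliberately naive (a production version would consult the public suffix list and pull records from a real certificate search, which is not shown here).

```python
"""
Defender-side triage over certificate records, modelled on the checks the
case study describes. All data below is constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical institution: brand token and the domains it legitimately owns.
BRAND = "examplebank"
OWNED_DOMAINS = {"examplebank.com", "examplebank.net"}

# Certificate authorities the certificate management team works with
# (constructed list; any other issuer is treated as untracked).
APPROVED_ISSUERS = {"DigiCert Inc", "Let's Encrypt"}


@dataclass
class CertRecord:
    names: list        # subject CN plus SANs, as they appear in the certificate
    issuer_org: str    # organisation name of the issuing CA
    fingerprint: str   # placeholder identifier, constructed


def registrable_domain(name: str) -> str:
    """Naive registrable domain: the last two labels. A real implementation
    would use the public suffix list (e.g. co.uk) instead."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_owned(name: str) -> bool:
    return registrable_domain(name) in OWNED_DOMAINS


def classify(record: CertRecord) -> list:
    """Return (kind, name, issuer) findings for one certificate."""
    findings = []
    for raw in record.names:
        name = raw.lower().lstrip("*.")  # fold wildcard entries onto their base
        if is_owned(name):
            # Owned name from a CA we have no relationship with: the cert
            # management team would not know to track its expiry or revocation.
            if record.issuer_org not in APPROVED_ISSUERS:
                findings.append(("unmanaged_cert", name, record.issuer_org))
        elif BRAND in name:
            # Brand appears in a name we do not own. Depth distinguishes a
            # lookalike registration from a sub-sub-subdomain created under
            # someone else's otherwise reputable domain.
            depth = name.count(".")
            kind = "lookalike_subdomain" if depth >= 2 else "lookalike_domain"
            findings.append((kind, name, record.issuer_org))
    return findings


def triage(records: list) -> dict:
    """Group findings by kind, keeping the certificate fingerprint for follow-up."""
    queue = {"unmanaged_cert": [], "lookalike_domain": [], "lookalike_subdomain": []}
    for rec in records:
        for kind, name, issuer in classify(rec):
            queue[kind].append((name, issuer, rec.fingerprint))
    return queue


# Constructed sample records standing in for a day's worth of search results.
SAMPLE_RECORDS = [
    CertRecord(["www.examplebank.com", "examplebank.com"], "DigiCert Inc", "fp-0001"),
    CertRecord(["portal.examplebank.net"], "Unknown CA Ltd", "fp-0002"),
    CertRecord(["examplebank-secure-login.com"], "Let's Encrypt", "fp-0003"),
    CertRecord(["examplebank.login.cdn.goodreputation.org"], "Let's Encrypt", "fp-0004"),
    CertRecord(["*.examplebank.com"], "DigiCert Inc", "fp-0005"),
]


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_RECORDS).items():
        print(f"{kind}: {len(items)}")
        for name, issuer, fp in items:
            print(f"  {name}  issuer={issuer}  cert={fp}")
```

Findings in the first bucket belong with the certificate management team (bring the certificate under governance); the other two buckets are what the case study says is handed to the security operations team and the takedown workflow. Matching on a bare brand substring will produce false positives for unrelated names that happen to contain the token, so the review step the institution describes remains necessary.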