Custom attribution for your attack surface using the Censys Python CLI
Censys has introduced a new add-seeds CLI command for the censys-python project that enables customers to automate adding seeds to their attack surface based on search terms from Censys Search. This is an extremely powerful means of customizing your attack surface.
Finding unknowns is hard
An organization’s attack surface can be complex. With hosts scattered across the globe, in data centers, offices, cloud providers, or employee home networks, finding a way to shepherd any rogue, unmanaged assets is a never-ending battle for security teams. For example, an employee could accidentally expose RDP on their corporate Windows laptop to the public internet from their home IP address. It’s important for organizations to understand and manage those exposures, even when they are not formally in their own “sanctioned” networks. At Censys, we refer to the process of discovering all known and unknown hosts for a customer as attribution.
In the attack surface management market, there are several ways in which attribution can be performed:
- Not at all: Suffice to say that some vendors simply allow you to enter known IP ranges, and will completely miss anything that you don’t know about, such as rogue hosts with certificates, domains, or IPs. Vulnerability Management companies fall into this category. So do free and paid services that simply monitor IP ranges.
- Red teaming as a service: Companies that utilize this method can obtain high quality results with low false positives, but generally will miss additional items, and will be slower at identifying risky assets.
- Open-source red teaming: Utilize the bug bounty community to pull asset information in. However, the quality of this information can vary widely, since it will depend on the skill level of the freelance contributor, and require a ton of manual grooming.
- Built-in & custom automated attribution: Companies utilizing automated attribution will rely on automating the first two categories via software. Additionally, the best attack surface management vendors will allow companies to customize attribution by enabling practitioners to specify facets of their assets they can use to find their own infrastructure and pull it into their attack surface. Censys specializes in automated built-in and custom attribution, and touts the lowest false positive rate based on customer feedback.
The power of search compels you
With the addition of the add-seeds command to the Censys Search Python client, you can now write a simple script that defines custom attribution pivots and finds more assets that belong to you based on unique facets that they expose through our rich search platform.
Let’s say your organization follows a naming standard for all hosts that run Windows: each Windows host name must start with the term “FOOCORP.” Using Censys Search, you can write a search query that identifies any host having an RDP certificate (which will match the NetBIOS name) to discover these devices, then pipe them into the Censys CLI asm add-seeds command to automate adding them to your attack surface:
censys search 'same_service(services.service_name: RDP AND services.tls.certificates.leaf_data.subject_dn: FOOCORP)' | jq -r '[.[].ip]' | censys asm add-seeds -i -
You can create custom pivots with this method using whatever powerful search syntax you want. Try using search to find your own assets today and add them to your ASM account.
To ensure your attack surface is kept up to date with these results, simply automate running the command using cron or another scheduler.
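When the pipeline runs unattended, a query that matches more than intended will quietly add other people's hosts as seeds. The filter below is an added example, not code from Censys or the censys-python project: it can stand in for the jq stage and only passes along valid, publicly routable, de-duplicated IPs, refusing outright if the result set is suspiciously large. It assumes the search output is a JSON array of objects with an "ip" field, as the jq filter above implies; the MAX_SEEDS value and the function name are hypothetical.

```python
#!/usr/bin/env python3
"""Vet `censys search` hits before they become ASM seeds (added example).

Assumed input: JSON array of hit objects, each with an "ip" field, as the
article's jq filter implies. Output: JSON array of IP strings.
"""
import ipaddress
import json
import sys

MAX_SEEDS = 500  # hypothetical ceiling; a broad query should fail loudly


def vet_seeds(hits, max_seeds=MAX_SEEDS):
    """Return sorted, de-duplicated, publicly routable IPs from hits."""
    if not isinstance(hits, list):
        raise ValueError("expected a JSON array of search hits")
    seeds = set()
    for hit in hits:
        raw = hit.get("ip") if isinstance(hit, dict) else None
        if not isinstance(raw, str):
            continue  # hit without a usable "ip" field
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # not an IP address
        if addr.is_global:  # skip private, loopback, link-local, reserved
            seeds.add(addr)
    if len(seeds) > max_seeds:
        raise ValueError(f"{len(seeds)} seeds exceeds the limit of {max_seeds}")
    ordered = sorted(seeds, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered]


def main():
    text = sys.stdin.read()
    try:
        # Empty input is treated as "no hits"; bad JSON raises ValueError too.
        seeds = vet_seeds(json.loads(text) if text.strip() else [])
    except ValueError as exc:
        sys.exit(f"refusing to emit seeds: {exc}")
    json.dump(seeds, sys.stdout)


if __name__ == "__main__":
    main()
```

Saved under a name of your choosing, the script reads the search output on stdin and writes the seed list on stdout, so it sits between censys search and censys asm add-seeds -i - in the scheduled job.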
The add-seeds functionality is in beta, and we’d love your feedback. You can try it out now by installing it via pip (note, the above command also utilizes the jq command to extract IPs that are pumped into your ASM seeds list):
pip install censys==2.0.5b1