The 3 Most Critical Requirements for Effective Attribution
Attack Surface Management (ASM) is quickly emerging as a critical element of any digital security strategy. Within ASM, a technique called “Attribution” is foundational because it can automatically detect parts of an organization’s external attack surface that the organization didn’t realize existed. And when attribution is automated and efficient, it can adapt to the changes that naturally happen with any active organization. But before we dive into Attribution, let’s talk about the attack surface itself.
Understand threats by establishing your attack surface
The first task in defending any landscape, digital or otherwise, is to establish a perimeter, and an attack surface is just like a perimeter. You need to understand where your liabilities are and where threats could gain a foothold. From there, you can work to understand your level of exposure, how critical the associated risks are, and how to prioritize the things you need to do to protect yourself. But, without an accurate perimeter as a starting point, you could be spending time on the wrong things and leaving important assets vulnerable.
The reality for most modern organizations is that their Internet perimeter, their external attack surface, isn’t easy to map out, and once established, it’s hard to maintain. Some of the reasons for this:
- Digital transformation means more internet-facing functionality across the organization.
- The boom in remote work has demanded more flexibility in access and availability to corporate systems.
- Increasing sophistication in IaaS cloud providers and tools makes it easier than ever to put data and services online.
For those responsible for system security, all of the above have only made it harder to achieve and maintain a sense of visibility and control. An effective security program needs an accurate, up-to-date view of all internet-facing assets.
What is Attribution in ASM?
Attribution is the automated process of finding an organization’s Internet perimeter. Attribution takes some known facts about an organization, such as registered domain names, and makes inferences about what else belongs to that same organization. There are three critical requirements to effective Attribution:
- Get a complete view of what’s out there
- Make smart inferences
- Stay on top of changes
1. Get a complete view.
In order to help people find the stuff they didn’t realize was even theirs, you need a complete view of what’s out there to begin with, and with as much detail as possible to help make the connections. There’s a lot to consider – IP blocks, domain names, certificates, autonomous systems, cloud infrastructure – so it is a massive challenge to stay on top of what’s out there. But without a comprehensive atlas of the total landscape, you don’t have a chance of protecting yourself from threat actors.
2. Make smart inferences.
There are some easy ways to attribute any given asset to an organization. For example, by connecting to any site using TLS (HTTPS) and looking at the domains listed on its certificate, you may find a given organization listed as an owner. But some inferences aren’t quite so straightforward. With some cleverness, and by working with a complete set of reference data, you can have confidence that you are covering a lot of ground when it comes to asset attributions to organizations.
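The certificate-based inference described above, as an added example that is not Censys's algorithm or code from this article: it attributes hosts to an organization by matching certificate names against known seed domains, and flags weak evidence for review. The seed domains, the scan records, the function names and the `min_share` threshold are all assumptions constructed for illustration.

```python
"""Attribute scanned hosts to an organization from certificate SAN names."""

# Assumed seed facts: registered domains already known to belong to the organization.
SEEDS = {"example.com", "example.net"}

# Constructed scan observations: (IP, dNSName entries on the certificate it served).
OBSERVATIONS = [
    ("192.0.2.10", ["example.com", "www.example.com"]),
    ("198.51.100.7", ["*.staging.example.net"]),
    ("203.0.113.5", ["notexample.com", "example.com.cdn.test"]),  # lookalikes
    ("203.0.113.80", ["shop.example.com", "a.other.test",
                      "b.other.test", "c.other.test"]),           # shared cert
    ("203.0.113.99", []),                                          # no SANs seen
]


def seed_for(name, seeds):
    """Return the seed domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):          # wildcard covers subdomains of the remainder
        name = name[2:]
    for seed in seeds:
        # Match on a label boundary so "notexample.com" does not match "example.com".
        if name == seed or name.endswith("." + seed):
            return seed
    return None


def attribute(observations, seeds, min_share=0.5):
    """Classify each host as attributed, review (weak evidence) or unattributed."""
    results = {}
    for ip, sans in observations:
        matched = [n for n in sans if seed_for(n, seeds)]
        if not matched:
            verdict = "unattributed"
        elif len(matched) / len(sans) >= min_share:
            verdict = "attributed"
        else:
            # Mostly third-party names: likely shared hosting or CDN certificate.
            verdict = "review"
        results[ip] = (verdict, matched)
    return results


if __name__ == "__main__":
    for ip, (verdict, names) in attribute(OBSERVATIONS, SEEDS).items():
        print(f"{ip:15} {verdict:12} {', '.join(names)}")
```

The "review" verdict reflects the less straightforward case: a certificate shared with many unrelated names shows that one of your hostnames is served there, not that the host itself is yours.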
3. Stay on top of changes.
Organizations don’t sit still. Being able to rapidly refresh a view of what’s out there and how it connects to you is critical to maintaining visibility and control. Internally, there are always new projects and initiatives that can change an attack surface. Externally, there may be third-party acquisition targets or other reasons to assess surfaces that have an impact on you. In any case, the ability to refresh and adapt to a changing environment is vital, not optional.
Gain the confidence that comes with knowing your attack surface
How are you establishing your perimeter? How confident are you that it is complete? How frequently does it refresh? Attack Surface Management means getting these things right so that you can move on confidently to risk assessment and remediation. At Censys, we are always looking at how to innovate and lead on all the elements of good Attribution. After all, without knowing the whole perimeter, you can’t hope to defend it.
Our attribution algorithm helps customers discover up to 80% of their unknown attack surface.