The Attack Surface Management Category Series: Internet Scanning Frequency
With all the noise in the Attack Surface Management (ASM) market, we’re noticing a lot of confusion around what makes up the solutions in this category. This series will shine a light on what makes up an ASM solution so that you can better assess the tools on the market.
As with any emerging category of solutions that comes up in the market – cybersecurity or otherwise – there are legitimate products that define the category, and others that fall short. Some are shoehorned to fit into the category to capitalize on the buzz; others have some of the features, but none of the category-defining ones; and yet others are listed as such to attract customers, but in execution don’t deliver everything the category calls for.
With our recent visits to RSA and Gartner, one of the top things we heard was that what makes up an ASM solution was murky, at best. In fact, some of the vendors putting themselves in the ASM category are unintentionally giving ASM solutions a bad reputation. Their inability to provide clarity around surfaced assets and the amount of false positives or noise that these “solutions” are generating makes for an ineffectual tool that, frankly, we wouldn’t want to use either.
This series will go through what makes up an Attack Surface Management solution, starting with how frequently your ASM solution should be scanning the internet.
The definition of an Attack Surface Management solution
But first, let’s define Attack Surface Management.
Your attack surface is made up of assets your organization owns that are also accessible from the internet. This could be anything from cloud storage buckets from your many cloud service providers; different types of VPNs; servers; hosting providers; and many others – think anything that’s publicly available on the internet. If it’s visible to anyone on the internet, it’s definitely visible to threat actors.
In a recent report, Forrester defined an Attack Surface Management as, “The process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity’s IT asset estate.”
Most organizations have vulnerability management tools in place and do pen testing. However, these tools still allow for gaps in visibility, especially when it comes to exposed assets.
Your ASM solution should scan the internet frequently
Because business is primarily conducted online these days, your attack surface is expanding and changing – it’s constantly in flux. And a proper ASM solution needs to be able to keep up with that activity by conducting frequent scans.
Additionally, containers and serverless environments have made the landscape particularly ephemeral, so an ASM solution must work at the speed of the cloud. If something is on the public internet, there’s a high chance that someone, somewhere will know about a newly exposed host before you do, and you need to stay ahead of them. Censys’s research shows that attackers begin full internet scans for vulnerable systems within hours of public vulnerability disclosure. If the latest and greatest vulnerability hits the news, you need to know where all your vulnerable and exposed assets are today, not what was exposed a week ago or a month ago.
How often does Censys ASM scan the internet?
Censys has several schedules for discovery based on our experience scanning the internet:
- Global Scan of Popular Ports. We scan the whole IPv4 space on 137 ports with IANA-assigned services every day.
- Cloud Provider Scans. Since many cloud hosts are ephemeral, we scan the 1,440 most popular ports on Amazon, Google, and Azure hosts every day.
- Global Scan of Less Popular Ports. We scan the whole IPv4 space on 3,455 additional ports on a regular basis, completing a walk every 10 days.
- Global Scan of Every Other Port Number. We scan the entire IPv4 address space across ALL ports (65535) at a low background rate.
Once a service has been discovered, Censys prioritizes refreshing the information about that service to ensure it is accurate and up to date.
Once a day, the age of each of the ~2.1 Billion services in our data set is checked. Any (unnamed) service with an observation timestamp older than 24 hours is rescanned. With this process, the average age of high-value service data is about 16 hours.
An astounding 69% of organizations have experienced some type of cyberattack in which the attack itself started through the exploit of an unknown or unmanaged internet-facing asset. For reasons like this, it’s essential that teams look for an ASM solution that prioritizes frequent scanning to ensure freshness of data.
Explore your organization’s attack surface with Censys ASM.