Documentation
Start typing to search…

Baseline Your Attack Surface

Leverage the Censys Attack Surface Management platform to track what's normal and spot outliers faster.

With your entire Internet presence cataloged by Censys Attack Surface Management, try conducting a few baseline exercises to help you define what is normal and what is not normal within your organization. Then, outliers will be easy to spot, and you can find opportunities to tighten your attackable surface area by migrating outliers to your sanctioned policies.

Select an inventory type and use the Attack Surface Management platform to answer the questions below:

Certificate Baselines

  • Certificate Issuers
    • Is my organization obtaining certificates from my preferred registrar?
    • Are there certificates issued by issuers I do not want my organization to use?
  • Certificate Names
    • Does my organization use wildcard names in certificates?
    • Are names appearing together on my certificates the way I expect?
    • Are all of the unexpired certificates in my collection in use?

Host Baselines

  • Data Centers and Clouds
    • In which data centers or clouds is most infrastructure located?
    • Is my organization using my CDN or Webhosting Provider for the names I expect?
  • Services
    • Do the services on my organization's hosts appear on unexpected ports?
  • TLS Versions and Cipher Suites
    • Are my hosts using modern, secure versions of TLS with strong cipher suites?

Domain Baselines

  • Domain Registrars
    • Is my organization registering domains with my preferred vendor?
    • Are my DNS records being served from the name servers I expect?

Software Baselines

  • Sanctioned Software
    • What does my organization's software footprint look like?
  • End-of-Life Software
    • Are any of my hosts running software versions that their vendors no longer support?

To baseline your attack surface, we recommend using the filters available on every inventory list page and tagging assets with outlier attributes. For more information on tagging, review our technical documentation.

Baseline your preferred domain registrar

Let’s say that your business uses CSC Corporate Domains for IT Service Management. You want to log in at any time and check whether any domains belonging to your organization are registered with a registrar or reseller apart from your single-sanctioned vendor.

Use this example exercise in other areas of your attack surface to spot changes in assets that don’t match your expectations.

Create a baseline filter

  1. From the Censys web console, click Inventory > Domains.

  2. Use Search shortcuts to create a rule that reads Registrar does not contain CSC.

    👍

    Tip

    To account for spelling variations in WhoIs data, we recommend using the Does Not Contain operator instead of the Is Not operator.

  3. Review the list of domains with outlier registrars to determine the appropriate action. You can use tags to help group the outlier assets. An example of a tagging strategy is:

  4. TagDetails
    investigateUse this to indicate you and your team are investigating this domain and how it should be administered.
    move-to-cscUse this to group domains that you want to be moved over to CSC.
    acceptedUse this to indicate a domain's non-standard registrar has been sanctioned.

  5. After this is done, adjust your baseline filter to continue to find assets that are out of compliance.

  6. You can revisit the search regularly to spot-check new domains that appear within your attack surface but are not administered by CSC.

Next Steps

Learn more about Censys Attack Surface Management assets and all the information you can use to establish baselines and investigate aberrations.

Updated about 1 month ago