Adding IP Ranges

Recently we were asked if someone should add their known IP space to their inventory. At first, I really struggled to explain why. But after some thinking, I hope this post will explain why IP address ranges should be added to your asset inventory.

Let’s start with an example where your company is “Example, Inc” and you have a primary domain of “example.com”. It stands to reason that “www.example.com” is a very high-value subdomain because it’s how your customers interact with Example, Inc. But let’s say you own another domain with a subdomain of “27jsbhwjj.iiq6s.com”. Is that subdomain of the same importance as “www.example.com”? Just by looking at it, the answer is probably no. Probably.

Every subdomain that you own has a varying level of importance, on a spectrum from high to low. But the problem is that there is no way to know for sure, just by looking at the subdomain, that its level of importance will not become higher in the future. Also, there’s no way to know for certain that a compromised low-value asset won’t allow an adversary to impact a high-value asset. What if it uses the same usernames and passwords as your high-value asset? What if they’re behind the same firewall, so pivoting to the database of the high-value asset is possible? What if the subdomain has source code for valuable assets on it? And on and on.

So the reason we track low-value assets is the same reason we track high-value assets in a security context. We want to ensure none of our assets lead to a large breach. Now, onto IP ranges.

If we know that you own several subdomains of varying importance and some (but not all) of those subdomains point into IP space that you own (versus other people’s IP space), we will monitor your associated IP addresses naturally. But what if you change your DNS from pointing to your own IP address to pointing to a cloud provider, cloud WAF or cloud CDN? Does that mean that the original IP address is no longer valuable? Of course not. Its level of importance may have shifted downwards significantly, but it still has some value.

What if the original IP address in your IP space is still serving up content (e.g., now you’re using Cloudflare but you didn’t protect the origin IP address from being accessible to the Internet)? Does that mean that the IP address has no value, even if no subdomains are pointing to it anymore? In the Cloudflare example, it has tons of value because an attacker can bypass your WAF by going to the origin IP address.

Likewise, what about IP addresses that have no DNS records pointing to them, and never have? Does that mean a developer can’t be building a site on one of them, testing it with a hosts file instead of DNS? Of course not: that can and does happen all the time. That IP address may never have a subdomain pointing at it in the future either. And yet it may be a critical app because it’s a copy of a production instance, or it’s your next big release of some new subsidiary technology or brand, or it can simply be a compromised or vulnerable server that was never meant to be exposed.
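The three cases above (subdomains that resolve into your own IP space, subdomains that now point at a third party, and owned addresses that answer on the network with no DNS name at all) can be separated mechanically once owned ranges are in the inventory. The following is an added example, not code from the original post; the ranges, DNS records and listening hosts are constructed sample data, and in practice the DNS and listening sets would come from your resolver logs and port scans.

```python
import ipaddress

# Constructed sample data (not from the original post): the address ranges
# the organisation owns, and the current A records of its subdomains.
OWNED_RANGES = ["198.51.100.0/24", "203.0.113.0/28"]
DNS_RECORDS = {
    "www.example.com": "192.0.2.10",         # now fronted by a cloud WAF/CDN
    "api.example.com": "198.51.100.20",
    "27jsbhwjj.iiq6s.com": "198.51.100.21",
}
# Constructed: addresses that answered on a web port in a scan of the owned
# ranges, regardless of whether any DNS name points at them.
LISTENING = {"198.51.100.5", "198.51.100.20", "198.51.100.21", "203.0.113.3"}


def in_owned_space(ip, owned=OWNED_RANGES):
    """True if the address falls inside any of the owned CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in owned)


def classify(dns=DNS_RECORDS, listening=LISTENING, owned=OWNED_RANGES):
    """Split the inventory into the three cases the post describes."""
    # Owned addresses that DNS-driven monitoring would already cover.
    named_owned = {ip for ip in dns.values() if in_owned_space(ip, owned)}
    # Subdomains that resolve into someone else's space (cloud provider,
    # WAF, CDN); the owned origin they used to point at is no longer named.
    third_party = {
        name: ip for name, ip in dns.items() if not in_owned_space(ip, owned)
    }
    # Owned addresses that serve something but carry no DNS name: candidate
    # exposed origins, hosts-file dev sites or forgotten servers. These are
    # only found because the ranges themselves are in the inventory.
    orphaned = sorted(
        ip for ip in listening
        if in_owned_space(ip, owned) and ip not in named_owned
    )
    return {
        "named_owned": sorted(named_owned),
        "third_party": third_party,
        "orphaned": orphaned,
    }


if __name__ == "__main__":
    for bucket, items in classify().items():
        print(f"{bucket}: {items}")
```

The "orphaned" bucket is the set that would be invisible to an inventory built from DNS alone, which is the gap the post argues for closing.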

So while the average IP address may be of lesser importance than the average subdomain, both have some importance, and that importance may evolve. This is the core difference between discovery and asset inventory: things change and evolve. Assets change over time; they open ports, their DNS changes, they get compromised, and so on.

There is no such thing as an asset of zero importance if you own it. Everything you own has some level of importance, albeit often low. That includes your IP ranges, even those that may feel sparsely populated after a cursory investigation. Therefore you should add and actively monitor all IP address ranges that you own. Not doing so could amount to absolutely nothing, or it could be risking the entirety of your brand.


Post by Robert Hansen

June 9, 2020