High-Fidelity Attack Surface Mapping

April 12, 2021

Post by Jeremiah Grossman

“High-fidelity” is the reproduction of sound with little distortion, resulting in a product very similar to the original. Similarly, in information security, having a clear picture of your attack surface is critical. Breaches happen when adversaries know more than you about your attack surface. These days, you simply cannot afford to have a low-fidelity attack surface map. Clarity and precision keep you ahead of the bad guys. This is why Bit Discovery introduced “high-fidelity” attack surface mapping.

Security tools and processes, particularly within vulnerability management and penetration testing, perform some attack surface mapping. However, the quality of the result varies and often leaves glaring blind spots. Some tools focus on identifying as many assets as possible across an enterprise but only go an inch deep in understanding each asset. These tools miss listening services, software distribution and versions, system configuration, and so on. Other tools focus on going deep into each asset but miss assets that are located in the cloud, hosted by third parties, forgotten legacy systems, test/development systems, spread across disparate business units, etc. Therefore, very few organizations have an up-to-date attack surface map because it’s not a core competency of the tools they use.

To get a high-fidelity picture of your organization’s Attack Surface, you need 3 things:

1. Horizontal Coverage

Cast a wide net, polling the entire Internet for every asset an organization owns. An asset, as defined by hostname/IP-address, includes those located across domain names, brands, hosting providers, etc. Assets may be hosted on-premises, in the cloud, or in 3rd-party applications; labeled under subsidiaries & sub-brands; physically located across geographically distributed data centers; and connected through non-contiguous IP ranges.

2. Vertical Coverage

It’s important to have a deep understanding of each asset that you own. From security posture to technology stack to geolocation, every asset detail matters. This includes listening services (i.e., open ports), installed software and versions, ASN, and TLS certificate information. Various fingerprinting techniques may reveal the usage of authentication, CAPTCHAs, CSP, HSTS, load balancers, web application firewalls, programming languages, web widgets, content delivery networks, and much more.

3. Frequent Coverage

New domain names may be registered at any time, often for new product launches, marketing promotions, or even domain squatting. Internet-connected assets may be deployed and decommissioned hour by hour or day by day. New ports/services may be opened and closed even more frequently. In addition, the software running on each surface may be frequently updated as well. Frequent and automated reanalysis of horizontal and vertical coverage is absolutely necessary for an up-to-date attack surface map.
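
To make the reanalysis step concrete, here is an added example (not code from the original post or from Bit Discovery) that diffs two inventory snapshots and reports horizontal changes (assets added or removed) and vertical changes (ports, software versions, TLS certificate expiry). The snapshot layout, field names, hostnames and values are all assumptions constructed for illustration.

```python
# Added example: diff two attack surface snapshots taken at different times.
# Snapshot layout (an assumption): asset key (hostname or IP) -> asset details.

# Constructed sample data, not real inventory.
SNAP_OLD = {
    "www.example.com": {"ports": [80, 443], "software": {"nginx": "1.18.0"},
                        "tls_not_after": "2021-09-01"},
    "legacy.example.com": {"ports": [443], "software": {"apache": "2.2.15"},
                           "tls_not_after": "2021-05-01"},
}
SNAP_NEW = {
    "www.example.com": {"ports": [80, 443, 8080], "software": {"nginx": "1.19.9"},
                        "tls_not_after": "2021-09-01"},
    "promo.example.net": {"ports": [443], "software": {},
                          "tls_not_after": "2021-07-15"},
}

def diff_snapshots(old, new):
    """Return a sorted list of (change_kind, asset, detail) tuples."""
    changes = []
    # Horizontal coverage: assets that appeared or disappeared.
    for host in sorted(new.keys() - old.keys()):
        changes.append(("asset_added", host, None))
    for host in sorted(old.keys() - new.keys()):
        changes.append(("asset_removed", host, None))
    # Vertical coverage: details that changed on assets present in both.
    for host in sorted(old.keys() & new.keys()):
        o, n = old[host], new[host]
        o_ports, n_ports = set(o.get("ports", [])), set(n.get("ports", []))
        for port in sorted(n_ports - o_ports):
            changes.append(("port_opened", host, port))
        for port in sorted(o_ports - n_ports):
            changes.append(("port_closed", host, port))
        o_sw, n_sw = o.get("software", {}), n.get("software", {})
        for name in sorted(set(o_sw) | set(n_sw)):
            if o_sw.get(name) != n_sw.get(name):
                detail = f"{name}: {o_sw.get(name)} -> {n_sw.get(name)}"
                changes.append(("software_changed", host, detail))
        if o.get("tls_not_after") != n.get("tls_not_after"):
            changes.append(("tls_cert_changed", host, n.get("tls_not_after")))
    return changes

if __name__ == "__main__":
    for kind, host, detail in diff_snapshots(SNAP_OLD, SNAP_NEW):
        print(kind, host, "" if detail is None else detail)
```

Run on every scan cycle, the output becomes a change feed: a new asset or newly opened port is a review item, and a removed asset is a prompt to confirm that decommissioning was intentional.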