Hot Take Incoming…….
Warning……
I am going to come right out and say it, and it will sound completely arrogant, but I think the majority of Attack Surface Mapping vendors out there are doing it wrong.
ASM, for those who are new to blogs like this, stands for Attack Surface Mapping. This process looks at an organization or business from the view of the internet and then gives the business an idea of what it “looks like” from the outside, i.e. “How does a hacker see their potential target?” The majority of vendors and tools I have seen so far present this view as they would a vulnerability report. (I will admit that I have not seen everything.) This schism is starting to remind me of the early days of penetration testing, when vulnerability reports were often handed out as penetration tests.
Many of the tools and services I have seen basically collect information from internet sources, and some may also do their own network and port scanning. The internet sources are often GreyNoise or Shodan. Some include intelligence feeds and the latest vulnerability reports based on the environment discovered.
To me, what is currently being sold is just another type of vulnerability management, and probably something that is already being done in many organizations. Some vendors are starting to include the cloud or other SaaS vendors, and I think this is starting to go down the right path. I have seen one vendor allow you to include other third parties in your risk view, but it is a very manual process.
This is not the only thing that we should be focusing on in terms of ASM in my opinion.
I have started putting together a few scripts that do ASM in a way that, in my personal opinion, is being missed. The first set of scripts I have roughed up are basically just some DNS queries. The scripts are written as if you are looking at a larger environment and need to break things down into more manageable chunks. The chunks start at one set of queries per record type. For now, I am only going to work with SOA, NS, and MX records. To me, these can tell quite a story about an organization. I will move on to other portions of DNS and other tools later in this series.
For now, let’s assume we have about 100 domains that we know our organization owns. By quickly scanning these three DNS record types, I can start to get an idea of how many domains have been registered outside of the normal large corporate process: “Shadow IT,” as many of us call it. I can see who might not be using the normal large corporate DNS infrastructure, which might be another example of “Shadow IT.” If I look at MX records and see a few stragglers, those might be the domains I would try to harvest emails for first, the thinking being that these few outlier domains will not be behind the large corporate email filtering solution. Just maybe the odds of my phishing going through might be better.
Anyway, here are some very simple bash scripts to check out. The output goes to a CSV file, which I then upload into a small local instance of Splunk that I am using to help build some pretty pictures. I have included the very basic SPL to get you started. (I am not a Splunk guru at all.)
Back to computers …….. More strong opinions about ASM here….
Add your own strong opinions below…