How Halo Security can help you identify your organization’s attack surface
If your company is like most modern businesses, the internet is essential to your operations. Your websites, servers, and services are all connected to the cloud, removing physical limitations that once restricted businesses.
But as your organization grows and your internet-facing assets begin to multiply, keeping your business protected from digital threats becomes a more complex task. With developers continually adding new websites and services, and acquisitions bringing in new assets, some will inevitably get lost in the shuffle.
To attackers, each asset that touches the internet is a doorway leading to your sensitive data. Hopefully you’ve closed and locked each of those doors, but if you overlook even one, attackers have a potential way to get inside your business.
Keeping tabs on every single asset is the best way to ensure that your attack surface can’t be breached, because you can’t protect your assets if you don’t know they exist. That's why you should always start your cybersecurity efforts by identifying and cataloguing every asset you control. These can include:
- Public-facing websites and web applications
- APIs and mobile backends
- Email servers and other services
- Related websites, domains, and subdomains
- Cloud storage
- Servers, certificates, and IP addresses
So how do you go about compiling all of your internet-facing assets, including the ones you don’t know about? Here’s how we do it at Halo Security.
1. Start with what you know
We like to start off with the easy stuff, like your primary domain and any other websites you're aware of. Then we like to get a list of DNS records from your hosting provider and a list of dedicated IP ranges from your internet service provider (ISP). But if your organization is larger, these lists will only scratch the surface of your true attack surface.
2. Scan for related domains and subdomains
With our Discovery service, we use your known top-level domains (TLDs) to check for the existence of tens of thousands of possible subdomains like staging.example.com or secure.example.com. We use a similar approach to find alternative TLDs, like example.co or example.net that may also be under your control.
3. Scan for active IPs in your network ranges
If you've been assigned static network ranges by your ISP, you can use our Discovery service to detect alive IPs. During the scan, we identify and compile each address that responds to the Internet Control Message Protocol (ICMP) or has open ports.
4. Crawl your content and resources for clues
With Website Monitoring, Halo Security can crawl your websites looking for externally hosted scripts, forms, and iFrames. These sources can tell you of additional assets that may be within your control. We'll also look at alternate names listed on your SSL certificates and redirects from other domains.
5. Deduplicate, compile, and create a positive feedback loop
Once we find new potential assets, we compile, deduplicate, and remove known popular third-party providers. And as each new asset is identified, running the same processes on the found domains can create a positive feedback loop to help you identify even more of your attack surface.
Finding your assets is the first step to better security.
Once all of the assets within your organization are identified, Halo Security's attack surface management solution can help you determine if any should be removed or disabled, and then assign security testing resources to the rest. With complete knowledge of your attack surface and security measures put in place, your business will have a much stronger defense against attackers.
If you're interested in a complimentary discovery, Halo Security experts are here to help. Schedule a free consultation today.
Editor's note (August 2022): This article was originally posted on the TrustedSite blog in Dec 2020. It has been updated for the Halo Security blog.