
Tenable Blog


Do Not Take an IP-centric Approach to Attack Surface Mapping


Relying on IP data to identify assets means you're likely missing critical information needed to map your attack surface.

While many security tools scan and produce data based on IP addresses, it is an arduous process. It relies on companies knowing the IPs of all of their assets, including legacy and shadow assets. Many vendors and tools pass off the hidden cost of finding each asset's IP to companies' employees by forcing them to identify the IPs in question.

IP data misses vital asset information

The easiest way to gather HTTP data on a wide swath of IP addresses is to connect to the IP addresses and issue a GET request. However, depending on how you connect and send the request, it will yield widely different and unhelpful results. Let's walk through a few examples:

  1. Connect to an IP address and do not send a "Host" header. Without the "Host" header, the application server does not know what to do or which site you would like to contact. Below is an example:
  2. Complete the same request, but send the "Host" header. With the "Host" header included, the cloud-based web application firewall (WAF) can understand that you want to reach the server that the WAF is protecting. Here's what that may look like:

The example above uses Cloudflare, a very popular cloud-based WAF that protects millions of machines. With an IP-only request, those millions of machines are missed in your collection process.

When a scanner connects to an IP address, it only knows what you tell it. If you connect to an IP address without sending a "Host" header, the request will not elicit useful application logic from the system.

Content Delivery Network (CDN) and WAF providers use a minimal amount of IP space. Many leverage tricks with "Host" headers and SSL/TLS certificates to host an enormous number of web applications from a disproportionately small amount of IP space. This practice aims to relieve administrative constraints and reduce the costs of buying up large swaths of IP space.

However, even smaller organizations and completely unknown applications leverage VirtualHosts to host two or more web applications on the same IP address. That means there is a significant amount of application logic not exercised by the average IP scanner.

Adopt a DNS-based scanner

As a result, most of your attack surface is hidden from an IP-based (versus DNS-based) scanner, including dangerous application logic, insecure cookies, links to old social profiles, out-of-date JavaScript libraries and more. Attackers can leverage these overlooked assets while moving through your architecture.

Use DNS names to make numerous requests to a single IP address and gather detailed information. In the case of round-robin DNS, it's essential to make the requests to all of the IP addresses so the scanner can identify each asset's application logic.
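The difference between an IP-only probe and a name-driven probe can be reproduced locally. The following is an added example, not Tenable's code: it starts a throwaway virtual-host server on 127.0.0.1 and probes it with and without a "Host" header, iterating over every address a name resolves to. The hostnames, page bodies and the `dns_records` mapping are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample data: two hypothetical virtual hosts sharing one IP.
VHOSTS = {"shop.example.test": "shop login", "legacy.example.test": "old admin panel"}

class VHostHandler(BaseHTTPRequestHandler):
    """Stand-in for a WAF/CDN edge or VirtualHost server: routes on Host."""
    def do_GET(self):
        name = (self.headers.get("Host") or "").split(":")[0]
        body = VHOSTS.get(name, "default site").encode()
        self.send_response(200 if name in VHOSTS else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(ip, port, host=None):
    """GET / on ip:port; send a Host header only when a name is supplied."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)  # suppress the automatic Host
    if host:
        conn.putheader("Host", host)
    conn.endheaders()
    resp = conn.getresponse()
    result = (resp.status, resp.read().decode())
    conn.close()
    return result

def map_surface(dns_records, port):
    """Probe each bare IP (as an IP-only scan would) and each (ip, name) pair."""
    results = {}
    for name, ips in dns_records.items():
        for ip in ips:  # round-robin DNS: visit every address, not just the first
            results[(ip, None)] = probe(ip, port)
            results[(ip, name)] = probe(ip, port, name)
    return results

def demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        records = {name: ["127.0.0.1"] for name in VHOSTS}  # constructed DNS answers
        return map_surface(records, server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

Calling `demo()` returns one generic 404 for the bare IP and a distinct 200 page for each name, which is the content an IP-only inventory never sees. Over HTTPS the same name must also be sent as TLS SNI (`server_hostname` in Python's `ssl` module), since the edge selects the certificate and site from it.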

Using IP data alone is ineffective at identifying what type of application logic and services are running on IP addresses. While IP data is relevant, it should only be used as a supplement to find shadow IT.

If organizations happen to know their IP space, they should upload it to get the most coverage, but only after they've uploaded their domains. Don't miss out on critical assets by relying on an IP-only approach for attack surface mapping.

Learn more

Gain visibility across your entire attack surface with Tenable.asm.
