
Tenable Blog


Do Not Take an IP-centric Approach to Attack Surface Mapping


Relying on IP data to identify assets means you're likely missing critical information needed to map your attack surface.

While many security tools scan and produce data based on IP addresses, it is an arduous process. It relies on companies knowing the IPs of all of their assets, including legacy and shadow assets. Many vendors and tools pass off the hidden cost of finding each of these assets' IPs to companies' employees by forcing them to identify the IPs in question.

IP data misses vital asset information

The easiest way to gather HTTP data on a wide swath of IP addresses is to connect to the IP addresses and issue a GET request. However, depending on how you connect and send the request, it will yield widely different and unhelpful results. Let’s walk through a few examples:

  1. Connect to an IP address and do not send a "Host" header. Without the "Host" header, the application server does not know what to do or which site you would like to contact. Below is an example: [Image: Attack surface management]
  2. Complete the same request, but send a "Host" header. With the "Host" header included, the cloud-based web application firewall (WAF) can now understand that you want to reach the server that the WAF is protecting. Here's what that may look like: [Image: Attack surface mapping]

The above example uses Cloudflare, a very popular cloud-based WAF that protects millions of machines. If you collect by IP address alone, those millions of machines are missed in your collection process.

When a scanner connects to an IP address, it only knows what you tell it. If you connect to an IP address without sending a "Host" header, the request will not elicit useful application logic.

Content Delivery Network (CDN) and WAF providers use a minimal amount of IP space. Many leverage tricks with "Host" headers and SSL/TLS certificates to host enormous numbers of web applications from a disproportionately small amount of IP space. This practice aims to relieve administrative constraints and reduce the costs of buying up large swaths of IP space.

However, even smaller organizations and completely unknown applications leverage VirtualHosts to host two or more web applications on the same IP address. That means there is a significant amount of application logic not exercised by the average IP scanner.
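The two requests from the walkthrough above can be reproduced offline. This is an added example, not code from the original post: it starts a local server that routes by "Host" header, then probes it as an IP-only scanner would and as a name-aware scanner would. The host names and page bodies are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed virtual hosts sharing one IP address (hypothetical names).
VHOSTS = {
    "shop.example.test": "<title>Shop login</title>",
    "legacy.example.test": "<title>Legacy admin panel</title>",
}

class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        # Missing or unknown Host: the front end has nothing to route to.
        body = VHOSTS.get(host, "<title>No such site</title>")
        status = 200 if host in VHOSTS else 400
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(ip, port, host=None):
    """GET / from ip:port; send a Host header only when `host` is given."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.putrequest("GET", "/", skip_host=True)  # suppress the automatic Host
        if host is not None:
            conn.putheader("Host", host)
        conn.endheaders()
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()

def run_demo():
    """Probe one address without a Host header, then once per known name."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    ip, port = server.server_address
    try:
        return {h: probe(ip, port, host=h) for h in [None, *VHOSTS]}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

The probe without a "Host" header sees only the generic error page, while the same address returns two different applications once a name is supplied.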

Adopt a DNS-based scanner

As a result, most of your attack surface is hidden from an IP-based (versus DNS-based) scanner, including dangerous application logic, insecure cookies, links to old social profiles, out-of-date JavaScript libraries and more. Attackers can leverage these overlooked assets while moving through your architecture.

Use DNS names to make numerous requests to a single IP address and gather detailed information. In the case of round-robin DNS, it's essential to make the requests to all of the IP addresses, which helps the scanner identify each asset's application logic.

Using IP data alone is ineffective at identifying what type of application logic and services are running on IP addresses. While IP data is relevant, it should only be used as a supplement to find shadow IT.

If organizations happen to know their IP space, they should upload it to get the most coverage, but only after they've uploaded their domains. Don't miss out on critical assets by relying on an IP-only approach for attack surface mapping.
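One way to turn the DNS-first guidance above into a scan plan, as an added example that is not from the original post or any Tenable product: every hostname is paired with every address it resolves to (covering round-robin DNS), and known IPs are appended only where no name already covers them. The DNS answers, names and addresses are constructed; `build_scan_plan` and its parameters are hypothetical.

```python
import socket
from collections import defaultdict

# Constructed DNS answers (documentation-range addresses, hypothetical names).
SAMPLE_DNS = {
    "www.example.test": ["192.0.2.10", "192.0.2.11"],  # round-robin: two A records
    "shop.example.test": ["192.0.2.10"],               # shares an IP with www
    "legacy.example.test": ["198.51.100.7"],
}

def resolve_all(hostname, resolver=None):
    """Return every address a name resolves to, not just the first answer."""
    if resolver is not None:
        return sorted(set(resolver(hostname)))
    infos = socket.getaddrinfo(hostname, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def build_scan_plan(hostnames, known_ips=(), resolver=None):
    """Return (plan, unresolved); plan is a list of (ip, host_header) requests."""
    plan, unresolved, covered = [], [], set()
    for name in sorted(set(hostnames)):
        try:
            addrs = resolve_all(name, resolver)
        except (OSError, KeyError):  # socket.gaierror is an OSError
            addrs = []
        if not addrs:
            unresolved.append(name)  # stale or internal-only name: review it
            continue
        for ip in addrs:
            plan.append((ip, name))
            covered.add(ip)
    # Bare IPs only supplement the DNS-derived plan (possible shadow IT).
    for ip in sorted(set(known_ips) - covered):
        plan.append((ip, None))
    return plan, unresolved

def hosts_per_ip(plan):
    """Group the plan by IP to show how many named applications share it."""
    grouped = defaultdict(list)
    for ip, host in plan:
        grouped[ip].append(host)
    return dict(grouped)
```

Passing `resolver=SAMPLE_DNS.__getitem__` keeps the run offline; leaving `resolver` unset uses the system resolver through `socket.getaddrinfo`.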

Learn more

Gain visibility across your entire attack surface with Tenable.asm.
