What is Attack Surface Discovery?

Attack Surface Discovery is the art of creating a View, or an inventory, of all your Internet exposed assets. The holy grail is to find all known & unknown devices before bad guys. Only then can you perform Attack Surface Management.

The next question is how ONYPHE can help you build that View? And, hopefully, to keep it up-to-date? We know that new assets are connected to the Internet on a day-to-day basis. You have to keep track of all of them. This is where we can help thanks to our unique and innovative approach: domain-based. We have developped our own technology with this approach in mind from the beginning, back in 2017. We are pioneers in Attack Surface Discovery & Attack Surface Management.

Domain-based approach

We believe that adopting an IP-based approach to Attack Surface Discovery is doomed to fail. More and more, companies use temporary -or short lived- IP addresses for their devices because of the run-for-cloud everyone is adopting today. We therefore assert that traditional approach is a thing of the past.

That's why we scan both IP addresses and complete Web site URLs. We have designed a dual-scanner to leverage the best part of IP scanning and Web crawling. We do crawl millions of URLs per day and follow new links that are found. This is no different than a Web search engine. Thanks to this approach, we find thousands of new domain names each day.

Thus, to uncover your digital assets, you can just start with a single domain name and search what is bound to it. All our data has to be bound to a domain name, that's one of our numerous mottos. Once you start digging, you can find what we call pivots. For instance, your Web site may have a TLS certificate and an organization property. That's a pivot you can leverage to find other Web sites you own, but under potentially different domain names. That's a recursive process and, thanks to our pivots, you search easily until you don't find any new pivot. Your asset list is complete.

Remember: IP addresses change, domain names stay for a long time.

Protocol-based approach

We also believe that searching exposed assets based solely on port numbers is doomed to fail. Of course, attackers scan ports, but they have the tools, like us, to uncover specific software on non-standard ports. Don't try to hide your service by just changing the port number, that's the antic security-by-obscurity design. It never succeeded.

We identify protocols in a port-number agnostic approach. For instance, RDP service may listen on another port than default 3389/tcp. We "speak" different protocols to identify what is truly listening behind an open port. With our solution, you search by protocol and you say good-bye to your pre-historical port-based searches. You really want to find RDP services and not just an open port, right? Of course, you can still search by port-number if a specific use-case is requiring it.

We perform protocol identification in a port-number agnostic approach.

Device-class approach

Last but not the least, your goal is to identify assets, right? Do you like searching with raw strings to find your VPN servers? No you don't. Please say thank you to our solution that allows you to directly search by device class and product vendor.

First example: Citrix, PulseSecure or FortiNet all sell VPN servers. That's a single query with our solution to identify them all. And for another example, Redis, MySQL, Elasticsearch, Kibana, MongoDB and so many... are all databases. Again, that's a single query with our technology. We have added an abstraction layer on top of software technologies that exist.

We classify devices and identify their vendors. You can say good-bye to your shinny list of string-based dorks.

What is Attack Surface Management?

That's the next step. You first discover, then you can manage. Click here to learn more. You can iterate over these two steps in an endless loop. The initial root name of our company was Sisyphus (or Sisyphe, in French).