Seeds & Discovery in Defender EASM
Managing the modern external attack surface is everyone's challenge. While most security teams focus on internal systems and cloud environments, the external attack surface is exposed to attackers around the clock.
The first and second articles in the Defender EASM series covered "EASM" and "Deploy Defender EASM". The EASM article gave an overview of External Attack Surface Management: the approaches, the needs, and the insights it provides. More information is on the link below.
This post focuses on the first step in Defender EASM and digs into Discovery and Seeds.
Attack Surface Mode
After installing and running Defender EASM, the real work begins: finding out where our data is, what that data contains, how the pieces of information relate to each other, and what each piece means. Only then do we get the complete picture of the data, the possible exposures, and the security gaps.
Once Defender EASM has been created, we land in the Defender EASM Overview console. It shows a general view with the option to "Search from a list of pre-built attack surfaces to understand your organization's internet exposure." This option relies on Microsoft's continuous scanning: Microsoft maintains an inventory of internet-facing assets that can be used to discover an organization's attack surface.
The other options on the console, such as Attack Surface Summary, Security Posture, and Discovery, won't show anything useful until we create an attack surface.
A brief look at the "Welcome to Microsoft Defender External Attack Surface Management (EASM)!" screen.
While Defender EASM can search for attack surface assets in a few ways, there are two general ways to find the assets:
- Pre-built attack surfaces – Automated
- Custom attack surface – Customize & Automated
Pre-built attack surfaces – Automated
Microsoft has configured the attack surfaces of many organizations, mapping their initial attack surface by discovering infrastructure connected to known assets. It is recommended that all users search for their organization’s attack surface before creating a custom attack surface and running additional discoveries. This lets users quickly access their inventory as Defender EASM refreshes the data, adding additional assets and recent context to your Attack Surface.
At this point, the Discovery will be running in the background. Suppose you selected a pre-configured Attack Surface from the list of available organizations. In that case, you will be redirected to the Dashboard Overview screen, where you can view your organization’s infrastructure insights in Preview Mode. Review these dashboard insights to become familiar with your Attack Surface as you wait for additional assets to be discovered and populated in your inventory.
Suppose you notice any missing assets or have other managed entities that may not be discovered through infrastructure linked to your organization. In that case, you can select to run customized discoveries to detect these outlier assets.
After the quick setup of the pre-built attack surface, the result surfaces all the gathered information, including the AWS-related assets.
Insights & Tips
- Pre-built attack surfaces fit specific scenarios.
- Discovery groups aren't editable.
- There is no option to add seeds.
- A pre-built attack surface may cover only part of the external assets.
- A pre-built attack surface gives a quick discovery result.
- You can search for pre-built attack surfaces by company name, company category, domain, etc.
- Once a pre-built attack surface is assigned, you work on the assets, seeds, and gathered data it provides.
The Discovery view of a pre-built attack surface shows its Discovery Group, Seeds, and Configuration. As you can see, the pre-built attack surface provides the process with all the settings, but you can't edit this configuration.
Discovery, and then Inventory, is crucial, so we must know how Defender EASM works, what information we can search for, and how Seeds work. This takes us to the part about planting Seeds.
Custom Attack Surface – Customize
While pre-built attack surfaces can do the job in some situations, the second method is the Custom Attack Surface. Custom discovery is ideal for organizations that require deeper visibility into infrastructure that may not be immediately linked to their primary seed assets. By submitting a more extensive list of known assets to operate as discovery seeds, the discovery engine returns a wider pool of assets. Custom discovery can also help organizations find disparate infrastructure related to independent business units, acquired companies, etc.
Discovery Groups – Custom discoveries are organized into Discovery Groups. They are independent seed clusters, each with its own discovery run and its own recurrence schedule. You can organize the Discovery Groups to track assets in whatever way best fits the company and its workflows. Common options include organizing by responsible teams, business units, brands, and subsidiaries.
The Custom Attack Surface part is straightforward, and you can create one in minutes. From the Overview, choose "Create a custom attack surface", which takes you to the Discovery area, and then add the relevant Seeds. Seeds can be various asset types such as Domain, IP, Host, Email, etc.
Note: Even with a platform that lets you enter Seeds and the required information and hands you the external attack surface back, you must still know how to choose the seeds and keep running discovery, first on what you already know and then on the new information that surfaces. Otherwise, you won't identify all of your assets, which leads to the scenario in which you are attacked through external assets you didn't know you had.
Now, let’s see what the Discovery looks like in Customize Mode.
Insights & Tips
- Avoid misconfiguration – Defender EASM provides simple ways to configure the external attack surface.
- Custom Attack Surface mode is editable: you can add or remove seeds.
- On a large enterprise, a discovery scan can take 48 to 96 hours to produce the first results.
- In the first phase, don't add too many Seeds; it can produce a massive picture that doesn't relate directly or indirectly to the target.
- Isolate Discovery between environments, sub-companies, and other situations (where it is reasonable).
The Discovery Group details page contains the run history for the group. Once expanded, this section displays vital information about each discovery run performed on the specific group of seeds. The Status column indicates whether the run is “In Progress,” “Complete,” or “Failed.” This section also includes “started” and “completed” timestamps and counts of the total number of assets versus new assets discovered.
Similarly, you can click the “Exclusions” tab to see a list of entities excluded from the discovery group. These assets will not be used as discovery seeds or added to your inventory. It is important to note that exclusions impact future Discovery runs for an individual discovery group. The “type” field displays the category of the excluded entity.
Alternatively, you can manually input seeds. Defender EASM accepts domains, IP blocks, hosts, email contacts, ASNs, common names, and WhoIs organizations as seed values. You can also specify entities to exclude from asset discovery to ensure they are not added to your inventory if detected. For example, this is useful for organizations with subsidiaries that will likely be connected to their central infrastructure but do not belong to your organization.
Before configuring the Custom Attack Surface, you must know how to work with Seeds and why Discovery has to be configured properly. Again, entering just the domain can give a lot of information, but not the whole detailed picture!
Seeds & Discovery
Seeds in Defender EASM can be compared to a farmer's seeds. A farmer must sow in the right season and the right climate to get good results, and must know the land. We're not farmers, but our land is here, and it holds a lot of data. That is the area we need to know in order to understand the implications.
How we work with Seeds (Discovery Seeds) can make the difference between the whole picture and only part of it: the picture of our external assets and exposure. If we want to know our external shadow, we must be accurate with the seeds, the Discovery, and how we configure them.
Defender EASM depends on a dedicated discovery technology to continuously define your organization’s unique Internet-exposed attack surface. Discovery scans known assets owned by your organization to uncover previously unknown and unmonitored properties. Discovered assets are indexed in a customer’s inventory, providing a dynamic system of record of web applications, third-party dependencies, and web infrastructure under the organization’s management through a single pane of glass.
Through this process, Defender EASM allows you to proactively monitor your constantly shifting digital attack surface and identifies emerging risks and policy violations. Many vulnerability programs lack visibility outside their firewall, leaving them unaware of external risks and threats, the primary source of data breaches. At the same time, digital growth continues to outpace an enterprise security team's ability to protect it. Digital initiatives and the all-too-familiar "Shadow IT" lead to an expanding attack surface outside the firewall. At this pace, validating controls, protections, and compliance requirements is nearly impossible. Without an external view such as Defender EASM, identifying and removing these vulnerabilities is nearly impossible, because internal scanners cannot reach beyond the firewall to assess the entire attack surface.
How it works
To create a comprehensive mapping of your organization's attack surface, the system first intakes known assets (i.e., "seeds") that are recursively scanned to discover additional entities through their connections to a seed. An initial seed may be any kind of web infrastructure indexed by Microsoft, for example:
- Host Name
- Contact Email Address
- IP Block
- IP Address
Starting with a seed, the system then discovers associations to other online infrastructure to discover other assets owned by your organization; this process ultimately creates your attack surface inventory. The discovery process uses the seeds as the central nodes and spiders outward towards the periphery of your attack surface by identifying all the infrastructure directly connected to the Seed and then identifying all the things related to each of the things in the first set of connections, etc. This process continues until we reach the edge of what your organization is responsible for managing.
To discover MISCONFIG infrastructure, you might use the domain misconfig.io as the initial keystone seed. Starting with this Seed, Defender EASM could consult sources such as WhoIs records and DNS records and derive relationships from them.
Using this set of first-level connections, we can quickly derive an entirely new set of assets to investigate. Before performing additional recursions, Microsoft determines whether a connection is strong enough for a discovered entity to be automatically added to your Confirmed Inventory. The discovery system runs automated, recursive searches for each asset based on all available attributes to find second- and third-level connections. This repetitive process provides more information on an organization's online infrastructure and therefore discovers disparate assets that may not have been discovered, and subsequently monitored, otherwise.
Defender EASM provides functionality for interacting with Seeds, Assets, and other information. Many seeds come from public Internet artifacts such as WHOIS and DNS, but Defender EASM also takes additional seed types:
- IP Blocks
- IP Addresses
- Autonomous System Numbers (ASNs)
- SSL Certificates
- WHOIS Contacts
High-level information is key to understanding your assets at a glance. Most of these fields apply to all assets, although this section can also include information specific to one or more asset types.
- Block info
- Data tabs
The discovery chain outlines the observed connections between a discovery seed and the asset. This information helps users visualize these connections and better understand why an asset was determined to belong to their organization.
- Discovery information
- IP reputation
- IP Addresses
- Mail Servers
- Name Servers
- Open Ports
- Web Components
- SSL certificates
The top assets, the general information, and the discovery chain all provide a lot of information. Remember that the Discovery Chain is fed by the other information.
For example, some seeds or objects can be used individually, but they must be initialized for each resource type (Seeds, Assets, and Events).
How do the Seeds interact and form trails? Let's look at some trails.
The chains of relationships that end in a host can be long or short. If your organization is large enough to have allocated sections of IP address space, the hosts in that space are almost permanently attributed to you, and the trail is relatively short.
In other cases, hosts are attributed via DNS records or because they present assets attributed to you, for example:
- ASN to the IP network.
- IP Network to IP address.
- The domain name to the IP address.
- SSL Certificate to IP address.
- IP Block to ASN.
A Trail can consist of two seeds or more.
You can follow the Trail across all seeds and information within Defender EASM, digging from one asset to another for every Seed. The General information, Discovery Chain, and Discovery Information together provide the whole picture.
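The recursion described under "How it works" and the trails listed above, as an added example that is not part of the original post and is not Microsoft's discovery engine: a small Python simulation of seed-driven discovery over a constructed relationship graph. The WHOIS, DNS, IP block, ASN and certificate links are all made up for this example (documentation IP ranges and the article's fictional misconfig.io), the split into "strong" links that confirm ownership and "weak" links that only produce candidates is an assumption of this example, and the domain-versus-host heuristic in classify_seed is a simplification. It also shows how an exclusion (here a hosting provider's ASN) prunes a discovery group before the run, as described in the Exclusions section.

```python
"""Simulated seed-driven recursive discovery (added example, not Microsoft's engine)."""
import ipaddress
import re
from collections import deque

# Link types assumed strong enough to confirm ownership and keep recursing.
# Anything else (e.g. co-tenancy on one IP) only yields a candidate to review.
STRONG = {"whois-registrant", "dns-a", "dns-ns", "dns-mx", "ip-in-block",
          "block-in-asn", "asn-announces", "serves-cert", "cert-name"}

# Constructed relationship data for the article's fictional misconfig.io.
# Entities are typed by prefix; none of these records are real.
RELATIONS = [
    ("domain:misconfig.io", "whois-registrant", "contact:admin@misconfig.io"),
    ("domain:misconfig-labs.net", "whois-registrant", "contact:admin@misconfig.io"),
    ("domain:misconfig.io", "dns-ns", "host:ns1.misconfig.io"),
    ("domain:misconfig.io", "dns-mx", "host:mail.misconfig.io"),
    ("host:mail.misconfig.io", "dns-a", "ip:203.0.113.10"),
    ("ip:203.0.113.10", "ip-in-block", "ipblock:203.0.113.0/24"),
    ("ipblock:203.0.113.0/24", "block-in-asn", "asn:AS64500"),
    ("asn:AS64500", "asn-announces", "ipblock:198.51.100.0/24"),
    ("ipblock:198.51.100.0/24", "ip-in-block", "ip:198.51.100.7"),
    ("ip:198.51.100.7", "serves-cert", "cert:CN=*.misconfig-labs.net"),
    ("cert:CN=*.misconfig-labs.net", "cert-name", "host:app.misconfig-labs.net"),
    ("domain:misconfig-labs.net", "dns-a", "ip:192.0.2.5"),
    ("ip:192.0.2.5", "shared-hosting", "host:unrelated-tenant.example"),
]


def classify_seed(raw):
    """Turn a user-supplied seed into a typed entity, or raise on junk input."""
    s = raw.strip()
    if re.fullmatch(r"AS\d+", s, re.IGNORECASE):
        return "asn:" + s.upper()
    if "@" in s:
        return "contact:" + s.lower()
    try:
        net = ipaddress.ip_network(s, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if net.num_addresses == 1:
            return "ip:" + str(net.network_address)
        return "ipblock:" + str(net)
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", s, re.IGNORECASE):
        # Heuristic assumption: two labels is a registrable domain, more is a host.
        return ("domain:" if s.count(".") == 1 else "host:") + s.lower()
    raise ValueError(f"unrecognised seed: {raw!r}")


def discover(seeds, relations=RELATIONS, exclusions=(), max_depth=10):
    """Breadth-first recursion outward from the seeds.

    Returns {entity: record}; each record carries the state ("confirmed" or
    "candidate"), the recursion depth and the discovery chain back to a seed.
    """
    excluded = {classify_seed(e) for e in exclusions}
    adj = {}
    for a, rel, b in relations:          # links are followed in both directions
        adj.setdefault(a, []).append((rel, b))
        adj.setdefault(b, []).append((rel, a))
    inventory, queue = {}, deque()
    for raw in seeds:
        seed = classify_seed(raw)
        if seed not in excluded:
            inventory[seed] = {"state": "confirmed", "depth": 0, "chain": [(None, seed)]}
            queue.append(seed)
    while queue:
        cur = queue.popleft()
        rec = inventory[cur]
        if rec["depth"] >= max_depth:
            continue
        for rel, nxt in adj.get(cur, ()):
            strong = rel in STRONG
            known = inventory.get(nxt)
            # Skip exclusions, anything already confirmed, and weak links to
            # entities already seen; a strong link upgrades an existing candidate.
            if nxt in excluded or (known and (known["state"] == "confirmed" or not strong)):
                continue
            inventory[nxt] = {"state": "confirmed" if strong else "candidate",
                              "depth": rec["depth"] + 1,
                              "chain": rec["chain"] + [(rel, nxt)]}
            if strong:                   # only confirmed assets are expanded further
                queue.append(nxt)
    return inventory


def format_trail(inventory, entity):
    """Render one asset's discovery chain, seed first."""
    chain = inventory[entity]["chain"]
    out = chain[0][1]
    for rel, ent in chain[1:]:
        out += f" -[{rel}]-> {ent}"
    return out


def summarize(inventory):
    """Count assets per state, like the run-history totals on a discovery group."""
    counts = {"confirmed": 0, "candidate": 0}
    for rec in inventory.values():
        counts[rec["state"]] += 1
    return counts


if __name__ == "__main__":
    inv = discover(["misconfig.io"])
    for ent, rec in sorted(inv.items(), key=lambda kv: kv[1]["depth"]):
        print(f"{rec['state']:9} depth={rec['depth']} {format_trail(inv, ent)}")
    print("with AS64500 excluded:", summarize(discover(["misconfig.io"], exclusions=["AS64500"])))
```

Running it from the single seed misconfig.io reaches app.misconfig-labs.net only through the IP block, the ASN and the certificate it serves, which is exactly the kind of long trail the post describes; excluding the ASN cuts that branch off and drops the confirmed count from 13 to 8, while the host that merely shares an IP with misconfig-labs.net stays a candidate for review in both runs.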
The example below shows the Trail Assets > Hosts > IP Address. As we can see under Web Components & CVEs, some of the resources in the lab need hardening and security updates ASAP.
The following posts will focus on Inventory and on the Attack Surface with Security Posture, and the last one will be about tips.