Historically, security teams and tools have used IP addresses to define their targets and scopes. But in a world where applications and networks are increasingly cloud-hosted or integrated with third-party services, IP addresses alone aren’t enough to ensure coverage.
Modern perimeters are dynamic and constantly changing, so an organization can end up with an inaccurate picture of its risk simply by failing to properly catalog the Internet-facing assets it has. Testing against a stale set of IP addresses means missing not only the changes to your own infrastructure, but also any changes made to your third-party (i.e., cloud-hosted) infrastructure.
To effectively understand your risk, you need to start thinking of your true inventory in terms of domains, not IP addresses. Domains can reveal a far more accurate representation of your assets and risk than IP lists alone. No matter your industry, every extension of your brand now likely generates its own domain.
While that is great for branding, in security terms it has exponentially expanded your potential attack surface. And it’s not just marketing. Mergers and acquisitions come with additional domains and hosts that need to be tracked, cloud-hosting migrations create new attack surfaces, and shadow IT efforts complicate accuracy. At the end of the day, you can’t secure what you don’t know you have.
Ultimately, the complexity of the modern dynamic perimeter is causing inaccurate asset inventories and unintended exposures. So how can companies improve their perimeter inventory?
Let your DNS be your guide
If you make one change to your asset inventory process, start by using your DNS records as the primary way to track perimeter inventory. Cloud hosting, virtual hosting, load balancers, and dynamically assigned IP space all require more than static lists that are out of date the moment they are written. Shift from scanning IP addresses to scanning what customers and employees actually interact with: your domains and subdomains.
Build a better inventory
Security teams are not always involved in the process of setting up new domains and modifying DNS records, but it’s imperative that they get access to this information and monitor it for critical exposures. That means investing time to review associated brands, mergers, acquisitions, and any business unit that may have registered a domain. And it means working through whatever organizational obstacles stand between the security team and read access to the DNS records.
In cloud-hosted infrastructure such as AWS, this is as simple as getting a read-only auditor key to export the DNS records (for example, the Route 53 record sets), which can also give you a view of unintended exposures such as misconfigured S3 storage buckets.
If you’re unsure where to start to find DNS information and it’s not entirely centrally managed by IT, there are alternate avenues to pursue. If nothing else, follow the money. Get a list of charges for cloud hosting from the finance department. And remember that charges for domain registration can also be traced to the team that set them up, so working closely with development teams to understand the systems they use to manage their domains, and ensuring the security team has access to those systems, is a step in the right direction.
Move towards continuous security
As development teams adopt continuous integration and continuous deployment, a model of continuous security is needed as well. Once you get access to DNS records at your organization, don’t stop there: create a regular process to review perimeter inventory changes. Changes to your perimeter are only going to increase in speed and frequency, so it’s important to build repeatable processes now that can supply the right people with the right information.
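The review process described above, as an added example that is not part of the original article: two snapshots of a Route 53 export (constructed sample data in the shape of `aws route53 list-resource-record-sets` output, assumed to have been pulled with the read-only auditor key mentioned earlier) are diffed to surface added, removed and changed names, and records whose CNAME or alias target lies outside the organization's own zones are queued for review, since those are the cloud-hosted and third-party assets an IP list would never show.

```python
import json
# Constructed sample exports in the shape of `aws route53 list-resource-record-sets`
# output (assumption: pulled with a read-only auditor key on two different days).
def rr(name, rtype, *values):  # build one record set in Route 53 export shape
    return {"Name": name, "Type": rtype, "TTL": 300,
            "ResourceRecords": [{"Value": v} for v in values]}
PREVIOUS = json.dumps({"ResourceRecordSets": [
    rr("example.com.", "NS", "ns-1.awsdns-00.org."),
    rr("www.example.com.", "A", "203.0.113.10"),
    rr("assets.example.com.", "CNAME", "assets-bucket.s3.amazonaws.com"),
    rr("legacy.example.com.", "A", "203.0.113.20")]})
CURRENT = json.dumps({"ResourceRecordSets": [
    rr("www.example.com.", "A", "203.0.113.11"),
    rr("assets.example.com.", "CNAME", "assets-bucket.s3.amazonaws.com"),
    {"Name": "promo.example.com.", "Type": "A",  # alias record: target lives in AliasTarget
     "AliasTarget": {"HostedZoneId": "Z-CONSTRUCTED", "DNSName": "d111111abcdef8.cloudfront.net."}}]})

def index_records(export_json):
    """Map (name, type) -> {"pointer": bool, "targets": tuple}; NS/SOA are zone plumbing, skipped."""
    index = {}
    for rrset in json.loads(export_json)["ResourceRecordSets"]:
        if rrset["Type"] in ("NS", "SOA"):
            continue
        if "AliasTarget" in rrset:
            values, pointer = [rrset["AliasTarget"]["DNSName"]], True
        else:
            values = [r["Value"] for r in rrset.get("ResourceRecords", [])]
            pointer = rrset["Type"] == "CNAME"
        index[(rrset["Name"].rstrip(".").lower(), rrset["Type"])] = {
            "pointer": pointer,
            "targets": tuple(sorted(v.rstrip(".").lower() for v in values))}
    return index

def diff_inventory(previous_json, current_json):
    """Added, removed and changed (name, type) pairs between two exports."""
    before, after = index_records(previous_json), index_records(current_json)
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "changed": sorted(k for k in after if k in before
                              and after[k]["targets"] != before[k]["targets"])}

def externally_hosted(export_json, own_suffixes=("example.com",)):
    """Names whose CNAME/alias target lies outside the org's own zones: review these first."""
    hits = []
    for (name, _), rec in index_records(export_json).items():
        for target in rec["targets"] if rec["pointer"] else ():
            if not any(target == s or target.endswith("." + s) for s in own_suffixes):
                hits.append((name, target))
    return sorted(hits)
```

Run on a schedule against fresh exports, the diff is the change report that goes to the perimeter owners, and the externally hosted list is the standing inventory of third-party-hosted names to keep an eye on.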