After the collected data is interpreted in relation to the attack surface, it becomes consumable threat intelligence. The intelligence obtained can be used in three different areas.
When these three areas are combined, they form the XTI structure we mentioned at the beginning of our training. Each area consumes the intelligence for a different purpose.
EASM is the part of XTI that manages an organization's externally facing assets. We explained how to build the attack surface, which is the basis of External Attack Surface Management, in the previous sections. In this section, we cover how to manage the attack surface we have built and how the collected intelligence feeds it.
An attack surface inventory lets an organization discover its unknown or forgotten assets and gives it visibility of what it exposes, and this is exactly where EASM comes into play, since any security vulnerability on these assets poses a risk to the organization. Detected assets must be monitored continuously: adding a newly purchased domain to the asset list as soon as it is registered, or removing a discontinued domain from it, is part of this monitoring effort. We track these assets through External Attack Surface Management, which notifies us when a domain expires, the title of a website changes or a new subdomain appears. One source of intelligence in this stage is the information obtained from the assets themselves (such as their whois data and DNS records). A second source is vulnerability intelligence produced from outside sources such as Shodan. Combining the two, we receive notifications about security vulnerabilities on our own assets.
The alerts that EASM can raise through the active use of threat intelligence, and the actions we can take on each, are listed below:
New Digital Asset(s) Detected
This warning appears when a new asset is detected and added to our continuously monitored asset list. We need to check whether the asset really belongs to our organization and was created by authorized users of our organization. If nobody in the organization claims it, treat it as suspicious rather than silently accepting it into the inventory.
Domain Information Change Detected
This warning alerts us to any change in the whois information of a domain in our asset list. We should compare the old and new data to decide whether the activity is harmful (for example, a change of registrar, name servers or contact details) and verify that the change was made by authorized users of our organization.
DNS Information Change Detected
This warning alerts us to any change in the DNS records of a domain in our asset list. We should compare the old and new records to decide whether the change is harmful and verify that it was made by authorized users of our organization.
DNS Zone Transfer Detected
This warning alerts us when the zone transfer status of a domain in our asset list changes, that is, when one of its authoritative name servers starts answering zone transfer (AXFR) requests from arbitrary clients. We should check the DNS records of the relevant assets and verify whether a zone transfer is actually possible. An open zone transfer hands an attacker the complete list of our hostnames, so it should be restricted to the secondary name servers that need it.
Internal IP Address Detected
Since the IP addresses in the A records of our domains are public and visible from outside our network, they must not be internal (RFC 1918 or otherwise non-routable) addresses. If an internal IP is disclosed in the A record of a domain or subdomain, EASM raises an "Internal IP Address Detected" alert. This usually happens because of a lack of communication between different teams in the organization, for example a record meant for an internal zone being published in the public one. In such cases, the process should be verified by contacting the point of contact (POC) responsible for DNS record maintenance, and the root cause should be investigated. The record should be removed or changed if its presence is not necessary, because it leaks the internal addressing scheme to anyone who queries DNS.
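The five alerts above (new asset, whois change, DNS change, zone transfer, internal IP) all come from the same operation: comparing the latest snapshot of the asset inventory against the previous one. The script below is an added example written for this training, not code from any EASM product; it works on two constructed inventory snapshots embedded in the file (the hostnames, whois fields, record values and the `axfr` field that lists name servers that answered a zone transfer request are all made up), and the list of internal ranges is an assumption you should extend to match your own network.

```python
import ipaddress

# Address ranges that must never appear in a public A/AAAA record
# (assumed list; extend it with any other ranges your organization treats as internal).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "100.64.0.0/10",                                   # RFC 6598 shared (CGNAT) space
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback and link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA and link-local
)]

# Constructed inventory snapshots (not real data). Each maps hostname ->
#   "whois": fields taken from the registrar record,
#   "dns":   record type -> set of record values,
#   "axfr":  name servers that answered a zone transfer (AXFR) request.
OLD_SNAPSHOT = {
    "example.com": {
        "whois": {"registrar": "Registrar A", "nameservers": ["ns1.example.com", "ns2.example.com"]},
        "dns": {"A": {"203.0.113.10"}, "MX": {"10 mail.example.com"}},
        "axfr": set(),
    },
    "www.example.com": {"whois": {}, "dns": {"A": {"203.0.113.10"}}, "axfr": set()},
}
NEW_SNAPSHOT = {
    "example.com": {
        "whois": {"registrar": "Registrar B", "nameservers": ["ns1.example.com", "ns2.example.com"]},
        "dns": {"A": {"203.0.113.10"}, "MX": {"10 mail.example.com"},
                "TXT": {"v=spf1 include:_spf.example.com -all"}},
        "axfr": {"ns2.example.com"},          # ns2 now answers AXFR to anyone
    },
    "www.example.com": {"whois": {}, "dns": {"A": {"203.0.113.10", "198.51.100.7"}}, "axfr": set()},
    "dev.example.com": {"whois": {}, "dns": {"A": {"10.0.5.21"}}, "axfr": set()},  # new host, internal IP
}


def is_internal(ip: str) -> bool:
    """True if ip lies in a range that is not routable on the public Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def diff_snapshots(old: dict, new: dict) -> list:
    """Compare two inventory snapshots and return (alert type, asset, detail) tuples
    in the order the alerts are raised."""
    alerts = []
    for host in sorted(new):
        rec, prev = new[host], old.get(host)
        if prev is None:
            alerts.append(("New Digital Asset(s) Detected", host, "host absent from previous inventory"))
        else:
            # Whois: report every field whose value differs between the snapshots.
            changed = sorted(k for k in set(prev["whois"]) | set(rec["whois"])
                             if prev["whois"].get(k) != rec["whois"].get(k))
            if changed:
                alerts.append(("Domain Information Change Detected", host, f"whois fields changed: {changed}"))
            # DNS: report added and removed values per record type.
            for rtype in sorted(set(prev["dns"]) | set(rec["dns"])):
                added = sorted(rec["dns"].get(rtype, set()) - prev["dns"].get(rtype, set()))
                removed = sorted(prev["dns"].get(rtype, set()) - rec["dns"].get(rtype, set()))
                if added or removed:
                    alerts.append(("DNS Information Change Detected", host,
                                   f"{rtype} added={added} removed={removed}"))
        # Zone transfer: alert on any name server that newly answers AXFR.
        newly_open = sorted(rec["axfr"] - (prev or {}).get("axfr", set()))
        if newly_open:
            alerts.append(("DNS Zone Transfer Detected", host, f"AXFR answered by {newly_open}"))
        # Internal IP: checked on every host, known or new, on every snapshot.
        for rtype in ("A", "AAAA"):
            for ip in sorted(rec["dns"].get(rtype, set())):
                if is_internal(ip):
                    alerts.append(("Internal IP Address Detected", host, f"{rtype} record points to {ip}"))
    return alerts


if __name__ == "__main__":
    for kind, asset, detail in diff_snapshots(OLD_SNAPSHOT, NEW_SNAPSHOT):
        print(f"[{kind}] {asset}: {detail}")
```

Two design points carry over to real deployments: the internal-IP check runs on every snapshot rather than only on changes, because a bad record that was already there when monitoring started would otherwise never be reported, and the zone-transfer check is a set difference over the name servers that answered, so a domain that has always been open does not generate a new alert on every run but a newly opened secondary does.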
Critical Open Port Detected
This warning alerts us when the intelligence we receive from sources such as Shodan indicates critical open ports on the IP addresses we monitor. We should check whether the ports reported as open on the relevant IP addresses are really reachable, and close or filter them if they are not actively used by our network. If an open port is used actively, we should keep the service running on it up to date and make sure it is configured securely.
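The triage described above, as an added example for this training and not code from any EASM product or from Shodan: it takes a list of host records, compares each critical open port against the organization's list of approved exposures, and returns the action to take. The host records are constructed and only loosely modelled on the `ip_str`, `ports` and `data` fields of a Shodan host result (an assumption; check the current API documentation before parsing real output), and both the critical-port table and the approved-exposure list are assumptions to be replaced with your own.

```python
import json

# Ports that EASM treats as critical when reachable from the Internet (assumed list;
# adjust it to the services your organization never wants exposed).
CRITICAL_PORTS = {
    21: "FTP", 23: "Telnet", 445: "SMB", 1433: "MSSQL", 3306: "MySQL",
    3389: "RDP", 5432: "PostgreSQL", 5900: "VNC", 6379: "Redis", 27017: "MongoDB",
}

# Ports the organization has documented as intentionally exposed, per IP (constructed).
APPROVED_EXPOSURE = {
    "203.0.113.10": {80, 443},
    "203.0.113.25": {22, 443, 3389},
}

# Constructed host records shaped like the "ip_str" / "ports" / "data" fields of a
# Shodan host result; none of this is real scan data.
SHODAN_LIKE_JSON = """[
  {"ip_str": "203.0.113.10", "ports": [80, 443, 3389],
   "data": [{"port": 80, "transport": "tcp", "product": "nginx"},
            {"port": 443, "transport": "tcp", "product": "nginx"},
            {"port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol"}]},
  {"ip_str": "203.0.113.25", "ports": [22, 443, 3389, 6379],
   "data": [{"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "8.9"},
            {"port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol"},
            {"port": 6379, "transport": "tcp", "product": "Redis", "version": "5.0.7"}]}
]"""


def triage_host(host: dict, approved: dict) -> list:
    """Return one finding per critical port open on the host, with the action to take."""
    ip = host["ip_str"]
    banners = {svc["port"]: svc for svc in host.get("data", [])}
    findings = []
    for port in sorted(host.get("ports", [])):
        if port not in CRITICAL_PORTS:
            continue                      # non-critical ports are reviewed elsewhere
        svc = banners.get(port, {})
        banner = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) or "unknown service"
        if port in approved.get(ip, set()):
            action = "approved exposure: confirm the service version is current and hardened"
        else:
            action = "not on the approved list: verify the port is really open, then close or filter it"
        findings.append({"ip": ip, "port": port, "service": CRITICAL_PORTS[port],
                         "banner": banner, "action": action})
    return findings


def triage_feed(feed_json: str, approved: dict) -> list:
    """Run triage_host over every record in a JSON list of host results."""
    return [f for host in json.loads(feed_json) for f in triage_host(host, approved)]


if __name__ == "__main__":
    for f in triage_feed(SHODAN_LIKE_JSON, APPROVED_EXPOSURE):
        print(f"{f['ip']}:{f['port']} ({f['service']}, {f['banner']}) -> {f['action']}")
```

The product and version strings are carried into the finding rather than judged by the script: external scan data tells you what was reachable at scan time, not whether the service is patched, so the "approved exposure" path still ends with an analyst confirming the version and configuration, and the "not approved" path starts with re-verifying the port before anything is changed, since third-party scan results can be stale.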
SMTP Open Relay Detected