2024 is well underway, which means your security team is probably already hard at work making progress on its objectives for Q1, or the year as a whole.
As your team tackles these objectives and thinks about other ways to improve its operations this year, there might be one (important) area for improvement you’ve overlooked: your internet intelligence. That is to say, the internet scan data security teams use to power their exposure management platforms, hunt for threats, detect vulnerabilities, and more.
Internet intelligence is important because it’s the bedrock of any cybersecurity strategy, whether teams think of it in those terms or not. Decisions hinge on the availability and accuracy of internet intelligence, and it’s this data that also powers many of the critical tools in a security tech stack.
Internet intelligence is also worth consideration because it turns out that there are still a lot of subpar internet data sources out there. And your team might be using one of them. Relying on inferior data means that your team might make decisions based on false positives, spend extra time searching through incomplete data, overlook important vulnerabilities … the list can go on.
Unsure if your team’s internet intelligence has room for improvement? Consider the following 24 questions.
24 Questions to Ask About Your Data
1. How many sources of internet data does my team use?
Dealing with multiple data sources can create a disparate, fragmented view of the threat landscape that can be difficult to understand and operationalize.
2. How much time do I spend trying to fill in the blanks?
Effort spent attempting to bridge gaps in your data is worth examining. Data should usually provide you with enough context to take an informed next step.
3. How often does my data source scan the internet?
Adversaries are continually searching for exposures to exploit. Internet data that doesn’t provide an up-to-date view of vulnerabilities and threats puts your team at a disadvantage.
4. How often are services refreshed?
Look for data that refreshes all services on a daily basis.
5. Does my data show me IPv4 hosts, IPv6 hosts, or both?
Data should reflect coverage of both IPv4 and IPv6 hosts – adversaries exploit everywhere.
6. Does the data offer a global scanning perspective?
Comprehensive coverage of internet infrastructure is paramount. Again, adversaries are everywhere.
7. Are virtual hosts scanned?
Virtual hosts make up a significant portion of our internet, and should be reflected in any data source.
8. Are non-standard ports scanned?
60% of all services run on non-standard ports. Without intelligent scanning across 65,000 ports and visibility into these services, teams can’t effectively protect their organizations.
9. What does my access to certificates look like?
Identify expired certificates and conduct more agile threat investigations with data that includes access to a robust certificate repository.
10. Do I have the ability to search through the data?
If your internet data isn’t fed into an existing tool in your tech stack, you’ll need a way to parse through the data directly.
11. Is it difficult for me to search through the data?
Data should be delivered in a user-friendly way. The Censys Search tool lets folks access Censys data using simple queries.
12. Is there any context provided to help me make sense of the data?
Context is key, especially when time is tight. Data should include details that make it easy to make sense of what’s presented.
13. Can I see host type?
Data with device type labels will allow you to clearly identify host type, whether IoT, Database, VPN, etc.
14. Can I look at geolocation data?
Where a host resides can be a critical data point in an investigation.
15. Can I learn anything about host intent?
Detailed visibility into open ports and running protocols, regardless of standard port assignment, should make it possible to learn more about host intent.
16. Does the data include details on software?
Software detection helps teams identify potential threats, risks, and vulnerabilities.
17. Do I frequently encounter false positives in my data?
False positives waste time, create alert fatigue, and can distract from real threats. Superior data will minimize the frequency of false positives.
18. Can I use an API to integrate the data into other systems?
The ability to pull in data into other systems can unlock significant efficiency.
19. Is there a way for me to look back at data from a previous point in time?
Threat investigations can hinge on the ability to observe changes to a host over time.
20. When new assets come online, how many go undetected?
Teams need to know about all of the new, unknown assets associated with their organization. Overlooked assets become opportunities for adversaries.
21. How quickly are new assets discovered?
The sooner teams know about new assets, the sooner they can protect or deprecate them before attackers take action. Time-to-discovery is a good metric to pay attention to.
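Questions 20 and 21 become measurable once you compare your own change records against what a scanning source reports. The following is an added example (not Censys code) that computes the undetected-asset rate and time-to-discovery from constructed sample data; the asset addresses, timestamps and the 24-hour threshold are assumptions for illustration.

```python
from datetime import datetime, timezone
from statistics import median

# Constructed sample data (not real scan results): when each asset went live
# according to the internal inventory / change log, and when the scanning
# source first observed it. An asset missing from SOURCE_FIRST_SEEN was never
# reported by the source at all.
INVENTORY_ONLINE = {
    "203.0.113.10": "2024-02-01T00:00:00Z",
    "203.0.113.11": "2024-02-01T00:00:00Z",
    "203.0.113.12": "2024-02-03T12:00:00Z",
    "2001:db8::5": "2024-02-02T00:00:00Z",   # IPv6 host (question 5)
}
SOURCE_FIRST_SEEN = {
    "203.0.113.10": "2024-02-01T06:00:00Z",  # seen 6 hours after going live
    "203.0.113.11": "2024-02-04T00:00:00Z",  # seen 3 days after going live
    # 203.0.113.12 and 2001:db8::5 never observed by this source
}
SLA_HOURS = 24.0  # assumed acceptable time-to-discovery


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def discovery_report(online: dict, first_seen: dict, sla_hours: float = SLA_HOURS) -> dict:
    """Compare inventory go-live times with a source's first-seen times."""
    ttd_hours, undetected = {}, []
    for asset, online_ts in online.items():
        seen_ts = first_seen.get(asset)
        if seen_ts is None:
            undetected.append(asset)
            continue
        delta = (_parse(seen_ts) - _parse(online_ts)).total_seconds() / 3600.0
        ttd_hours[asset] = max(delta, 0.0)  # clamp if source saw it before the log says
    values = list(ttd_hours.values())
    return {
        "undetected": sorted(undetected),
        "undetected_pct": 100.0 * len(undetected) / len(online) if online else 0.0,
        "ttd_hours": ttd_hours,
        "median_ttd_hours": median(values) if values else None,
        "max_ttd_hours": max(values) if values else None,
        "sla_breaches": sorted(a for a, h in ttd_hours.items() if h > sla_hours),
    }


if __name__ == "__main__":
    print(discovery_report(INVENTORY_ONLINE, SOURCE_FIRST_SEEN))
```

Run the same comparison for each internet data source you evaluate; the undetected percentage answers question 20 and the median and maximum time-to-discovery answer question 21.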
22. Is it easy for me to identify patterns or uncover relationships in the data?
Threat hunters need to be able to make connections across data points – features like tags, labels, and other filters in a data source can help them do that.
23. Is the data useful to me during a zero-day?
On a zero-day, time is of the essence. Your internet data should help your team determine if they’ve been affected by a zero-day, and to what extent.
24. Is it easy for my team to organize the data?
Threat investigations can become complex, and the ability to sort, tag, and comment on data can help teams stay organized.
If your answers to these questions have you thinking, it may be time to invest in a better source of internet intelligence!
To see Censys data in action, head on over to search.censys.io to run queries on our data.
Pro Tip: You can use our AI-powered CensysGPT tool to ask natural language queries, or translate queries from other languages.