Views:

Attack Surface Discovery discovers and assesses your internet-facing domains as part of your external attack surface.

Attack Surface Discovery identifies your internet-facing domains, subdomains, and hosts to be used as discovery seeds using your connected identity and access management (IAM) systems and Trend Vision One sign-on information. Domains undergo a secondary verification process before appearing in Internet-Facing Assets. Information about your internet-facing domains is updated daily.
Important
Important
It may take up to seven days for added or removed domains to be reflected in the domains list.
The following table explains the usage of domain-related terms in Internet-Facing Assets.
Term
Description
Domain
  • Refers to the root domain
  • Serves as a group name for a set of subdomains or hosts
  • Example: example.com
Subdomain
  • Refers to the root domain plus a prefix
  • Separates content or services within a root domain for specific organizational and navigational purposes, including identifying devices
  • Example: ex.example.com
Host
  • Refers to an internet-connected device, often a web server
  • Serves as an identifier ("host name") that can be resolved by the domain name system (DNS) to one or more IP addresses
  • Example: ExampleDesktop.example.com
When Attack Surface Discovery assesses your domains, domain-related risks are identified based on the following factors:
Factor
Example of risk
Domain information
Domain expired
SSL/TLS information
SSL/TLS certificate using weak or deprecated protocols
HTTP response
Server information advertised in HTTP response
After assessment, domains receive a risk score based on risk indicators of both the domain and related IP addresses. Domains with no risk indicators may still receive a significant risk score if the related IP addresses have risk indicators after assessment. If there are no risk events detected for the domain, you can view the related IP addresses to understand the contributing risk.
The following table outlines the actions you can perform on the Domains tab:
Action
Description
View an overview of internet-facing root domains and hosts
The Internet-Facing Assets widget provides the following information:
  • Number of discovered root domains and hosts per month
  • Discovery trend from the last 12 months
View the list of verified internet-facing root domains and hosts related to each root domain
The list includes the following information:
  • Root domains: Automatically discovered and manually added root domains
  • Hosts: Risk score, number of related public IP addresses, and other key information
You can filter list entries based on criteria such as criticality and host provider.
Note
Note
Assets marked with the star icon are highly critical to your organization's operations. For more information, see Asset criticality .
Add root domains or subdomains/hosts to the list
  1. Click Add.
  2. Perform one of the following actions:
    • Select from the list of recommended root domains.
    • Specify root domains and hosts that belong to your organization.
    You can add a maximum of 20 domains at a time. To add more than 20 domains, contact your support provider.
    Attack Surface Discovery verifies the domains and discovers associated internet-facing domains. New domains may take up to 10 days to appear on the domains list.
  3. View the verification status of manually added domains by clicking Review Status.
    Manually added domains that have finished the verification process are marked as approved and added to the domains list along with any associated subdomains.
Remove root domains or subdomains/hosts from the list
  1. Select one or more root domain or hosts you wish to remove.
  2. Click Remove.
View the asset details screen for each root domain and host
The asset details screen includes the following tabs:
  • Risk Assessment: Displays the risk score and list of risk indicators, including descriptions of risk events and recommended remediation actions
  • Related IPs: Lists the related public IP addresses with information such as location, host provider, and detected CVEs
  • Certificates: Displays SSL/TLS information about the domain certificate
  • Asset Profile: Displays criticality-related information, including the criticality level and list of profile tags
Note
Note
If Related IPs displays the IP address 0.0.0.0, Trend Vision One was unable to find any IP addresses related to the root domain. The 0.0.0.0 address is a placeholder to allow the root domain's subdomains to be classified.
Export information about root domains and hosts discovered in the last 7 days
  1. Click Manage Reports.
  2. Select Internet-Facing Assets.
    The Report Management › Internet-Facing Assets Template screen appears.
  3. Configure the report settings.
    Note
    Note
    To view the list of data fields for each asset type, click View CSV Fields.
  4. Click Create.
Each CSV file contains a maximum of 100,000 records.
Scan selected subdomains for exposures
Important
Important
This is a "Pre-release" feature and is not considered an official release. Please review the Pre-release disclaimer before using the feature.
Note
Note
This feature is not available in all regions.
  1. Select up to five subdomains and click Scan for exposures.
  2. Select a Service Gateway deployed to a public cloud platform.
  3. Confirm the assets to be scanned.
  4. Click Scan for exposures.
For more information, see Internet-facing asset exposure scans.