The mysterious EASM and where they live. Where are you? / Hebrew

The mysterious EASM and where they live. Where are you? / Hebrew

In the final part of the study, CyberOK experts compare the provision of information by ASM systems from the user’s point of view. You can read the first part here, and the second part here.

The full text of the study has been published here.

1.6 Comparison of information provided

This section presents a comparison of the analyzed ASM systems from the user’s point of view.

1.6.1 Comparison of technical characteristics

Table 12 provides data on what site information the systems provide, the capabilities for grouping results, and the API capabilities.

1.6.2 Comparison of UI/UX quality

Table 13 shows a comparison of ASM services in terms of UI/UX quality. The convenience of requests was subjectively evaluated: yes, the construction of the request is intuitive in Shodan, similar in CriminalIP. In Netlas, it is worth noting a convenient interface with the ability to search for the necessary parameter – a kind of request designer. In Hunter.how, you can highlight a little more functionality: for example, you can make a request for the number of open ports. Censys also has a lot of functionality: it supports “?” and “*”, spec. characters “/n”, ”

1.6.3 Comparison of data quality

8 different nodes were randomly selected for comparison. Several ports are open on each of them, and several network services are running. Information was collected on which ports, products, and domains ASMs would define. Reliable information about open ports was collected using the nmap utility. The correctness of domain determination was carried out by sending direct DNS requests (as a result, the IP address associated with the corresponding domain name is returned). If a network port, service, technology or domain was incorrectly determined by ASM, then Table 14 highlights these values ​​in red

Methodology for evaluating the accuracy of determining open ports: each node has a share of open ports against the results of scanning by nmap. After that, the sum of the shares is calculated and normalized on a 5-point scale. This method is used because it is known for sure which open ports are on the node.

Methodology for assessing the accuracy of domains associated with a node: each ASM is assigned 16 points (2 for each node); for each node for which the system found at least one invalid domain with a valid second-level domain, 0.5 points are deducted; 1 point is deducted for each node with at least one incorrectly defined domain of the second level; 2 points are deducted for each node with the number of incorrectly defined domains more than half of the total number of defined domains in ASM-a; for each node for which the system has not determined any domain, 2 points are deducted from the score. The final score is normalized on a 5-point scale. This technique is used because the exact number of domains associated with an IP address is not reliably known, and a large number (more than half) of incorrect results can interfere with the service user.

Example 1. The system identified the test.abc.ru, test2.abc.ru, test3.abc.ru domains for the site, while only the first one did not respond to a direct DNS query. Then, since the rest of the domains passed the check and abc.ru is a valid domain of the second level, 0.5 points are deducted for this node.

Example 2. The system identified the test.def.ru, test2.abc.ru, test3.abc.ru domains for the node, while only the first one did not respond to a direct DNS request. Then, since the rest of the domains passed the check, and abc.ru is a valid second-level domain, 1 point is deducted for this node.

Table 15 presents the data quality assessment results for the considered services.

Conclusion

Summing up, we can say that none of the considered services exceeds the others in all categories. However, the choice of ASM should be based on the task at hand. Some are better at identifying open ports and products used on the node being tested. Others have a more convenient API or interface in a web application. In addition, some of the considered services offer more features, but within the framework of this article, a comparison of the same functionality was made.

Author: Maksym Pushkin, specialist in CyberOK expertise development


Subscribe to our Habr and Telegram — there CyberOK experts talk about the hottest trends and threats of the digital world, so that you do not remain in the shadow of cyber dangers.

If you look events in Mykolaiv – https://city-afisha.com/afisha/

Related posts