System and method of identifying internet-facing assets

US 10,171,318 B2
Filed: 10/21/2014
Issued: 01/01/2019
Est. Priority Date: 10/21/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a seed at a computing device, wherein the seed includes an identification of a domain name system (DNS) name server, an identification of a whois contact, an autonomous system number (ASN), a domain name, a host name, an Internet Protocol (IP) address, or a combination thereof;

retrieving first data based on the seed, the first data indicating a plurality of first internet-facing assets, wherein the first data includes first DNS data retrieved from a DNS database based on the seed, first border gateway protocol (BGP) data retrieved from a BGP database based on the seed, first whois data retrieved from a whois database based on the seed, or a combination thereof;

retrieving second data based on at least one of the first plurality of internet-facing assets, the second data indicating a plurality of second internet-facing assets, wherein the second data includes second DNS data retrieved from the DNS database based on at least one of the plurality of first internet-facing assets, second BGP data retrieved from the BGP database based on the at least one first internet-facing asset, second whois data retrieved from the whois database based on the at least one first internet-facing asset, or a combination thereof;

generating a graphical user interface (GUI) that includes a list of internet-facing assets related to the seed, wherein the list identifies differences between the plurality of first internet-facing assets and the plurality of second internet-facing assets; and

accessing, by the computing device via one or more proxy servers, at least one internet-facing asset of the plurality of first internet-facing assets or the plurality of second internet-facing assets.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes receiving a seed at a computing device. The method further includes identifying, based on first domain name system (DNS) data, first border gateway protocol (BGP) data, first whois data, or a combination thereof, a plurality of first internet-facing assets related to the seed. The method further includes identifying, based on second DNS data, second BGP data, second whois data, or a combination thereof, a plurality of second internet-facing assets related to at least one of the first internet-facing assets. The method further includes generating a graphical user interface (GUI) that includes a list of internet-facing assets related to the seed, where the list includes the plurality of first internet-facing assets and the plurality of second internet-facing assets.

Citations

21 Claims

1. A method comprising:
- receiving a seed at a computing device, wherein the seed includes an identification of a domain name system (DNS) name server, an identification of a whois contact, an autonomous system number (ASN), a domain name, a host name, an Internet Protocol (IP) address, or a combination thereof;
  
  retrieving first data based on the seed, the first data indicating a plurality of first internet-facing assets, wherein the first data includes first DNS data retrieved from a DNS database based on the seed, first border gateway protocol (BGP) data retrieved from a BGP database based on the seed, first whois data retrieved from a whois database based on the seed, or a combination thereof;
  
  retrieving second data based on at least one of the first plurality of internet-facing assets, the second data indicating a plurality of second internet-facing assets, wherein the second data includes second DNS data retrieved from the DNS database based on at least one of the plurality of first internet-facing assets, second BGP data retrieved from the BGP database based on the at least one first internet-facing asset, second whois data retrieved from the whois database based on the at least one first internet-facing asset, or a combination thereof;
  
  generating a graphical user interface (GUI) that includes a list of internet-facing assets related to the seed, wherein the list identifies differences between the plurality of first internet-facing assets and the plurality of second internet-facing assets; and
  
  accessing, by the computing device via one or more proxy servers, at least one internet-facing asset of the plurality of first internet-facing assets or the plurality of second internet-facing assets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising retrieving third data indicating additional internet-facing assets associated with DNS name servers associated with the plurality of first internet-facing assets.
  - 3. The method of claim 2, further comprising retrieving fourth data indicating hosts associated with the additional internet-facing assets.
  - 4. The method of claim 2, further comprising receiving a canonical name (CNAME) record.
  - 5. The method of claim 1, wherein the GUI is configured to receive user input indicating that a particular internet-facing asset is to be added to a scanning list, wherein internet-facing assets in the scanning list are scanned by the one or more proxy servers continuously, periodically, randomly, in response to user input, or any combination thereof.
  - 6. The method of claim 5, wherein scanning the particular internet-facing asset generates additional information regarding the particular internet-facing asset, wherein the additional information indicates a language that the particular internet-facing asset is associated with, whether particular the internet-facing asset performs redirects, whether the particular internet-facing asset supports secure sockets layer (SSL), whether a SSL certificate associated with the particular internet-facing asset is valid, how many media files are associated with the particular internet-facing asset, whether the particular internet-facing asset is associated with malware, or a combination thereof.
  - 7. The method of claim 5, further comprising generating an alert in response to determining, based on scanning the particular internet-facing asset, that the particular internet-facing asset violates a policy.
  - 8. The method of claim 1, wherein the one or more proxy servers includes a plurality of proxy servers, and wherein each of the plurality of proxy servers belongs to a different domain, is located in a different geographic region, is associated with a different user agent, or a combination thereof.
  - 9. The method of claim 8, wherein each of the different user agents corresponds to a different type of web browser used by the one or more proxy servers to access the at least one internet-facing asset.
  - 10. The method of claim 1, wherein the seed is generated by a discovery application executing at the computing device via an iterative feedback process during identification of internet-facing assets related to a previously received seed.
  - 11. The method of claim 1, wherein the seed is associated with a particular user or business entity.
  - 12. The method of claim 1, further comprising receiving first information indicating that a DNS name server is associated with a particular internet-facing asset and receiving second information indicating domains for which the DNS name server is an authoritative name server.
  - 13. The method of claim 1, wherein the seed is associated with information including an e-mail address, a physical address, a contact name, or a combination thereof, and wherein the first data is received from a database responsive to a query based on the information.
  - 14. The method of claim 1, wherein the GUI is configured to receive user input dismissing a particular internet-facing asset, and further comprising refraining from including the dismissed internet-facing asset from a subsequently generated list of internet-facing assets.
  - 15. The method of claim 1, further comprising determining, based on DNS records, whether a particular internet-facing asset includes a mail server, a DNS name server, or both.
  - 16. The method of claim 1, further comprising port scanning the at least one internet-facing asset to determine whether the at least one internet-facing asset includes a web server.

17. A computer-readable storage device storing instructions that, when executed by a processor, cause the processor to perform operations including:
- receiving a seed at a computing device, wherein the seed includes an identification of a domain name system (DNS) name server, an identification of a whois contact, an autonomous system number (ASN), a domain name, a host name, an Internet Protocol (IP) address, or a combination thereof;
  
  retrieving first data based on the seed, the first data indicating a plurality of first internet-facing assets, wherein the first data includes first domain name system (DNS) data, first border gateway protocol (BGP) data, first whois data, or a combination thereof, a plurality of first internet-facing assets related to the seed;
  
  retrieving second data based on at least one of the first plurality of internet-facing assets, the second data indicating a plurality of second internet-facing assets, wherein the second data includes second DNS data, second BGP data, second whois data, or a combination thereof, a plurality of second internet-facing assets related to at least one of the plurality of first internet-facing assets;
  
  generating a graphical user interface (GUI) that includes a list of internet-facing assets related to the seed, wherein the list identifies differences between the plurality of first internet-facing assets and the plurality of second internet-facing assets; and
  
  accessing, by the computing device, via one or more proxy servers, at least one internet-facing asset of the plurality of first internet-facing assets or the plurality of second internet-facing assets to simulate requests from different geographic regions, different domains, different user agents, or a combination thereof.
- View Dependent Claims (18, 19)
- - 18. The computer-readable storage device of claim 17, wherein accessing the at least one internet-facing asset via the one or more proxy servers includes scanning the at least one internet-facing asset using an anonymous request that originates from a proxy server of the one or more proxy servers.
  - 19. The computer-readable storage device of claim 17, wherein the operations further include:
    - receiving input via the GUI, the input indicating that a particular internet-facing asset is to be added to a scanning list;
      
      scanning the particular internet-facing asset; and
      
      generating an alert in response to determining, based on scanning the particular internet-facing asset, that the particular internet-facing asset violates a policy.

20. An apparatus comprising:
- a processor; and
  
  memory storing instructions that, when executed by the processor, cause the processor to perform operations including;
  
  receiving a seed at a computing device, wherein the seed includes an identification of a domain name system (DNS) name server, an identification of a whois contact, an autonomous system number (ASN), a domain name, a host name, an Internet Protocol (IP) address, or a combination thereof;
  
  retrieving first data based on the seed, the first data indicating a plurality of first internet-facing assets, wherein the first data includes first domain name system (DNS) data, first border gateway protocol (BGP) data, first whois data, or a combination thereof, a plurality of first internet-facing assets related to the seed;
  
  retrieving second data based on at least one of the first plurality of internet-facing assets, the second data indicating a plurality of second internet-facing assets, wherein the second data includes second DNS data, second BGP data, second whois data, or a combination thereof, a plurality of second internet-facing assets related to at least one of the plurality of first internet-facing assets;
  
  generating a graphical user interface (GUI) that includes a list of internet-facing assets related to the seed, wherein the list identifies differences between the plurality of first internet-facing assets and the plurality of second internet-facing assets; and
  
  accessing, by the computing device, at least one internet-facing asset of the plurality of first internet-facing assets or the plurality of second internet-facing assets via a plurality of proxy servers to simulate requests from different geographic regions, different domains, different user agents, or a combination thereof,wherein each of the plurality of proxy servers belongs to a different domain, is located in a different geographic region, is associated with a different user agent, or a combination thereof.

21. A method comprising:
- receiving a request to identify a plurality of internet-facing assets associated with a seed, wherein the seed includes an identification of a domain name system (DNS) name server, an identification of a whois contact, an autonomous system number (ASN), a domain name, a host name, an Internet Protocol (IP) address, or a combination thereof;
  
  identifying, based upon the seed, a first internet-facing asset;
  
  identifying, based upon the first internet-facing asset, a second internet-facing asset; and
  
  generating a graphical user interface (GUI), the GUI including a list of the first internet-facing asset and the second internet facing asset, wherein the GUI includes a display of a discovery path between the seed and an internet-facing asset selected from the list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
RiskIQ, Inc. (Microsoft Corporation)
Inventors
Pon, David K., Manousos, Elias, Kiernan, Chris, Adams, Ben, Chiu, Megan, Edgeworth, Jonas
Primary Examiner(s)
Nguyen, Minh Chau

Application Number

US14/520,029
Publication Number

US 20160112284A1
Time in Patent Office

1,533 Days
Field of Search

709220-224
US Class Current
CPC Class Codes

H04L 43/045   for graphical visualisation...

H04L 43/10   Active monitoring, e.g. hea...

H04L 61/4511   using domain name system [DNS]

H04L 63/1408   by monitoring network traff...

System and method of identifying internet-facing assets

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of identifying internet-facing assets

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links