Why Network Discovery Is the Foundation of a Secure Digital Environment

Network discovery is foundational to a well-managed and secure digital environment. Unfortunately, most organizations struggle to identify and detail every device, or even most devices, within their environments, whether physical or virtual. There are many purpose-built approaches to network discovery, but, they are often specific to a vendor’s primary solution, such as configuration management databases (CMDBs), vulnerability scanners, and security incident and event monitoring systems (SIEMs).

Let’s take a look at what is required for effective discovery. Organizations need a complete understanding of assets within the environment so that they can:

  • Evaluate and assign customized treatment levels for devices based upon business criticality
  • Identify unmanaged or unknown devices
  • Identify vulnerabilities, such as outdated or at-risk software and OS version
  • Evaluate at-risk devices by proximity or communication during an IOC event

Multiple discovery methods are required to achieve discovery’s necessary detail and inclusiveness for adequate situational awareness. Each approach has its strengths and weaknesses, but individually they won’t provide the fidelity required for sufficient operational understanding. Discovery approaches include passive discovery, authenticated discovery, dark space scans, and agent-based discovery.

Passive Discovery 

This has two methods of information gathering to identify the existence of devices and their locations. The first method is to “sniff” traffic live on the wire using a span/mirrored port or tap to observe packets passing on the network. This method can identify the existence of a device and capture packet metadata that can be fingerprinted. However, probes must be implemented on every monitored network, end-to-end visibility is often not possible, and the depth of data is limited.

The second method of passive discovery is to leverage network devices, like firewalls and routers, to gain visibility of devices captured in logs communicating within the environment. This is a good starting point because you know what’s “talking” on the network(s) and can leverage other methods for further prosecution for expanded discovery context. Both methods ensure network performance disruption is imperceptible. 

Authenticated Discovery 

This method leverages login credentials of managed devices. It’s typical of vulnerability scanning applications like Nessus or Qualys. Authentication credentials allow for detailed information about devices, such as vendor, OS, service pack versions, registry, file system, processes, memory, and more. In addition, the level of details from managed devices provides asset role and functionality information. Still, it gives no visibility into unmanaged devices, such as unauthorized entities, many IoT endpoints, and guest devices.

In the past, penetration testers leveraged authenticated discovery scans to capture credentials from the packet streams of the scanner as it connects to a managed device. Modern access methods have made this vulnerability obsolete, but many remain concerned about this attack vector.

Dark Space Scans 

While this doesn’t leverage credentials, it does explore a network environment’s “dark spaces.” They discover the “unknown” and “unmanaged” elements. This approach leverages ping sweeps and TCP/UDP port scans to contact ranges of IP addresses soliciting a response. Once a response is established, the devices are swept for a full range of port numbers to identify active ones. Systems can infer, or “fingerprint,” the services running and, subsequently, the device’s function from active port identification.

Dark space scans will often also query SNMP MIBs using GET NEXT scans to mine as much information as available. ARP caches are also sometimes queried if available. Dark space scans are excellent at discovering that “something” exists on a network and can provide reasonable “guesses” to their function. They don’t require endpoint agents or authentication credentials. However, information derived from these scans is limited, and if the traffic generated is not closely metered, it can severely disrupt the connectivity of fragile devices.

Agent-Based Network Discovery 

This requires installing an agent on every device under management. Like authenticated discovery, these scans can uncover detailed information about devices, such as vendor, OS, service pack versions, registry, file system, processes, and memory and even detect malware. Also, like authenticated discovery, they are only effective on devices under management. Unfortunately, agent-based discovery is cumbersome to deploy.

An agent must be deployed on every device under management, which is not trivial in even medium-sized companies. In addition, the agents can slow down endpoint performance and are not available for all types of platforms. This method is typically used in endpoint detection and response (EDR) solutions, SIEMs, and CMDBs. 

Network Discovery is Crucial

All security audits, re-architecture, incident investigations, and threat hunting begin with the question, “What is in the environment that I’m looking at now?” These activities require that the practitioner know what devices, operating systems, business services, subnetworks, and data paths exist where they’re focusing. Network Discovery is crucial and foundational to a well-managed network and, in particular, security.

The source of understanding an organization’s vulnerabilities and risks is to know what assets are in the environment, what business value those assets represent, and where they are located. Discovery has to be discrete in a customer’s environment. It can’t disrupt communications devices and it must not trigger security alarms. The different methods used in concert allow the discovery process to be unobtrusive and thorough. You always have to know your environment.

For more on how network discovery and protecting your organization, contact the UncommonX team to request a demo of our XDR platform and talk about your specific security needs.

About the Author

At the center of our U.S.-based Security Operations Center (SOC) is a distinctly skilled team of security architects, engineers, analysts, and data scientists. Each is an expert in their respective field and dedicated to protecting our customers 24/7.