Attribution Confidence Score
CyberSecurity Asset Management (CSAM) provides the "Attribution Confidence" score for assets discovered through an EASM discovery. This score helps you understand which assets belong to your organization or domain because it clearly distinguishes between the true and false positives encountered in some situations of EASM discoveries.
Go through the following sections to learn more about the "Attribution Confidence" Score:
- Attribution Confidence Score Overview
- Rules for Attribution Confidence Score Assignment
- Tags Associated with Attribution Confidence Score and Reporting
Attribution Confidence Score Overview
The "Attribution Confidence" score indicates confidence in the asset’s attribution to your organization. It is based on the correlation of multiple data facets retrieved from the different sources queried during EASM discovery. The possible values are High, Medium, and Low.
When the "Attribution Confidence" score is high, the asset belongs to your organization or domain, but when it's Low, it's not straightforward to infer if the asset belongs to your organization or domain.
You can use the "Attribution Confidence" search criteria to find assets with high, medium, or low "Attribution Confidence."
- You can group the EASM assets using Group Assets by > External Attack Surface > Attribution Confidence.
You can view the "Attribution Confidence" score from the External Attack Surface tab on the Asset details page.
Attribution Confidence Score Logs
Clicking the Attribution Confidence Score log allows you to view the attribution confidence score log. The logs include the rules and execution details based on which the attribution score is marked as High, Medium, or Low.
The following is the list of rules based on which the Attribution Confidence Score is assigned to the EASM-discovered assets. The rules run in sequence and when the attribute associated with the EASM-discovered asset matches with the attributes from the catalog, the rest of the rules are skipped. You can see Matched, Not Matched, and Skipped statuses on the Attribution Confidence pop-up accordingly.
Rules for Attribution Confidence Score Assignment
The ASN, Asset Domain, Domain from Shodan, Certificate Subject Common name, ASN from IpWhoIs, Organization from IpWhoIs, any domain from IpWhoIs, Customer Organization, and Organization Name from Shodan attributes are compared with the attributes from the EASM-discovered asset and then the High, Medium, or Low Attribution Confidence Score is assigned to the asset based on some preset calculations.
As mentioned earlier, the rules run sequentially, and if all nine rules are not matched, then the Attribution Confidence Score is marked as Low.
|
Rule Sequence |
Rule |
Execution Details (Rule matched condition) |
Attribution Confidence Score |
|
1 |
Shodan ASN Rule |
ASN <ASN> from the Shodan banner is present in the catalog. |
High |
|
2 |
Discovery Path Domain Rule |
Domain <domain name> is present in the catalog. |
High |
|
3 |
Shodan Hostname Rule |
Domain <domain name> from the Shodan banner is present in the catalog. |
High |
|
4 |
Certificate Common Name Rule |
Certificate subject common name <common name> is present in the catalog. |
High |
|
5 |
IpWhoIs ASN Rule |
ASN <ASN> from IpWhoIs is present in the catalog. |
High |
|
6 |
IpWhoIs Organization Rule |
Organization <org.name> from Shodan is present in the catalog. |
High |
|
7 |
IpWhoIs Domain Rule |
Domain <Domain name> from IpWhoIs is present in the catalog. |
High |
|
8 |
Shodan Organization Search Rule |
Organization <org.name> from Shodan present in the catalog. |
Medium |
|
9 |
Catalog Organization Rule |
Organization <org. name> is present in the catalog. |
Medium |
|
10 |
Low Confidence Rule |
Nothing related to this asset is present in the catalog. |
Low |
Tags Associated with Attribution Confidence Score and Reporting
During the "Attribution Confidence" calculation or scoring process, the "EASM Confidence Low", "EASM Confidence Medium", and "EASM Confidence High" tags are created and assigned to the assets. Upon the subsequent EASM scans, the tag assignment changes accordingly if the "Attribution Confidence" changes.
When the report is downloaded from the Inventory > Assets page, the tags column includes these tags. The same applies to the EASM reports.