Attribution Confidence Score

CyberSecurity Asset Management (CSAM) provides the "Attribution Confidence" score for assets discovered through an EASM discovery. This score helps you understand which assets belong to your organization or domain because it clearly distinguishes between the true and false positives encountered in some situations of EASM discoveries.

Go through the following sections to learn more about the "Attribution Confidence" Score:

- Attribution Confidence Score Overview 

- Rules for Attribution Confidence Score Assignment

- Tags Associated with Attribution Confidence Score and Reporting

Attribution Confidence Score Overview 

The "Attribution Confidence" score indicates confidence in the asset’s attribution to your organization. It is based on the correlation of multiple data facets retrieved from the different sources queried during EASM discovery. The possible values are High, Medium, and Low. 

When the "Attribution Confidence" score is high, the asset belongs to your organization or domain, but when it's Low, it's not straightforward to infer if the asset belongs to your organization or domain. 

You can use the "Attribution Confidence" search criteria to find assets with high, medium, or low "Attribution Confidence."

- You can group the EASM assets using Group Assets by > External Attack Surface > Attribution Confidence.

Search Criterion - Attribution Confidence.

You can view the "Attribution Confidence" score from the External Attack Surface tab on the Asset details page.

Attribution Confidence score from the External Attack Surface tab.

Attribution Confidence Score Logs

Clicking the Attribution Confidence Score log allows you to view the attribution confidence score log. The logs include the rules and execution details based on which the attribution score is marked as High, Medium, or Low.

Confidence Score Logs.

The following is the list of rules based on which the Attribution Confidence Score is assigned to the EASM-discovered assets. The rules run in sequence and when the attribute associated with the EASM-discovered asset matches with the attributes from the catalog, the rest of the rules are skipped. You can see Matched, Not Matched, and Skipped statuses on the Attribution Confidence pop-up accordingly. 

Rules for Attribution Confidence Score Assignment 

The ASN, Asset Domain, Domain from Shodan, Certificate Subject Common name, ASN from IpWhoIs, Organization from IpWhoIs, any domain from IpWhoIs, Customer Organization, and Organization Name from Shodan attributes are compared with the attributes from the EASM-discovered asset and then the High, Medium, or Low Attribution  Confidence Score is assigned to the asset based on some preset calculations. 

As mentioned earlier, the rules run sequentially, and if all nine rules are not matched, then the Attribution  Confidence Score is marked as Low.  

Rule Sequence

Rule 

Execution Details (Rule matched condition)

Attribution Confidence Score

1

Shodan ASN Rule

ASN <ASN> from the Shodan banner is present in the catalog.

High

2

Discovery Path Domain Rule

Domain <domain name> is present in the catalog.

High

3

Shodan Hostname Rule

Domain <domain name> from the Shodan banner is present in the catalog.

High

4

Certificate Common Name Rule

Certificate subject common name <common name> is present in the catalog.

High

5

IpWhoIs ASN Rule

ASN <ASN> from IpWhoIs is present in the catalog.

High

6

IpWhoIs Organization Rule

Organization <org.name> from Shodan is present in the catalog.

High

7

IpWhoIs Domain Rule

Domain <Domain name> from IpWhoIs is present in the catalog.

High

8

Shodan Organization Search Rule

Organization <org.name> from Shodan present in the catalog.

Medium

9

Catalog Organization Rule

Organization <org. name> is present in the catalog.

Medium

10

Low Confidence Rule

Nothing related to this asset is present in the catalog.

Low

Tags Associated with Attribution Confidence Score and Reporting

During the "Attribution Confidence" calculation or scoring process, the "EASM Confidence Low", "EASM Confidence Medium", and "EASM Confidence High" tags are created and assigned to the assets. Upon the subsequent EASM scans, the tag assignment changes accordingly if the "Attribution Confidence" changes.

When the report is downloaded from the Inventory > Assets page, the tags column includes these tags. The same applies to the EASM reports.