Updated on: May 21, 2024
In a recent interview with SafetyDetectives, Ariana Mirian, Senior Security Researcher at Censys, shared insights about her journey and the crucial work done by Censys in the field of internet security. Mirian, who began her career in security at the University of Michigan, has leveraged her extensive research background to contribute significantly to Censys’s mission of mapping the internet for better security. She explained the importance of internet-wide scanning and its role in identifying vulnerabilities and tracking security trends. Mirian also discussed the ethical considerations of scanning frequency and intensity, emphasizing the balance between obtaining accurate data and maintaining good internet stewardship.
Could you start by telling us a bit about yourself and your journey to becoming a Senior Security Researcher at Censys?
As with a lot of life, it was a bit of serendipity. I found myself working at a security lab at the University of Michigan starting my sophomore year, mostly to try something new out. Little did I know this would spark a deep interest in security, measurement, and using research to dive into the intersection of them both. As such, at the end of my undergraduate career, I chose to get my Ph.D in 2023 in Computer Science and Engineering at the University of California – San Diego, which has one of the top internet measurement programs and where my thesis ended up focusing on how we can use large scale internet measurement to better prioritize security processes across a number of domains. Shortly after, I joined Censys, where I am able to apply everything I learned from my time at Michigan all the way to now to help better the internet.
Can you explain what Censys does and how it contributes to the field of internet security?
Censys empowers security teams with the most comprehensive, accurate, and up-to-date map of the internet to defend against attack surfaces and hunt for threats. No other solution on the market scans as frequently, with the same breadth, depth or accuracy as Censys. Our foundational internet data, combined with our powerful attribution engine, empowers teams to identify and mitigate exposures as they occur. You can’t protect what you can’t see, and our mission is clear: to be the one place to understand everything on the internet.
What is internet-wide scanning and why is it crucial for today’s security landscape?
Security professionals rely on internet-wide scanning as a source of comprehensive internet studies. This has become a powerful research and intelligence tool, drastically improving the collection and analysis of data. While the concept is relatively new, scanning is used to identify vulnerabilities, track security trends and enable comprehensive reports that enhance our understanding of the internet’s security landscape.
The goal is to shed light on the internet’s attack surface and the various risks and vulnerabilities that increase the potential for data breaches, information leaks or asset destruction. This includes a wide range of issues, from simple technology misconfigurations to Common Vulnerabilities and Exposures (CVEs), which share publicly disclosed (and often headline-grabbing) cybersecurity vulnerabilities.
How often do you think an organization should be scanned to ensure security without overwhelming their systems?
This is a great question. As ethical scanners, ultimately, we’re asking ourselves, “How often do we scan before it becomes harmful?”. We don’t want to contribute to too much internet noise, but also the best way to find things on the internet is to, well, scan for them.In an ideal world, if it’s a small sample, we’re able to increase our scanning frequency to obtain better internal data and results.
One way to adhere to ethical scanning is that we do have a “block list” that we adhere to, which means if someone tells us they don’t want to be scanned, we respect their wishes On the flip side, organizations can also block us, and we’re currently trying to determine how long it takes an organization or individual to question our scans and ultimately block us, which might tell us whether we should change the cadence of our scanning or not. Ethical scanning is about finding the right balance that keeps organizations safe but also allows them to have ownership of their systems, and this is an ever evolving question.
How intense does your scanning need to be in order to balance the best results with good Internet stewardship?
At the end of the day, “Good internet stewardship” requires a plan from an ethical lens. To get the best results and access to the most data, an ethics-led approach ensures that scanning activities respect privacy, prevent data misuse and don’t negatively impact network performance.
In contrast, the absence of an ethical approach can have serious consequences, ranging from privacy violations and systems disruption to legal repercussions. The key question here is: what does being a good internet citizen look like?
To balance this, we currently scan the most common ports about once a day, using as minimal packets as possible to elicit a response. This allows us to see the state of the internet, which also respecting that folks might not want to see multiple scans per day from us. As mentioned before, this is an ever-evolving question that we are constantly asking ourselves as well!
What are the key elements that should be included in the guidelines for ethically compliant internet scanning?
Clearly, scanning is a complex process with the potential to reach billions of public IP addresses, services and devices. For most organizations, the following guidelines help define responsible and ethical internet scanning:
- Consider the greater impact. Security researchers should focus on the potential impact of their scanning activities on various stakeholders, including Internet Service Providers and owners of remote systems. For example, a scan for an uncommon service on a given port is more likely to be considered abnormal and flagged by external parties as suspicious.
- Maintain an accessible communication plan. To demonstrate that a scanning process has meaningful objectives, research teams should clearly state their scanning intention and goals to eliminate confusion. Any organization using internet scanning should coordinate its activities in advance with relevant IT leaders and administrators. By better communicating intent, this establishes trust between researchers and vendors. Should a vulnerable system appear during a scan, this also allows researchers to communicate any abnormalities directly with security and IT teams.
- Avoid redundant scanning. As internet scanners seek to centralize data collection and share real-time results, this allows repetitive scanning efforts to decrease drastically, reducing overall traffic levels and minimizing the impact on internet infrastructure and resources.
How do you see the practice of internet scanning evolving over the next five years?
This is such an interesting question, because the internet is ever changing, so my predictions actually might be out of date sooner rather than later! The one thing that interests me most with internet scanning right now is trying to find things where you don’t expect them. For example, our mental model of the world was that HTTPS was almost always run on port 443, but that doesn’t seem to be the case! If we expand our mental model to say “Protocols can run on any port” what other interesting, hidden facets of the internet might we find in the process?