Authorizing scope for Randori attack and vulnerability validation

Overview

As a Recon Premium or Attack customer, you control the scope of what is authorized for Randori's attack actions to execute against. This can be done manually in the UI, or you can create Authorization Policies to auto-authorize Detections that meet the criteria you would like. This article explains how to set up your authorization, as well as provides a few Authorization Policy examples for common auto-authorization scenarios. It is highly recommended that you authorize as much as possible, both publicly and internally, to derive the most value out of Randori and to make the experience as authentic as possible.

See our article on Attack Safety Considerations for more information on how Randori develops and maintains its library of attack actions.

How To Authorize

  • Authorizing by Policy

    Authorizing by Policy ensures that any new Detections identified on your attack surface that you own are automatically authorized for penetration testing. Randori removes entities that are no longer responding after a certain amount of time, and, should those entities be re-discovered, authorizing by Policy ensures they will be re-authorized for penetration testing. You can use filters such as network blocks, hostnames, identified ports, and paths to ensure you are authorizing only entities that are owned by your organization. Your Authorization Policies can be found within your settings as shown below:

    [Screenshot: Authorization Policies entry in the Settings menu]

    Edits to policies occur on a 30-minute cadence. If you edit, create, enable, disable, or delete a Policy, it will take 30 minutes before you see these changes in your platform. Additionally, disabling or deleting a Policy will remove the Authorization Status for that Policy unless it was authorized by another Policy or manually.

    See the Example Authorization Policies section below for examples of the most common authorization policies to add.

  • Authorizing Manually

    As you review your attack surface, it is likely you will see entities you know are yours and just don’t feel like creating a Policy for at the time. These entities can be authorized manually with the click of a button. However, it is still recommended to authorize by Policy. Should the entity go undiscovered after several scans, it will drop off your attack surface. Upon return, the entity will not retain its previous Authorization Status, and you may find yourself re-authorizing entities you have already reviewed.

Filter Detections by How They Were Authorized

You can identify the Policy or Policies that authorized a Detection, as well as whether it was authorized “manually”, via the Authorization Source column found on the Detections page.

To search on this column, you must use the Policy ID when filtering for all Detections authorized by a particular Authorization Policy. This Policy ID can quickly be identified by clicking on the name of the Policy found in the Authorization Source column on the Detections page, or by pulling up the Policy Details from the Authorization Policy page under Settings.

[Screenshot: Authorization Source column on the Detections page]

If you want to search for all “manually” authorized Detections, use “MANUALLY-AUTHORIZED” as the Policy ID.

To perform the search, click “Configure View” on the Detections page, add a rule for “Authorization Source”, and paste the copied Policy ID value (or type MANUALLY-AUTHORIZED). After applying this view, you will see only the Detections authorized by that specific Policy. The image below shows an example search for Detections authorized either by the Policy “authorize all webernets.online” or manually:

[Screenshot: Configure View with an Authorization Source rule]

Reviewing Your Manually Authorized Detections

It is strongly recommended that you continue to review all of your Detections that are authorized only manually, to ensure you intend for them to remain authorized. To do this, filter your Detections page for Detections where Authorization Source CONTAINS MANUALLY-AUTHORIZED, and then exclude Detections that are also authorized by one of your Authorization Policies by adding a rule Authorization Source DOES NOT CONTAIN [Policy ID], as shown here:

[Screenshot: Detections view filtered to manually authorized Detections not covered by a Policy]

If you find Detections you no longer wish to have authorized, simply select them (in bulk), click the MORE menu at the top right of the Detections table, and select Unauthorize. This removes only the manual authorization status; if the Detection is also authorized by a Policy, it will remain authorized until you update, disable, or delete the Policy that is authorizing it.
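The review above is easiest to reason about as set logic: a Detection's Authorization Source is the set of Policy IDs whose criteria match it, plus MANUALLY-AUTHORIZED when it was authorized by hand, and Unauthorize removes only the manual member. The Python model below is an added example written for this article, not Randori's code or API. The policy criteria (hostname suffix, CIDR network block, port set), the Policy IDs, the Detection records and the IP addresses are all constructed samples. It also covers the Policy filters mentioned under Authorizing by Policy (network blocks, hostnames, ports) and shows why a Detection loses authorization when the only Policy matching it is disabled.

```python
"""Model of Randori-style authorization scope: Policy vs manual authorization.

Added illustration for this article, not Randori's code or API. The policy
criteria (hostname suffix, CIDR network block, port set) are an assumed shape,
and every Detection record and Policy ID below is a constructed sample.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Policy ID the article says to use when filtering for manual authorization.
MANUAL_ID = "MANUALLY-AUTHORIZED"


@dataclass(frozen=True)
class Detection:
    """Constructed sample record; a real Detection carries many more fields."""
    hostname: str
    ip: str
    port: int


@dataclass
class AuthorizationPolicy:
    """Hypothetical policy shape: every criterion that is set must match (AND)."""
    policy_id: str
    hostname_suffix: Optional[str] = None   # e.g. "webernets.online"
    network: Optional[str] = None           # CIDR block, e.g. "203.0.113.0/24"
    ports: frozenset = frozenset()          # empty means any port
    enabled: bool = True

    def matches(self, d: Detection) -> bool:
        if not self.enabled:                # a disabled Policy authorizes nothing
            return False
        if self.hostname_suffix and not d.hostname.endswith(self.hostname_suffix):
            return False
        if self.network and ip_address(d.ip) not in ip_network(self.network):
            return False
        if self.ports and d.port not in self.ports:
            return False
        return True


def authorization_sources(d, policies, manual):
    """Authorization Source for `d`: IDs of the enabled Policies that match it,
    plus MANUALLY-AUTHORIZED when it was authorized by hand."""
    sources = {p.policy_id for p in policies if p.matches(d)}
    if d in manual:
        sources.add(MANUAL_ID)
    return sources


def is_authorized(d, policies, manual) -> bool:
    return bool(authorization_sources(d, policies, manual))


def manual_only(detections, policies, manual):
    """The review filter from the article: Authorization Source CONTAINS
    MANUALLY-AUTHORIZED and DOES NOT CONTAIN any Policy ID."""
    return [d for d in detections
            if authorization_sources(d, policies, manual) == {MANUAL_ID}]


def unauthorize_manual(selected, manual):
    """'Unauthorize' strips only the manual status; Policy authorization stays."""
    return manual - set(selected)


# --- constructed sample data (documentation IP ranges, placeholder Policy IDs) ---
POLICIES = [
    AuthorizationPolicy("policy-id-web", hostname_suffix="webernets.online"),
    AuthorizationPolicy("policy-id-dmz", network="203.0.113.0/24",
                        ports=frozenset({443, 8443})),
]
DETECTIONS = [
    Detection("www.webernets.online", "203.0.113.10", 443),   # both Policies + manual
    Detection("vpn.webernets.online", "198.51.100.7", 443),   # hostname Policy only
    Detection("legacy.example.net", "203.0.113.20", 22),      # port not in Policy: manual only
    Detection("scan.example.net", "198.51.100.9", 80),        # manual only
]
MANUAL = frozenset({DETECTIONS[0], DETECTIONS[2], DETECTIONS[3]})


def review():
    """Run the manual-only review, unauthorize what it finds, and report
    which Detections are still authorized afterwards."""
    stale = manual_only(DETECTIONS, POLICIES, MANUAL)
    remaining_manual = unauthorize_manual(stale, MANUAL)
    return {d.hostname: is_authorized(d, POLICIES, remaining_manual) for d in DETECTIONS}


if __name__ == "__main__":
    for d in DETECTIONS:
        print(d.hostname, sorted(authorization_sources(d, POLICIES, MANUAL)))
    print(review())
```

Running the module prints each sample Detection with its Authorization Source and then the post-review state: the two Detections that were only manually authorized lose authorization, while www.webernets.online stays authorized through its Policies even after its manual status is removed.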

[Screenshot: Unauthorize option in the MORE menu of the Detections table]