Earlier this year, the first part of this article was published. It’s a good place to start to learn why you want to understand your company’s attack surface. Websites and online databases tend to over-share – you should aim to limit this. But some information is necessary or even mandatory to make available – contact information, financial statements, technical details to enable the company website to work. These types of information cannot be removed, but you then need to be aware of them and work to avoid that information being used to attack your company.
Understand your attack surface and use that information to mitigate and reduce your risk.
A quick recap
An attacker will always seek to increase the likelihood of a successful attack. A crucial factor in this regard is understanding the company’s internal setup and defenses, which will determine the target, strategy, and method of attack. This type of information, intelligence, is a collection of data points gathered in the first phase of a (cyber)attack: reconnaissance.
By collecting and mapping publicly available (‘open source’) information about the company’s attack surface, you acquire knowledge which may be utilized in a quantitative risk assessment, ensuring better estimates of the frequency of loss events. This area is often referred to as Open Source Intelligence (OSINT).
Measurements make you capable of reducing the uncertainty of risk. These publicly available data are relevant for your risk assessment, like how the number of machines that have received timely security updates is important in your risk assessment. And you are measuring that, aren’t you?
So, you need to do three things. In this article, you will get links to some practical and easy-to-use tools to map your attack surface – to do reconnaissance!
- Map your attack surface
- Analyze and understand the attack surface in tandem with the risk level
- Reduce the likelihood that information is exploited
Read more in the first part of this article.
A word of advice!
There are many good and obvious reasons to why you are NOT ALLOWED to access other companies’ and people’s IT infrastructure via the internet. ONLY conduct tests on yourself and your company, and ONLY with written permission from management. It is your responsibility to understand what you can and cannot do. In Denmark, however, you can browse publicly available databases and services freely.
Examples: www.cvr.dk, www.google.dk and wwww.skraafoto.kortforsyningen.dk
Down the rabbit hole
When mapping your (company’s) attack surface, there are many different types of information to look for, including:
- Content on the company website
- Business databases
- Social Media (company and employee)
- Technical information from online tools
- Google and other search engines
There is a plethora of tools to collect open-source information. Learn about a tool and understand the consequences of using it – before you use it. Some tools are quite intrusive, and you may inadvertently break local laws. This is your responsibility!
Content on the company website
Start by opening your company website and look around. When you browse and look at information, always keep in mind:
- Is this obsolete?
- Is this relevant only to our existing customers?
- Is the level of detail too great?
- Could this information be combined with other types of information [to be exploited]?
Start with the “Contact Us” pages and “Organization”. Is the level of detail too great? Are e-mail addresses and mobile phone numbers listed for student assistants? Is that necessary?
In financial statements, sometimes big projects are required to be mentioned because they are a risk to the company. You might find that the project to migrate to SAP in a hosted solution is listed. There’s no way around this, but be aware that anyone now knows a bit of internal information about your company. That information can be used in spear phishing attacks and other types of social engineering.
Look at open job postings. Are there any openings in IT, and do they list which types of technologies are relevant? Try to minimize internal information online. Don’t give the attacker a head-start by publishing that operational IT staff is required to have deep knowledge of a specific IT monitoring system. This type of information is oftentimes also easily accessible from existing employee LinkedIn profiles, though. More on social media later.
Manuals and product specifications are also interesting to attackers. This type of information should be restricted to those who need it: your existing customers. There is no need to explain to an attacker how to correctly communicate with your web application through an API or screenshots on how to manage user permissions in your application.
One thing is browsing your website – another is using Google and other search engines to “look behind the scenes”. Not all content is directly accessible, but Google helps. So much so that the term “Google Dorking” or “Google hacking” has been coined. There’s a database with “dorks” here.
It can be used to find actual security holes, but here we will explore four examples of search strings that you can use to find information you might normally not see:
site:amazon.com “password”
Pages from the domain amazon.com are returned on the search that contains the word “password”. You could search your own website for “Social Security Number”, login, database, and other interesting keywords.
site:amazon.com filetype:pdf
Returns a list of all indexed PDF files on a website. PDF files are designed for information sharing, but Office documents should be avoided as a rule of thumb. They often contain a lot of metadata you don’t want published (like the internal name of the print server if it has been printed). Filetypes that can be listed with this search include (at least): pdf, docx, doc, xlsx, xls, pptx, ppt, and txt.
site:amazon.*.com
This search will list sites that have Amazon as a subdomain. In other words, you might find online services that Amazon uses as an outsourced service. Test your own company – maybe you’ll find companyname.servicenow.com or companyname.salesforce.com?
“Amazon” “references” -site:amazon.com
This search has a minus before the site, which excludes results from amazon.com. This can be used to find mentions of “Amazon” and “references” on other sites [than amazon.com]. You could find your company listed as a reference with suppliers. This information could also be used for social engineering, like in this friendly call:
“Hi, is this the reception? This is Peter from Peter’s Plumbing speaking. There is an issue with the CEO’s personal washroom. I’m sending a guy over in 30 minutes called Jake. He’s new here, and doesn’t know his way around your company as me and my other guys – can you lead him to the CEO’s office, please, so the CEO can … you know … go … haha”
Public websites or databases
Rules, regulations and legislation that support businesses and enable transparency are a great source of information. In Denmark, we have the Central Business Register www.cvr.dk from which you can find the name and home addresses of a company’s management, board of directors and founders. Current and ceased associations for affiliated people can be drilled down. Another similar resource is www.proff.dk with a bit of extra information and visualizations of company structures.
Information that can be used for physical threats or social engineering is readily available on maps.google.com / Google Street View and Skråfoto in Denmark.
Social Media (company and employee)
Companies and employees often post many details on social media, including pictures from inside the company. You might check if your company has an employee handbook or information security policy that mentions limitations for employees. That might help get “over-sharing” removed. Don’t forget to check www.youtube.com for tours around your company, product demonstrations or help videos. Any leaks of internal information?
Happy hunting: www.instagram.com, www.linkedin.com, www.snapchat.com,
www.tiktok.com, www.facebook.com etc.
Technical information from online tools
In the first part of this article, we cover www.shodan.io. It’s a great resource to check IP addresses and host names in your infrastructure. Get a one-time-cost membership and get started.
www.dnsdumpster.com is a good place to start when looking at your domain and what things might be publicly available. Be aware that this database may contain obsolete information as it is not updated daily. Recheck any information from other places like Shodan, which have date-stamps for scans. DNSDumpster shows information about nameservers, MX, SPF, TXT and A -records. These will tell you a few things about which online services and technologies are in use and which services your company publishes. Your subdomains listed on DNSDumpster are probably not the full list, so you might want to check out other sub-domains lists like the one on www.virustotal.comlike in the following example – see the section “Siblings”: VirusTotal – Domain – www.bbc.co.uk
www.punktum.dk for .dk domains, www.who.is or other similar services can be used to find out e.g., who is listed as the registrar of your domain. This is also social engineering fodder.
www.viewdns.info has many different tools for DNS queries. Use the “Reverse Whois Lookup” and search for “*@yourcompany.com” to see which other domains you might have registered to an e-mail address on your domain.
Create a free account on www.builtwith.com and look up which technologies your company website is built with. Maybe you’ll find components that haven’t been updated in a while or other surprises.
On www.internet.nl (or its Danish equivalent www.sikkerpånettet.dk), you can have a series of configuration tests done in one search to your domain. It outputs information about things you might want to fix, like DMARC, DKIM, SPF for mail and HTTPS security for your website. It describes each test and gives an explanation of why it is important. It gives you an overall percentage score which you can use as input in your quantitative risk assessments.
www.wigle.net is a collection of WiFi networks that have been mapped. Find your business on the map, and maybe there’s a Wi-Fi network emitted from the OfficeJet printer in some office that you didn’t know about that could be targeted.
www.archive.org scans the internet and saves copies of websites. You can browse your own website snapshots back in time and find data that has since been deleted.
The Australian security researcher, Troy Hunt, started www.haveibeenpwned.com and was the sole operator for years. The site collects large lists of billions of data records that have been published from data breaches over time. You can look up an e-mail address and see which breaches it has been part of. All data is anonymized, but two things are particularly interesting:
- You can add your company domain name and get an alert if any e-mail from your domain shows up in a future data breach.
- You can look up any e-mail and get an idea of which other websites that person has had or still has an account on. The information that the CEO’s mail, which was in an investment site breach two years ago, is now a part of your attack surface.
There are thousands of tools and databases online that can be used to uncover your attack surface. Some are command-line Linux tools that require technical skills, while others are easy to use. Some cost money, others are free. If you start searching Google for more tools first, you are likely to run into some malicious tools, so start with a list from an OSINT researcher like Nixintel’s OSINT Resource List.
That should get you started in understanding your attack surface. Consider if you might subscribe to online services that automatically keep an eye on your attack surface so you don’t have to spend all your time in the rabbit hole.
Closing remarks
You should use the information you learn from your investigation as input to your risk assessment which will help you target mitigation to where it matters.
Your findings could prompt you to make changes – a couple of examples:
- A policy update for service providers prohibiting them from using your company as a reference customer on their website
- Changes to reduce information revealing web server versioning information
- Policies to disallow Office documents on your website and procedures for removing metadata from PDF documents
- Procedure changes for reception staff to validate caller identities and to not give out any seemingly harmless internal information
- Website cleanup of obsolete information and reduction in information about company organizational structures
The ACI Quantitative Assessment Platform (qAp) can help you create fast quantitative risk assessments and WHAT-IF-analyses. Your knowledge of your attack surface is raw input to enrich and reduce the uncertainty of your risk assessment.
Launching 2023! Stay tuned!