How many services do you run within your infrastructure? Are you perfectly aware of what every one of them is doing? What about old services or decommissioned ones? Is your team aware of your services' digital footprint?
These questions can be difficult to answer. Of course, this will depend on your company's scale, the amount of time your services have been running in the "wild and open" internet, but that's why the infosec community is usually so consistent in addressing security-consciousness, constant security introspection using red and blue or purple teams, and the constant forensic-like analysis of digital traces on the net.
All this is "okay", but what if we take a stand from the skeptic's point of view: is it really that bad or dangerous out there?
Well, there is a vast history of several attacks being successful due to forgetful implementations of services of all kinds. And just to enumerate a few well-known cases:
- Tesla's Kubernetes console - This attack was pretty interesting. Attackers discovered a password-less Kubernetes instance deployed on the cloud, and in turn deployed a low-noise Monero cryptocurrency miner to basically earn money with its computing power (cryptojacking).
- British Airways - This attack managed to steal personal customer information, including credit card details, over a period of 15 days by modifying a script hosted on BA's baggage claim information page, according to post-mortem research. The script was modified without disturbing the business flow, which made detection even more difficult.
- Facial recognition database leak - This was due to a company's database being published openly on the internet for months, with facial recognition information regarding China's surveillance program in the remote region of Xinjiang.
There are undoubtedly more. And if you think this only concerns companies that haven't adopted a strong security workflow, and that it couldn't happen to, let's say, a "security company", well…
- ElasticSearch breach database exposure - This one involved a security firm that left a huge record of vulnerabilities public, including critical details about a vast number of companies.
So whatever your business or occupation, there's a great chance that some piece of information was left open without notice. All this will build up your attack surface and will eventually determine just how interesting your assets are, from an attacker's standpoint.
- Asset discovery process: finding your entry point
- Network asset discovery: scraping your IP space
- Asset discovery tools: some great additions to your toolbox
- A word on asset space sizing - do these tips apply to you?
Asset discovery process: finding your entry point
Where to start? That's a multiple-choice, multiple-valid-answer question, but for today's post let's keep the options to two main topics: "domain names" and "IP addresses".
Can you relate to this tweet? It's somewhat difficult for the digital entrepreneur to stay ahead of possible problems once your project or business is active, and even harder once it's long gone.
The renewal of domains from my old projects and abandoned start-ups is an expensive hobby that is gradually becoming unaffordable.— Reyk Flöter (@reykfloeter) May 15, 2020
It is not a matter of just paying the domain name registration fees for your defunct efforts. It also involves what information could be used maliciously if you forget every web site you've signed up using that domain name.
One helpful project for gaining insight into where you, or the team using your domain name, has been is "Have I Been Pwned". This will not only let you know when your data has been leaked, it will also surprise you by confirming whether your domain has been used (probably for a long-forgotten website that has already been compromised).
This could also be true if your domain name has expired and somebody else has registered the same name. You may think that's not a problem as the domain name is not in use and the website isn't anymore, but let's emphasize some probable issues with that approach:
An attacker could tweak DNS records regarding your expired domain name to lead users into revealing personal data, like asking users to reset password information via email by pointing the MX record to a "legit" working mail server.
Similarly, a subdomain name could be used to reset login information so the "hijacker" can receive the reset link without any trouble and access whatever information has been placed inside those particular websites.
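One way to keep the expired-domain and hijacked-MX scenario above from sneaking up on you is to audit your domain inventory on a schedule. The script below is an added example, not part of the original post or of SurfaceBrowser™: it takes a constructed registrar export (domain, expiry date, MX and NS hosts), flags domains that are expired or close to expiry, and flags mail or name servers that point to hosts you do not operate. The inventory, the set of known hosts and the "today" date are all assumptions made up for the example; in practice they would come from your registrar and your zone files.

```python
"""Added example: audit a domain inventory for expiry and for MX/NS records
that point outside the infrastructure you control.
All data below is constructed for the example."""
from datetime import date

# Constructed inventory: domain -> (expiry date, MX hosts, NS hosts)
INVENTORY = {
    "example.com": (date(2024, 11, 1), ["mail.example.com"],
                    ["ns1.example.com", "ns2.example.com"]),
    "old-startup.example": (date(2024, 6, 3), ["mx.someone-else.test"],
                            ["ns1.example.com"]),
    "shop.example": (date(2025, 9, 30), ["mail.example.com"],
                     ["dns.third-party.test"]),
    "defunct.example": (date(2024, 1, 15), ["mail.example.com"],
                        ["ns1.example.com"]),
}

# Constructed set of mail/name servers we actually operate
KNOWN_HOSTS = {"mail.example.com", "ns1.example.com", "ns2.example.com"}


def audit_domains(inventory, known_hosts, today, warn_days=60):
    """Return (domain, finding, detail) tuples, sorted by domain name.

    Findings:
      EXPIRED      registration lapsed; someone else can register it
      EXPIRING     renewal due within warn_days
      MX_EXTERNAL  mail for this domain lands on a host we don't run
      NS_EXTERNAL  zone is served by a host we don't run
    """
    findings = []
    for domain, (expiry, mx_hosts, ns_hosts) in sorted(inventory.items()):
        days_left = (expiry - today).days
        if days_left < 0:
            findings.append((domain, "EXPIRED", f"{-days_left} days ago"))
        elif days_left <= warn_days:
            findings.append((domain, "EXPIRING", f"in {days_left} days"))
        for host in mx_hosts:
            if host not in known_hosts:
                findings.append((domain, "MX_EXTERNAL", host))
        for host in ns_hosts:
            if host not in known_hosts:
                findings.append((domain, "NS_EXTERNAL", host))
    return findings


if __name__ == "__main__":
    # Constructed reference date so the run is reproducible offline
    for domain, finding, detail in audit_domains(INVENTORY, KNOWN_HOSTS, date(2024, 5, 20)):
        print(f"{domain:22} {finding:12} {detail}")
```

An external MX is not always wrong (you may have outsourced mail), so treat the MX_EXTERNAL and NS_EXTERNAL lines as a review list and extend KNOWN_HOSTS with providers you have deliberately chosen.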
What about company acquisitions? Mergers & acquisitions are pretty common in the business scene, and luckily there's a way to check that out using SurfaceBrowser™. In the following image, we're checking out what companies have been acquired; from an attacker's point of view they offer a completely new way to gain information.
Example list of companies acquired by Tesla and visible from SurfaceBrowser™.
Why? because acquired companies are often migrated to the acquiring IT infrastructure, so a vulnerability there may (emphasizing the word "may" here) lead you to use them as a proxy to attack the main target.
There are some public examples of techniques similar to this, which have been used to deceive people and gain control over their data. Here are a couple of them:
You'll also find an interesting read, covering almost all of these subjects in detail, in this link.
There are several things to examine in this situation. Some could be critical and others could be downright extreme—as in the curious case recounted in the New York Times story, "German Military Laptop Sold on eBay Included Classified Missile Information".
The most important thing to note, and which we cannot stress enough about, is that any online record can give clues to attackers, allowing them extra insight into your organization.
Hostname leakage: what can be found on your records
Ever heard of domain names, subdomains, WHOIS or name server leaks? So have the perpetrators!
Despite the fact that people use domain and subdomain names to actually identify the infrastructure (which is good), this exact information could be used to gain knowledge about you and your company's assets and running services.
With SurfaceBrowser™, let's say we found a company we want to analyze. We can look into different options for gathering information about this target, but to quickly pinpoint some of them:
- Subdomains option - By listing subdomains you're getting all names that were in activity at some point in time regarding a company's domain name. This may lead to you discovering interesting services, by looking at keywords such as "monitor", "status", "core", "admin", and others.
- Reverse DNS - Even more interesting information comes from this section, as the often-overlooked PTR (reverse pointer) record maps IPs back to hostnames.
PTR records are rarely updated, because they're generally only used for mail server purposes or to make network hops easier to troubleshoot, but that second reason is especially useful for us. In this example you can find things like data center rack IPs (which may be nonsense but are still worth investigating), an IDS rDNS record (interesting at the very least) or network hop names such as router names, with link speeds and related details (excellent information to look into).
- IP blocks - Last but not least, IP ranges can give you further insight into how to approach different pieces of information and determine possible attack vectors.
You can see a range of different things, such as open ports and unusual IP ranges (for example private ones being announced by hostnames). Quite simply, it's a great way to detect misconfigurations that could lead to unwanted exploitation.
What's next? What else can we do with our network's findings?
We'll check that out in this next section!
Network asset discovery: scraping your IP space
Network assets tend to be forgotten, due to the service migration occurring over the past few years from on-premises data centers to cloud-based environments.
This could certainly be the case for those companies or individuals that had most of their network devices replaced by virtual appliances, or had them wiped from the roots and just started using software-as-a-service (SaaS) products as a business strategy.
On the other hand, there is a trend toward a "return to premises" in some cases, and so the concepts of "fog computing" and "edge computing" have become more popular. These terms help in understanding what needs to be done when your project needs to make local computations, due to the use of in-place sensors, great amounts of data unlikely to be rapidly transmitted, or other similar reasons.
Either way, there's a chance that at some point in our daily business workflow a network device could be prone to misconfiguration. It happens. IoT devices are spread more and more across corporate and home office implementations, and they usually lack a security configuration check around them (this was especially taken into account by botnet creators, as in for example the Mirai botnet).
To conduct your own threat detection, some interesting services to consider are, but are not limited to:
- Monitoring software identifiable among subdomains
- SNMP, NTP, UPnP, and terminal-services-capable equipment (public-facing open ports, default communities or credentials, vulnerable software versions)
- Misconfigured administration consoles, insecure administration channels (rsh, telnet, etc.)
- Services running on ports other than standard (usually a "security through obscurity" tactic to keep them hidden).
What happens once we've found something wrong with a service?
Let's imagine we've scanned our network and found an award-winning vulnerability (from a vulnerability management strategy point of view). This is the panacea if you're red teaming your own infrastructure.
We enter our IP space and discover a remotely exploitable vulnerability, an open port that lets an attacker attack our own services or even those of a remote third party across the internet. The SurfaceBrowser™ interface shows us the IP addresses involved, but we'll look at some of the open ports to gain extra information. And UDP/161 looks pretty interesting.
Then we go ahead and check if any of these targets found in our IP space are vulnerable, at least to read-only SNMP amplification attacks due to the use of the "public" community, which is usually the default for every device that has this feature enabled.
```
snmpwalk -c public -v2c YOUR_DEVICE_IP
SNMPv2-MIB::sysDescr.0 = STRING: 3Com Switch 5500
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.126.96.36.199.3.12
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (123985500) 14 days, 8:24:15.00
SNMPv2-MIB::sysContact.0 = STRING: Courious enough
SNMPv2-MIB::sysName.0 = STRING: 5500-SI-PDF4A
SNMPv2-MIB::sysLocation.0 = STRING: CND PDF4A
SNMPv2-MIB::sysServices.0 = INTEGER: 78
IF-MIB::ifNumber.0 = INTEGER: 56
IF-MIB::ifIndex.14 = INTEGER: 14
IF-MIB::ifIndex.16 = INTEGER: 16
IF-MIB::ifIndex.31 = INTEGER: 31
IF-MIB::ifIndex.4227614 = INTEGER: 4227614
IF-MIB::ifIndex.4227626 = INTEGER: 4227626
IF-MIB::ifIndex.4227634 = INTEGER: 4227634
IF-MIB::ifIndex.4227642 = INTEGER: 4227642
IF-MIB::ifIndex.4227650 = INTEGER: 4227650
IF-MIB::ifIndex.4227658 = INTEGER: 4227658
[...]
```
This target seems feasible to attack, so for the sake of curiosity let's find out how big an impact these targets could make. For this task we found an interesting tool called Saddam that can be fed a list of all the SNMP-capable IPs found, and checks the amplification factor:
Showing amplification attack factor for every target IP (more is better)
As you can see we found three targets with a good amplification factor. One of them is actually quite interesting—it answers 56 times more information than it receives.
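To turn the walk above and the amplification check into something you can run against your own inventory on a schedule, the script below (an added example, not code from the post, from Saddam or from SecurityTrails) parses snmpwalk-style output into a device summary and computes the response/request byte ratio per target, returning the ones above a threshold as a remediation list. The snmpwalk text and the per-target byte counts are constructed for the example; the enterprise number in sysObjectID is a placeholder.

```python
"""Added example: parse snmpwalk-style output and rank devices by the
amplification ratio of their SNMP replies. All data here is constructed."""
import re

# Constructed snmpwalk output in the same format the post shows.
# The enterprise number in sysObjectID is a placeholder, not a real vendor.
SNMPWALK_OUTPUT = """\
SNMPv2-MIB::sysDescr.0 = STRING: Example Switch 5500
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.99999.3.12
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (123985500) 14 days, 8:24:15.00
SNMPv2-MIB::sysContact.0 = STRING: Curious enough
SNMPv2-MIB::sysName.0 = STRING: 5500-SI-PDF4A
SNMPv2-MIB::sysLocation.0 = STRING: CND PDF4A
IF-MIB::ifNumber.0 = INTEGER: 56
"""

# One "<oid> = <TYPE>: <value>" line; lines that don't match are skipped.
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): (?P<value>.*)$")


def parse_snmpwalk(text):
    """Return {oid: (type, value)} for every well-formed line of snmpwalk output."""
    parsed = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            parsed[m["oid"]] = (m["type"], m["value"])
    return parsed


def device_summary(parsed):
    """Pull the fields an asset inventory usually wants from a parsed walk."""
    def pick(oid):
        return parsed.get(oid, ("", ""))[1]
    return {
        "descr": pick("SNMPv2-MIB::sysDescr.0"),
        "name": pick("SNMPv2-MIB::sysName.0"),
        "location": pick("SNMPv2-MIB::sysLocation.0"),
        "interfaces": int(pick("IF-MIB::ifNumber.0") or 0),
    }


def amplification_factor(request_bytes, response_bytes):
    """Bytes returned per byte sent; the figure the post calls the amplification factor."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


# Constructed per-target sizes: (bytes of one request, total bytes answered)
TARGET_SIZES = {
    "198.51.100.5": (64, 3584),  # answers 56x what it receives
    "198.51.100.6": (64, 640),
    "198.51.100.7": (64, 64),    # no amplification
}


def rank_targets(sizes, threshold=10.0):
    """Targets at or above the threshold, highest ratio first: the fix-first list."""
    ranked = sorted(((ip, amplification_factor(*rq)) for ip, rq in sizes.items()),
                    key=lambda item: item[1], reverse=True)
    return [(ip, factor) for ip, factor in ranked if factor >= threshold]


if __name__ == "__main__":
    print(device_summary(parse_snmpwalk(SNMPWALK_OUTPUT)))
    for ip, factor in rank_targets(TARGET_SIZES):
        print(f"{ip:16} x{factor:.1f}")
```

Anything that lands on the ranked list with the default "public" community should get the community changed or SNMP restricted to management networks; the ratio only tells you which devices to fix first.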
What else can be found on other services? Well, we could check the service banners to see if there have been any notable changes, such as version upgrades:
We can even determine how many websites are hosted behind one of our servers' IP addresses. If there are multiple hostnames, there's probably one that could allow us to compromise the whole server in case of insufficient isolation between sites. Maybe we can also check related subdomains against interesting common names such as "admin", "status", "monitor" or others:
Once you've taken a look into your own network, you'll find it's hard to stop wondering, 'What else can I check? What additional information may I extract with this tool?'
We hope you're asking yourself these as well as other meaningful questions!
Asset discovery tools: some great additions to your toolbox
Here's a small list of different tools that may help you accomplish the task:
- SurfaceBrowser™ - Our own information-gathering tool used in this article
- Amass - An information-gathering 'Swiss army knife' for your console
- Nmap - One of the best network scanners created with multiple addons
- Attack Surface Intelligence - ASI provides the tools needed to break up and investigate vulnerable points on your attack surface, to prevent malicious attacks.
To complement the tools above, these posts should give you additional options:
- Top 7 subdomain scanner tools - find subdomains in seconds
- Top 5 Nmap online alternatives
- Flan Scan vulnerability scanner
- Banner grabbing - Top tools
A word on asset space sizing - do these tips apply to you?
Sure! Let us give you some insight. This kind of discovery quest is of interest to anyone with devices to take care of and a connection to the internet. What differs is how you approach discovery, what strategy you're going to use, and what's most important for you according to your organizational needs.
The following table summarizes a few worthwhile thoughts in this regard:
While these are generalizations, and some items apply across multiple organizational sizes, a high level of complexity in daily tasks is the realistic expectation in most cases.
What's the final note on this?
Regardless of size, you can and should be making a regular analysis of your digital assets: dig in when there are findings, and dig more when there are not!
Whatever the nature of your company's business flow or your personal internet track record, leaving some sort of digital footprint is inevitable. For that reason, we must stay one step ahead of the game and try to minimize the security risks associated with that exposure.
Implementing security controls across every system's deployment you make is of great importance, but so is taking into account how to avoid unattended implementations (especially if they're testing implementations being run on the same cloud space).
Whether it's for enterprise security or personal data protection, checking on where information is being placed can sound simple and, sometimes, even annoying, but it has proven to be the most effective way to avoid unwanted comebacks!
Wondering what your next move is toward shrinking your business's exposure to attacks?
Let us introduce to you Attack Surface Intelligence, a product designed to take care of your company's asset discovery concerns. To know more about what SecurityTrails can do for you, please contact our sales team and schedule a call today!