Key Points
When Intruder’s Security Research Engineer, Daniel Thatcher, was asked to dive into attack surface management at DTX Europe, he showed how easily attackers can find what’s exposed to the internet – and how you can monitor and protect your own attack surface.
Here we’ll talk about the external attack surface – everything on the internet that an attacker can target to try and compromise your data. Companies often don't know what their attack surface is, and it can be hard to stay on top of all your servers, exposed services, cloud resources and SaaS accounts with developers constantly spinning stuff up. So, let’s dive in and see why.
Untracked attack surface
We looked at 3,000 organizations and ran basic asset discovery to see what they had exposed to the internet, and our results were a bit worrying. We found that only 21% of their internet facing assets were tracked as part of vulnerability management programs, which means that 79% weren't.
We filtered down for just domains with the word "admin" in them, and that 21% of assets being tracked dropped to 17%, which is even more scary. However, while companies don't always have the best grip on what they've got exposed to the internet, unfortunately, attackers do. We'll discuss how, but first, what happens as a result of this disparity?
Breaches in the headlines
Unfortunately, this disparity leads to breaches. For example, the Capita breach earlier this year left a lot of council data exposed in an unsecured S3 bucket. Recently, Wiz researchers found a token in GitHub that got access to an Azure storage bucket for Microsoft, leaking 38 terabytes of private data, including 30,000 internal Teams messages.
The Australian telecoms giant Optus left PII exposed to the internet. This may not immediately jump out as an attack surface issue – the exposed data wasn't from a cloud storage bucket, but from an unauthenticated API. However, you can be pretty sure their security team didn't know the API was out there without authentication, giving away customer details.
SMBs are in the crosshairs too
While we see these headlines made when enterprise gets breached, it’s not just big businesses that need to worry. As enterprises invest in security, it's becoming more costly for attackers to target them – so they’re now targeting smaller businesses with less security. Here’s a quote from TrendMicro's report on LockBit, the most prevalent current strain of ransomware:
“The majority of LockBit’s victims have been either small or medium-size businesses (SMBs) - 65.9% and 14.6% respectively, with enterprises only comprising 19.5%.” Ransomware Spotlight, LockBit, TrendMicro
TrendMicro saw 80% of LockBit attacks were targeting small or small to medium sized businesses, with only 20% of victims being from the enterprise sector. Unfortunately, whatever size you are, you need to be on top of your attack surface.
What do attackers look for?
IP ranges owned by a company can be very useful for an attacker. If an attacker is looking to target you, they can monitor these IP ranges for new services or servers being spun up, and instantly jump on them knowing that they're going to be yours and likely hold some of your data if exploited.
Domains and subdomains are useful to attackers as well – DNS provides a useful list of your assets for an attacker to enumerate. In some organizations, it’s easy for people to create new domain names, or even buy new domains, notifying attackers of new assets.
As we saw with Wiz's investigation into Microsoft, source code repositories can often contain secrets and leak a lot of data. They can also often contain references to internal systems, and give some understanding of how your services work, which is useful for attackers in launching further attacks.
You're likely using SaaS products, for example for email or file sharing – these are also great targets for an attacker. So are your cloud assets, which include not just misconfigured storage buckets as we’ve seen, but also other cloud services and APIs.
Enumerating wider
The enumeration process that an attacker will perform starts with known assets. If an attacker wants to target your company, they might know you own “example.com” and a particular IP range. They'll first try to go "wider" from this start point, finding other IP ranges you own or other domains you own.
Where real company data is used in the following examples, we’re using Uber. They have a public bug bounty program, and allow and encourage this enumeration. Nothing sensitive is going to be shown – we haven't dug so deep that you can compromise them from this!
IP range ownership
When you have an IP range on the internet, the fact that you own it is public information by design. An attacker can look up your IP ranges in one of many services that provide a searchable format for this data, such as Hurricane Electric’s service, Robtex, or BGPView.
Mergers and acquisitions
Mergers and acquisitions can also be a useful source for an attacker - a company like Uber buys and absorbs smaller companies, and they may be softer targets. Security is often not a priority for smaller companies, and recent acquisitions may not have been brought in line with the larger company’s security standards. They’re not hard to find either – Uber wants everyone to know “we bought this company”.
Analytics IDs
Analytics IDs are a clever technique that’s often overlooked. BuiltWith’s relationships service can be used to correlate these IDs across websites. In the screenshot below you can see that this service has found a number of analytics IDs used on “uber.com”, and then shows other websites which also use these same analytics IDs on the righthand side. If two websites use the same Google Analytics ID, they are reporting into the same Google Analytics account, and are likely related.
Certificate transparency
Certificate transparency provides a public log of every certificate issued. This means all the information on newly issued certificates, including domain names, is publicly available. crt.sh is a service which lets anyone search for this information, and can be very powerful in finding new domains. CertStream demonstrates an interesting use of certificate transparency, providing a real-time stream of newly-issued certificates. Attackers can monitor this service, or setup similar monitoring themselves, to allow them to quickly start targeting new domains found in these certificates.
In recent years, some bug bounty hunters have also taken to scanning the IPv4 ranges used by cloud providers to find certificates, and provide themselves with a searchable list of the domain names in these certificates.
Wide spidering
A technique sometimes called “wide spidering” can also be useful for discovering new assets. A spider is a program that will automatically browse websites to discovery content. By configuring the spider to have a wide scope, for example considering anything with “uber” in the domain name, to be a target, an attacker can often discover new assets. The spider can also be left to run for much longer than a human would be willing to manually click around these websites to search for new content.
This screenshot is from five minutes into this process, and you see there's already a few interesting things in there.
Diving deeper
The next step for an attacker is to search deeper into what they’ve found. The assets found during the previous steps essentially provide seeds for deeper investigation to find more assets.
Internet scan databases
One of the most popular methods for discovering new assets is internet scan databases, such as Shodan, Censys, ZoomeEye, and hunter.how. These scan the entire IPv4 range of the internet to find exposed services, and then present these services in a searchable format.
These databases also help attackers who aren’t specifically targeting your company to find your vulnerable services easily. An attacker who has an exploit for a critical vulnerability can use internet scan databases to quickly find vulnerable services and exploit them, even if they don’t know who owns the service.
Public datasets
Datasets like those provided by SecurityTrails, Rapid7’s Project Sonar and DNSDumpster collect data from multiple sources, some of which may not otherwise be available to an attacker. These can be used to discover more domains and subdomains belonging to an organization without active enumeration.
You can also use gau to easily find URLs from a given domain and its subdomains. The screenshot below shows this tool being run against "uber.com" and the (very) truncated output. This allowed not only new subdomains to be found, but also content on those subdomains.
Of course, there’s also Google, who present everything on the internet in a searchable format available to everyone. Searching Google for the copyright text found on Uber's homepage brings up more assets deeper into the search results.
Public source code
Developers may be publishing source code on platforms like GitHub or GitLab, which is searchable directly on these platforms, as well as by using tools such as the github-search scripts, and through other websites such as grep.app. This will often contain references to internal systems that, which can be useful to an attacker in future attacks.
Just guess
If these techniques don't work, there's always simply guessing. Subdomain brute forcing is the art of saying “does this subdomain exist” repeatedly and very fast. There are many tools which can achieve this, such as sublist3r and dnsx.
These tools need a wordlist to provide the list of likely subdomain names. AssetNote's "best DNS" wordlist is pretty typical of what people are using. It's got about 10 million lines in it, and in their words, “you'll find that you discover some pretty obscure subdomains using this wordlist”, which in our experience has been true.
Don’t forget email
If you're using Microsoft 365 or Google for your email, all your email accounts have a public login portal that attackers can target. Both of these services allow an attacker to test which accounts are actually valid, meaning they can build up a large list of email addresses using a tool like O365Enum. Once they have this list, they can test all of the enumerated email addresses for common passwords, for example by using MSOLSpray. In larger organizations, the chances that at leastone user is using a weak password is quite high.
SaaS apps
Also, don't forget SaaS applications. Some of these applications make it easy for an attacker to check whether a company is using them. For example, the screenshot below shows Uber’s login portal for Box, which we found easily by manually guessing. Not only can an attacker try to guess account passwords on these apps, but knowing which apps a company uses can help create convincing phishing emails.
Stay ahead of the hackers
With all the above techniques, you might be wondering how easy is this to do? Do you need 10 years of experience or can a 13-year-old do it? Unfortunately, it's nearer the latter. Attackers have all these different ways of finding what you have exposed to the internet. So what's our advice?
Perfect is the enemy of good
Start with finding all your assets now – do 10% of the perfect solution and build on it. Learn more about asset discovery tools.
Let everyone do their jobs
Ensure that everyone in the company who creates infrastructure can do it in a secure way. This should include reducing barriers to make this secure way the path of least resistance, for example by automating getting visibility on new systems rather than requiring users to tell you.
Make your data work for you
Somewhere in your company there is some record of what exists. Make sure that you’re aware of all the cloud accounts in use, and that you’re pulling in data from them all. Try to keep a record of which SaaS applications are in use, and who has access to what.
The goal posts are always moving
Ongoing monitoring is a necessity. Members of your organization will be spinning up new infrastructure and services, and registering for new applications. On top of this, the threat landscape is always changing and new vulnerabilities are always being found. Continuous monitoring is a necessity to keep on top of it all.
How can you manage it all?
Get professionals like Intruder to help. Choose our Premium plan or bolt ons, and we’ll take a look at your assets, find what's out there, and approach them like an attacker to let you know what can be done.
We'll connect into your cloud accounts to bring anything in your cloud into our vulnerability management service. We can give you alerts on any changes and anything spun up or down. And we'll provide data and remediation advice to help you protect your attack surface. Why not try Intruder for free for 14 days and see how we can help protect your attack surface?