Alex Rodriguez, Security Analyst at MorganFranklin Consulting
Knowing your organization’s digital footprint, what information it is exposing to the internet, is paramount to the success of any security program. One of the first steps attackers take when crafting an attack is performing information gathering or understanding the target organization’s external footprint. By understanding its digital footprint and the risks associated with the information exposed, an organization can increase awareness and visibility to potential threats and improve security.
This article will discuss five different ways of examining an organization’s network digital footprint.
Maltego is an open-source intelligence (OSINT) gathering framework that helps visualize an organization’s digital footprint. Maltego gathers information from publicly available sources, performs link analysis on that information, and creates a visual map of how they interconnect. Organizations can leverage Maltego to gain a visual representation of their external network, and potentially discover rogue assets that are vulnerable to leaking sensitive information or becoming compromised.
Maltego works by inputting a domain name or IP address that an organization owns. Once entered, it can help identify servers that were deployed, forgotten, or left in default configurations. Misconfigured or vulnerable assets are often targeted by threat actors and can lead to a compromise. Understanding an organization’s digital footprint can assist in the identification of potential hidden risks such as rogue devices or misconfigurations that can be exploited by attackers.
By using search engines, organizations can gain an idea of what information is publicly available that can be leveraged by malicious actors. Search engines can be used to gather information about an organization such as open ports, employee data, login portals, logs, or even how websites looked in the past.
Google allows one to create advanced search operators using specific terminology or filtering. These operators are often referred to as Google dorks. Organizations can discover previously unknown publicly accessible information including old backups, log files, cleartext credentials, or even private SSH keys. Malicious actors can take advantage of this information to conduct targeted attacks.
The search queries shown above provide a starting point for Google dorks. They are not intended to represent all sensitive information that could be found, but rather give one an idea of how to look. Concerns that an organization’s data might be exposed in a search engine index can be addressed by leveraging advance search queries like Google dorks to view possible data leaks and determine one’s external network footprint.
Shodan.io is a search engine that allows users to search through internet-connected devices. Shodan works by continuously scanning the internet, enumerating devices, and probing them for open ports or services. Organizations can leverage Shodan to discover devices it owns that are publicly available.
One can perform searches based on hostname, port, IP address, or any combination of queries. An example would be searching for open remote desktop protocol. Remote desktop protocol or RDP is a technology that allows a user to remotely access another computer from over the internet or any other network. Exploiting exposed RDP services has become a favorite option for threat actors to gain an initial foothold. The attack vector provides attackers with remote access over victims’ machines, making it an attractive option for cyber criminals interested in stealing data or spreading ransomware.
Checking if an organization has been a part of a data breach is also another crucial aspect in determining an organization’s digital footprint. Previously compromised accounts can allow attackers to launch targeted attacks using compromised credentials. End users are known to recycle passwords with slight permutations, making attacks such as brute-forcing effective. Haveibeenpwned (HIBP) is a recommended service for organizations to use. HIBP can identify whether email addresses belonging to a domain that an organization owns has been a part of a data breach. HIBP also has the option to opt in for notifications, alerting those subscribed if their organization has been apart of a recent data breach.
Scripting is another way to identify an organization’s digital footprint. One can leverage scripting to automate the review of an organization’s digital footprint. By scripting and leveraging multiple APIs including some of the software and services mentioned in this article, one can periodically scan an organization’s perimeter to check on any possible new rogue devices, misconfigurations, or even data leaks that might have occurred.
In addition, creating a custom script would facilitate reviewing various datasets, accessing services and search APIs, and pulling data from different sources. Scripting would remove the effort of manually visiting multiple services and allow one to automate the task of checking external network assets and the organization for security weaknesses.
How MorganFranklin Can Help
Knowing what information is publicly available can aid in identifying vulnerabilities that could be exploited by threat actors. Organizations can improve visibility and uncover potential security flaws by implementing some of the strategies and understanding their exposure as discussed in this article.
MorganFranklin’s attack and penetration services can help your organization gather information about your network while accessing its security. Surfacing a variety of potential risk that may lead to costly losses. We can assist your organization in identifying weaknesses within your systems and the opportunities they present for threat actors.