Active Subdomain Discovery
In the context of cybersecurity, Active Subdomain Discovery is a fundamental reconnaissance technique used to systematically identify and map out an organization's publicly exposed web assets. It is a proactive process that involves more than just guessing subdomains; it requires sending network requests to confirm that a subdomain is genuinely live and responsive.
This process is critical for building a comprehensive understanding of a company's attack surface. Instead of relying on passive information or stale records, an active discovery method sends direct probes to potential subdomains. This could involve trying to connect via common protocols like HTTP and HTTPS, or even attempting other services to see if a host responds.
The goal is to go beyond the primary domain (e.g., example.com) to find all related subdomains (e.g., blog.example.com, shop.example.com, dev.example.com). Each active subdomain represents a potential entry point for an attacker and may host different applications, services, or configurations with their own vulnerabilities.
By performing active subdomain discovery, a security team can:
Enumerate Assets: Create an up-to-date and accurate inventory of all subdomains that are currently active and viewable on the internet.
Identify Shadow IT: Discover unauthorized or forgotten web servers and applications that were deployed outside of official IT processes, which often pose significant security risks.
Prioritize Security Efforts: Focus vulnerability scanning, penetration testing, and other security assessments on the assets that are confirmed to be live and accessible to the public.
Maintain Attack Surface Visibility: Continuously monitor for new subdomains as they are deployed, ensuring that the security team's knowledge of the organization's online footprint is always current.
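An added example (not ThreatNG's code) of the resolve-then-probe step described above, written in Python with only the standard library. The candidate labels, the TEST-NET addresses and the fake resolver/prober used when checking it are constructed; the resolver and prober are injectable so the inventory logic can be exercised without network access.

```python
# Added example (not ThreatNG code): a minimal active subdomain probe. Each
# candidate <label>.<domain> is resolved, then HEAD-requested over HTTPS and
# HTTP; any status proves a live service, a TLS failure is kept as "tls-error".
import socket
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass

@dataclass
class ProbeResult:
    host: str
    addresses: list   # resolved IPs
    live: dict        # scheme -> HTTP status code or "tls-error"

def resolve(host):
    """Return the IPs a hostname resolves to, or [] when no record exists."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def http_probe(url, timeout=5):
    """HEAD the URL; return its status code, "tls-error", or None if silent."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "asset-inventory/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # server answered (even 403/500): host is live
    except urllib.error.URLError as err:
        # urlopen wraps handshake/certificate failures in URLError; keep them
        # visible so an expired or wrong certificate is reviewed, not hidden
        return "tls-error" if isinstance(err.reason, ssl.SSLError) else None
    except OSError:                # refused, reset, or timed out
        return None

def discover(domain, labels, resolver=resolve, prober=http_probe):
    """Keep only hosts that resolve; record which schemes answer and how."""
    results = []
    for label in labels:
        host = f"{label}.{domain}"
        addrs = resolver(host)
        if not addrs:
            continue               # no DNS record: nothing to inventory
        live = {s: c for s in ("https", "http")
                if (c := prober(f"{s}://{host}/")) is not None}
        results.append(ProbeResult(host, addrs, live))
    return results
```

Run against your own zone with a candidate label list (for example `discover("example.com", ["www", "dev", "shop"])`) and the result is an inventory of hosts that resolve, with the status each scheme returned.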
ThreatNG helps with active subdomain discovery through a combination of its core capabilities, which enable a security professional to find and analyze an organization's publicly accessible assets.
External Discovery and Assessment
ThreatNG performs purely external unauthenticated discovery to find an organization's digital assets without needing internal credentials or connections. This process is the foundation for active subdomain discovery. It finds subdomains that are actively responding on HTTP/HTTPS, which signals a viewable web presence that requires further security review. ThreatNG's external assessment capabilities then analyze these discovered subdomains for various risks.
Examples of how ThreatNG's assessments help with active subdomain discovery:
Web Application Hijack Susceptibility: ThreatNG assesses this by analyzing a web application's parts that are accessible externally to identify potential entry points for attackers. This helps confirm which discovered subdomains are live applications and should be prioritized for security.
Subdomain Takeover Susceptibility: The platform evaluates the risk of subdomain takeovers by analyzing subdomains, DNS records, and SSL certificate statuses. This is a crucial step in active discovery, as it helps determine if a seemingly "inactive" or misconfigured subdomain is vulnerable to being hijacked.
Cyber Risk Exposure: ThreatNG's Domain Intelligence module checks for exposed certificates, subdomain headers, vulnerabilities, and open ports. This helps you understand which of your discovered subdomains pose the highest cyber risk. For instance, if a subdomain has an expired certificate or an open sensitive port, it’s flagged as high-risk, a direct result of the discovery process.
Mobile App Exposure: ThreatNG evaluates an organization's mobile apps by discovering them in marketplaces and analyzing their contents. This is an extension of active discovery, revealing a different type of asset—a mobile app—that might have exposed credentials or identifiers.
Code Secret Exposure: The platform discovers public code repositories and checks them for sensitive data like API keys, credentials, and configuration files. This helps you find subdomains that are part of a development or staging environment that have accidentally exposed sensitive information. An example would be discovering a subdomain pointing to a public GitHub repository that contains a hard-coded API key.
Search Engine Exploitation: ThreatNG identifies an organization's susceptibility to exposing information through search engines. This can uncover forgotten subdomains that are indexed by search engines and contain sensitive data like login pages, user data, or vulnerable files.
Investigation Modules and Intelligence Repositories
ThreatNG's investigation modules and intelligence repositories provide the detailed context needed to make the active subdomain discovery process effective.
Domain Intelligence: This module is a core part of the discovery process. It includes DNS Intelligence, which analyzes domain records, identifies vendors and technologies, and performs domain name permutations to find typosquatted or similar domains that could be used for phishing.
Example: ThreatNG might discover secure-portal.example.com, which is an active subdomain, but it would also identify secures-portal.com (a permutation) that attackers could use for phishing.
Subdomain Intelligence: This module provides a detailed look into the discovered subdomains, including HTTP responses, headers, server technologies, and ports.
Example: When a security professional discovers crm.example.com, this module would show that the subdomain is running a specific CRM software, helping them understand its function and potential vulnerabilities.
ThreatNG's Intelligence Repositories (DarCache) provide valuable context that enriches the discovery process.
DarCache Vulnerability: This repository provides information on vulnerabilities, including those actively exploited, which allows you to prioritize scanning on discovered subdomains that host vulnerable software.
DarCache Compromised Credentials: If a subdomain is discovered, a check against this repository can reveal if credentials associated with that subdomain have been exposed on the dark web, raising its risk score.
Reporting and Continuous Monitoring
ThreatNG provides comprehensive reports (Executive, Technical, Prioritized, etc.) that summarize the findings of the subdomain discovery and assessment. The continuous monitoring feature ensures that once a baseline of active subdomains is established, the system constantly checks for new ones or changes to existing ones. This is crucial for maintaining a real-time view of the attack surface as it evolves.
Complementary Solutions
ThreatNG's data can be used with other cybersecurity solutions to enhance an organization's security posture.
Vulnerability Scanners: Once ThreatNG's discovery and assessment capabilities identify a new active subdomain with a risky configuration, that subdomain can be automatically fed into a vulnerability scanner. This allows the scanner to run a deeper, more detailed check for specific software vulnerabilities.
Security Information and Event Management (SIEM) Systems: The findings from ThreatNG can be sent to a SIEM. This allows security teams to correlate the discovery of new external assets with internal network activity, providing a holistic view of a potential attack.
GRC Platforms: ThreatNG's ability to map findings to GRC frameworks like PCI DSS means that the results of active subdomain discovery can directly inform an organization's compliance efforts. The discovered subdomains and their associated risks can be used to prove compliance or identify areas that need immediate attention to meet regulatory requirements.