Hidden Subdomains


In cybersecurity, a hidden subdomain is a subdomain that is not publicly linked or easily discovered through standard methods like DNS lookups or website crawling. They are often created for specific, non-public purposes.

Attackers can use hidden subdomains for malicious activities such as:

  • Phishing campaigns: Hosting fake login pages on a subdomain that looks legitimate, like "secure-login.example.com", to trick users into providing their credentials.

  • Command and Control (C2) servers: Establishing a clandestine communication channel for malware to receive commands and exfiltrate data.

  • Hosting malicious content: Using the hidden subdomain to store malware or exploit kits without the main domain's reputation being immediately affected.

  • Staging attacks: Preparing a malicious payload or a new attack vector on a secluded part of a network before launching the main attack.

Organizations sometimes use hidden subdomains for legitimate reasons, like development or testing environments, internal company portals, or private API endpoints. However, if these subdomains are not adequately secured, they can become a significant security risk.

ThreatNG helps with hidden subdomains through its extensive external discovery, assessment, and investigation capabilities. It identifies and manages these potentially risky assets from an attacker's perspective, without needing internal access.

How ThreatNG Helps with Hidden Subdomains

ThreatNG's External Discovery capabilities find an organization's digital assets, including subdomains, without authentication or connectors. This is the first step in uncovering hidden subdomains that are not publicly linked but are still live and accessible.

ThreatNG's External Assessment analyzes the discovered subdomains for various risks.

  • Subdomain Takeover Susceptibility: It checks for potential subdomain takeovers by analyzing subdomains, DNS records, and SSL certificate statuses. For example, if a company like "ExampleCorp" had a subdomain like "jobs.examplecorp.com" that was used for a past hiring campaign and is now forgotten, ThreatNG could detect if the CNAME record for this subdomain is pointing to a service that is no longer in use, leaving it vulnerable to a takeover.

  • Web Application Hijack Susceptibility: ThreatNG identifies potential entry points for attackers by analyzing parts of a web application that are accessible from the outside. For instance, it could flag a hidden subdomain like "dev-portal.examplecorp.com" if it has an exposed login page with weak security headers, making it susceptible to hijacking.

  • Cyber Risk Exposure: The platform considers factors like certificates, subdomain headers, and vulnerabilities to assess an organization's cyber risk exposure. An example would be if a hidden subdomain "old-blog.examplecorp.com" is running on an outdated version of WordPress with known vulnerabilities; ThreatNG would flag this as a risk.
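The dangling-CNAME check described under Subdomain Takeover Susceptibility, as an added example that is not ThreatNG code: it follows each CNAME chain in a zone and flags names whose chain ends at a target that no longer resolves (NXDOMAIN). The zone data and the resolver stub are constructed; a real check would issue live DNS queries and would also consult provider-specific fingerprints before calling a record takeover-prone.

```python
"""Find subdomains whose CNAME chain ends at a name that no longer resolves.

Added example, not ThreatNG code. ZONE, EXTERNAL and lookup() are
constructed stand-ins for an authoritative zone export and a live resolver.
"""

# Constructed zone: owner name -> (rtype, rdata).
ZONE = {
    "www.examplecorp.com": ("A", "203.0.113.10"),
    "jobs.examplecorp.com": ("CNAME", "examplecorp.recruiting-saas.example"),
    "blog.examplecorp.com": ("CNAME", "www.examplecorp.com"),
    "old-blog.examplecorp.com": ("CNAME", "pages.hosting-saas.example"),
    "loop.examplecorp.com": ("CNAME", "loop2.examplecorp.com"),
    "loop2.examplecorp.com": ("CNAME", "loop.examplecorp.com"),
}

# Constructed view of public DNS for names outside the zone.
# None models NXDOMAIN: the SaaS tenant behind the CNAME was deleted.
EXTERNAL = {
    "pages.hosting-saas.example": "198.51.100.7",
    "examplecorp.recruiting-saas.example": None,
}


def lookup(name):
    """Resolver stub: return (rtype, rdata), or None for NXDOMAIN."""
    if name in ZONE:
        return ZONE[name]
    addr = EXTERNAL.get(name)
    return ("A", addr) if addr else None


def classify(name, resolve=lookup, max_hops=8):
    """Walk the CNAME chain from `name` and report how it ends."""
    seen = set()
    cur = name
    for _ in range(max_hops):
        rec = resolve(cur)
        if rec is None:
            return ("dangling", cur)      # chain ends in NXDOMAIN
        rtype, rdata = rec
        if rtype != "CNAME":
            return ("ok", cur)            # terminal address record
        if rdata == cur or rdata in seen:
            return ("loop", rdata)        # misconfigured circular chain
        seen.add(cur)
        cur = rdata
    return ("too-deep", cur)


def dangling_subdomains(zone=ZONE, resolve=lookup):
    """Return the zone's CNAME owners whose chain ends at a dead target."""
    return sorted(n for n, (t, _) in zone.items()
                  if t == "CNAME" and classify(n, resolve)[0] == "dangling")
```

Run against a real zone, each "dangling" result is a record to delete or re-point; "loop" results are ordinary misconfigurations worth cleaning up at the same time.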

Investigating Hidden Subdomains with ThreatNG

ThreatNG's Investigation Modules provide the tools to delve deeper into discovered subdomains.

  • Subdomain Intelligence: This module provides detailed information on subdomains, including HTTP responses, security headers, and the technologies running on them. You can use this to check if a hidden subdomain, such as "internal-wiki.examplecorp.com", is hosted on an unsecured cloud service or has deprecated headers, which indicates a security risk.

  • DNS Intelligence: It analyzes DNS records and performs domain name permutations to find hidden or malicious subdomains. ThreatNG can detect lookalike domains such as "examp1ecorp.com" (using a homoglyph), or permutations like "support-examplecorp.net" that redirect to phishing sites.

  • Certificate Intelligence: This module helps you find subdomains that are associated with an organization's certificates, which can help uncover subdomains that are not otherwise discoverable. For instance, a certificate for "examplecorp.com" might also list a subject alternative name for "api.staging.examplecorp.com," revealing a hidden staging environment.

Monitoring, Reporting, and Intelligence Repositories

Continuous Monitoring is key: ThreatNG watches the external attack surface on an ongoing basis to catch any new or changing subdomain risks.

Reporting provides a clear, prioritized view of the risks found, allowing an organization to focus on the most critical issues. For example, a report might show "old-crm.examplecorp.com" as a high-risk subdomain due to an exposed sensitive port and a known vulnerability.

ThreatNG's Intelligence Repositories (DarCache) are constantly updated with threat data.

  • Vulnerabilities (DarCache Vulnerability): This repository provides context on vulnerabilities, including their exploitability and potential impact. If a hidden subdomain is running a technology with a known CVE, DarCache can provide details on how critical that vulnerability is.

  • Compromised Credentials (DarCache Rupture): This can help determine if any exposed credentials on a hidden subdomain have been compromised. For example, if a dev environment on a hidden subdomain has hardcoded credentials that are found in a data breach, DarCache would flag it.

Synergies with Complementary Solutions

ThreatNG's capabilities can work with other solutions to provide a more comprehensive security posture.

  • Security Information and Event Management (SIEM) Solutions: ThreatNG can feed its discovery and assessment data into a SIEM. For example, ThreatNG might find a new, hidden subdomain and flag it as a potential risk. This information could be sent to a SIEM, which could then correlate this finding with network traffic logs to see if there have been any attempts to access or exploit that subdomain.

  • Endpoint Detection and Response (EDR) Solutions: If ThreatNG identifies a malicious hidden subdomain used for a phishing attack, it could integrate with an EDR to automatically quarantine any endpoints that have accessed that URL, preventing malware from spreading.

  • Vulnerability Management Platforms: While ThreatNG identifies vulnerabilities on the external attack surface, it could work with a dedicated vulnerability management platform to manage the remediation workflow for those findings. For example, ThreatNG might discover a vulnerable version of a web server on a hidden subdomain, and that finding could be automatically sent to the vulnerability management platform to create a ticket for the IT team to patch the server.
