Outdated Subdomains
In cybersecurity, an outdated subdomain refers to a subdomain that is no longer actively maintained, updated, or in use by an organization. While the primary domain may be current and secure, these forgotten or neglected subdomains can present significant security risks.
The danger of an outdated subdomain lies in the fact that it is often running old, unpatched software, such as an obsolete version of a Content Management System (CMS), web server, or e-commerce platform. Because they are not actively monitored, these subdomains become a prime target for attackers.
Hackers can use outdated subdomains for a variety of malicious purposes:
Website defacement: Attackers can exploit a vulnerability to alter the content of the subdomain's website.
Malware injection: They can inject malicious code to distribute malware to visitors.
Redirecting users: Attackers can redirect users to phishing sites or other malicious destinations.
Data breaches: An outdated subdomain might be connected to an old database that still contains sensitive information, which can be a target for a data breach.
Even if an outdated subdomain is not actively being used for malicious purposes, its existence can still be a risk. It may have weak security configurations, exposed ports, or deprecated headers that make it a soft target for attackers to gain a foothold on a company's network.
ThreatNG helps manage risks from outdated subdomains by providing a comprehensive, outside-in view of an organization's attack surface. It identifies and assesses these neglected assets, which are often running old software, and flags them as potential security risks.
ThreatNG's Role in Discovering and Assessing Outdated Subdomains
External Discovery is ThreatNG's starting point: it performs unauthenticated, external discovery to find an organization's digital assets without relying on internal connectors. This process is crucial for uncovering subdomains that are no longer linked from the main site but are still live and accessible.
The External Assessment capabilities then analyze these discovered assets for specific vulnerabilities and risks.
Web Application Hijack Susceptibility: This assessment analyzes parts of a web application that are externally accessible to identify potential entry points for attackers. For example, if a company's old, forgotten subdomain like archive.companyname.com is running an outdated content management system (CMS) with a known vulnerability, ThreatNG would detect this and flag it as a potential hijack risk.
Cyber Risk Exposure: ThreatNG considers parameters covered by its Domain Intelligence module, such as vulnerabilities and sensitive ports, to determine cyber risk exposure. A great example is an outdated subdomain like old-dev.companyname.com that's running an old web server version with a known vulnerability and has an exposed sensitive port; ThreatNG would factor this into its cyber risk score.
Using ThreatNG's Investigation Modules to Mitigate Risks
ThreatNG’s Investigation Modules provide the tools to delve deeper into discovered subdomains and the associated risks.
Subdomain Intelligence: This module analyzes various aspects of a subdomain, including its HTTP responses, security headers, and the server technologies it's using. For instance, it can reveal that an outdated subdomain legacy-portal.companyname.com is using deprecated security headers or is hosted on an insecure platform, indicating a security risk. It can also identify known vulnerabilities associated with the technologies in use on the subdomain.
Archived Web Pages: ThreatNG can find archived versions of an organization's web presence. This can help identify and shut down old pages or entire subdomains that have been forgotten but still exist online, preventing attackers from using them to compromise a website or redirect users to malicious sites.
Ongoing Monitoring, Reporting, and Intelligence Repositories
Continuous Monitoring is a core capability of ThreatNG. It ensures that the external attack surface is constantly being checked for new or changing risks related to outdated subdomains.
Reporting provides a clear, prioritized view of the risks found, helping an organization focus on the most critical issues. A report might show outdated-blog.companyname.com as a high-risk subdomain due to an exposed sensitive port and an unpatched vulnerability, which helps the IT team prioritize remediation efforts.
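As an added example that is not ThreatNG's code or output, the following Python script shows the kind of check described under Subdomain Intelligence above (deprecated or missing security headers, a version-disclosing Server header) together with the per-subdomain prioritization described under Reporting. The hostnames and response headers are constructed for the example, and the severity weights are an assumption.

```python
# Added example (not ThreatNG code): audit constructed HTTP response headers
# from several subdomains for signs of neglect, then rank hosts by total risk.
from dataclasses import dataclass

# Headers browsers no longer honour or that have been withdrawn; their presence
# suggests a configuration nobody has revisited in years.
DEPRECATED_HEADERS = {"x-xss-protection", "public-key-pins", "expect-ct"}
# Headers a maintained HTTPS site is expected to send.
EXPECTED_HEADERS = {"strict-transport-security", "content-security-policy"}

@dataclass
class Finding:
    host: str
    issue: str
    severity: int  # assumed weights: 1 = low, 2 = medium, 3 = high

def audit_headers(host: str, headers: dict[str, str]) -> list[Finding]:
    """Return findings for one subdomain's response headers (case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in sorted(DEPRECATED_HEADERS & h.keys()):
        findings.append(Finding(host, f"deprecated header {name}", 1))
    for name in sorted(EXPECTED_HEADERS - h.keys()):
        findings.append(Finding(host, f"missing header {name}", 2))
    # A Server header carrying a version string advertises the exact build,
    # which is what gets matched against public vulnerability data.
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(Finding(host, f"server version disclosed: {server}", 3))
    return findings

def prioritize(hosts, findings: list[Finding]) -> list[tuple[str, int]]:
    """Sum severities per host (clean hosts score 0), highest risk first."""
    totals = {host: 0 for host in hosts}
    for f in findings:
        totals[f.host] += f.severity
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample responses; hostnames and header values are invented.
SAMPLE_RESPONSES = {
    "www.companyname.com": {"Server": "nginx",
        "Strict-Transport-Security": "max-age=63072000",
        "Content-Security-Policy": "default-src 'self'"},
    "legacy-portal.companyname.com": {"Server": "Apache/2.2.15 (CentOS)",
        "X-XSS-Protection": "1; mode=block"},
    "archive.companyname.com": {"Server": "Microsoft-IIS/7.5",
        "Public-Key-Pins": 'pin-sha256="AAAA"; max-age=0',
        "Strict-Transport-Security": "max-age=0"},
}

def run(responses=SAMPLE_RESPONSES) -> list[tuple[str, int]]:
    findings = [f for host, hdrs in responses.items() for f in audit_headers(host, hdrs)]
    return prioritize(responses.keys(), findings)

if __name__ == "__main__":
    for host, score in run():
        print(f"{score:2d}  {host}")
```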
ThreatNG's Intelligence Repositories (DarCache) provide valuable context for the findings.
Vulnerabilities (DarCache Vulnerability): This repository provides context on vulnerabilities, including their real-world exploitability. If an outdated subdomain is running a technology with a known CVE, DarCache can provide details on how critical that vulnerability is, helping to inform the risk assessment.
Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): By linking directly to PoC exploits on platforms like GitHub, referenced by CVE, ThreatNG accelerates the understanding of how a vulnerability on an outdated subdomain can be exploited. This information is invaluable for security teams to assess the real-world impact and develop effective mitigation strategies.
Synergies with Complementary Solutions
ThreatNG's capabilities can work with complementary solutions to provide a more holistic security posture.
Vulnerability Management Platforms: When ThreatNG identifies a vulnerable, outdated subdomain, the information could be automatically fed into a vulnerability management platform. This would allow for the creation of a remediation ticket and tracking the patching process until the risk is mitigated. For example, if ThreatNG discovers that test-site.companyname.com has a critical vulnerability, it could create a ticket in a vulnerability management platform for the IT team to investigate and patch the issue.
Security Orchestration, Automation, and Response (SOAR) Platforms: If ThreatNG finds a high-risk, outdated subdomain, a SOAR platform could automatically trigger a playbook. This could include steps like sending a notification to the security team, opening a ticket in an IT service management system, and running an automated scan to confirm the vulnerability's existence.