Progressive Footprinting


In cybersecurity, progressive footprinting is a reconnaissance technique in which information about a target organization or system is gathered in stages, with each stage building upon the knowledge gained in the previous one.

Here's a breakdown of how it works:

  1. Initial Reconnaissance: The process starts with gathering basic information that is publicly accessible. This might include:

    • Organization's website and associated domain names

    • IP addresses and netblocks registered to the organization

    • DNS records

    • Social media profiles

  2. Iterative Expansion: The information gathered in the first stage is then used to discover more detailed and potentially sensitive information. This can involve:

    • Scanning for open ports and services on discovered IP addresses

    • Identifying subdomains and related websites

    • Analyzing website code and structure

    • Gathering employee information from online sources

  3. Deepening Investigation: As the process progresses, the level of detail and the intrusiveness increase. Whereas the first stage only consults public records, the steps below touch the target's systems directly, so in an authorized assessment they must stay within the agreed scope and rules of engagement. This could involve:

    • Identifying specific software versions and vulnerabilities

    • Checking for exposed files or directories that were not meant to be public (backups, configuration files, directory listings)

    • Mapping network infrastructure
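The three stages above, carried through as one worklist loop, as an added worked example in Python (not code from the original page or from ThreatNG). The DNS records, certificate SANs and port banners are constructed tables standing in for real resolver, certificate-transparency and scanner output, using reserved example.com and 203.0.113.0/24 values, so the script runs offline; the function and table names are this example's own.

```python
"""Progressive footprinting as a worklist.

Every fact produced in one stage (an IP address, an MX host, a certificate
SAN, a CNAME target) is fed back in as a seed for the next, so the map grows
from a single domain outward. Two controls keep that loop honest: a scope
check, so third-party names are recorded but never expanded, and an explicit
gate for the active stage, so port/service discovery only happens when the
caller has said it is allowed.
"""
from collections import deque

# Constructed stand-ins for DNS, certificate-transparency and port-scan
# results (not real lookups); names and addresses are reserved example values.
DNS = {
    "example.com":      {"A": ["203.0.113.10"], "MX": ["mail.example.com"],
                         "NS": ["ns1.example.net"]},
    "www.example.com":  {"A": ["203.0.113.10"]},
    "mail.example.com": {"A": ["203.0.113.25"]},
    "dev.example.com":  {"CNAME": ["example-dev.storage.example.net"]},
    # api.example.com is listed in a certificate but has no DNS records.
}
CERT_SANS = {"example.com": ["www.example.com", "dev.example.com", "api.example.com"]}
PORTS = {"203.0.113.10": {443: "nginx"}, "203.0.113.25": {25: "postfix", 587: "postfix"}}


def in_scope(host, root):
    """Only the root domain and its subdomains may be expanded further."""
    return host == root or host.endswith("." + root)


def footprint(root, allow_active=False):
    """Stage 1 (passive): DNS records and certificate SANs, iterated until no
    new in-scope name appears.  Stage 2 (active): port/service discovery on
    every IP found, run only when allow_active is True."""
    found = {"hosts": set(), "ips": set(), "out_of_scope": set(),
             "unresolved": [], "dangling_cname": [], "services": {}}
    work = deque([("host", root)])
    seen = set()
    while work:
        kind, value = work.popleft()
        if (kind, value) in seen:          # dedup: each fact is expanded once
            continue
        seen.add((kind, value))
        if kind == "host":
            if not in_scope(value, root):
                found["out_of_scope"].add(value)   # noted, never expanded
                continue
            found["hosts"].add(value)
            records = DNS.get(value, {})
            if not records:                        # e.g. a stale SAN
                found["unresolved"].append(value)
            for ip in records.get("A", []):
                work.append(("ip", ip))
            for target in records.get("CNAME", []):
                # A CNAME pointing at a name that no longer resolves is the
                # classic subdomain-takeover candidate: flag it for follow-up.
                if not DNS.get(target):
                    found["dangling_cname"].append((value, target))
                work.append(("host", target))
            for host in records.get("MX", []) + records.get("NS", []):
                work.append(("host", host))
            for san in CERT_SANS.get(value, []):
                work.append(("host", san))
        elif kind == "ip":
            found["ips"].add(value)
            if allow_active:                       # stage 2 is gated
                for port, banner in PORTS.get(value, {}).items():
                    found["services"][(value, port)] = banner
    return found


if __name__ == "__main__":
    passive = footprint("example.com")
    for key, items in passive.items():
        print(f"{key}: {sorted(items) if isinstance(items, set) else items}")
    print("services (active):", footprint("example.com", allow_active=True)["services"])
```

Two design points carry over to a real tool: the scope check is what stops a knowledge-driven loop from wandering into a hosting provider's or DNS operator's infrastructure (those names are kept as findings but never expanded), and keeping the active stage behind a flag makes the jump in intrusiveness between stages an explicit decision rather than a side effect of discovering an IP.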

Key Characteristics:

  • Staged Approach: Information gathering is not a single event but a series of steps.

  • Knowledge-Driven: Each step is guided by the information obtained in the previous step.

  • Increasing Granularity: The process moves from general information to more specific and detailed data.

  • Attacker Mimicry: progressive footprinting mirrors how attackers gather information before launching an attack.

Purpose:

  • Progressive Footprinting helps attackers or security professionals comprehensively understand a target's systems and potential weaknesses.

  • For attackers, this information can be used to plan and execute attacks.

  • Security professionals use it to identify the same weaknesses first and improve their security posture.

ThreatNG is a powerful platform designed to give organizations a comprehensive understanding of their external security posture. It achieves this through a combination of several key capabilities:

External Discovery

  • ThreatNG's strength starts with its external discovery. It uses a "seedless" approach and can perform purely external unauthenticated discovery using only a domain and organization name.

  • This is a significant advantage because it eliminates the need for you to have a pre-existing inventory of all your external assets. ThreatNG automatically maps your external footprint, discovering assets you might not know about.

External Assessment

ThreatNG provides detailed external assessments to pinpoint potential vulnerabilities:

  • Web Application Hijack Susceptibility: ThreatNG analyzes your web applications to find weaknesses that could allow attackers to take control.

    • For example, it assesses login pages for vulnerability to credential stuffing and checks for Cross-Site Scripting (XSS) vulnerabilities by analyzing the parts of a web application accessible from the outside world.

  • Subdomain Takeover Susceptibility: It assesses the risk of attackers taking over your subdomains.

    • This involves comprehensively analyzing your website's subdomains, DNS records (including CNAMEs that point at services no longer under your control), and TLS certificate statuses.

  • BEC & Phishing Susceptibility: ThreatNG evaluates your vulnerability to Business Email Compromise (BEC) and phishing attacks.

    • It considers factors like public sentiment, financial data, the risk of domain impersonation (using Domain Intelligence), and compromised credentials on the dark web.

  • Brand Damage Susceptibility: ThreatNG assesses the risk to your brand's reputation.

    • It analyzes your attack surface, digital risk, ESG violations, public sentiment, financial information (like lawsuits and SEC filings), and the potential for domain impersonation.

  • Data Leak Susceptibility: ThreatNG evaluates your risk of data leaks.

    • It examines your cloud and SaaS exposure, dark web presence (for compromised credentials), domain intelligence, and financial/legal disclosures.

  • Cyber Risk Exposure: ThreatNG calculates your overall cyber risk.

    • This includes analyzing certificate issues, subdomain headers, vulnerabilities, and exposed ports.

    • It also considers sensitive data in code repositories, cloud and SaaS exposure, and compromised credentials.

  • ESG Exposure: ThreatNG assesses your vulnerability to Environmental, Social, and Governance (ESG) risks.

    • It analyzes media sentiment and financial findings to identify potential ESG-related issues.

  • Supply Chain & Third-Party Exposure: ThreatNG helps you understand risks from your vendors.

    • It identifies the vendor technologies and assesses your cloud and SaaS exposure.

  • Breach & Ransomware Susceptibility: ThreatNG evaluates your likelihood of experiencing a data breach or ransomware attack.

    • It considers your attack surface, dark web activity (ransomware events, gang activity, and compromised credentials), and financial disclosures (SEC Form 8-Ks).

  • Mobile App Exposure: ThreatNG analyzes your mobile apps for security issues.

    • It discovers your apps in marketplaces and examines them for exposed credentials, security keys, and platform-specific identifiers.

  • Positive Security Indicators: Importantly, ThreatNG also identifies and highlights your security strengths, such as the presence of Web Application Firewalls or multi-factor authentication.

Reporting

ThreatNG delivers a variety of reports to meet different needs:

  • Executive summaries

  • Technical reports

  • Prioritized risk lists

  • Security ratings

  • Inventory reports

  • Ransomware susceptibility reports

  • SEC filings analysis

These reports are enhanced with a built-in knowledge base that provides:

  • Risk levels for prioritization

  • Reasoning behind the findings

  • Recommendations for remediation

  • Links to further information

Continuous Monitoring

ThreatNG continuously monitors your external attack surface, digital risks, and security ratings, providing ongoing awareness of your security posture.

Investigation Modules

ThreatNG's investigation modules provide powerful tools for in-depth analysis:

  • Domain Intelligence: This module offers a wealth of information about your domains:

    • Domain Overview (digital presence, bug bounty programs, SwaggerHub instances)

    • DNS Intelligence (DNS records, domain name permutations, Web3 domains)

    • Email Intelligence (email security presence, format predictions, harvested emails)

    • WHOIS Intelligence (WHOIS analysis)

    • Subdomain Intelligence (extensive details about subdomains, technologies used)

    • IP Intelligence (IP information)

    • Certificate Intelligence (TLS certificates)

    • Social Media (organization's posts)

  • Sensitive Code Exposure: This module discovers public code repositories and identifies exposed credentials, API keys, and other sensitive information.

    • For example, it can find hardcoded AWS credentials in a GitHub repository.

  • Mobile Application Discovery: This module discovers your mobile apps in marketplaces and analyzes them for security vulnerabilities.

    • For instance, it can detect hardcoded API keys within a mobile app.

  • Search Engine Exploitation: This module helps you assess how easily information can be exposed through search engines.

    • It analyzes website control files (like robots.txt and security.txt) and identifies potential search engine attack surfaces.

  • Cloud and SaaS Exposure: This module identifies your cloud services, potential cloud impersonations, exposed cloud storage, and SaaS applications.

  • Online Sharing Exposure: This module identifies your presence on code-sharing platforms.

  • Sentiment and Financials: This module provides insights into lawsuits, layoff chatter, SEC filings, and ESG violations.

  • Archived Web Pages: This module helps you discover archived versions of your web pages and data.

  • Dark Web Presence: This module tracks mentions of your organization on the dark web, ransomware activity, and compromised credentials.

  • Technology Stack: This module identifies the technologies you use.

Intelligence Repositories

ThreatNG uses a wealth of intelligence repositories to enrich its analysis:

  • Dark web data

  • Compromised credentials

  • Ransomware information

  • Vulnerability data

  • ESG violation records

  • Bug bounty programs

  • SEC filings

  • Mobile app data

Working with Complementary Solutions

ThreatNG integrates with other security tools to enhance your overall security posture:

  • SIEM (Security Information and Event Management) systems: You can feed ThreatNG's findings into your SIEM to correlate external risks with internal events.

    • For example, if ThreatNG detects compromised credentials, your SIEM can watch for suspicious logins to the affected accounts.

  • Vulnerability Management Tools: ThreatNG's external vulnerability assessments complement internal scanning.

    • For example, ThreatNG might identify an exposed web application, and your vulnerability scanner can then perform a deeper analysis.

  • SOAR (Security Orchestration, Automation, and Response) Platforms: You can use ThreatNG's data to automate security responses.

    • For instance, if ThreatNG detects a potential phishing domain, your SOAR platform can block it.

  • Identity and Access Management (IAM) Systems: Integrate ThreatNG's compromised credential detection to trigger actions like password resets.

ThreatNG is a valuable solution for proactive security management because it provides comprehensive external visibility, detailed risk assessments, and seamless integration.
