Seedless Discovery
In cybersecurity, Seedless Discovery is a methodology for identifying and mapping an organization's digital assets and potential attack surface from an external, unauthenticated perspective without relying on pre-existing internal knowledge, credentials, installed agents, or direct network connections. It's akin to how a threat actor would initially probe and map a target organization before launching an attack.
Here's a detailed breakdown of the concept:
Core Principles:
External Viewpoint: Seedless discovery operates entirely from the outside, mimicking an attacker's visibility. It focuses on what is exposed to the public internet.
No Internal Footprint Required: Unlike traditional asset discovery methods, which often require access to internal networks, system credentials, or the deployment of agents, seedless discovery functions independently.
Autonomous Exploration: The process is largely automated, with the discovery engine autonomously exploring and mapping the digital landscape associated with the target organization.
Focus on Attack Surface: The primary goal is to identify all externally reachable assets that malicious actors could exploit.
Continuous Monitoring: Seedless discovery is usually run as a continuous process rather than a one-off exercise, because the external attack surface changes constantly as assets are added, retired, or reconfigured.
Key Techniques Involved:
Open Source Intelligence (OSINT) Gathering: This is the foundational step. Seedless discovery engines collect publicly available information related to the target organization, including:
Domain Name System (DNS) Enumeration: Identifying all registered domains and subdomains associated with the organization. This includes active DNS records (A, AAAA, CNAME, MX, NS, TXT, etc.) and potentially historical records.
WHOIS Data Analysis: Examining domain registration information to identify ownership details, contact information, and other related domains owned by the same entity.
Certificate Transparency (CT) Log Monitoring: This involves tracking newly issued SSL/TLS certificates, which can reveal previously unknown domains and subdomains associated with the organization.
Web Crawling and Link Analysis: Exploring publicly accessible websites to discover more linked assets, applications, and infrastructure.
Search Engine Reconnaissance: Identifying publicly indexed information and potential exposures through search engine queries.
Social Media Analysis: Identifying official and related social media profiles and gleaning information about associated web properties from them.
Business Registries and Public Records: Mining publicly available business information for related entities and online presences.
Active External Probing: Once the initial set of assets is identified through OSINT, the seedless discovery engine actively probes these assets to gather more information:
Port Scanning: Identifying open TCP and UDP ports on discovered IP addresses, revealing the services and applications exposed to the internet.
Service Fingerprinting: Determining the type and version of software and services running on open ports (e.g., web servers, mail servers, databases).
Web Application Scanning (Lightweight): Performing basic checks on web applications to identify publicly accessible login pages, APIs, and potential entry points. This is typically less intrusive than a full vulnerability scan.
Network Infrastructure Mapping: Inferring network topology and identifying potential pathways an attacker might exploit.
Cloud Infrastructure Discovery: Identifying publicly exposed cloud resources (e.g., S3 buckets, Azure Blob Storage, Google Cloud Storage) based on naming conventions, DNS records, and service responses.
Data Analysis and Attribution: The collected data is then analyzed to:
Attribute Assets to the Organization: Accurately link discovered assets back to the target organization, even if they are not immediately apparent.
Classify Assets: Categorize assets based on their type (e.g., web server, mail server, API endpoint, cloud storage).
Identify Potential Risks: Highlight publicly exposed services, outdated software versions, misconfigurations, and other indicators of potential vulnerabilities.
Map Relationships: Understand the connections between different assets and how they contribute to the attack surface.
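The pipeline above, from OSINT collection through attribution, classification and risk flagging, as an added illustration written for this page (it is not code from any product). All domains, CT entries, DNS answers and the set of resolvable CNAME targets are constructed, and the registrable-domain helper is a deliberate simplification that ignores the public suffix list (so names under suffixes like co.uk would be mis-split).

```python
# Constructed sample data (not real): the organization's apex domains, a few
# Certificate Transparency entries (subject/SAN names), DNS answers for the
# discovered names, and the CNAME targets that currently resolve.
ORG_APEX_DOMAINS = {"example.com", "example.net"}
CT_ENTRIES = [
    {"names": ["www.example.com", "api.example.com"]},
    {"names": ["*.example.com", "legacy-files.example.com"]},
    {"names": ["shop.example.net"]},
    {"names": ["example.com.unrelated-host.test"]},  # substring match only, not ours
]
DNS_RECORDS = {
    "www.example.com": [("A", "192.0.2.10")],
    "api.example.com": [("CNAME", "api-prod.example.com")],
    "legacy-files.example.com": [("CNAME", "legacy-files.s3.amazonaws.com")],
    "shop.example.net": [("MX", "mail.example.net"), ("A", "198.51.100.7")],
}
RESOLVABLE_TARGETS = {"api-prod.example.com", "mail.example.net"}
CLOUD_STORAGE_SUFFIXES = (".s3.amazonaws.com", ".blob.core.windows.net",
                          ".storage.googleapis.com")


def registrable_domain(name: str) -> str:
    """Apex domain as the last two labels (simplification: no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def discover_from_ct(entries, apex_domains):
    """Attribute CT names to the organization by exact apex match, never by substring."""
    found = set()
    for entry in entries:
        for name in entry["names"]:
            name = name.lower()
            if name.startswith("*."):  # a wildcard cert only proves the parent name
                name = name[2:]
            if registrable_domain(name) in apex_domains:
                found.add(name)
    return sorted(found)


def classify_asset(name, records):
    """Classify from DNS records and flag a dangling CNAME as a takeover risk."""
    asset = {"name": name, "type": "host", "risks": []}
    for rtype, value in records.get(name, []):
        if rtype == "MX":
            asset["type"] = "mail"
        elif rtype == "CNAME":
            if value.endswith(CLOUD_STORAGE_SUFFIXES):
                asset["type"] = "cloud_storage"
            if value not in records and value not in RESOLVABLE_TARGETS:
                asset["risks"].append(f"dangling CNAME -> {value}")
    return asset


def build_inventory():
    """Seedless flow: CT names -> attributed subdomains -> classified, risk-flagged assets."""
    names = discover_from_ct(CT_ENTRIES, ORG_APEX_DOMAINS)
    return {n: classify_asset(n, DNS_RECORDS) for n in names}
```

In a real engine the CT entries and DNS answers would come from live CT log queries and resolvers, and the dangling check would resolve each CNAME target rather than consult a static set.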
Benefits of Seedless Discovery:
Comprehensive External Visibility: Uncovers the entire external attack surface, including shadow IT and forgotten assets that internal scans might miss.
Attacker's Perspective: Provides a realistic view of what an attacker can see and potentially exploit.
No Internal Access or Disruption: Operates without requiring access to internal networks or systems, minimizing disruption and complexity.
Identification of Unknown Assets: Effectively discovers assets that are not documented in internal inventories.
Continuous Monitoring Capabilities: Facilitates ongoing monitoring of the evolving external attack surface.
Independent Validation: Offers an unbiased assessment of external exposure, independent of internal configurations and knowledge.
Limitations:
Limited Internal Context: Lacks detailed information about discovered assets' internal workings and criticality.
Potential for False Positives/Negatives: While sophisticated, OSINT and external probing can sometimes lead to misattributions or missed assets.
Depth of Analysis: External probing is generally less in-depth than authenticated internal vulnerability scanning.
In cybersecurity risk management, seedless discovery plays a crucial role in giving organizations a foundational understanding of their external exposure. This information is vital for:
Attack Surface Management (ASM): Identifying, analyzing, and mitigating risks of externally facing assets.
Threat Intelligence: Understanding how the organization appears to potential attackers.
Vulnerability Management: Prioritizing remediation efforts based on external exposure and potential exploitability.
Security Auditing and Compliance: Providing an independent view of external security posture.
Mergers and Acquisitions: Assessing the external attack surface of target companies.
Seedless discovery is a powerful and increasingly essential technique in cybersecurity for gaining a comprehensive, outside-in view of an organization's digital footprint and proactively managing external risks. It complements traditional internal security measures by providing a critical perspective on what is visible and potentially vulnerable on the internet.
ThreatNG offers robust capabilities to enhance an organization's external risk management. It provides valuable insights and solutions to proactively identify, assess, and mitigate potential threats.
ThreatNG's strength lies in its ability to perform purely external unauthenticated discovery without using connectors. This "seedless" approach identifies an organization's external assets from an attacker's perspective, providing a comprehensive view of the attack surface.
This is incredibly helpful because it eliminates the need for organizations to have prior knowledge of all their external-facing assets.
It can discover forgotten or shadow IT assets that could be vulnerable entry points.
ThreatNG provides a wide range of external assessment capabilities, delivering detailed insights into various risk areas:
Web Application Hijack Susceptibility: ThreatNG analyzes externally accessible parts of web applications to pinpoint potential entry points for attackers.
For example, it assesses a website's login page for susceptibility to credential stuffing or its vulnerability to Cross-Site Scripting (XSS) attacks.
Subdomain Takeover Susceptibility: ThreatNG evaluates the risk of unauthorized parties taking over subdomains by analyzing subdomains, DNS records, and SSL certificate statuses.
For instance, it can identify subdomains with outdated DNS records that could be exploited for subdomain takeovers.
BEC & Phishing Susceptibility: ThreatNG assesses the likelihood of Business Email Compromise (BEC) and phishing attacks by analyzing sentiment, financials, domain intelligence (including domain name permutations), and dark web presence (compromised credentials).
For example, ThreatNG can identify lookalike domains that could be used for phishing or detect compromised email credentials that could facilitate BEC attacks.
Brand Damage Susceptibility: ThreatNG assesses the risk of damage to an organization's brand by analyzing attack surface intelligence, digital risk intelligence, ESG violations, sentiment, financials (lawsuits, SEC filings, negative news), and domain intelligence.
For example, it can detect negative social media sentiment or the registration of domains that could be used for brand impersonation.
Data Leak Susceptibility: ThreatNG analyzes external attack surface and digital risk intelligence, dark web presence (compromised credentials), domain intelligence, sentiment, and financials to determine the risk of data leaks.
It can discover exposed cloud storage or code repositories containing sensitive information.
Cyber Risk Exposure: ThreatNG considers domain intelligence parameters like certificates, subdomain headers, vulnerabilities, and sensitive ports to determine cyber risk exposure.
It also factors in code secret exposure by discovering code repositories, determining their exposure level, and investigating their contents for sensitive data.
Additionally, it evaluates cloud and SaaS exposure and considers compromised credentials on the dark web.
For instance, ThreatNG can identify exposed ports that could be exploited for network attacks or detect hardcoded credentials in code repositories.
ESG Exposure: ThreatNG evaluates an organization's vulnerability to environmental, social, and governance (ESG) risks by analyzing external attack surface and digital risk intelligence, sentiment, and financial findings.
It examines media coverage sentiment and financial analysis to highlight competition, consumer, employment, environment, and safety-related offenses.
Supply Chain & Third-Party Exposure: ThreatNG derives this from domain intelligence (enumeration of vendor technologies), technology stack, and cloud and SaaS exposure.
It can identify third-party technologies an organization uses and assess their security posture.
Breach & Ransomware Susceptibility: ThreatNG calculates this based on external attack surface and digital risk intelligence, including domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events and gang activity), and sentiment and financials (SEC Form 8-Ks).
For example, it can detect compromised credentials on the dark web or identify potential ransomware vulnerabilities.
Mobile App Exposure: ThreatNG evaluates an organization's mobile apps' exposure by discovering them in marketplaces and analyzing their contents for access credentials, security credentials, and platform-specific identifiers.
It can identify hardcoded API keys or other sensitive information within mobile apps.
Positive Security Indicators: ThreatNG doesn't just focus on the negative! It also identifies and highlights an organization's security strengths, such as the presence of Web Application Firewalls or multi-factor authentication, providing a balanced view of the security posture.
ThreatNG provides various reporting options to cater to different audiences and needs.
These reports include executive summaries, technical details, prioritized lists of risks, security ratings, inventory reports, ransomware susceptibility assessments, and even analysis of U.S. SEC filings.
ThreatNG embeds a knowledge base to provide context, reasoning, recommendations, and reference links to make these reports even more useful. This empowers organizations to understand and address identified risks effectively.
ThreatNG continuously monitors external attack surfaces, digital risks, and security ratings. This proactive approach informs organizations about changes in their external risk posture and enables them to respond swiftly to emerging threats.
ThreatNG offers powerful investigation modules that provide in-depth information for detailed risk analysis:
Domain Intelligence: This module provides a comprehensive view of domain-related information, including:
Domain Overview (digital presence, bug bounty programs)
DNS Intelligence (domain record analysis, domain name permutations, Web3 domains)
Email Intelligence (security presence, format predictions, harvested emails)
WHOIS Intelligence (WHOIS analysis, other domains owned)
Subdomain Intelligence (extensive analysis of subdomain characteristics and technologies)
IP Intelligence (IPs, shared IPs, ASNs, country locations, private IPs)
Certificate Intelligence (TLS certificates, associated organizations)
Social Media (posts from the organization)
Sensitive Code Exposure: This module discovers public code repositories and uncovers exposed credentials, API keys, and other secrets.
For example, it can identify a GitHub repository containing hardcoded AWS credentials.
Mobile Application Discovery: This module discovers mobile apps in marketplaces and analyzes their content for sensitive information.
For example, it can find hardcoded API keys within a mobile app.
Search Engine Exploitation: This module helps users investigate an organization’s susceptibility to exposing information via search engines.
It includes Website Control Files analysis (robots.txt, security.txt) and Search Engine Attack Surface assessment.
Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services, impersonations, exposed cloud buckets, and SaaS implementations.
Online Sharing Exposure: This module identifies an organization's presence within online code-sharing platforms.
Sentiment and Financials: This module provides information on organizational lawsuits, layoff chatter, SEC filings, and ESG violations.
Archived Web Pages: This module identifies various archived files and data related to the organization's online presence.
Dark Web Presence: This module tracks organizational mentions, associated ransomware events, and compromised credentials on the dark web.
Technology Stack: This module identifies the technologies used by the organization.
ThreatNG leverages intelligence repositories to provide context and enhance risk assessments. These repositories include data on:
Dark web activity
Compromised credentials
Ransomware events and groups
Known vulnerabilities
ESG violations
Bug bounty programs
SEC filings
Mobile apps
Working with Complementary Solutions
ThreatNG's capabilities can work seamlessly with various complementary security tools:
SIEM (Security Information and Event Management) systems: ThreatNG's external attack surface and threat intelligence data can be fed into a SIEM to provide a more comprehensive view of an organization's security posture.
For example, ThreatNG could alert a SIEM about exposed credentials, and the SIEM could correlate that with login attempts.
Vulnerability Management Tools: ThreatNG's vulnerability assessments can complement internal vulnerability scanning by providing an external attacker's perspective.
For instance, ThreatNG might discover an exposed web application, and a vulnerability scanner could perform a detailed scan for specific vulnerabilities.
SOAR (Security Orchestration, Automation, and Response) Platforms: ThreatNG's threat intelligence and assessment data can be used to automate security responses.
For example, a SOAR platform could automatically blocklist malicious IPs identified by ThreatNG.
Identity and Access Management (IAM) Systems: ThreatNG's compromised credential detection can be integrated with IAM systems to trigger password resets or multi-factor authentication enforcement.
By providing comprehensive external visibility, in-depth risk assessments, and actionable intelligence, ThreatNG empowers organizations to proactively manage their external attack surface and strengthen their overall security posture.