Stale Subdomain Verification
In cybersecurity, stale subdomain verification is the process of confirming that a subdomain, once active, is no longer in use or connected to the internet. The goal is to identify outdated or decommissioned subdomains so they can be removed from an organization's active asset inventory. This is a crucial step in maintaining a clean and accurate record of an organization's digital footprint.
A stale subdomain poses a significant security risk because its DNS record may still exist while pointing at a service that has been shut down. This creates an opportunity for attackers to perform a subdomain takeover. Suppose an attacker claims the now-available service, so that the existing DNS record resolves to a server they control. In that case, they can hijack the subdomain, use it for phishing, or distribute malware, all while appearing to be a legitimate part of the organization.
The verification process typically involves:
Passive Discovery: Identifying a list of all subdomains, both past and present.
Active Probing: Attempting to connect to each subdomain to see if it responds.
Analysis: Verifying that a subdomain is genuinely offline and not just experiencing a temporary outage.
By regularly performing this verification, security teams can proactively mitigate the risk of subdomain takeovers and reduce their attack surface.
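The three steps above, carried through in code. This is an added example and not ThreatNG's own code: it takes a passively discovered list of names, resolves each one, probes it over HTTP/HTTPS with retries so that a temporary outage is not mistaken for a decommissioned host, and then classifies it. It also keeps "responds with an empty body" separate from "nothing listening", the distinction the Subdomain Intelligence section below draws. The hostnames under example.com, the DNS answers and the probe outcomes are all constructed; the resolver and prober are injected so the block runs offline, and in practice they would wrap a DNS library and an HTTP client.

```python
"""Added example (not ThreatNG code): stale-subdomain triage.

Passive discovery supplies the name list; verify() does the active probing
with retries; classify() is the analysis step. Resolver and prober are
injected so the block runs offline against constructed data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A probe outcome: None = no TCP/TLS connection at all;
# otherwise (HTTP status, response body length in bytes).
ProbeResult = Optional[Tuple[int, int]]
DnsRecord = Optional[Tuple[str, str]]        # (record type, target) or None


@dataclass
class Verdict:
    name: str
    dns: DnsRecord
    attempts: List[ProbeResult]
    state: str          # no-dns | active | empty-response | stale


def classify(dns: DnsRecord, attempts: List[ProbeResult]) -> str:
    """Analysis step: turn DNS presence plus probe history into a state."""
    if dns is None:
        return "no-dns"                 # already decommissioned, nothing to clean
    connected = [a for a in attempts if a is not None]
    if not connected:
        return "stale"                  # record exists, nothing listens: review for takeover
    if any(body > 0 for _status, body in connected):
        return "active"                 # served content at least once
    return "empty-response"             # listens but serves nothing: misconfigured, not offline


def verify(subdomains, resolve, probe, retries=3):
    """Active-probing step; retries keep a transient outage from reading as stale."""
    verdicts = []
    for name in subdomains:
        dns = resolve(name)
        attempts: List[ProbeResult] = []
        if dns is not None:
            for _ in range(retries):
                result = probe(name)
                attempts.append(result)
                if result is not None and result[1] > 0:
                    break               # one content-bearing reply settles it
        verdicts.append(Verdict(name, dns, attempts, classify(dns, attempts)))
    return verdicts


def stale_candidates(verdicts):
    """Names whose DNS records still exist but never answered: the cleanup list."""
    return sorted(v.name for v in verdicts if v.state == "stale")


# ---- Constructed sample data (hypothetical names under example.com) ------
SAMPLE_SUBDOMAINS = ["www.example.com", "shop.example.com", "old-api.example.com",
                     "legacy.example.com", "dev.example.com"]
SAMPLE_DNS = {
    "www.example.com": ("A", "192.0.2.10"),
    "shop.example.com": ("CNAME", "tenant-shop.hosting.invalid"),
    "old-api.example.com": ("A", "192.0.2.20"),
    "legacy.example.com": ("A", "192.0.2.30"),
    # dev.example.com: no record at all
}
# Scripted probe outcomes per host, consumed one per attempt (constructed).
SAMPLE_HTTP = {
    "www.example.com": [(200, 5120)],
    "shop.example.com": [(200, 0), (200, 0), (200, 0)],   # provider placeholder, empty body
    "old-api.example.com": [None, None, None],           # nothing listening
    "legacy.example.com": [None, None, (200, 2048)],     # recovers on the third try
}


def sample_resolver(name: str) -> DnsRecord:
    return SAMPLE_DNS.get(name)


def make_sample_prober(script: Dict[str, List[ProbeResult]]) -> Callable[[str], ProbeResult]:
    queues = {host: list(results) for host, results in script.items()}

    def probe(name: str) -> ProbeResult:
        queue = queues.get(name)
        return queue.pop(0) if queue else None
    return probe


def run_sample() -> Dict[str, Verdict]:
    verdicts = verify(SAMPLE_SUBDOMAINS, sample_resolver, make_sample_prober(SAMPLE_HTTP))
    return {v.name: v for v in verdicts}


if __name__ == "__main__":
    results = run_sample()
    for v in results.values():
        print(f"{v.name:22} {v.state:15} dns={v.dns} attempts={v.attempts}")
    print("DNS cleanup list:", stale_candidates(results.values()))
```

On the constructed data, legacy.example.com fails twice and answers on the third attempt, so it is reported active rather than stale; old-api.example.com has an A record but never connects, so it alone lands on the cleanup list; shop.example.com answers but serves nothing, which points at a misconfigured or placeholder host rather than one that is offline.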
ThreatNG helps with stale subdomain verification by continuously monitoring for subdomains that are no longer active, which allows organizations to remove outdated entries and maintain a clean inventory of assets. It does this by identifying subdomains that are not responding on HTTP/HTTPS.
External Discovery and Assessment
ThreatNG performs purely external unauthenticated discovery to build a comprehensive inventory of an organization's public-facing assets. As part of this, it identifies subdomains that have an IP address but are not actively responding on HTTP/HTTPS, which can suggest they are no longer in use.
Examples of how ThreatNG's assessments help with stale subdomain verification:
Subdomain Takeover Susceptibility: This assessment is directly related to stale subdomain verification. ThreatNG uses its external attack surface intelligence, which incorporates Domain Intelligence, to evaluate subdomain takeover susceptibility. This includes a comprehensive analysis of the website's subdomains, DNS records, and SSL certificate statuses. A subdomain that is not responding on web ports but still has a DNS entry would be flagged as a potential takeover target, highlighting it as a high-priority stale subdomain.
Cyber Risk Exposure: This assessment considers parameters from the Domain Intelligence module, including vulnerabilities and exposed sensitive ports. An inactive subdomain with an exposed port or a known vulnerability, even if not running a web service, would still be identified as a risk, preventing it from being overlooked as merely "stale."
Investigation Modules and Intelligence Repositories
ThreatNG's Investigation Modules provide detailed analysis of the discovered subdomains, and the Intelligence Repositories offer valuable context.
Subdomain Intelligence: This module identifies subdomains with Empty HTTP/HTTPS Responses. This is a core function for stale subdomain verification, as it helps distinguish between an active subdomain that is misconfigured and a subdomain that is truly offline. ThreatNG also detects other content, such as APIs or Development Environments, which could indicate a subdomain that was once active but has been taken down.
Domain Intelligence: This module analyzes DNS records to confirm that an inactive subdomain still has a DNS entry that needs to be removed. The Domain Name Permutations feature can also uncover typosquatted or similar domains that are now stale but could be used by an attacker for malicious purposes.
DarCache (Intelligence Repositories): The data in these repositories helps to determine the risk of a stale subdomain. If a subdomain is linked to Compromised Credentials from the DarCache Rupture repository, it is a critical risk even though it is inactive, as it may have been compromised before being taken offline.
Reporting and Continuous Monitoring
ThreatNG provides reports like the Inventory report that help an organization maintain a clean list of active assets. The platform's continuous monitoring capability ensures that once a subdomain is identified as stale, it remains on the security team's radar until its DNS records are fully decommissioned. This prevents outdated entries from being forgotten and maintains a current view of the attack surface.
Complementary Solutions
ThreatNG's findings on stale subdomains can be used with complementary solutions to automate and enhance the verification process.
DNS Management Platforms: When ThreatNG identifies a stale subdomain with a valid DNS record, its findings can be used to trigger an automated workflow in a DNS management platform. This allows a security team to quickly remove the DNS record, eliminating the risk of a subdomain takeover without manual intervention.
Security Orchestration, Automation, and Response (SOAR) Platforms: The discovery of a high-risk stale subdomain by ThreatNG, such as one with compromised credentials, could initiate a playbook within a SOAR platform. This playbook could automatically notify the appropriate IT teams, create a ticket in a project management system, and document the finding, streamlining the remediation process.
Threat Intelligence Platforms: The data on stale subdomains can be shared with a threat intelligence platform. This allows the organization to track if an attacker is attempting to register or take over a known stale subdomain, providing early warning of a potential attack.