Subdomain Redirection Investigation
In cybersecurity, subdomain redirection investigation is the process of examining and analyzing how a subdomain forwards traffic to another URL. This investigation is crucial for uncovering potential security risks that can arise when a subdomain is not pointing to its expected destination.
The core purpose of this investigation is to:
Verify legitimacy: Determine if the redirection is intentional and benign, such as a company forwarding an old product page to a new one, or if it is malicious.
Identify malicious redirects: Uncover instances where a subdomain is being used to secretly route users to a different website, such as a phishing site, a malware-laden page, or a competing brand's website.
Detect subdomain hijacking: Look for signs that an attacker has taken control of a subdomain's DNS records to manipulate its redirection, a common technique for launching attacks that appear to originate from a trusted source.
Uncover outdated or forgotten assets: Identify subdomains that have been neglected and are redirecting to old or insecure content, which can be a liability.
The investigation typically involves technical analysis of DNS records, HTTP response headers, and the content of the destination URL. It is a proactive security measure that helps organizations maintain control over their digital presence and protect their users from deceptive or harmful redirects.
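The HTTP-header part of that analysis, as an added example that is not part of the original page: the script requests a subdomain without auto-following redirects, records each hop's status and Location header (resolving relative Locations against the current URL), and flags a chain that ends outside the organisation's own domains or downgrades from HTTPS to HTTP. The hostnames and the org domain list are constructed placeholders.

```python
"""Follow a subdomain's redirect chain hop by hop and flag where it leaves the organisation."""
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 10


def same_org(host, org_domains):
    """True if host equals one of the organisation's domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in org_domains)


def analyse_chain(start_url, hops, org_domains):
    """hops: list of (status, Location) pairs, one per request, in order.
    Returns the resolved path, the final host and a verdict for the investigator."""
    current, path = start_url, [start_url]
    for status, location in hops:
        if status not in REDIRECT_CODES or not location:
            break
        current = urljoin(current, location)  # relative Location resolved against the current URL
        path.append(current)
        if len(path) > MAX_HOPS:  # loops and over-long chains are themselves worth a look
            return {"path": path, "final_host": None, "external": None,
                    "https_downgrade": None, "verdict": "loop_or_too_long"}
    final_host = urlsplit(current).hostname or ""
    external = not same_org(final_host, org_domains)
    downgrade = urlsplit(start_url).scheme == "https" and any(
        urlsplit(u).scheme == "http" for u in path[1:])
    return {"path": path, "final_host": final_host, "external": external,
            "https_downgrade": downgrade, "verdict": "external" if external else "internal"}


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise the 3xx as HTTPError instead of following it."""
    def redirect_request(self, *args, **kwargs):
        return None


def fetch_hops(start_url, max_hops=MAX_HOPS):
    """Network helper (not exercised offline): collect (status, Location) per hop."""
    opener = urllib.request.build_opener(_NoFollow)
    hops, url = [], start_url
    for _ in range(max_hops):
        try:
            resp = opener.open(url, timeout=10)
            status, loc = resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as err:
            status, loc = err.code, err.headers.get("Location")
        hops.append((status, loc))
        if status not in REDIRECT_CODES or not loc:
            break
        url = urljoin(url, loc)
    return hops
```

Pair the verdict with a DNS lookup of the subdomain's CNAME target and a review of the destination page before deciding whether the redirect is expected; an "external" verdict alone only tells you where to look next.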
ThreatNG helps with subdomain redirection investigation by providing a complete, external-facing view of an organization's digital assets. It identifies and analyzes redirections from an attacker's perspective, without requiring any internal access.
How ThreatNG Helps with Redirection Investigation
ThreatNG's External Discovery is the initial step, as it finds an organization's subdomains without needing connectors or authentication. This is vital for uncovering all subdomains, including those that are inactive or redirecting to unexpected places. ThreatNG's External Threat Alignment maps an organization's security posture to external threats, identifying vulnerabilities and exposures in a way an attacker would.
ThreatNG's External Assessment capabilities analyze discovered subdomains for various risks. The Subdomain Takeover Susceptibility assessment incorporates Domain Intelligence to evaluate a website's susceptibility to subdomain takeover. This includes a comprehensive analysis of the website's subdomains, DNS records, and SSL certificate statuses. For example, if an old subdomain like careers.example.com is redirecting to a third-party career site that is no longer in use, ThreatNG could detect this and flag it as a takeover risk. An attacker could then claim the abandoned account or resource on that third-party service, so that the still-pointing subdomain serves malicious content.
Using ThreatNG's Investigation Modules to Mitigate Risks
ThreatNG's Investigation Modules offer the tools to analyze the redirects and their sources in detail.
Subdomain Intelligence is a key module that provides insight into subdomain redirects. It identifies various factors, such as HTTP Responses and Header Analysis, which can reveal redirects. The Content Identification feature also looks for "Potential Redirects". This allows you to identify all subdomains that are redirecting to new URLs or other subdomains, ensuring that the redirection or forwarding is secure and expected. For instance, if blog.examplecorp.com is redirecting to wordpress.com/examplecorp-blog, ThreatNG can analyze the redirect path to ensure it's safe.
Archived Web Pages can uncover if a page has been archived with "Potential Redirects". This can help you find old subdomains that might be redirecting to a malicious or outdated page, which poses a security risk.
Ongoing Monitoring, Reporting, and Intelligence Repositories
Continuous Monitoring is a core capability that constantly checks an organization's external attack surface, digital risk, and security ratings. This ensures that any new or changing subdomain redirects are immediately flagged for investigation.
ThreatNG's Reporting capabilities, such as the technical and prioritized reports, allow you to view and manage findings effectively. A report can highlight a risky subdomain redirect and provide a risk level to help you prioritize your security efforts.
The Intelligence Repositories (DarCache) can also provide additional context. The Vulnerabilities repository offers a holistic and proactive approach to managing external risks by understanding their real-world exploitability. If a subdomain is redirecting in an unsecured way due to a known vulnerability, ThreatNG can provide details on the vulnerability and its potential impact.
Synergies with Complementary Solutions
ThreatNG's capabilities can work with other solutions to provide a more comprehensive security posture.
Security Orchestration, Automation, and Response (SOAR) Platforms: When ThreatNG identifies a suspicious subdomain redirection, a SOAR platform can automatically trigger a playbook. This playbook could include steps like sending a notification to the security team and creating a ticket for further investigation. For example, if ThreatNG detects that a subdomain is redirecting to a known phishing site, the SOAR platform could automatically generate an alert and initiate a takedown request.
Threat Intelligence Platforms (TIPs): ThreatNG's findings on malicious redirects can be used to enrich a TIP. If ThreatNG discovers a new domain used for a malicious redirect, this information can be shared with the TIP to be added to blocklists. This provides a proactive defense against similar threats in the future.