OSINT for Digital Asset Discovery
OSINT (Open Source Intelligence) can be used by attackers to identify assets and gather other useful information before an attack is initiated. Asset discovery takes a constructive approach that allows companies to recognize risk areas in advance. Discovering digital assets is necessary to know what types of data are collected and to make better decisions on business development. Understanding which assets are in use makes it easier to classify the ones that need vigilance in order to reduce and avoid interruptions.
Digital asset discovery is very important for Shadow IT as well. Shadow IT is a general term for any technology used by employees without the permission of the IT department, whether it’s an application or software for smartphones, mobile devices, laptops, etc. That’s why digital asset management (DAM) is crucial for organizations mapping their attack surface.
What is OSINT?
OSINT stands for open source intelligence: any information that a person or organization can legitimately collect from the Internet. In practice this usually means information found on the Internet, but all information from free and open public sources is known as OSINT.
What is OSINT used for?
By collecting open-source information on a given target, an attacker can profile a possible victim to better understand its capabilities and narrow the search for potential vulnerabilities. The attacker may use the information gathered to build a threat model and develop a plan of attack without directly engaging the target. That’s why companies and organizations need to know what information is publicly available to hackers and learn which OSINT data is critical and sensitive for them in order to harden their security.
Why is OSINT important for your organization?
Effective OSINT gathering is essential for organizations to detect potential fraud and phishing scams and to discover their digital assets. OSINT can help you to identify:
- Data leaks: A data leak is the exposure of confidential or sensitive data. When this kind of data is published via the Internet, OSINT can identify these leaks.
- Security gaps: The gap analysis process should include describing the scope and identifying security vulnerabilities.
- Attack surface: An attack surface is the total number of vulnerabilities that can be exploited.
Digital asset discovery by using OSINT
Attack Surface Analysis includes mapping out and checking the components of a system for security vulnerabilities. It focuses on an application to identify the areas of risk, to notify developers and security specialists of the parts of the application that are vulnerable to an attack, to find ways of mitigating this, and to figure out when and how the attack surface is changing. Domain names, subdomains, IP addresses, etc.; in other words, all data exposed to the digital world is part of the attack surface.
Simply put, a digital asset is any content that’s stored digitally. The most common types of digital assets are:
- Social media accounts
- HTML documents
- 3rd party applications
- Marketing content
Finding the domain name (if it is not already known) can be done easily by a Google search. Nevertheless, if you know a little about the domain name, but cannot remember it exactly, then Netcraft (www.netcraft.com) will help you.
A WHOIS search will help you find information about a particular domain in the public database, such as the expiration date, current registrar, registrant records, etc. The following tools can be used to check WHOIS records.
Domaintools – WHOIS (https://whois.domaintools.com/): Searches can be done easily by entering a domain name or IP address. Besides, different search options are available, such as reverse IP, related domains on those IPs, etc.
WHOIS (https://www.whois.com/whois/): You can track the ownership and holding of the domain name with the WHOIS domain search.
Neustar UltraTools (https://www.ultratools.com/whois): You can learn about who owns the domain, where it was registered, when it expires, how to contact the domain owner, and more.
A domain is considered a related domain if its name begins or ends with the supplied domain name, or if it is managed by the same organization. WHOIS tools can be used to find related domains as well. Another tool that can be used is Whoxy.
Whoxy (https://www.whoxy.com/): Whoxy is a domain search engine whose API lets you quickly look up a domain name’s WHOIS data. If you have obtained information such as the owner name from the WHOIS record, you can also find other domains registered by this owner by entering this information on Whoxy. In this case, you will most likely find other linked domains of the institution.
SpyOnWeb (https://spyonweb.com/example.com): SpyOnWeb.com takes information from public sources and then structures it to search for the places that are likely to belong to the same user easily and conveniently. The following data is extracted from their web crawler: IP address, Google Adsense Identifier, Google Analytics ID.
Subdomains are basically an addition to a domain (root/main domain), but at the end of the day, they become a completely independent site. Finding vulnerable subdomains is very important to attackers because developers often do not manage subdomains well after the initial release. In addition, subdomains have a login form on them, and login forms are always the focus of attackers.
Pentest-Tools (https://pentest-tools.com/home): In addition to the comprehensive reports that it provides and the ability to download those reports, Pentest-Tools offers two free scans daily. It is easy to use: type the name of your domain and press search. Depending on the number of domains found, you will get the report in a short time.
Security Trails (https://securitytrails.com/): Security Trails has 12 years of historical DNS records and is available free of charge for users. Along with the hosting and mail providers, it also lists all subdomains of a root domain. The list can be long, but because it includes historical information, you get more data than from other resources. In addition, a filter option is available to shorten the list and obtain more detailed results.
Spyse (https://spyse.com/tools/subdomain-finder): Spyse’s Subdomain Finder tool lets you search its database for the subdomains of a domain. Spyse provides several resources, and a premium version is available for more accurate results. The results of the free edition alone can nevertheless be very useful.
DNS is the large information system that covers all sites on the Internet and contains IP addresses, domain names, and hosting information, as well as other registration information. DNS records serve as instructions for DNS servers, so they know which domain names are connected to each IP address. Records that are not configured properly, such as a mail server with an MX record but no SPF, DMARC, or DKIM records, can let the pentester exploit the system during the pen testing process. Such vulnerabilities can cause email spoofing, etc.
DNSdumpster (https://dnsdumpster.com/): DNSdumpster is a free domain analysis platform for finding domain-related hosts. Visible hosts are essential elements in the security evaluation process from the viewpoint of the attackers.
MXToolbox (https://mxtoolbox.com/): The MX search is made directly against the authoritative domain name server, so MX records should be updated instantly.
Hackertarget (https://hackertarget.com/): It is an online vulnerability scanner to map the attack surface and identify vulnerabilities.
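The MX-without-SPF/DMARC condition described above can be checked mechanically once the records have been collected. The following is an added example, not code from any tool listed here: it audits already-fetched MX and TXT answers for one domain. The record values and the shape of the `records` dictionary are constructed for illustration, and DKIM is not checked because its records live under a selector name that cannot be derived from the domain alone.

```python
# Added example: the records below are constructed, not live DNS answers.
SAMPLE = {
    "example.com": {"MX": ["10 mail.example.com."],
                    "TXT": ["v=spf1 include:_spf.example.net ~all"]},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=none; rua=mailto:d@example.com"]},
    "example.org": {"MX": ["10 mx.example.org."], "TXT": ["site-verification=abc"]},
}

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(spf):
    """Qualifier of the 'all' mechanism, 'redirect' if delegated, else None."""
    for term in spf.lower().split()[1:]:
        if term.startswith("redirect="):
            return "redirect"  # policy lives in another domain's record
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def audit_mail_auth(domain, records):
    """records maps owner name -> {'MX': [...], 'TXT': [...]} (hypothetical shape)."""
    findings = []
    apex = records.get(domain, {})
    if not apex.get("MX"):
        return findings  # no mail server published, nothing to check
    spf = [t for t in apex.get("TXT", []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("MX present but no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records")
    elif spf_all_qualifier(spf[0]) in (None, "+", "?"):
        findings.append("SPF does not restrict senders")
    dmarc = [t for t in records.get("_dmarc." + domain, {}).get("TXT", [])
             if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("MX present but no DMARC record")
    elif parse_tags(dmarc[0]).get("p", "none").lower() == "none":
        findings.append("DMARC policy is p=none (monitoring only)")
    return findings
```

Calling `audit_mail_auth("example.org", SAMPLE)` returns both the missing-SPF and missing-DMARC findings, while `example.com` is reported only for its `p=none` policy.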
Discovering SSL certificates
Certstream (https://certstream.calidog.io/): CertStream is an intelligence feed that provides you with real-time alerts from the Certificate Transparency Log network and helps you to create tools that respond in real time to new certificates that are released.
Discovering social media accounts
Urlscan (https://urlscan.io/): urlscan.io is a free website analysis and scanning tool. When the URL is sent to urlscan.io, an automatic mechanism is used to navigate to the URL in the same manner as a regular user.
Network infrastructure and passive scanning
Shodan (https://www.shodan.io/): Shodan is a network security monitor and search engine focused on the internet of things. It is often referred to as a ‘search engine for hackers’ as it allows you to find and discover different types of devices connected to a network such as servers, routers, webcams, and more. Shodan allows you not only to detect devices that are connected to the Internet but also to visually analyze the output of scanning tools such as Nmap through the Scanhub service. Besides, Shodan can easily answer questions such as which ports of the organization are open, which services are running on them, and what their versions are.
Some useful Shodan links;
Zoomeye (https://www.zoomeye.org/doc): ZoomEye is a Cyberspace Search Engine recording information of devices, websites, services, and components.
Censys (https://censys.io/): Censys helps discover, manage, and remediate risks in your digital landscape.
Finding Phishing Domains
DNSlytics (https://dnslytics.com/domain-typos): This tool shows all domains with one character difference of the given domain name.
NormShield (https://services.normshield.com/phishing-domain-search): NormShield’s Phishing Domain Detection generates word combinations from your domain name with specific algorithms and searches these generated names among all domain name databases. With this service, you can identify possible phishing domain names registered for cyber attacks.
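One way to apply the one-character-difference idea to your own monitoring is to compare hostnames you observe (for example, names seen in a Certificate Transparency feed) against your domain. This is an added example, not code from any of the tools named here: the hostnames are constructed, and taking the last two labels as the registrable domain is a simplifying assumption.

```python
# Added example: OBSERVED is a constructed list of hostnames, not real feed data.
OBSERVED = ["www.example.com", "login.examp1e.com", "exampl.com",
            "*.exaample.com", "exmaple.com", "shop.unrelated.net",
            "mail.examp1e.com"]

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete ca
                           cur[j - 1] + 1,            # insert cb
                           prev[j - 1] + (ca != cb))) # substitute
        prev = cur
    return prev[-1]

def registrable(hostname):
    """Simplified: keep the last two labels. Production code should use
    the Public Suffix List so that names such as example.co.uk work."""
    labels = hostname.lower().rstrip(".").lstrip("*.").split(".")
    return ".".join(labels[-2:])

def flag_lookalikes(own_domain, observed, max_distance=1):
    """Return observed registrable domains within max_distance edits of ours."""
    own = own_domain.lower()
    hits = []
    for host in observed:
        dom = registrable(host)
        if dom == own or dom in hits:
            continue  # our own domain, or already reported
        # An adjacent swap (exmaple) counts as 2 edits, so it is only
        # caught when max_distance is raised to 2.
        if edit_distance(dom, own) <= max_distance:
            hits.append(dom)
    return hits

if __name__ == "__main__":
    print(flag_lookalikes("example.com", OBSERVED))
```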
Discovering blocked IPs
IPVOID (https://www.ipvoid.com/): IPVOID is a tool for discovering details about IP addresses including IP block check, WHOIS lookup, DNS lookup, ping, and more.
Spam Check (https://www.solarwinds.com/engineers-toolset/use-cases/spam-blacklist-check): You can test the source IP addresses of recently received spam to determine which website blacklists are most effectively blocking spam. You can also see which DNS servers are needlessly blocking IP addresses of email servers you need to receive email from.
Older Versions of the Websites
Wayback Machine (https://archive.org/web/): With Wayback Machine, the previous versions of any web page can be accessed. It is possible to gather information if there was a security vulnerability in the old version.
Hunter.io: With hunter.io, corporate users whose e-mail addresses have been disclosed and the e-mail format of the institution can be learned.
Have I Been Pwned (https://haveibeenpwned.com/): Have I Been Pwned helps you to check several data breaches to decide if your email address is affected.
SOCRadar can help
OSINT plays an important role in identifying the outward-looking digital assets of companies.
OSINT can be carried out manually, but that is not sustainable for companies. For this reason, there is a need for systems that detect digital assets in an automated manner and monitor the changes in these assets. In other words, companies should actively manage the attack level.
SOCRadar’s AttackMapper module detects all digital inventory open to the internet by taking only the main domain addresses from the companies.
Through SOCRadar’s advanced internet-wide monitoring algorithms, AttackMapper provides security teams with direct visibility into all internet-facing technological assets in use as well as assets attributed to IP, DNS, Domain, and cryptographic infrastructure.
With SOCRadar® Community Edition, you’ll be able to:
- Discover your unknown hacker-exposed assets
- Check if your IP addresses are tagged as malicious
- Monitor your domain name on hacked websites and phishing databases
- Get notified when a critical zero-day vulnerability is disclosed