Digital Footprint Discovery, Mapping, and Scoring
Understanding your organization’s digital footprint is the starting point to defending not only your organization’s online presence, but its entire Internet-facing infrastructure. However, simply knowing what exists in that infrastructure and presence is not enough – in order to truly secure the entire space, security teams must map every connection.
Today’s organizations boast massive digital footprints across wide swaths of the Internet. It is imperative that security teams understand that footprint in order to protect it. Indeed, from web services to cloud hosting infrastructure to microservices that may not appear on any official IT lists, if it is on the Internet, threat actors can find it and potentially exploit it.
Although much of that footprint may not be directly vulnerable to hacks, the very nature of how the Internet works allows anyone with the right know how to find these entities and use them either directly in an attack or as a template to establish their own fraud operations.
Footprinting involves three steps – discovery, mapping, and scoring – and is the first step in securing an organization’s online presence. Using the data from these steps, security teams can verify the security of the organization’s partners and establish threat models to defend against fraud networks which seek to use the organization’s name and brands illicitly.
The first step in securing an organization’s digital footprint is through discovery. This is the process of identifying and cataloguing an organization’s Internet-facing infrastructure, as well as any accounts used by the organization or its personnel. Anything that a potential threat actor can find online contributes to the organization’s digital footprint, and anything that is part of the digital footprint is potentially part of the organization’s attack surface.
What is this infrastructure? Well, it means essentially everything that touches the Internet – domains, TLS certificates, open ports, services, hosts, cloud providers, etc. All of these things, due to the nature of how the Internet functions, are open source, and all are discoverable using relatively simple tools.
Just because something is discoverable does not necessarily make it part of the attack surface. However, simply knowing about its existence can assist a threat actor in exploiting some vulnerability somewhere along the attack chain.
Security teams must seek out every possible piece of exposed information available on the internet, no matter how innocuous it may seem, because even an exposed email address belonging to the wrong person can set in motion powerful attacks.
Discovery also allows teams to find fake infrastructure and imposter accounts. Whereas knowing about real infrastructure helps to secure, finding fake infrastructure prevents fraud and other illicit activities from affecting the organization by association.
Now that the team has discovered this information, how can it make sense of all the data? First, they have to map it out and find all of the connections. From network diagrams showing any links to Internet-facing servers to databases which drive web services to executive social media accounts, all of these data points are likely connected in one way or another.
Threat actors spend a majority of their time conducting discovery and mapping tasks in order to understand the best avenues for attack. Therefore, in order to remain one step ahead of any attacker, security teams must do the same.
These maps do not have to be complex charts showing even the most dubious connections. Rather, they should be as simple as possible in order to convey every possible avenue of attack at even the quickest glance. Threat models such as attack trees can enumerate how these maps may be attacked, the maps only have to show what might be attacked and how it connects to other pieces of the puzzle.
At this point, it is not enough to solely concentrate on the organization’s infrastructure. Today’s business climate demands that organizations work closely with several 3rd party services, and, as we see constantly, those 3rd parties can serve as the weak link in a robust cybersecurity operation.
Therefore, security teams must score themselves and any other entity with which they come into contact. It is one thing for the organization to have a problem, but to trust a 3rd party vendor requires that that vendor have secure infrastructure and operations.
Scoring takes everything listed above and assigns values to each data point in order to gain a detailed understanding of where specific weaknesses lie, as well as which points require priority focus and attention. Scoring should be simple, extensive, and, most of all, accurate.
The scoring phase looks at specific issues which affect each point. For example, with domains and TLS certificates, it is not enough to know they exist and how they connect to other parts of the infrastructure. Scoring looks at each aspect of those data points, such as configurations, administration, access, etc to determine the asset’s overall risk to the organization. This goes as far as to look into other domains on shared infrastructure to determine if those hosts are malicious or not.
Scoring is arguably the most intensive process of all three, simply due to the many factors and related research which teams must complete in order to gain a full picture of the organization’s overall digital footprint.
All the Tools You Need in One Place
Virtually every step of the cyber kill chain involves a threat actor conducting discovery, mapping, and scoring for anything he or she may find. Therefore, security teams must do the same.
Even with all the great frameworks, such as Mitre Pre-ATT&CK, and threat models to help guide the process and make sense of all the data points, a robust tool which can discover and map infrastructure automatically is necessary, especially with the sheer amount of data that exists on the Internet today. With DigitalStakeout’s Scout and Footprint tools, the task of discovering, mapping, and scoring your organization’s digital footprint, as well as that of your 3rd party partners and threat actor infrastructure, has never been simpler.
Get a Demo to learn more.