We carry out lots of attack surface assessments, parts of which involve investigating information that has been unintentionally disclosed.
To help OPSEC people I thought it might be useful to go over some of the key things that can be found using domain and company names.
So let’s dive in and look at the domain name. From this we can find:
This will provide you with further layers of information to examine and scrutinise.
From the company name there is plenty to find:
If we look at the impact of these disclosures, there are some key attacks that can be carried out. The list is not exhaustive, but it does demonstrate how innocuous disclosures can have a much bigger impact once they are combined.
Whilst this overly simplifies the situation, we can expand on this with other examples:
This diagram shows what can be obtained from just two starting points: the company name and the domain name.
This is just a start, but hopefully should get you on the right track to understanding what information can be found, and as importantly, where you can apply technical or procedural control to either limit the exposure or be aware of the impact of the exposure.
It is crucial to understand your entire attack surface and, importantly, to recognise that this extends well beyond your technical attack surface. Tools alone won’t be able to provide you with all of the information.
Some key suggested steps to take
Naturally there is much, much more that can be found. It’s important to recognise that your threat actors only need to start with one or two pieces of information, from which they can deduce a huge amount more. Isn’t it worth emulating the reconnaissance phase of the MITRE ATT&CK matrix to see what your threat actors see?
The post OSINT. What can you find from a domain or company name first appeared on Pen Test Partners.