The Internet Facing Velocity Problem

The Internet Facing Velocity Problem

It's probably faster to find a flaw in all IPv4 Assets with Open-source attack and exploit validation tools than it is for someone internal to hunt down the owners, maintainers and appropriate people for remedial actions - The Internet Facing Velocity Problem

This post is mostly framed at big-game infrastructure, but there is no reason why you cant take what you want from it and get your wins.

Think about the process involved in your large organisation to not only orchestrating security assurance and control validation but how to react to 'out of band' actionable information on your assets

Part of the problem for large and medium sized well established organisations is that age old problem of asset visibility, on paper the right thing to do is identify the asset owners and have them commit to a security SLA that everyone is happy with, and all that's left is to let the vuln managment and security assurance process prove it's self  and a little housekeeping as staff move around

However ... that view of how things should work and how things do 'get by' is quite different, those that manage to successfully maintain a functional asset register of systems and owners I take my hat of to you, well done, keep it up, share your tips, for those that eventually drift into a position of fragmented owners or are more and more siloed to supporting specific components in the organisation, eventually you'll not know who owns what or what the things actually is, so I've a few tips that will be no brainers but the main thing is allowing another view of infrastructure security concern - and that basically covers these few simple questions:

  1. Where can I get visibility of DNS changes ?
  2. Where can I get visibility of firewall changes ?
  3. What services are exposed from this information (1 &2)
  4. Can a visitor register against it?
  5. Are there any new known vulnerabilities that would effect this system

So, if you havent gotten a DNS extract from your domains, stop what you're doing and go do that, that's the source, go get that source. if you're thinking about using OSINT tools to enumerate your infrastructure from the outside in, keep in mind that those records aside from the bruteforced are historical, so if they've changed that CNAME might be pointing at an asset you no longer own and doing security on that is problematic. get the DNS records from your registrar, while less important than your primary domains, if you do have any microsites, you may be concerned about reputational damage, microsites are often overlooked and creatives tend to do things thier own way (YEAH, I SAID IT) the problems here are that those sites seldome get updates or participate in security assurance and posture managment, let alone defence, ... and there's a good chance they're on nasty shared hosts, something that a lot of creatives overlook, alright, get those domains

What are those records pointing at ? do you have a preferred cloud provider ? Azure, AWS,Digital Ocean etc... whatever it is, once you've analised those records you'll see the outliars use your favorite whois command to determin location, that's not to say you can sleep safe just because it's on the cloud you use, its more to tune in gracefully, and get the obvious outliars highlighted and off the table

Confirming services, needs a little bit of commandline kung-fu, but not much, what you're doing with this phase is enumerating the asset to see what it's hosting publicly and if there are no concerns, cool, and if there are, react - I would use a tool called nMap for this task, it's perfect for this, if you're not familiar with nMap, it might be best to find someone that is while you steal thier knowledge, if we where in a blind rush i'd say run this sudo nmap -sV -p- -iL targets.txt -oX  this would look at all the records and scan all (TCP) ports from 1 to 65535 in a bid to identify services that the public internet can interact with, UDP has been excluded for speed and at the cost of visibility over UDP services - you'll want to do UDP at some point, it's not the sort of thing that can get done quickly.

another great tool for rapid acknowledgment of systems, is aquatone specifically for webservers or api interfaces, aquatone will take nmap output and try to obtain a screenshot of the assets service, then it will group screenshots by similarity amongst other views that make it really easy to spot the outliars just by scrolling almost like a photogallery, SSO login, Jira, confluence, jenkins ... JENKINS ? JEEEENKIIIINS ?! there, quick win.

At this point we can assume we some good data to explore, the next part is more buy in from the business, and you'll need it, as parental as you can

Let me say this first, it's possible to identify the presence of a bug on all effected hosts accross IPv4 in less than an hour with modern bughunting tools, So if an organisation has a bug, they target the bug, not the organisation, think ransomware, or bughunters, or interner research and security enthusiasts

At the beginning of this post I mentioned a velocity problem and quite a lot of process to get security work done, not because it's not clear, but the effort of completing security tasks in big places is plighted with time constaints, process, proceedure, pressure and relative 'bigger issues', what you will need is agreement that people within your org or associates can indiscriminantly assess internet facing assets as they see fit as your trusted security offencive arm, appsec/redteam/purple/capable - those people, the reason for this is because the internet isnt a nice place and fundimentally boiling it down, who would you rather identify those issues? people you trust or someone 1000000% less attributable online ? once you have that comprehention and support all that's left is some high level operating proceedures

You may chose to not use nMap or aquatone, I dont say this often but Nessus is fine, if you have you'll have some 'free' internet facing scanners you can use, and if you have a copy of nessus pro, that'll do it too, but what you wont get is that manual investigation for some of the dodgy looking webapps, my thoughts on webapp investigations are very much this shallow checklist

If two of those are flagging there's a good chance there wasnt a pentest, and an interesting backstory to why not, but yea sure lets get a pentest !

What i've described is essentially attack surface visibility, there are some commercial offerings out there if you forced me to recommend one i'd say assetnote, mostly because of the team's capability and understanding of discovery, but this post is really more about enabling those capable within your organisation to get that low hanging fruit from off the internet, or atleast challenge it's posture with the goal of improvement

Vulnerability managment, Pentesting and scanning is slow, this space is the perfect starter to a fulfilling meal ... uh, i think i'm hungry... better go eat.

DNS Changelog visibility, JML those records!

*dont forget about cloud assets that may not have DNS records, but you get the idea.