Shadow IT is one of the most neglected problems in companies. Over time, and as a result of digital hoarding (a kind of digital Diogenes syndrome), dozens of services and assets that could expose sensitive corporate information end up indexed and reachable from the Internet. If these services are not properly inventoried and controlled, they can become the gateway into our networks. The problem is exacerbated by heavy internal bureaucracy and by attempts to skip certain administrative steps in order to reach production sooner (does this sound familiar?). At Zerolynx we very often see how certain departments end up contracting, for example, external hosting to save time when publishing a new service that, internally, would have required them to go through a series of workflows, audits and controls. Obviously, skipping these processes is irresponsible and has consequences, so awareness is a key tool. Unfortunately, these things keep happening, and it is our responsibility to fight against them.
Given this fact, and after verifying that it was quite common across the market, we decided to add to our Corporate Digital Footprint service a preliminary phase of digital asset reconnaissance, remarkably similar to the one our Red Team colleagues carry out in intrusion engagements. In this phase we combine automated asset discovery with manual identification, which lets us cover a broader scope and also perform a first analysis of the assets found.
During this reconnaissance and analysis we identify which assets are vulnerable or likely to become so. For example, although it may seem routine to find an exposed client subdomain whose response headers reveal the server technology, together with the software and version of the service in use, this can pose a real risk: it tells an attacker exactly which public vulnerabilities are worth trying. Here is a real case that illustrates the point: some time ago, while analysing a client's assets, we identified and reported a VPN access interface running an obsolete version. Within months of the discovery, the client contacted us about a post on Raid Forums offering remote access to their company, and noted that the origin of that access was related to the link we had previously reported.
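The header disclosure described above is easy to check for at scale once a reconnaissance phase has produced a list of hosts. The following is an added example, not Zerolynx's own tooling: it parses raw HTTP responses and flags headers that reveal the product and, worse, the exact version of the stack. The three sample responses are constructed for the example, and the list of disclosing headers is an assumption (the common offenders), not an exhaustive standard.

```python
"""Flag technology and version disclosure in HTTP response headers.

Added example for a digital-footprint triage step. It works offline on
captured responses so it can be run against the output of any scanner
that stores raw responses; the samples below are constructed, not real.
"""
import re
from typing import Dict, List

# Headers that commonly leak the server stack. This list is an assumption
# for the example; extend it with whatever your stack tends to emit.
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
)

# A dotted version string such as 2.4.29 or 7.2; product names without a
# version (e.g. "nginx") are still a disclosure, just a weaker one.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP response as a lowercase-keyed dict.

    Only the status line and header block are read; the body (after the
    first blank line) is ignored. Later duplicates overwrite earlier ones,
    which is enough for triage purposes.
    """
    lines = raw_response.replace("\r\n", "\n").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # skip the status line
        if not line.strip():        # blank line ends the header block
            break
        if ":" not in line:
            continue                # malformed line, ignore
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[dict]:
    """Report every disclosing header present, with any versions it leaks.

    severity is "version" when an exact version string is exposed (an
    attacker can look up known flaws directly) and "product" when only the
    product name is revealed.
    """
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        versions = VERSION_RE.findall(value)
        findings.append({
            "header": name,
            "value": value,
            "versions": versions,
            "severity": "version" if versions else "product",
        })
    return findings


# Constructed sample responses (not captured from any real host).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
PRODUCT_ONLY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def triage(raw_response: str) -> List[dict]:
    """Convenience wrapper: raw response in, list of findings out."""
    return find_disclosures(parse_headers(raw_response))


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE),
                        ("product-only", PRODUCT_ONLY_RESPONSE),
                        ("clean", CLEAN_RESPONSE)):
        print(label, triage(resp))
```

A finding with severity "version" is the case from the text: the exposed interface hands the attacker the exact build to research. The fix on the server side is to suppress or genericise these headers (for example `ServerTokens Prod` on Apache and `server_tokens off;` on nginx), but the real remediation is to get the asset inventoried and patched, since hiding the banner does not change what is running.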
We must not forget that an important part of reducing the attack surface is applying digital hygiene measures. Given the huge number of digital assets that companies hold today, not all of them are necessarily under their control, which gives third parties the opportunity to take advantage and profit: from exploiting vulnerabilities, to acquiring domains that the company once owned (once they are not renewed), or even using them as a means to commit illicit acts on the company's behalf (taking advantage of redirects from one apparently lawful site to another). All of this has consequences such as reputational damage and other indirect harm, like the loss of trust among suppliers or customers.
Measuring the level of risk is sometimes complex, but we must always take into account both the magnitude of the evidence identified and its probability of occurrence. Analysts know that this second part is the hardest. Nowadays, finding individuals motivated to break into our customers' systems is not that difficult. Therefore, even when the risks we identify seem low, it is always advisable to analyse, mitigate and correct them for what they may mean tomorrow.
The truth is out there!
Noelia Baviera, Intelligence Analyst