23. 09. 2021 Massimo Giaimo Exposure Assessment, SEC4U

Exposure Assessment: straight to the point!

In this second post on the Exposure Assessment topic, we start from the end!

We have just put into production, within our OSINT & Cyber Threat Intelligence platform SATAYO, an internal search engine that aims to simplify searching for evidence within the platform itself. This development was requested in particular by organizations monitored within the platform that manage a large number of internet domains.
SATAYO searches for information relating to an organization within the Surface, Deep & Dark Web, starting from these input elements: the organization's internet domains and a set of keywords (typically names of services and products, names of the organization's top management figures, and so on).

The phrase that best describes the goal of our platform is:

Discover the attack surface, keep it monitored, and manage the exposed data over time. React proactively in order to avoid exploits.

These are some of the objects that the SATAYO platform allows you to discover:

  • hostnames
  • IP addresses
  • details of the IP blocks available to the organization
  • email accounts
  • similar domains (look-alike / typosquatting candidates)
  • related domains
  • top-level domains
  • vulnerabilities
  • exposed web services
  • active HTTP methods
  • presence of IPs and hostnames in blacklists
  • presence of evidence on paste-like sites
  • correct configuration of the mail servers
  • correct configuration of SSL/TLS
  • evidence in hacking forums
  • evidence in Telegram channels
  • evidence in WhatsApp groups
  • evidence in various social networks
  • evidence on ransomware gang sites
  • evidence on Bug Bounty portals
  • presence of compromised credentials (within an ever-expanding database of over 27 billion accounts!)
  • presence of hard-coded credentials in GitHub projects
  • exposure of interesting metadata in files indexed by search engines
  • and so on!

This lets us recover, for any domain, an impressive amount of information.
So we decided to simplify the work of those who, within a SOC (Security Operations Center) or directly within individual organizations, are tasked with implementing the mitigations or remediations suggested within SATAYO.

As mentioned at the beginning of the post, we have developed an internal search engine that, at this time, lets you search all the evidence discovered by SATAYO, across all the domains of an organization, for the following elements: IP addresses, hostnames, email accounts, CVE identifiers (Common Vulnerabilities and Exposures), and the name of a data breach.

The search bar has been positioned at the top right and suggests searchable items.

For example, if you want to check whether any of the services exposed by your organization are affected by a specific vulnerability, you can search for its CVE identifier (in the format CVE-yyyy-nnnn, where the sequence number has four or more digits). In this regard, it may be useful to know which vulnerabilities were most routinely exploited by attackers in 2020 and early 2021 according to the CISA joint advisory AA21-209A (source: https://us-cert.cisa.gov/ncas/alerts/aa21-209a):

Vendor        CVE               Type
Citrix        CVE-2019-19781    arbitrary code execution
Pulse         CVE-2019-11510    arbitrary file reading
Fortinet      CVE-2018-13379    path traversal
F5 BIG-IP     CVE-2020-5902     remote code execution (RCE)
MobileIron    CVE-2020-15505    RCE
Microsoft     CVE-2017-11882    RCE
Atlassian     CVE-2019-11580    RCE
Drupal        CVE-2018-7600     RCE
Telerik       CVE-2019-18935    RCE
Microsoft     CVE-2019-0604     RCE
Microsoft     CVE-2020-0787     elevation of privilege
Microsoft     CVE-2020-1472     elevation of privilege

If, on the other hand, you want to know whether any of your organization's email accounts are exposed in a specific data breach, simply type the breach's name in the search box. Here is an example of a search for a well-known data breach, that of the Canva service:
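To make the mechanics of such a search concrete, here is an added example written for this post; it is not SATAYO code. It builds an inverted index over a handful of constructed evidence records (the domains, hosts, addresses, emails and breach names are invented for illustration, and the record layout, function names and the "dnsbl-example" label are assumptions), classifies a free-text query as a CVE, IP, hostname, email or breach name, canonicalizes it (so "cve 2019-11510" and "CVE-2019-11510" hit the same records), and finally cross-checks the indexed evidence against the twelve CVEs from the CISA table above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample evidence (NOT real SATAYO data): one finding per record,
# each tied to a domain of the monitored organization.
EVIDENCE = [
    {"type": "vulnerability", "domain": "example.com", "host": "vpn.example.com",
     "ip": "203.0.113.10", "cve": "cve-2019-11510"},
    {"type": "vulnerability", "domain": "example.org", "host": "dc.example.org",
     "ip": "203.0.113.25", "cve": "CVE-2020-1472"},
    {"type": "compromised_credential", "domain": "example.com",
     "email": "alice@example.com", "breach": "Canva"},
    {"type": "compromised_credential", "domain": "example.org",
     "email": "bob@example.org", "breach": "LinkedIn"},
    {"type": "blacklist", "domain": "example.com", "host": "mail.example.com",
     "ip": "203.0.113.25", "list": "dnsbl-example"},   # list name is made up
]

# The twelve CVEs from CISA alert AA21-209A quoted in the post.
TOP_EXPLOITED = [
    "CVE-2019-19781", "CVE-2019-11510", "CVE-2018-13379", "CVE-2020-5902",
    "CVE-2020-15505", "CVE-2017-11882", "CVE-2019-11580", "CVE-2018-7600",
    "CVE-2019-18935", "CVE-2019-0604", "CVE-2020-0787", "CVE-2020-1472",
]

# A CVE id is CVE-YYYY-NNNN with four OR MORE sequence digits; tolerate the
# space and case variants people type ("cve 2019-11510").
CVE_RE = re.compile(r"^CVE[-\s]?(\d{4})[-\s](\d{4,})$", re.IGNORECASE)
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def normalize_cve(text):
    """Return the canonical CVE-YYYY-NNNN form, or None if text is not a CVE id."""
    m = CVE_RE.match(text.strip())
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def classify_query(text):
    """Map a free-text query to the (kind, canonical key) the index understands."""
    q = text.strip()
    cve = normalize_cve(q)
    if cve:
        return "cve", cve
    try:
        return "ip", str(ipaddress.ip_address(q))   # accepts IPv4 and IPv6
    except ValueError:
        pass
    if "@" in q:
        return "email", q.lower()
    if HOST_RE.fullmatch(q.lower()):
        return "host", q.lower()
    return "breach", q.lower()      # anything else is treated as a breach name


def build_index(records):
    """Inverted index (kind, key) -> record positions, so each lookup is O(1)."""
    index = defaultdict(list)
    extractors = {
        "cve": lambda r: normalize_cve(r["cve"]),
        "ip": lambda r: str(ipaddress.ip_address(r["ip"])),
        "host": lambda r: r["host"].lower(),
        "email": lambda r: r["email"].lower(),
        "breach": lambda r: r["breach"].lower(),
    }
    for pos, rec in enumerate(records):
        for kind, extract in extractors.items():
            if kind in rec:
                index[(kind, extract(rec))].append(pos)
    return index


def search(index, records, text):
    """All evidence records matching one query, across every monitored domain."""
    return [records[p] for p in index.get(classify_query(text), [])]


def exposed_top_exploited(index, records):
    """Which of the CISA top-exploited CVEs appear on the organization's hosts."""
    hits = {}
    for cve in TOP_EXPLOITED:
        found = search(index, records, cve)
        if found:
            hits[cve] = sorted(r.get("host", "") for r in found)
    return hits


INDEX = build_index(EVIDENCE)

if __name__ == "__main__":
    for query in ["cve 2019-11510", "203.0.113.25", "Canva", "MAIL.example.com"]:
        print(query, "->", [r["type"] for r in search(INDEX, EVIDENCE, query)])
    print("top exploited CVEs present:", exposed_top_exploited(INDEX, EVIDENCE))
```

Note that the same IP address can surface in findings of different types (here a vulnerability on one domain and a blacklist entry on another), which is exactly why a cross-domain search keyed on the canonical value, rather than a per-domain view, saves SOC time.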

In the coming weeks we will index additional types of data, with the aim of making our users' work easier and easier!

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix
