23. 09. 2021 Massimo Giaimo Exposure Assessment, SEC4U

Exposure Assessment: Straight to the Point!

In this second post on the Exposure Assessment topic we’ll start from the end!

We’ve just put into production, within our OSINT & Cyber Threat Intelligence SATAYO platform, an internal search engine that aims to simplify the search for evidence within the platform itself. This is a development that has been particularly requested by those organizations which are monitored within the platform and which manage a large number of internet domains.
SATAYO aims to search for information relating to an organization, within the Surface, Deep & Dark Web, starting from these input elements: the organization’s internet domains and some keywords (typically names of services and products, names of top management figures in the organization, and so on).

The phrase that best describes the goal of our platform is:

Discover the attack surface, keep it monitored, and manage the exposed data over time. React proactively in order to avoid exploits.

These are some of the objects that the SATAYO platform allows you to discover:

  • host names
  • IP addresses
  • details of the IP blocks available to the organization
  • email accounts
  • similar domains
  • related domains
  • top-level domains
  • vulnerabilities
  • exposed web services
  • active HTTP methods
  • presence of IP and host names within the blacklists
  • presence of evidence within paste-like sites
  • correct configuration of mail servers
  • correct configuration of SSL / TLS
  • evidence in hacking forums
  • evidence in Telegram channels
  • evidence in WhatsApp groups
  • evidence in various social networks
  • evidence in ransomware gang sites
  • evidence in Bug Bounty portals
  • presence of compromised credentials (within an ever-expanding database of over 27 billion accounts!)
  • presence of hard-coded credentials in GitHub projects
  • exposure of interesting metadata in files indexed by search engines
  • and so on!

Surely this allows us to recover, for any domain, an impressive amount of information!

So we decided to simplify the activities of those who, within an SOC (Security Operation Center) or directly within individual organizations, have the goal of implementing the mitigations or remedies that are suggested within SATAYO.

As mentioned at the beginning of this post we have developed an internal search engine, which allows at this time to search through, within all the evidence discovered by SATAYO for all the domains of an organization, for the following elements: IP address, host name, email account, CVE (Common Vulnerabilities and Exposures), and name of a data breach.

The search bar has been positioned at the top right and suggests searchable items.

For example, if you want to check if any of the services exposed by your organization have a specific vulnerability, you can search for the specific CVE (in the format CVE-yyyy-xxxxx). In fact, it may be worth just knowing the remote vulnerabilities most exploited by cyber attackers in recent months (source: https://us-cert.cisa.gov/ncas/alerts/aa21-209a):

VendorCVEType
CitrixCVE-2019-19781arbitrary code execution
PulseCVE 2019-11510arbitrary file reading
FortinetCVE 2018-13379path traversal
F5- Big IPCVE 2020-5902remote code execution (RCE)
MobileIronCVE 2020-15505RCE
MicrosoftCVE-2017-11882RCE
AtlassianCVE-2019-11580RCE
DrupalCVE-2018-7600RCE
TelerikCVE 2019-18935RCE
MicrosoftCVE-2019-0604RCE
MicrosoftCVE-2020-0787elevation of privilege
MicrosoftCVE-2020-1472elevation of privilege

If, on the other hand, you want to know whether any of the email accounts in your organization are exposed within a specific data breach, simply type the name of the same in the search box. Here you can see an example of a search for a famous data breach, that of the Canva service:

In the coming weeks we’ll index additional types of data, with the aim of making this activity increasingly easier for our users!

Massimo Giaimo

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix

Author

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix

Leave a Reply

Your email address will not be published.

Archive