5 min reading Mon Sep 06 2021
How to get a view on your digital footprint?
Last week I wrote an introduction on what your digital footprint is and why it matters.
But how do you generate that view? While there are a lot of different takes and approaches on this question, I'll provide you with resources to get you started. Each step below will provide you with some new information on your digital footprint and can be used to go to the next step, or iterate back to previous steps to further expand the data. Over time you'll create your own approach and methodology on mapping your company's digital footprint.
Step 1: List your domains
It all starts with having an overview of your domains, like company.com, company.org, etc... Usually all this information can be easily extracted from your DNS. In some cases your domains might be managed completely outside your zone of control (yikes!), and you'll have to request the A or AAAA records from the party, or parties, managing your domains. If you do, do request to have an overview of all associated IP addresses and other DNS records as well, like CNAME and PTR (other domains and subdomains), MX (mail servers), NS (nameserver records, which may provide links to other DNS's containing your information), etc... You might have to iterate over different nameservers to get a complete picture of your domains.
If for some reason you do not have access to your DNS there are some simple tools that might help you like dig, host, DNSEnum, dnsmap, and AMASS. And when you really want to find all domains; you can scrape the TLD's (Top Level Domains) and their databases to find all existing domains containing your company's name for example. If you're lucky (or unlucky?), you might even uncover active phishing domains.
Step 2: List your subdomains
Next step is to start enumerating your subdomains. This is quite easy if you received a full output of your DNS. If not, but you do have a list of all your domains handy, your subdomains can be enumerated with some readily available tools like AMASS, subfinder, cert.sh, massdns, altdns, etc ... More details on these techniques are described in this blogpost. The list of subdomains will help you to understand the extent of your digital footprint, and get a view of all your websites and applications (given that there is one active on the subdomain).
Step 3; List your IP addresses
Not everything on the internet is linked to a (sub)domain, or contains a web application. Think about your email servers, VPN, access for third parties, etc...
When you have extracted the information from your DNS you will also have gathered a lot of IP addresses. Go ahead and search for them into WHOIS databases and, depending on where in the world your IP addresses are issued; RIPE, APNIC, ARIN, LACNIC, or AFRINIC.
Through these resources you'll be able to determine to which IP Range, and owner, the IP addresses belong. This will provide you with the insight whether it belongs to your organisation, a hosting provider, or other. Next to this, your IP address will be part of a range of IP addresses. It warrants the effort to extend your digital footprint mapping to these IP addresses as well to determine if they contain resources belonging to your organisation as well (especially when the IP range is hosted with third parties).
Step 4; Expand to your third parties
You've reached a point where you have a good view on which domains, subdomains, and IP addresses are hosted by your organisation and which are hosted by third parties. You can start mapping these items to those third parties. In a next step, assign contact persons to those external companies. In case you discover something requiring rectification you immediately know who to contact. Don't have this information? Have a chat with your colleagues in procurement, HR, or sales and marketing, chances are they set up a website without informing the IT department.
Step 5; Enumerate your assets, list your services, and get a rough idea on the risks
Using a portscanner such as NMAP will also enumerate all services running on these IP addresses. It will allow you to quickly find web applications but also whether it is running an email server, DNS, FTP, or maybe even some unauthorized services (RDP, VNC, Telnet, ...). Take care to only portscan IP addresses belonging to your organisation.
Next, the Eyewitness tool can help to determine which subdomains contain an active website, and even create a screenshot for a quick look without having to manually type these in your browser. This provides direct and invaluable information on what is actually hosted on that (sub)domain.
Free versions of Qualys or Tenable Nessus, or the open source tool Greenbone Vulnerability Management (previously OpenVAS) can start generating a list of known vulnerabilities on all the IP addresses, domains, and subdomains you previously researched. Using this list you can quickly start remediating outdated systems and systems with critical vulnerabilities out on the open, remember, these are exposed assets after all!
Finally, with the free to use Qualys SSLabs you can generate a risk based view on all your SSL certificates. Do they contain weak ciphers? Do they use deprecated cryptographic protocols? Will they expire soon?
Step 6; Iterate
During each step above you'll likely encounter new IP addresses, domains, or subdomains. Each time it is recommended to iterate over the previous steps as you might find even more information. For example, the output of your certificates might yield more subdomains, or the IP range of a certain asset contains company branded websites you didn't even find a DNS entry for. Or what about DNS entries pointing to an IP address that has been reassigned to another company altogether ...?
It takes quite some effort, and a collection of tools, to generate an overview of your digital footprint. But it can be very worthwhile as it can uncover issues you didn't even know about. Websites you thought no longer existed, domains assigned to IP addresses owned by other parties, or even a list of vulnerabilities exposing you to some potential intruders you'd rather keep out. Be sure to repeat this process every so often since your digital footprint is constantly changing!
Jimmy is the founder, CEO and CTO of Ceeyu. Prior to founding Ceeyu, Jimmy was responsible for cybersecurity programs at large financial institutions and consulting company EY. Jimmy started his career as a security engineer. His duties included installing and managing firewalls, scanning infrastructure for vulnerabilities, and performing pen testing and ethical hacking.