OSINT Top Ten: Number 1 - Domain Information
Coming in at number one of our OSINT Top Ten is Domain Information which includes all Domains, Subdomains, Certificates, Emails, and Permutations/Look-Alikes (Company Names, Domains, and Emails). This area of investigation is ranked highest because it includes some of the most critical internet-facing assets of your organization. It is essential to inventory and monitor everything on this front to properly manage your attack surface, online brand integrity, service delivery, and get ahead of any possible threats/risks/exposures to customers/partners.
Getting an accurate count of your active domains and their respective certificates is always a good starting point. Getting a hold of all the subdomains (domains that are spun up from your root/domain) is a logical next step. At this point, you should ensure that they are all properly monitored and hardened. If not properly checked and maintained for accuracy/uptime, these only add to your attack surface footprint for malicious users to exploit. For example, an unchecked/not monitored subdomain can be susceptible to a “Subdomain takeover” (when a malicious user can ‘takeover’ the subdomain and all associated data present).
Certificate inventory and monitoring for new certificates added to your site/domain is another crucial task. Expired certificates issued to active subdomains pose a considerable risk, and malicious actors will check for such things. “Expired certificates” can lead to all of the following:
Reduction in user trust as the site is indicated as “insecure” as displayed in most browsers.
User fraud and identity theft risk from “man-in-the-middle” attacks
Brand and reputation damage as users experience having a warning message displayed within their browsers upon visiting the site.
Disruption or breaking of online applications or services
Awareness of email addresses generated from domain names is also critical. We recommend monitoring these emails and respective permutations to manage social engineering risks and other types of malintent proactively.
Organization and domain name permutations are also just as important. Permutations, especially in domains, are substitutions, additions, and homoglyphs (characters or glyphs with shapes that appear identical or very similar). You must be aware of these permutations to identify possible domains that bad actors can use in a phishing/spoofing attack.
