Security Solutions

7 mins

Behind Enemy Lines: Hacker Insights on Asset Discovery

Melvin Lammerts
Melvin Lammerts
Hacking Manager at Hadrian
Growing up in the Netherlands, Melvin started hacking at a young age. Originally from HackerOne, he joined Hadrian as a hacker in November 2021 when the company was just a few months old. His main interests are attack surface mapping techniques and automating complex vulnerability checks.

According to Forrester, organizations often underestimate their external-facing assets by a staggering 30%. By underestimating these assets, organizations inadvertently expand their attack surface, providing a growing amount of opportunities for threat actors. In our interview with ethical Hadrian hacker Melvin we dive into the tools used to discover assets - from port scanners, vulnerability scanners and OSINT to AI. As well as exploring sectors most susceptible to cyber threats and emerging asset discovery trends in the hacker community. Prepare to explore the front lines exposing a landscape brimming with vulnerabilities. 

Graph showing that on average organisations underestimate their external-facing assets by a staggering on average.

How do hackers typically gather information about their potential targets?

The most common method we employ is to determine the domains associated with a specific company or organization. In many cases, an organization is part of a larger group that encompasses multiple brands.

Our approach involves identifying the domains belonging to both the main organization and its subsidiary brands. We utilize techniques such as random and brute-force searches to discover subdomains and expand our understanding of the organization's assets.

By uncovering these additional domains, we increase the attack surface and gain a broader perspective for potential targeting.

What are some common sources of information that hackers use to help facilitate that process? 

One approach we utilize is OSINT (Open Source Intelligence), which involves leveraging existing information available on the internet to gather insights about our targets. Google is one of the commonly used aggregators for conducting OSINT activities.

Another valuable source of information is GitHub, where many organizations have their code repositories. By exploring these repositories, we can potentially discover additional details. It's important to note that this doesn't directly provide vulnerabilities or exploit opportunities, but it contributes to building a more comprehensive understanding of the target.

By combining data from various sources, including Google and GitHub, we can piece together information to create a more complete picture of the target, which aids in our assessments and investigations.

Generally, what is the most challenging part - finding the vulnerability or exploiting it? 

It depends. The level of vulnerability in an organization depends on its maturity and awareness of its assets. If an organization is not mature and lacks knowledge about its own infrastructure, it becomes easier to identify vulnerabilities. This is because they may have outdated servers or services that are more susceptible to exploitation.

However, in a company that prioritizes security and has established measures in place, it becomes more challenging to find vulnerabilities. In such cases, you may need to search for obscure assets that the organization itself may not even be aware of or identify complex vulnerabilities that are harder to exploit.

How do hackers assess the value or importance of an asset before targeting it?

To gain context and identify potentially valuable domains, you can consider certain factors. For instance, analyzing the actual domain name or its super domain can provide insights. 

If keywords like "admin" or "backend dashboard" are present, it suggests that the domain might control other services, making it worth investigating. On the other hand, domains with keywords like "static" or "contents" typically point to static hosting servers where valuable information may not be found.

Another parameter to consider is the server's location. It could indicate its significance if the domain is hosted on AWS, Azure, or any major cloud environment. This aspect is more relevant in recent times when organizations often utilize cloud platforms.

But, if the domain originates from the organization's home country or appears to be associated with a private ID, it may be more interesting as it could indicate the use of a dedicated server.

By examining these factors, you can gather contextual information to prioritize your investigations and identify potentially valuable domains.

Could you share some of the latest trends or techniques emerging in the hacker community?

In my opinion, we will witness a growing number of AI-based tools being utilized to assist in attacks. Previously, the available tools required specific input information to generate attack materials. For instance, teaching tools demanded details like the target organization's name, employee names, and positions.

However, I anticipate a future where AI-powered tools won't rely on such additional parameters. You would simply provide the organization you wish to target, and the AI system would leverage existing language models and information to swiftly generate the desired attack materials. This advancement would be particularly advantageous for the purpose of discovery. I have personally utilized such tools, especially for tasks like domain generation and domain permutations.

By leveraging an AI system, you can request the generation of sample domains based on an organization's existing domains. This enables testing for potential domains they might have. I believe there will be a significant surge in the development of tools based on these advancements in the future.

These tools can be likened to assistants that augment your existing knowledge and streamline various tasks and operations. However, it is important to note that they are not foolproof. For example, if you need a piece of code written, you now have the option to seek assistance from AI. Nonetheless, you will still need to review, debug, and customize the code to align with your specific requirements.

The AI system does not completely replace you or someone else; it serves as a valuable tool to aid you. Ultimately, it is essential to understand that it is just a tool, and its benefits can only be fully realized if you possess the knowledge and expertise to utilize it effectively.

Are there any particular industries or sectors that are more vulnerable to asset discovery?

I believe the energy sector is particularly at risk - the reason why is because it is highly vulnerable due to its reliance on scattered and outdated systems. These systems often end up being exposed on the internet when they shouldn't be. This vulnerability extends to other sectors that rely on similar types of devices, such as manufacturing. When these systems are accessible on the internet, they become easy targets for hackers. It's crucial to avoid such exposure.

Another issue is data retention and how data is stored, served, and accessed. With the increasing number of IoT devices and interconnected technologies. Ransomware attacks, for instance, have been on the rise in industries that possess sensitive and confidential data, like healthcare. The abundance of data and the availability of web applications for registration purposes create additional storage locations for such information. In the past, this data might have been harder to aggregate, and it might have been limited to physical records or kept within the confines of a particular hospital.

What are the best practices that organizations can adopt to protect their assets from being discovered and exploited by hackers?

I believe the key solution lies in not exposing your servers unnecessarily. So, it's important to ensure that the services you have are internal-only and accessible, for example, through a VPN. This is a good practice to follow. Essentially, minimize the assets you have online.

Another way we can help is by understanding the assets that are exposed and keeping track of them. It's crucial to ensure that these assets are not running on unusual ports and that they do not have any vulnerable services running. At Hadrian, we help our customers by providing a solution that monitors their infrastructure. If any issues arise, we immediately verify if they are a risk to our customer and notify users.

To uncover more hacker insights, read thoughts from Head of Hacking Olivier on the GoDaddy attacks.

To explore the challenges organizations face trying to manage their external facing assets and the best practices to do so, discover our e-book here.

Book a demo

Get started scanning in 5 minutes

We only need your domain for our system to get started autonomously scanning your attack surface.

Book a demo