Detecting exposed sensitive files
Continuous Automated Red Teaming (CART) helps organizations remain aware of exploitable weaknesses that a threat actor could target. Simply scanning for known Common Vulnerabilities and Exposures (CVE) is not enough as there are many CVE-less attack vectors that can be utilized. Hadrian’s Sensitive File Detection feature finds configuration files and data that could be exploited by a threat actor.
Why sensitive files are being targeted
Many organizations use web application frameworks and network peripherals because it is faster and easier than building everything themselves. However, many default settings in these frameworks and peripherals expose configuration files or system health data that should not be publicly accessible. This vulnerability leaves systems open to exploitation by malicious hackers who can quickly locate and exploit these exposed files.
In 2020, during a 24-hour period, 130 million attacks intended to harvest database credentials from 1.3 million sites were detected. During the attacks, attempts were made to download the wp-config.php WordPress configuration file, which contains database credentials and connection information as well as unique authentication keys and salts.
Increasingly, threat actors conduct wide-scale attacks targeting technologies instead of specific industries or geographic regions. They then search through the data they collect, conducting follow-up attacks themselves or selling the data to ransomware gangs. Credential sales by Initial Access Brokers (IAB) have dramatically increased in the last two years alone.
How Hadrian detects sensitive files
Hadrian continuously scans for new and changing assets using a fingerprinting technique; if there have been modifications, in-depth scans are triggered. To detect exposed sensitive files, Hadrian’s platform has three core capabilities:
- Contextual scanning - Matches the scans performed with the environment
- Broad spectrum detection - The ability to assess the security posture of any infrastructure
- In-depth investigation - Comprehensive scanning for exposed sensitive files
Contextual scanning
To maximize the effectiveness of our scans, Hadrian’s platform performs different scans based on the characteristics of the technology. For example, the platform will search for specific subdirectories based on the type of content management system detected. If a website is built on WordPress and hosted at "example.com/wp-website/," Hadrian will scan the "wp-website/" path for known files instead of limiting the scan to "example.com/."
This intelligent scanning approach is further enhanced by our AI, which helps identify pages that may potentially contain sensitive information. Contextual scanning ensures that we conduct the right scans at the right time, reducing unnecessary traffic and potential false positives that could be generated.
Broad spectrum detection
To accurately assess the security posture of an organization's attack surface, Hadrian’s platform can perform the full gamut of tests. Enabled by our platform’s modular architecture, the contextual scanning described above can trigger any number of different tests. This can include generic tests, such as scanning for exposed backup files like ZIP or SQL files which can contain sensitive data and pose a significant security risk if publicly accessible.
In addition, Hadrian can also perform highly targeted tests, such as identifying which development frameworks have been used to build a website. If Django is being used, for example, Hadrian’s platform will attempt to use debug mode to search for misconfigured settings in web applications that could be exploited. Being able to run a broad spectrum of tests enables Hadrian to identify every potential risk in any infrastructure.
In-depth investigation
Running a wide range of tests is only part of the picture. Hadrian’s platform can also interpret many of the files that it finds and trigger further testing. For example, if a .json file is identified, Hadrian initiates an audit to verify whether there are any known CVEs associated with the contents. If any risks are found, Hadrian investigates further, verifying if there is evidence of exploitation for similar risks within our database.
The platform can also run permutations of its tests to uncover weaknesses. In the WordPress example above, an administrator may have created a copy of the wp-admin/admin.php file called wp-admin/admin2.php that contains sensitive information. By triggering further testing and running permutations of scans, Hadrian can identify risks that would not be found by standardized tests.
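The same two checks, backup files (ZIP or SQL) and leftover copies such as admin2.php, can be run from the inside against your own document root before anything external finds them. The script below is an added example, not Hadrian's code; the list of leftover suffixes, the copy-name pattern and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

BACKUP_EXTS = {".zip", ".sql"}                    # the backup types the article names
EXTRA_EXTS = {".bak", ".old", ".orig", ".save"}   # assumed: suffixes left on copies
COPY_MARK = re.compile(r"(?:[-_ ]?(?:copy|old|bak|backup)|\d+)$", re.I)

def original_of(path: Path):
    """Return the sibling file that `path` looks like a copy of, or None."""
    candidates = []
    if path.suffix.lower() in EXTRA_EXTS:         # wp-config.php.bak -> wp-config.php
        candidates.append(path.with_suffix(""))
    stem = COPY_MARK.sub("", path.stem)           # admin2.php -> admin.php
    if stem and stem != path.stem:
        candidates.append(path.with_name(stem + path.suffix))
    return next((c for c in candidates if c.is_file()), None)

def audit_docroot(root: Path):
    """Walk a local web root and return sorted (relative_path, reason) findings."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix.lower() in BACKUP_EXTS:
            findings.append((rel, "backup/dump file inside web root"))
        orig = original_of(p)
        if orig is not None:
            findings.append((rel, f"looks like a copy of {orig.name}"))
    return sorted(findings)

def build_sample_root(root: Path):
    """Constructed sample tree mirroring the article's example.com/wp-website/ layout."""
    for rel in ("wp-website/wp-config.php", "wp-website/wp-config.php.bak",
                "wp-website/wp-admin/admin.php", "wp-website/wp-admin/admin2.php",
                "wp-website/site-backup.zip", "wp-website/dump.sql",
                "wp-website/index.php"):
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_root(Path(d))
        for rel, reason in audit_docroot(Path(d)):
            print(f"{rel}: {reason}")
```

A copy is only reported when the file it was copied from still exists beside it, which keeps names like report2023.pdf from being flagged on their own.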
Prioritizing and remediating sensitive files
Once Hadrian's platform identifies a risk, it goes through a verification process to reduce false positives. By analyzing the contents of the exposed files, Hadrian can assess the severity of each risk accurately. For instance, if a configuration file contains database credentials, it will be assigned a higher severity level compared to a file containing only system health data. This severity level empowers customers to prioritize their actions based on the potential impact of each risk.
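A small sketch of content-based severity, added here as an illustration and not taken from Hadrian's platform: it rates the text of an exposed file, treating the placeholder values from WordPress's wp-config-sample.php as non-secrets so that a leftover sample file is not a false positive. The severity labels, the health-data key names and all sample contents are assumptions constructed for the example.

```python
import json
import re

# define( 'NAME', 'value' ) as written in wp-config.php
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)""")
DB_KEYS = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"}
# Values shipped in wp-config-sample.php; a file holding only these leaks nothing.
PLACEHOLDERS = {"", "database_name_here", "username_here", "password_here",
                "put your unique phrase here"}
HEALTH_KEYS = {"status", "uptime", "version", "load", "memory"}  # assumed key names

def classify(content: str):
    """Return (severity, evidence) for the text of one exposed file."""
    defines = {m[1]: m[3] for m in DEFINE_RE.finditer(content)
               if m[3] not in PLACEHOLDERS}
    if defines.get("DB_PASSWORD"):
        return "high", sorted(k for k in defines if k in DB_KEYS)
    secrets = sorted(k for k in defines if k.endswith(("_KEY", "_SALT")))
    if secrets:
        return "medium", secrets
    try:
        doc = json.loads(content)
    except ValueError:
        doc = None
    if isinstance(doc, dict) and doc and set(map(str.lower, doc)) <= HEALTH_KEYS:
        return "low", sorted(doc)
    return "info", []

# Constructed inputs: none of these values are real secrets.
LIVE_CONFIG = """<?php
define( 'DB_NAME', 'shop' );
define( 'DB_USER', 'shop_rw' );
define( 'DB_PASSWORD', 'constructed-not-a-real-secret' );
define( 'AUTH_KEY', 'constructed-key-value' );
"""
SAMPLE_CONFIG = """<?php
define( 'DB_PASSWORD', 'password_here' );
define( 'AUTH_KEY', 'put your unique phrase here' );
"""
HEALTH = '{"status": "ok", "uptime": 86400}'

if __name__ == "__main__":
    for name, text in (("live", LIVE_CONFIG), ("sample", SAMPLE_CONFIG),
                       ("health", HEALTH)):
        print(name, classify(text))
```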
The key to Hadrian’s platform is its ability to accurately identify every risk and attach an appropriate severity level to each. This allows our customers to easily prioritize their security efforts and improve their overall security posture. To see the platform in action, request a demo from our experts.