
Evaluating your internet-facing asset exposure is not as straightforward as it once was. CSO reports that as many as 73% of CISOs today link security incidents to unknown or unmanaged assets. For security professionals, discovering and monitoring all internet-facing assets is crucial, with comprehensive domain and subdomain mapping key to reducing the attack surface. Of course, defining the assets in your attack surface management strategy is a dynamic process.
Forgotten subdomains, shadow IT, and unmonitored internet-facing assets create critical vulnerabilities that attackers actively exploit. They may be unknown to you, but if discovered by a cyberattacker, they could potentially offer a way into corporate networks and sensitive information. For attackers, out of sight doesn’t mean out of mind.
What constitutes internet-facing asset exposure?
Although most individuals make use of the internet and related assets almost constantly - on their smartphone, at home, and in the workplace - it’s important to remember that there are still some digital assets that are strictly on-premise. For example, some internal IT hardware, whether it’s a physical server for file storage or a simple workplace printer, may be connected to an internal network but not the public internet, greatly reducing their risk of being used as a vector for a cyberattack.
Even so, the majority of digital solutions used by businesses today are internet-facing assets. It’s been estimated that major global organizations could have thousands of digital assets connected to the internet. One study suggests that the top 35 banks alone each use as many as 7,500 of them.
Internet-facing asset exposure encompasses every one of these digital solutions that could serve as a potential entry point for a cyberattacker. This includes web apps, APIs, cloud services, third-party integrations, subdomains, forgotten servers - essentially, anything that is accessible via the public internet.
The risks of unknown or forgotten internet-facing assets
Even if organizations are aware of their increasing number of internet-facing assets, do they really know how many they are working with, what other solutions they connect to, and what sensitive data they can access? For many businesses, unfortunately, they do not. The “unknown unknowns” that reside in their corporate network could pose a substantial cybersecurity risk, serving as unguarded entry points for attackers.
The threats posed by dangling DNS records, subdomain takeovers and other abandoned services are not hypothetical. They have already been used by numerous cyberattackers to leverage your brand’s reputation as part of a malicious effort to bypass perimeter security, move laterally through your network, steal sensitive data, or carry out any number of other exploits.
How domain and subdomain mapping works
Today, many businesses have an online presence - a website you can visit to find out more about the organization, use to purchase goods and services, or make contact with a particular department. As such, they will have a domain - the primary web address - and multiple subdomains - separate sections of the primary domain.
However, it is easy for businesses to forget about some of their subdomains. Perhaps they created a new subdomain in support of a short-lived event and then abandoned it. Perhaps they revamped their website and decided to create some new subdomains and discard others. Perhaps a subdomain still points to a service that they no longer supply. Regardless, any subdomain connected to the company - known or unknown - represents a potential channel for attackers to exploit.
As such, domain and subdomain mapping has become crucial to reducing internet-facing asset exposure. Domain and subdomain mapping works by checking all the DNS records stored on your domain’s name servers. The complete set of domains and subdomains gathered during the mapping process represents a company’s external attack surface.
This is, of course, not a one-and-done process. Keeping your domain and subdomain mapping up to date is essential for preventing subdomain takeovers, issuing patches and ensuring compliance.
Common scenarios causing internet-facing asset exposure
There are various situations where organizations are likely to increase their internet-facing asset exposure. With many of them, a lack of visibility underpins the risk, with security teams unable to safeguard an asset if they aren’t aware of its existence.
Some of the main scenarios that can lead to forgotten or unknown public-facing assets include:
- Mergers & acquisitions (M&As): Because they force the rapid integration of two separate digital environments, M&A activities create significant cyber risks. The acquiring company will inherit all of the target company's unknown and unmanaged assets. Conflicting security standards can also create issues.
- Cloud migrations: Once again, speed can be the enemy when moving to the cloud. A migration carried out too quickly invites misconfiguration. There can also be security problems when organizations lack a central inventory of the applications transitioning to the cloud. This is when assets are forgotten and poor security settings go unnoticed.
- Developer-created environments: Because modern development practices emphasize speed, they can lead to the creation of unmanaged, short-lived, or shadow IT assets. Tools meant for internal use only may be inadvertently exposed and new features may be accidentally abandoned instead of being formally deprovisioned.
Real-world attack examples
Many cyberattacks that depend on internet-facing asset exposure do not begin with a complex zero-day exploit; they start with some long-forgotten solution. While the principles of exploiting forgotten assets remain the same, recent attacks demonstrate that the threat has shifted from a single unpatched server to large-scale, automated exploitation of cloud misconfigurations and third-party service sprawl.
One of the most damaging examples of subdomain hijacking to have occurred recently is the so-called “SubdoMailing campaign.” This was a campaign targeting thousands of brands, including the likes of MSN, McAfee, and Marvel, throughout 2024. Attackers identified dangling CNAME records, a type of dangling DNS record, used by these companies, took over the relevant subdomains, and used them to send millions of fraudulent, phishing, and ad-fraud emails. A simple DNS cleanup following the decommissioning of a third-party service could have prevented the cyberattacks at source.
Another security incident involving internet-facing asset exposure that took place last year targeted Mercedes-Benz. This time, the exposed asset was an employee authentication token made publicly accessible on an internal but misconfigured GitHub code repository. Fortunately, researchers spotted the issue before widespread malicious exploitation took place, but the developer misconfiguration could have led to significant financial and reputational damage for the car manufacturer.
The role of continuous discovery vs. point-in-time assessments
Not too long ago, security teams could gain a pretty clear picture of their company assets through point-in-time assessments. A snapshot of the number and type of digital assets that made up a corporate network at a given moment in time was enough to implement the necessary safeguards. However, as the pace of digital adoption has increased, many businesses have moved towards continuous discovery, automating the process of domain and subdomain mapping across an organization's entire digital presence in real time.
With continuous discovery, automated scanning and monitoring deliver an accurate inventory of all the assets that make up an organization’s attack surface. Dangling DNS records are highlighted as soon as they appear. New developer environments are immediately brought under security control. M&A-inherited assets are identified so they can come under standardized protocols.
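The mapping step described earlier, the dangling-CNAME condition behind the SubdoMailing campaign, and the snapshot comparison that continuous discovery relies on, shown together as an added Python example that is not from the original article. The zone data and the external lookup table are constructed sample values, and `lookup` stands in for a real DNS query.

```python
from typing import Optional

# Constructed sample zone for example.com: name -> {record type: [values]}.
# Not real data; the trailing "." marks fully qualified names.
ZONE = {
    "example.com.": {"A": ["203.0.113.10"]},
    "www.example.com.": {"CNAME": ["example.com."]},
    "shop.example.com.": {"CNAME": ["example-shop.saas-vendor.example."]},
    "event2023.example.com.": {"CNAME": ["old-event.pages-host.example."]},
    "api.example.com.": {"A": ["203.0.113.20"]},
}

# Constructed stand-in for what public resolvers return for external targets.
# A target missing from both tables is treated as NXDOMAIN (no longer exists).
EXTERNAL = {
    "example-shop.saas-vendor.example.": {"A": ["198.51.100.5"]},
}

def lookup(name: str) -> Optional[dict]:
    # Assumption: in production this is replaced by a real DNS query.
    return ZONE.get(name) or EXTERNAL.get(name)

def resolve_chain(name: str, max_hops: int = 8):
    """Follow CNAMEs from name; return (chain, terminal rrset or None)."""
    chain = [name]
    for _ in range(max_hops):
        rrset = lookup(chain[-1])
        if rrset is None:            # NXDOMAIN: the chain ends in nothing
            return chain, None
        if "CNAME" not in rrset:     # reached an A/AAAA/MX answer
            return chain, rrset
        chain.append(rrset["CNAME"][0])
    return chain, None               # loop or over-long chain: unresolved

def find_dangling(zone: dict) -> list:
    """Names whose CNAME chain ends at a target that no longer resolves."""
    return [(name, resolve_chain(name)[0][-1])
            for name, rrset in zone.items()
            if "CNAME" in rrset and resolve_chain(name)[1] is None]

def diff_snapshots(old: dict, new: dict):
    """Continuous discovery: names added and removed between two mappings."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))

if __name__ == "__main__":
    for name, target in find_dangling(ZONE):
        print(f"dangling CNAME: {name} -> {target}")
```

Running the check on the sample zone flags only the abandoned event subdomain, whose third-party target no longer resolves; a subdomain on that list is the cleanup candidate the article describes.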
Continuous attack surface management gives businesses 24/7 oversight into their internet-facing asset exposure. Visibility is the first step to securing a company’s assets, but point-in-time mapping becomes outdated as soon as the assessment finishes. And that’s exactly when a cyberattacker could make their move.