
Attack Prepositioning Detection

5 automated security scanners


Purpose: The Domain Preregistration Identification Scanner helps security teams identify typosquatting and lookalike domains that could be used to impersonate the organization. Detecting these registrations early lets an organization monitor, block or challenge them before they are used in a phishing or fraud campaign.

What It Detects:

  • Typosquatting Variants: Identifies domains in which characters are replaced by similar-looking alternatives (e.g., “0” for “o”, “1” for “i”), domains with a character omitted, and domains with a repeated character.
  • Common Prefixes and Suffixes: Detects security-sounding keywords such as “-secure” and “-login” attached to the brand label, along with other prefixes and suffixes commonly used in malicious registrations.
  • TLD Variations: Checks whether the same label is registered under other top-level domains (TLDs), a common way to impersonate a brand while keeping its recognizable name.
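
The three pattern families above can be turned into a watchlist generator that a team runs against new registrations, DNS or certificate logs. The following is an added example, not the scanner's own code; the homoglyph table, the affix list and the TLD list are assumptions to extend for your brand, and the transposition family is an addition beyond the list above.

```python
"""Generate lookalike candidates for a brand domain (added example).

Implements the pattern families the scanner describes: homoglyph
substitution, omission, repetition, security-sounding prefixes and
suffixes, and the same label under other TLDs.  The tables below are
assumptions, not the scanner's own data.
"""

# Visually similar substitutions (assumed table; extend for your brand).
HOMOGLYPHS = {
    "o": ["0"], "i": ["1", "l"], "l": ["1", "i"], "e": ["3"],
    "a": ["4"], "s": ["5"], "g": ["9"], "b": ["8"], "t": ["7"],
}
# Keywords attackers attach to look official (assumed list).
AFFIXES = ["secure", "login", "account", "support", "verify", "mail"]
# Alternate TLDs worth watching (assumed list).
TLDS = ["net", "org", "co", "info", "io", "biz", "online"]


def split_domain(domain: str) -> tuple:
    """'acme.com' -> ('acme', 'com'). Only the registrable label is mutated.
    Multi-label suffixes such as .co.uk need a public-suffix list; not handled here."""
    label, _, tld = domain.lower().rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected label.tld, got {domain!r}")
    return label, tld


def homoglyph_variants(label: str) -> set:
    """Replace one character with a lookalike: 'acme' -> 'acm3', '4cme'."""
    return {label[:i] + sub + label[i + 1:]
            for i, ch in enumerate(label) for sub in HOMOGLYPHS.get(ch, [])}


def omission_variants(label: str) -> set:
    """Drop one character: 'acme' -> 'cme', 'ame', 'ace', 'acm'."""
    return {label[:i] + label[i + 1:] for i in range(len(label)) if len(label) > 1}


def repetition_variants(label: str) -> set:
    """Double one character: 'acme' -> 'aacme', 'accme', 'acmme', 'acmee'."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def transposition_variants(label: str) -> set:
    """Swap adjacent characters: 'acme' -> 'came', 'amce', 'acem'.
    Not in the scanner's list, but the most common keyboard typo."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def affix_variants(label: str) -> set:
    """Attach a keyword with or without a hyphen: 'acme-login', 'secure-acme', 'acmemail'."""
    return {form for word in AFFIXES
            for form in (f"{label}-{word}", f"{label}{word}", f"{word}-{label}", f"{word}{label}")}


def generate_candidates(domain: str) -> dict:
    """Return {candidate_domain: pattern_family}; the original domain is never included."""
    label, tld = split_domain(domain)
    families = {
        "homoglyph": homoglyph_variants(label),
        "omission": omission_variants(label),
        "repetition": repetition_variants(label),
        "transposition": transposition_variants(label),
        "affix": affix_variants(label),
    }
    candidates = {}
    for family, labels in families.items():
        for variant in labels:
            candidates.setdefault(f"{variant}.{tld}", family)  # first family wins
    for alt in TLDS:  # same label under other TLDs
        if alt != tld:
            candidates.setdefault(f"{label}.{alt}", "tld")
    candidates.pop(domain.lower(), None)
    return candidates


if __name__ == "__main__":
    for candidate, family in sorted(generate_candidates("acme.com").items()):
        print(f"{family:13} {candidate}")
```

Run it as a script to print the watchlist for acme.com; each candidate can then be checked with WHOIS, a DNS lookup or a certificate-log search. For brands under multi-label public suffixes (acme.co.uk) split the label with a public-suffix list rather than the simple rpartition used here.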

Inputs Required:

  • domain (string): The primary domain to analyze, such as acme.com.

Business Impact: Identifying potential typosquatting and lookalike domains is crucial for protecting organizations from malicious actors who may use these deceptive tactics to launch attacks or phish sensitive information. This enhances the overall security posture by enabling proactive measures against cyber threats.

Risk Levels:

  • Critical: The scanner identifies domains that are exact matches or very close substitutes of well-known and trusted brands, posing a high risk of user confusion and potential damage to reputation.
  • High: Domains with common typosquatting patterns or those mimicking legitimate services can lead to unauthorized access or data theft if not detected early.
  • Medium: Lower severity findings may include domains using similar but less critical suffixes or prefixes that could still be considered suspicious, warranting further investigation.
  • Low: Domains with uncommon typosquatting elements that require minimal action unless they show signs of malicious activity.
  • Info: These are generally benign and do not pose immediate risks but can serve as indicators for ongoing monitoring or future analysis.

Example Findings:

  1. A domain “acm3.com” which is a substitution of the character ‘e’ with ‘3’, potentially misleading users to a malicious site.
  2. A domain “mybankonline.info”, suggesting association with a bank but using a non-standard TLD, raising concerns about phishing or spoofing.

Purpose: The Subdomain Staging Discovery Scanner is designed to identify indicators that an attacker is staging for a future attack, by detecting DNS record preparation, subdomain infrastructure setup, and certificate pre-acquisition. This includes the detection of new subdomains, anomalous DNS records, SSL/TLS certificate issues, misconfigured HTTP security headers, and unauthorized port usage.

What It Detects:

  • New Subdomain Creation: Detection of recently created or newly configured subdomains that may suggest preparatory actions for future attacks.
  • DNS Record Preparation: Analysis of TXT, MX, NS and CAA records, together with the SPF and DMARC policies published in TXT records, for anomalies or suspicious configurations, including overly permissive SPF records.
  • Certificate Pre-Acquisition: Inspection of SSL/TLS certificates for recently issued or self-signed ones tied to new subdomains, together with the protocol versions and cipher suites the endpoint negotiates, highlighting outdated protocols and weak suites.
  • HTTP Security Headers: Examination of HTTP responses for proper configuration of security headers like Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options.
  • Port Scanning and Service Fingerprinting: Identification of open ports that might indicate services being set up for staging, including unauthorized or unusual services.
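
As an added example (not the scanner's code), here is how the header and TLS checks in the list above can be scored against the risk levels this scanner uses. The response headers and the protocol/cipher inventory are a constructed sample so the code runs offline; in practice the headers come from a HEAD request (the fetch_headers helper below, or curl -sI) and the protocol/cipher list from a TLS scanner such as testssl.sh or nmap's ssl-enum-ciphers script. The HSTS minimum age and the weak-cipher markers are assumptions.

```python
"""Score HTTP security headers and TLS settings (added example)."""
from dataclasses import dataclass
import re

HSTS_MIN_AGE = 15552000  # 180 days, an assumed floor (preload lists require a year)
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON")  # DES also catches 3DES


def _hsts_ok(value: str) -> bool:
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= HSTS_MIN_AGE


def _csp_ok(value: str) -> bool:
    # A policy that never restricts scripts, or allows inline script, adds little.
    return ("default-src" in value or "script-src" in value) and "'unsafe-inline'" not in value


HEADER_CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}


@dataclass
class Finding:
    severity: str
    check: str
    detail: str


def check_headers(headers: dict) -> list:
    """Missing or weak header -> Medium, the scanner's level for header problems."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in HEADER_CHECKS.items():
        if name not in lowered:
            findings.append(Finding("Medium", name, "header missing"))
        elif not ok(lowered[name]):
            findings.append(Finding("Medium", name, f"weak value: {lowered[name]!r}"))
    return findings


def check_tls(protocols: list, ciphers: list) -> list:
    """Deprecated protocol or weak suite -> High, the scanner's level for TLS problems."""
    findings = [Finding("High", "tls-protocol", f"{p} enabled")
                for p in protocols if p in DEPRECATED_PROTOCOLS]
    findings += [Finding("High", "tls-cipher", f"weak suite {c}")
                 for c in ciphers if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]
    return findings


def assess(headers: dict, protocols: list, ciphers: list) -> dict:
    """Combine both checks and report the worst severity present."""
    findings = check_headers(headers) + check_tls(protocols, ciphers)
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}
    worst = min((f.severity for f in findings), key=rank.get, default="Info")
    return {"worst": worst, "findings": findings}


def fetch_headers(host: str, timeout: float = 5.0) -> dict:
    """Live helper, not used by the offline sample: HEAD / over HTTPS."""
    import http.client
    import ssl
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    conn.request("HEAD", "/", headers={"Host": host})
    return dict(conn.getresponse().getheaders())


# Constructed sample: a staging host with a token HSTS value and two headers missing,
# still offering TLS 1.0 plus RC4 and 3DES suites.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_PROTOCOLS = ["TLSv1.0", "TLSv1.2", "TLSv1.3"]
SAMPLE_CIPHERS = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_AES_256_GCM_SHA384",
                  "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    result = assess(SAMPLE_HEADERS, SAMPLE_PROTOCOLS, SAMPLE_CIPHERS)
    print("worst:", result["worst"])
    for f in result["findings"]:
        print(f"{f.severity:7} {f.check:28} {f.detail}")
```

On the sample the three header problems rate Medium and the TLS 1.0 plus two weak suites rate High, so the host as a whole reports High. Protocols and cipher suites are properties of the endpoint, not of the certificate it presents, which is why they are scanned separately from the certificate itself.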

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com) - This is the essential input needed to perform DNS record analysis, HTTP header checks, TLS/SSL certificate inspection, and port scanning.

Business Impact: This scanner helps in identifying potential attack vectors early on, allowing for proactive measures to be taken against ongoing attacks or suspicious activities that could lead to breaches. It contributes significantly to maintaining a robust security posture by detecting unauthorized access points and misconfigurations that might otherwise go undetected until it’s too late.

Risk Levels:

  • Critical: SPF records that grant effectively unrestricted sending rights, i.e. a record whose all mechanism carries the + qualifier (v=spf1 ... +all, or a bare all, which defaults to pass). A pattern such as v=spf1.*[+\-~?]all matches every record that ends in all, including the recommended -all, so the qualifier in front of all, not the presence of all, is what decides the severity; ?all (neutral) and ~all (softfail) are weaker than -all and merit a lower-severity finding. Such permissive records on new subdomains could let an attacker send mail as those names.
  • High: Support for outdated SSL/TLS protocols (e.g., TLSv1.0, TLSv1.1) or weak cipher suites (e.g., those using RC4, DES/3DES or MD5), which are vulnerable to known attacks.
  • Medium: Missing or misconfigured HTTP security headers: without Strict-Transport-Security users remain open to downgrade and man-in-the-middle attacks, and a missing Content-Security-Policy or X-Frame-Options leaves script injection and clickjacking unmitigated.
  • Low: Open ports for non-standard services may indicate development or testing activity and are generally less critical unless they expose APIs or other network services.
  • Info: Informational findings about new subdomains, DNS records, and certificate details that provide baseline information for security audits and compliance checks.

Example Findings:

  • A newly created subdomain staging123.example.com with a DMARC record that takes no action on failures (v=DMARC1; p=none, monitoring only), which could indicate infrastructure being prepared to send mail that impersonates the main domain.
  • A TLS endpoint on testsubdomain.example.com presenting a recently issued certificate while still negotiating TLSv1.0 and weak cipher suites, a significant exposure.
  • Port 25 open on a host that is not one of the domain’s MX servers and is not meant to handle mail, leaving a reachable service that could be used for unauthorized relaying or data exfiltration.

Purpose: The Passive DNS Surveillance Scanner is designed to analyze a domain’s passive DNS data in order to detect potential attack prepositioning indicators. This tool helps security teams identify suspicious activities and vulnerabilities by analyzing subdomain usage, DNS changes, and the age of the domain.

What It Detects:

  • Subdomain Analysis: Identifies subdomains with sensitive or commonly targeted names such as “admin,” “vpn,” and “mail,” which attackers probe or imitate. The scanner also estimates the number of subdomains created within the last 30 days; the figure is derived from the total subdomain count rather than from per-record first-seen timestamps, so treat it as an estimate.
  • DNS Changes: Estimates the frequency of DNS changes over the past 30 days; a sudden burst can be a sign of domain hijacking. It also identifies other domains sharing the same IP address, which may point to shared hosting or to a compromised server (allowlist known CDN and hosting ranges, or every tenant behind a shared load balancer will be flagged).
  • Domain Age: Estimates how long the domain has been active from its DNS SOA record (many operators date-encode the serial as YYYYMMDDnn, which gives a lower bound on the zone’s age), helping to identify recently registered domains that may be under attack.
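
The three checks above, as an added example that is not the scanner's own code. The records are a constructed fixture in the common passive-DNS shape (rrname, rrtype, rdata, time_first, time_last); a real run would fill them from a passive DNS provider such as DNSDB, SecurityTrails or CIRCL. The thresholds, the sensitive-name list and the fixed "today" are assumptions.

```python
"""Score a domain from passive DNS records (added example)."""
from collections import defaultdict
from datetime import date, timedelta
from typing import Optional
import re

SENSITIVE_LABELS = {"admin", "vpn", "mail", "sso", "owa", "remote", "login", "citrix"}
NEW_WINDOW_DAYS = 30
CRITICAL_NEW_SUBDOMAINS = 20  # assumed thresholds, not the scanner's
HIGH_CHANGES = 10


def registrable(name: str) -> str:
    """Crude base domain: the last two labels (a public-suffix list is needed for e.g. .co.uk)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def age_from_soa_serial(serial: Optional[int], today: date) -> Optional[int]:
    """Operators often date-encode the SOA serial as YYYYMMDDnn.  The serial marks the
    last zone edit, not creation, so a parsable value is a lower bound on the zone's age."""
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})\d{2}", str(serial or ""))
    if not m:
        return None
    try:
        edited = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:
        return None
    return (today - edited).days if edited <= today else None


def analyze(records: list, domain: str, today: date, soa_serial: Optional[int] = None) -> dict:
    cutoff = today - timedelta(days=NEW_WINDOW_DAYS)
    subdomains, new_subdomains, suspicious = set(), set(), set()
    changes = 0
    ip_owners = defaultdict(set)  # IP -> base domains observed on it
    for r in records:
        name = r["rrname"].rstrip(".").lower()
        first_seen = date.fromisoformat(r["time_first"])
        if first_seen >= cutoff:
            changes += 1  # each (name, rdata) pair first observed in the window is a change
        if r["rrtype"] in ("A", "AAAA"):
            ip_owners[r["rdata"]].add(registrable(name))
        if name == domain or not name.endswith("." + domain):
            continue  # other domains only matter for the shared-IP view
        subdomains.add(name)
        if first_seen >= cutoff:
            new_subdomains.add(name)
        labels = set(name[: -len(domain) - 1].split("."))
        if labels & SENSITIVE_LABELS:
            suspicious.add(name)
    shared_ips = {ip: sorted(owners) for ip, owners in ip_owners.items() if len(owners) > 1}
    # Mapping to the scanner's risk levels; in production allowlist CDN and shared-hosting
    # ranges first, or every tenant on a load balancer becomes a High.
    if len(new_subdomains) >= CRITICAL_NEW_SUBDOMAINS:
        risk = "Critical"
    elif changes >= HIGH_CHANGES or shared_ips:
        risk = "High"
    elif suspicious:
        risk = "Medium"
    else:
        risk = "Low"
    return {
        "risk": risk,
        "subdomain_count": len(subdomains),
        "new_subdomains": new_subdomains,
        "suspicious": suspicious,
        "changes_30d": changes,
        "shared_ips": shared_ips,
        "zone_age_days_lower_bound": age_from_soa_serial(soa_serial, today),
    }


TODAY = date(2024, 6, 30)  # fixed so the sample is deterministic
RECORDS = [  # constructed fixture in the usual passive-DNS shape
    {"rrname": "acme.com", "rrtype": "A", "rdata": "198.51.100.10", "time_first": "2019-03-02", "time_last": "2024-06-29"},
    {"rrname": "www.acme.com", "rrtype": "A", "rdata": "198.51.100.10", "time_first": "2019-03-02", "time_last": "2024-06-29"},
    {"rrname": "mail.acme.com", "rrtype": "A", "rdata": "198.51.100.25", "time_first": "2019-03-05", "time_last": "2024-06-29"},
    {"rrname": "vpn.acme.com", "rrtype": "A", "rdata": "203.0.113.7", "time_first": "2024-06-21", "time_last": "2024-06-29"},
    {"rrname": "admin.acme.com", "rrtype": "A", "rdata": "203.0.113.7", "time_first": "2024-06-22", "time_last": "2024-06-29"},
    {"rrname": "acme-login.net", "rrtype": "A", "rdata": "203.0.113.7", "time_first": "2024-06-22", "time_last": "2024-06-29"},
]

if __name__ == "__main__":
    for key, value in analyze(RECORDS, "acme.com", TODAY, soa_serial=2024061501).items():
        print(f"{key}: {value}")
```

On the fixture, vpn.acme.com and admin.acme.com appeared in the last 30 days on an address also used by the unrelated acme-login.net, which is the shared-IP condition the scanner rates High; the SOA serial 2024061501 decodes to 15 June 2024, so the zone is at least 15 days old.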

Inputs Required:

  • domain (string): The primary domain to analyze (e.g., acme.com)

Business Impact: This scanner is crucial for security teams as it helps in identifying potential malicious activities and vulnerabilities associated with a domain’s passive DNS data. It enables proactive measures to be taken against phishing, malware distribution, and other cyber threats.

Risk Levels:

  • Critical: The scanner may flag domains with an extremely high number of new subdomains or frequent DNS changes as critical risks, indicating potential unauthorized access or malicious activities.
  • High: Domains showing a significant increase in the frequency of DNS changes or sharing IP addresses with multiple domains are considered high risk, suggesting possible compromise or hijacking.
  • Medium: The scanner may flag domains with subdomains that match common sensitive-name patterns as medium risk, since those are the names an attacker is most likely to probe or imitate.
  • Low: Domains showing a normal number of subdomains and DNS changes without any clear indicators of compromise are considered low risk but should still be monitored closely.
  • Info: Informational findings include the total count of subdomains and days since first seen, which provide basic insights into domain activity but do not carry significant risk unless accompanied by other indicators.

Example Findings:

  • A domain with numerous new subdomains named “admin,” “mail,” or similar could indicate potential unauthorized access attempts.
  • A domain showing a spike in DNS changes over the past month might be under active manipulation, potentially for malicious intent.
  • Recently registered domains that show no significant activity beyond initial registration may be targets of ongoing attacks or surveillance.

Purpose: The Email Infrastructure Preparation Scanner identifies misconfigurations and weaknesses in an organization’s email infrastructure. It verifies MX records, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) configuration and evaluates the domain’s reputation. These controls protect against email spoofing and unauthorized use of the domain and preserve the integrity of outgoing mail.

What It Detects:

  • MX Record Configuration: Ensures that MX records correctly point to valid mail servers.
  • SPF (Sender Policy Framework) Configuration: Verifies that a single valid SPF record exists and that it authorizes exactly the hosts that send mail for the domain, ending in a restrictive all mechanism.
  • DKIM (DomainKeys Identified Mail) Configuration: Confirms that DKIM records are set up for email signing, providing authentication and integrity verification.
  • Sender Reputation Building: Analyzes the domain’s reputation using threat intelligence feeds such as Shodan, VirusTotal, CISA KEV, and AbuseIPDB.
  • Threat Indicators in Email Infrastructure: Identifies potential threats or vulnerabilities within the email infrastructure based on real-time indicators like specific CVEs, malware types, phishing attempts, and credential harvesting activities.
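
The MX, SPF, DKIM and DMARC checks above, and the SPF permissiveness check from the Subdomain Staging Discovery Scanner earlier on this page, as one added example that is not either scanner's code. It works against a constructed DNS fixture so it runs offline; swap the lookup function for a real resolver (dnspython, for instance) to run it against a live domain. The severity mapping for the all qualifier and the list of DKIM selectors to probe are assumptions.

```python
"""Check MX, SPF, DKIM and DMARC for a domain against a constructed DNS fixture (added example)."""
import ipaddress
from typing import Optional

DNS = {  # constructed zone data; swap lookup() for a real resolver in production
    ("acme.com", "MX"): ["10 mx1.acme.com.", "20 mx2.acme.com."],
    ("mx1.acme.com", "A"): ["198.51.100.20"],
    ("mx2.acme.com", "A"): ["198.51.100.21"],
    ("acme.com", "TXT"): ["v=spf1 ip4:198.51.100.20 include:_spf.example-esp.com ~all"],
    ("_spf.example-esp.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("s1._domainkey.acme.com", "TXT"): ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"],
    ("_dmarc.acme.com", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@acme.com"],
    ("staging.acme.com", "TXT"): ["v=spf1 +all"],
}
COMMON_SELECTORS = ("default", "s1", "selector1", "selector2", "google", "k1")  # assumed list
ALL_SEVERITY = {"+": "Critical", "?": "High", "~": "Low", "-": None}  # assumed mapping

def lookup(name: str, rtype: str) -> list:
    return DNS.get((name.rstrip(".").lower(), rtype), [])

def spf_record(domain: str) -> Optional[str]:
    """RFC 7208 allows exactly one v=spf1 record; zero or several means no usable policy."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def all_qualifier(record: str) -> Optional[str]:
    """The qualifier in front of 'all' decides how broad the policy is; bare 'all' means '+'."""
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def mx_hosts(domain: str) -> list:
    return [v.split()[1].rstrip(".") for v in lookup(domain, "MX")]

def authorized_networks(domain: str, depth: int = 0) -> list:
    """Networks the SPF policy passes: positive ip4/ip6/a/mx terms, followed through include."""
    rec = spf_record(domain)
    if rec is None or depth > 10:  # RFC 7208 caps lookups at 10; also stops runaway includes
        return []
    nets = []
    for term in rec.split()[1:]:
        if term[0] in "-~?":
            continue  # fail/softfail/neutral terms never authorize a sender
        t = term.lstrip("+")
        low = t.lower()
        if low.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(t[4:], strict=False))
        elif low == "a" or low.startswith("a:"):
            nets += [ipaddress.ip_network(ip) for ip in lookup(domain if low == "a" else t[2:], "A")]
        elif low == "mx" or low.startswith("mx:"):
            nets += [ipaddress.ip_network(ip) for h in mx_hosts(domain if low == "mx" else t[3:])
                     for ip in lookup(h, "A")]
        elif low.startswith("include:"):
            nets += authorized_networks(t[8:], depth + 1)
    return nets

def mx_not_authorized(domain: str) -> list:
    """MX hosts with an address the domain's own SPF would not pass (the scanner's example finding)."""
    nets = authorized_networks(domain)
    return [h for h in mx_hosts(domain)
            if not all(any(ipaddress.ip_address(ip) in n for n in nets) for ip in lookup(h, "A"))]

def _tags(txt: str) -> dict:
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)

def dkim_selectors(domain: str) -> list:
    """Selectors cannot be enumerated from DNS, so probe a list of common ones."""
    return [s for s in COMMON_SELECTORS for txt in lookup(f"{s}._domainkey.{domain}", "TXT")
            if _tags(txt).get("v", "DKIM1") == "DKIM1" and _tags(txt).get("p")]

def dmarc_policy(domain: str) -> Optional[str]:
    for txt in lookup(f"_dmarc.{domain}", "TXT"):
        if txt.lower().startswith("v=dmarc1"):
            return _tags(txt).get("p")
    return None

def assess_email(domain: str) -> list:
    """Findings as (severity, message) using the scanner's risk levels."""
    findings = []
    if not mx_hosts(domain):
        findings.append(("Critical", "no MX records"))
    rec = spf_record(domain)
    if rec is None:
        findings.append(("High", "no single valid SPF record"))
    else:
        q = all_qualifier(rec)
        if q is None:
            findings.append(("Medium", "SPF has no 'all' term (implicit neutral)"))
        elif ALL_SEVERITY[q]:
            findings.append((ALL_SEVERITY[q], f"SPF ends in {q}all"))
        findings += [("High", f"MX host {h} not authorized by SPF") for h in mx_not_authorized(domain)]
    if not dkim_selectors(domain):
        findings.append(("High", "no DKIM key found under common selectors"))
    policy = dmarc_policy(domain)
    if policy is None:
        findings.append(("High", "no DMARC record"))
    elif policy == "none":
        findings.append(("Medium", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
    return findings
```

Calling assess_email("acme.com") on the fixture reports the softfail ending, the MX host mx2.acme.com that the SPF record omits, and the monitor-only DMARC policy; assess_email("staging.acme.com") shows the +all record rated Critical alongside the missing MX, DKIM and DMARC. Note that -all is the strict setting: a check that merely looks for an all term, whatever its qualifier, would flag the correct configuration too.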

Inputs Required:

  • domain (string): The primary domain to be analyzed, such as acme.com.

Business Impact: Proper configuration of MX records, SPF, and DKIM is essential for maintaining a secure email environment that resists unauthorized access and spoofing attempts. Misconfigurations can lead to significant risks including data breaches and brand reputation damage.

Risk Levels:

  • Critical: Improper or missing MX, SPF, or DKIM configurations that result in complete loss of email functionality or direct exposure to high-risk threats.
  • High: Incorrect configuration allowing potential unauthorized access or misattribution of emails, which can lead to significant security incidents.
  • Medium: Suboptimal settings that might be exploited by less sophisticated attacks but are still considered risky based on organizational policy and threat landscape.
  • Low: Minor deviations from best practices that do not pose immediate risks but should be addressed for continuous improvement in email security posture.
  • Info: Informational findings indicating areas for awareness or future consideration to enhance the robustness of the email infrastructure without immediate concern.

Example Findings:

  1. A domain has an incorrect MX record pointing to a non-functional server, leading to email delivery failures and critical impact on business communications.
  2. An SPF record that omits one of the organization’s legitimate mail servers, so mail from that server fails SPF checks; the usual quick fix of loosening the record is what then exposes the domain to spoofing.

Purpose: The Certificate Transparency Monitoring Scanner analyzes certificates logged for a domain, using data from crt.sh, for known attack prepositioning indicators. It helps identify suspicious issuers, typosquatting domains, and bulk issuance that could indicate infrastructure being staged against the domain.

What It Detects:

  • Suspicious Issuers: Flags certificates issued by Let’s Encrypt or ZeroSSL. Both are free, automated CAs used by a large share of legitimate sites, so the issuer alone is a weak signal; it becomes meaningful combined with an unfamiliar name or recent bulk issuance.
  • Typosquatting Domains: Detects domain names within a Levenshtein (edit) distance of 2 of the target domain, potentially indicating typosquatting.
  • Bulk Registrations: Identifies many distinct names receiving certificates from the same issuer in a short period, suggesting infrastructure stood up in bulk to evade detection or create a false sense of legitimacy. Count distinct names rather than certificates: short-lived certificates from automated CAs are renewed every few weeks, so a single legitimate host accumulates many.
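
The three checks above, as an added example that is not the scanner's own code. ENTRIES is a constructed sample in the JSON shape crt.sh returns (id, issuer_name, common_name, name_value, not_before); the fetch helper shows the live query but the offline functions never touch the network. Note that a query for %.acme.com only returns the domain's own names, so lookalikes only surface from a broader identity search or from one query per candidate name. The bulk threshold is an assumption.

```python
"""Triage crt.sh results for a brand domain (added example)."""
import json
import re
from collections import defaultdict
from urllib.parse import quote

FREE_ACME_CAS = {"Let's Encrypt", "ZeroSSL"}  # the issuers the scanner treats as suspicious
BULK_THRESHOLD = 3  # assumed: distinct unrelated names from one issuer

# Constructed sample in the JSON shape crt.sh returns (id, issuer_name, common_name, name_value, not_before).
ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.acme.com",
     "name_value": "acme.com\nwww.acme.com", "not_before": "2024-03-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.acme.com",
     "name_value": "acme.com\nwww.acme.com", "not_before": "2024-05-30T00:00:00"},  # renewal
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "mail.acme.com", "name_value": "mail.acme.com", "not_before": "2024-01-10T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "acm3.com",
     "name_value": "acm3.com\nwww.acm3.com", "not_before": "2024-06-20T00:00:00"},
    {"id": 5, "issuer_name": "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA",
     "common_name": "acme-login.com", "name_value": "acme-login.com", "not_before": "2024-06-21T00:00:00"},
    {"id": 6, "issuer_name": "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA",
     "common_name": "acme-secure.com", "name_value": "acme-secure.com", "not_before": "2024-06-21T00:00:00"},
    {"id": 7, "issuer_name": "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA",
     "common_name": "acme-verify.com", "name_value": "acme-verify.com", "not_before": "2024-06-21T00:00:00"},
]

def fetch(query: str, timeout: float = 60.0) -> list:
    """Live call, not used by the offline sample: '%.acme.com' lists the domain's own
    names; '%acme%' (slow) or one query per generated lookalike finds impostors."""
    from urllib.request import urlopen
    with urlopen(f"https://crt.sh/?q={quote(query)}&output=json", timeout=timeout) as resp:
        return json.load(resp)

def levenshtein(a: str, b: str) -> int:
    """Edit distance; the scanner flags names within 2 of the target."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def issuer_org(issuer_name: str) -> str:
    m = re.search(r"O=([^,]+)", issuer_name)
    return m.group(1).strip() if m else issuer_name

def registrable(name: str) -> str:
    """Crude base domain (last two labels); use a public-suffix list for .co.uk and friends."""
    return ".".join(name.lower().lstrip("*.").split(".")[-2:])

def names_in(entry: dict) -> set:
    return {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}

def unrelated_names(entries: list, target: str) -> dict:
    """{base_domain: set(issuer_org)} for every name outside the target's own domain."""
    out = defaultdict(set)
    for e in entries:
        for n in names_in(e):
            base = registrable(n)
            if base != target.lower():
                out[base].add(issuer_org(e["issuer_name"]))
    return out

def lookalikes(entries: list, target: str, max_dist: int = 2) -> dict:
    """Unrelated base domains within edit distance max_dist of the target."""
    return {base: levenshtein(base, target.lower()) for base in unrelated_names(entries, target)
            if levenshtein(base, target.lower()) <= max_dist}

def bulk_by_issuer(entries: list, target: str) -> dict:
    """Issuers that put certificates on BULK_THRESHOLD or more distinct unrelated names.
    Counting distinct names, not certificates, keeps routine renewals from looking like bulk."""
    per_issuer = defaultdict(set)
    for base, orgs in unrelated_names(entries, target).items():
        for org in orgs:
            per_issuer[org].add(base)
    return {org: sorted(bases) for org, bases in per_issuer.items() if len(bases) >= BULK_THRESHOLD}

def triage(entries: list, target: str, known: tuple = ()) -> list:
    """(severity, message) findings using the scanner's levels; 'known' lists other domains you own."""
    findings = []
    for base, dist in sorted(lookalikes(entries, target).items()):
        findings.append(("High", f"{base} is within edit distance {dist} of {target}"))
    for org, bases in bulk_by_issuer(entries, target).items():
        findings.append(("Medium", f"{org} issued for {len(bases)} unrelated names: {', '.join(bases)}"))
    for base, orgs in sorted(unrelated_names(entries, target).items()):
        for org in sorted(orgs & FREE_ACME_CAS):
            if base not in known:  # the scanner's Critical; on its own a weak signal
                findings.append(("Critical", f"{org} certificate for unrecognized name {base}"))
    return findings

if __name__ == "__main__":
    for severity, message in triage(ENTRIES, "acme.com"):
        print(f"{severity:8} {message}")
```

On the sample, acm3.com is one edit from acme.com (High), ZeroSSL issued for three distinct brand-affixed names on one day (Medium), and each unrelated name from a free CA is rated Critical as the scanner's table prescribes. The renewal in entry 2 is deliberately ignored: it is the same name again, not bulk issuance.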

Inputs Required:

  • domain (string): The primary domain to be analyzed, which is essential for querying and analyzing certificate data related to this domain.

Business Impact: This scanner plays a crucial role in enhancing the security posture by proactively identifying potential threats such as typosquatting and bulk registrations that could lead to unauthorized access or fraudulent activities. It helps organizations and cybersecurity teams stay informed about risks associated with digital certificates, enabling them to take appropriate preventive measures.

Risk Levels:

  • Critical: Certificates from Let’s Encrypt or ZeroSSL for names the organization does not recognize as its own.
  • High: Domain names within a Levenshtein distance of 2 of the target domain, indicating potential typosquatting.
  • Medium: Many distinct names receiving certificates from the same issuer in a short period, suggesting bulk registration.
  • Low: Cases where the scanner confirms legitimate use, or rare patterns that do not pose significant risk.
  • Info: Provides basic details about certificate issuance and does not directly contribute to high-risk scenarios but is useful for informational purposes.

Example Findings:

  • A certificate from Let’s Encrypt for a name unrelated to the organization’s operations would be flagged as critical.
  • Names within an edit distance of 2 of the target, such as “exmaple.com” for example.com or “acme.co” for acme.com, would be marked high risk because of their use in phishing and credential theft.