Introducing Subdomain Monitoring

David Vassallo
Tutela by CyberSift
May 17, 2021

One of the first tasks a hacker takes when attacking a target is enumeration — i.e. finding target resources that may be successfully attacked. The more targets and information gained, the better for the attacker.

DNS plays a big role in enumeration. Subdomain enumeration is easy, quick and often reveals subdomains which are long forgotten and therefore probably less well protected. These kinds of subdomains increase the number of potential attack avenues a hacker might take to successfully breach your infrastructure.

In order to mitigate this, Tutela now has subdomain monitoring functionality. Tutela passively monitors DNS traffic and records any subdomains of interest it encounters. A subdomain of interest is any subdomain of a domain which is configured under Data Leak, Phishing Detection, & Domain Management. For example, in the screenshot below we have already configured cybersift.io as a domain which should be monitored:

CyberSift Main Domain : cybersift.io

Once configured, Tutela will silently start monitoring DNS for any related subdomains. Anytime a subdomain is detected, you will receive an email, and the results are listed under Analyze > External Domain Management as shown below:

All external subdomains should be enumerated in a couple of days (so expect a number of email alerts while Tutela discovers any existing subdomains).

Sample subdomains results

At this stage, you will probably see results for subdomains you use frequently and already know about. However, you might also be surprised and receive a number of “forgotten” subdomains which are still visible to an attacker but have been forgotten by your infrastructure and security teams.

Entries without a corresponding IP address are subdomains which have not been resolved at any time recently (in the past 1 year) and hence can be considered “dead”. However, it is still useful for Tutela to note these domains because of the next stage.

Monitoring changes in IP addresses

For any subdomain detected and listed above, Tutela also monitors the corresponding IP addresses the domain resolves to. Should a new IP address be detected, you will also be notified. This is useful for scenarios such as:

In view of the above, it is easy to understand why Tutela records “dead” subdomains which have not been used for the past year. If you are alerted to a new IP address found for one of the previously “dead” subdomains, this is arguably of more concern than a new subdomain alert.
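To make the two alert types described above concrete, here is a small passive-DNS monitor written as an added example for this post; it is not Tutela's code and does not reflect how Tutela is implemented. It replays constructed DNS observations (timestamp, queried name, resolved IP or none), keeps a per-subdomain record of the IPs seen and when the name last resolved, alerts on a previously unseen subdomain of a monitored domain, alerts on a new IP for a known subdomain, and raises a separate, higher-concern alert when a subdomain that had been "dead" (no resolution in the past 365 days) suddenly resolves to an address. The domain names, IPs and timestamps are all constructed sample data.

```python
"""Toy passive-DNS subdomain monitor (added example, not Tutela's code)."""
from datetime import datetime, timedelta

DEAD_AFTER = timedelta(days=365)  # no resolution within a year -> "dead"

# Constructed passive-DNS observations: (ISO timestamp, name, resolved IP).
# An IP of None models a query for the name that returned no A record.
SAMPLE_RECORDS = [
    ("2019-12-01T07:00:00", "legacy-vpn.example.com", "192.0.2.20"),
    ("2020-01-10T09:00:00", "www.example.com", "203.0.113.10"),
    ("2020-02-01T10:30:00", "old-portal.example.com", None),
    ("2021-05-01T08:00:00", "www.example.com", "203.0.113.10"),
    ("2021-05-03T12:00:00", "dev.example.com", "203.0.113.44"),
    ("2021-05-10T16:45:00", "www.example.com", "198.51.100.7"),
    ("2021-05-12T11:00:00", "old-portal.example.com", "192.0.2.99"),
    ("2021-05-13T11:00:00", "www.unrelated.test", "192.0.2.5"),
]


def monitored_parent(name, monitored_domains):
    """Return the monitored domain that `name` falls under, or None.

    Matching on the label boundary ("." + domain) keeps a lookalike such as
    'notexample.com' from being treated as a subdomain of 'example.com'.
    """
    name = name.lower().rstrip(".")
    for domain in monitored_domains:
        domain = domain.lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def is_dead(entry, now):
    """A subdomain is 'dead' when it has not resolved within DEAD_AFTER."""
    last = entry["last_resolved"]
    return last is None or now - last > DEAD_AFTER


def process(records, monitored_domains, state=None):
    """Replay records in timestamp order and return (state, alerts).

    Each alert is (kind, subdomain, detail) where kind is one of
    'new_subdomain', 'new_ip' or 'revived_dead_subdomain'.
    """
    state = {} if state is None else state
    alerts = []
    for ts, name, ip in sorted(records, key=lambda r: r[0]):
        seen_at = datetime.fromisoformat(ts)
        parent = monitored_parent(name, monitored_domains)
        if parent is None:
            continue  # not a subdomain of interest
        entry = state.get(name)
        created = entry is None
        if created:
            entry = {"parent": parent, "ips": set(),
                     "first_seen": seen_at, "last_resolved": None}
            state[name] = entry
            alerts.append(("new_subdomain", name, parent))
        if ip is None:
            continue  # observed but unresolved: last_resolved stays as is
        if ip not in entry["ips"]:
            if created:
                pass  # the new_subdomain alert already covers its first IP
            elif is_dead(entry, seen_at):
                # a name that had not resolved in a year now points somewhere
                alerts.append(("revived_dead_subdomain", name, ip))
            else:
                alerts.append(("new_ip", name, ip))
            entry["ips"].add(ip)
        if entry["last_resolved"] is None or seen_at > entry["last_resolved"]:
            entry["last_resolved"] = seen_at
    return state, alerts


def dead_subdomains(state, now_iso):
    """Names that would be listed without an IP as of `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    return sorted(n for n, e in state.items() if is_dead(e, now))


if __name__ == "__main__":
    final_state, found = process(SAMPLE_RECORDS, ["example.com"])
    for kind, sub, detail in found:
        print(f"{kind:24s} {sub:28s} {detail}")
    print("dead as of 2021-05-17:", dead_subdomains(final_state, "2021-05-17T00:00:00"))
```

Run against the sample data, the monitor raises new-subdomain alerts for the four example.com names, a plain new-IP alert for www.example.com when it moves to 198.51.100.7, and a revived-dead-subdomain alert for old-portal.example.com, which had been observed only as an unresolved query before it started resolving; legacy-vpn.example.com, last resolved in 2019, is the one name that would be listed without an IP in May 2021, and the unrelated .test name is never recorded.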

Conclusion

Tutela’s subdomain monitoring feature is ready to use and already enabled for those of you who have signed up for the service. It allows you to discover blind spots in your monitoring and preempt any problems that may arise from forgotten or unknown subdomains, while alerting you as quickly as possible to a variety of DNS attacks.
