Active Digital System Discovery #192

Open
realslimslack opened this issue Jul 6, 2023 · 5 comments
Comments

@realslimslack

Note: all sections are required.

Active Digital System Discovery

The name should indicate which digital artifacts are in play, and what actions are applied to those artifacts.

OR Public Digital System Discovery

Digital Artifacts

What are the relevant D3FEND Digital Artifacts to this new technique, please propose new artifacts if you cannot find them in D3FEND.

MAPS -> Digital System
MAPS -> Digital Artifact
EVALUATES -> Application

Definition

One or two-sentence definition in the style of other d3fend techniques.

Discovery and identification of internet-facing systems and applications in an automated manner. Active scanning includes interaction with the system or application to gather more data about them.

How it works

Section explaining how the technique works.

Active Digital System Discovery entails the systematic import or consistent scanning of network segments and domains to identify orphaned, incorrectly inventoried, or otherwise unknown systems or applications. Active Digital System Discovery can be performed by tracing referenced systems in application code, directory fuzzing, forced browsing, or other enumeration techniques.

Output from this technique can be used to enrich asset inventories, dependency maps, vulnerability management efforts and other related D3FEND Techniques.

Considerations

What should people know about this technique, pros/cons, pitfalls etc.

  • Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems.
  • Forced Browsing entails discovering systems that are not directly referenced by an application. Caution should be exercised when using this technique on applications that may be connected to resources owned by other organizations than the one expecting to be tested.
  • There are several reconnaissance ATT&CK techniques that are emulated by performing this type of discovery, such as T1592.

References

High-quality publicly available technical documents.

https://www.cisa.gov/news-events/news/cyber-hygiene-web-application-scanning
https://www.praetorian.com/blog/content-discovery-understanding-your-web-attack-surface/

@netfl0
Contributor

netfl0 commented Aug 6, 2024

Apologies this fell to the back-burner, we've been trying to keep up with pull requests.

The description & references appear to focus on discovering Web Servers.

My inclination is to narrow this technique to Active Server Discovery as a type of Network Node Inventory. (A Digital System might comprise many servers, for example.)

@netfl0 netfl0 added this to the 0.17.0 milestone Aug 6, 2024
@realslimslack
Author

realslimslack commented Aug 6, 2024

@netfl0 No worries, I had on my list of things to do to create a PR for this and I also have not gotten around to it (thanks for the reminder).

The gist of this was related to Attack Surface Management, which could involve scanning a cluster of digital systems that comprise a single web application. For example, if on page load an application calls server/domain/subdomain "A" for page content and server/domain/subdomain "B" for authentication, both of those things should be discovered during scanning and used as input for attack surface inventorying.

Alternatively, to your point, those web-accessible endpoints (domains, API endpoints, etc) could be considered network nodes depending on the context. Either way works. The goal is just to have a technique related to actively scanning an attack surface to monitor newly exposed resources, which can then be used to improve asset inventories, dependency maps, etc. The "Active" keyword meaning it should be doing this continuously, not just once a month for example.
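A defender-side illustration of the discovery step described in the "How it works" section and in the comment above (a page that loads content from host A and authenticates against host B), added here as an example that is not part of this issue or of the D3FEND project: it extracts the hosts an application page references, keeps those in zones the organization owns, and reports which of them are missing from the asset inventory. The page body, inventory and zone names are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page body: the application loads static content from one
# host, authenticates against another and calls an API host, as in the comment.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn-a.example.test/static/app.js"></script>
<link rel="stylesheet" href="//assets.example.test/site.css">
</head><body>
<form action="https://auth-b.example.test/login" method="post"></form>
<script>fetch("https://api.example.test/v1/session", {credentials: "include"});</script>
<a href="https://partner.other-org.test/help">Help</a>
</body></html>
"""

# Constructed asset inventory and the DNS zones the organization owns.
INVENTORY = {"app.example.test", "cdn-a.example.test"}
OWNED_ZONES = ("example.test",)

# Absolute (http/https) or protocol-relative (//host/...) URLs in page text.
URL_RE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.-]+(?:/[^\s"'<>)]*)?""")

def referenced_hosts(body: str) -> set[str]:
    """Return every hostname referenced by a URL in the page body."""
    hosts = set()
    for m in URL_RE.finditer(body):
        url = m.group(0)
        if url.startswith("//"):          # protocol-relative: assume https
            url = "https:" + url
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def in_owned_zone(host: str) -> bool:
    """True when the host is the zone apex or a subdomain of an owned zone."""
    return any(host == z or host.endswith("." + z) for z in OWNED_ZONES)

def discover(body: str, inventory: set[str]) -> dict[str, set[str]]:
    """Split referenced hosts into inventoried, newly discovered (ours but not
    inventoried) and third-party (outside owned zones, so not ours to scan)."""
    found = referenced_hosts(body)
    ours = {h for h in found if in_owned_zone(h)}
    return {"known": ours & inventory, "new": ours - inventory,
            "third_party": found - ours}

if __name__ == "__main__":
    for bucket, hosts in discover(SAMPLE_HTML, INVENTORY).items():
        print(bucket, sorted(hosts))
```

Running this on each crawl and recording first-seen times for the "new" bucket gives the continuous attack-surface feed the comment asks for, while the third-party bucket keeps the scan off resources other organizations own.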

@realslimslack
Author

For contrib:
Connor Slack - @realslimslack - Praetorian Inc.

@ryantxu1
Collaborator

ryantxu1 commented Aug 8, 2024

Hey Connor, thanks for your comments so far. I think we'd like to proceed with including this technique as a type of Network Node Inventory and the name "Active Server Directory". I agree we should emphasize this as a continuous process.

I noticed that someone had made a PR on this issue already #274. Are you guys connected?

@realslimslack
Author

@ryantxu1 No, we're not. It looks like they went through and opened PRs for a few techniques that had been submitted via issues but had been sitting for a while. There are a few others, such as PRs #200, #170 and #169.
