Qubit Technologies

Published on 01 June 2026 · by Qubit Technologies

What an attacker learns about your company before launching a single attack

Reconnaissance is the first phase of any attack. Emails in breaches, forgotten subdomains, metadata in your documents, exposed technology and your own people: everything an attacker gathers about your company from public, legal and free information.

Before launching an attack, an attacker spends time looking. That phase is called reconnaissance. For most companies it takes nothing sophisticated, because almost everything the attacker needs is already public, legal and free.

When we start an audit, the first thing we do is exactly that: gather everything that can be known about you without touching a single system. What turns up tends to surprise. This is part of what an attacker learns before making a move.

Your emails in other people’s breaches

Your employees use their work email to sign up for services of all kinds. When one of those services suffers a breach, those addresses end up in collections that circulate freely, sometimes with the password next to them.

An attacker cross-references your domain with those breaches and gets a list of real emails from your company, several of them with a password that has already leaked. If someone reuses it, or follows an easy-to-guess pattern, they already have a way in.

Subdomains and services you thought were forgotten

Every service you have ever published leaves a trace. There are public certificate and DNS records that let someone rebuild your subdomains, including the ones you set up for a campaign years ago and never switched off.

That is where the exposed admin panel, the test environment with real data or the unpatched service no one watches anymore show up. The older and more forgotten the door, the easier it is for whoever wants in.

The metadata in your own documents

The PDFs, spreadsheets and presentations you publish on your website carry hidden information inside. That metadata often keeps the username of whoever created the file, the software it was made with and even internal paths from your network.

With a handful of documents from your own website, an attacker works out how you build usernames, which software versions you run and some details of your internal structure. All of it is downloaded from your page, without breaking into anything.

The technology you run, seen from outside

Without touching anything, just by watching how your website and your email respond, someone can tell which server you run, which content manager, which email provider and what protection you have in front. It is like reading the make and model of every lock from the pavement.

With that map, the attacker wastes no time. They go straight for the known weaknesses of exactly what you have, instead of trying blindly.

Your people

People are the most exposed part and the most useful for whoever is preparing a targeted attack. On professional networks you can see who works on what, who reports to whom and who has just joined without knowing the internal processes yet.

With that, someone builds a believable phishing email, aimed at the right person, at the right moment. Nothing has to be broken. A single click is enough. The information to build that email is something you published yourselves without realising.

All of this is public

None of the above involves getting into your systems. It is information that sits out there, reachable by anyone who knows where to look. Gathering it takes a few hours. The problem is not that it exists; it is that most companies do not know how much they give away without meaning to.

The good news is that it can be reduced. You can find out what your organisation exposes, close what is unnecessary and teach your people not to hand over the rest. But to fix it you first have to see it, which is exactly what an attacker does while you are not looking. It is also the first phase of a pentest, before trying to get in.


If you want to know what your company exposes in open sources before someone else uses it, write to us at [email protected].
