Today, classical threat intelligence models are falling short. The concept of External Attack Surface, which has recently entered the literature, has shown us this inadequacy and has closed the deficiencies. This concept has brought a new perspective to threat intelligence. The concept of Extended Threat Intelligence (XTI) has gained more popularity apart from classical intelligence. To define, XTI, unlike CTI, creates an attack surface belonging to the organization in order to produce intelligence specific to the organization. Thanks to this attack surface, organizations gain visibility. This visibility can be a forgotten endpoint or a forgotten subdomain. The main interest at this point is that organizations now know their inventories and clearly know which assets to defend against.
When creating the attack surface, domains, subdomains, websites, login pages, CMS applications, technologies used on websites, IP addresses, IP blocks, DNS records, C-level employee mails, network applications, operating systems, bin numbers, and swift codes, and SSL certificates will be included. We will determine all these by proceeding through the main domain, which was provided to us by the organization as per the scenario.
Domains
The only information that will be given to us in the first place will be the primary domain of the organization. We will try to create the entire entity structure over this domain. In the sample scenario below, an asset inventory of Abanca, a bank located in Spain, will be created.
Main Domain: abanca.com
Related Domains:
In order to find other domains of the company, we can find domains that provide redirects to the main domain. We can use the host.io service for this. Host.io will provide us with all the domains hosted on the same IP, the domains hosting the relevant domain within the website, and other domains hosted by the relevant domain within the website, apart from other domains that provide redirection to the relevant domain. Not all domains obtained may belong to the organization. We can decide which domains belong to the organization and which ones don't by checking the whois outputs of the domains or by looking at their content.
When we search the abanca.com domain on host.io, we can also see other domains hosted on the same IP address in the "Co-Hosted" section.
In a subsection, we can view other domains that contain our relevant domain, and after making the necessary verifications, we can include these domains in our asset list.
In the "Links to" section, we can view other domains that our domain hosts within the website.
In the Redirects section, we can view other domains directed to our domain.
Since the number of domains displayed on the screen is limited, we can obtain all domains via the API by becoming a member.
As a secondary method, we can find similar information in whois records of the primary domain we are working on by performing a Reverse whois lookup (Reverse by Org Name, reverse by Registrant Mail, etc.) for certain information.
