What is an Attack Surface Appraisal?

August 17, 2021 Claranet Limited

Rob Jepson
Penetration Tester at Claranet

At Claranet, our Attack Surface Appraisals are a free initial Open-Source INTelligence (OSINT) engagement. In the process, we use our automated OSINT platform to scour the internet for information about your externally facing infrastructure. 

With our Attack Surface Appraisals, we consume information that exists in various public records of the internet without ever sending a single packet to your infrastructure. Unlike a penetration test, we are not looking for vulnerabilities but instead, look to see what you have exposed to the internet. 

Our attack surface appraisal will give you an immediate overview of the most critical information that is public. Often, we have customers who are surprised by the sheer volume of available data, discovering servers that should have been previously decommissioned still live on the internet, subdomains exposing sensitive internal functionality publicly, and even current passwords of C-Level employees in breached data. 

As all this information is publicly available , there is no way to detect this information gathering, and it is often the first step taken by threat actors. They will use social media from sources such as LinkedIn, Twitter, and Facebook to enumerate and target employees, perform lookups from previous breaches to get leaked credentials for easy initial access, and analyse internet-wide scans to find exposed servers. 

Our cutting-edge OSINT automation pipeline performs the same checks as these threat actors, and in some cases more, to give you immediate insight into the landscape of your public threat surface. 

What do I need to supply for my own Attack Surface Appraisal? 

For the free initial Attack Surface Appraisal, we need up to five root domains to seed our automation pipeline. Domains are the key for discovering information through public records, as there is a trove of information available. 

If your organisation has one or more domains for email addresses (i.e, the foobar.com in rob@foobar.com), then these should be the priority. This allows our pipeline to identify any data breaches that have leaked credentials of employees - sometimes this will even identify active malware on an employee's machine! We will also check to see if any potential phishing domains have been created running mail servers, with slightly different domain names. For example, foobar.com 

You should also supply domains that are widely used within your company. The more important and utilised the domain the better, as the checks we perform will not make any requests to these domains. In other words, there is no chance of our pipeline affecting these assets - only public records will be examined. 

These domains should be the highest level possible: not subdomains. The automation will identify subdomains of the domain given, as well as any associated IP addresses or other domains that may be of interest. 

What Checks Are Performed? 

Our automation pipeline consists of the following checks: 

  • Credential Breaches and Password Exposure 
  • Typosquatting Domain Identification 
  • Phishing Domain Identification 
  • Asset Discovery:  
    • Subdomain Enumeration 
    • Historical Internet Data 
    • DNS Enumeration 
  • Associated Host Discovery:  
    • Certificate Intelligence
    • Reverse IP Address Lookups 
    • Reverse WhoIS Lookups

Credential Breaches and Password Exposure 

As attackers harvest data, they expose it to the Dark Web where it can be monetised and sold to other attackers. Therefore, with over 80% of data breaches involving stolen passwords, it is essential that organisations monitor the Dark Web for credentials put on sale before they are abused. 

By discovering breached credentials and identifying the users, you can quickly reset them before someone buys them, restoring the security of your business. 

Phishing & Typosquatting Detection 

Attackers will aim to steal data by preying on chance happenings or deliberately manipulating the victim into visiting a malicious website. 

Deliberately acquiring domains that are similar to legitimate brands but slightly misspelled is a widespread practice for attackers. Domains will present websites that are almost indistinguishable from the real sites, luring the user into disclosing sensitive data (usually credentials). 

Typosquatting sites become potential phishing sites where they have an MX record associated with them. 

Asset Discovery 

Organisations and employees publish vast amounts of data to the internet daily. Most of it is “good for business”. However much of it can be useful reconnaissance information for an attacker, and most can be gathered without performing any intrusive checks. 

When we carry out Attack Surface Appraisals, extensive checks are performed to map out the total potential attack surface of your organisation commonly defined by: 

  • IP Addresses 
  • Hosts 
  • Domains 
  • Subdomains 
  • Websites 
  • Servers 

Comparing this output to your known assets can illuminate assets that are missing from your security strategies or require attention to close them down. 

Associated Host Discovery 

Discovering other top-level domains is possible through analysing internet-wide scan data. The most fruitful technique for discovering other top-level domains owned by an organisation is certificate intelligence. Certificates, or public keys, are used across the internet to prove the identity of a resource.  

Certificates hold a large amount of information that can be used by an attacker to build a larger profile of the attack surface. Pivoting on the information found in a single certificate can lead to:  

  • Organisation names used to register certificates  
  • Identification of other certificates owned by the organisation  
  • Identification of the assets where additional certificates are used  
  • Identification of assets where wildcard certificates are used  
  • The physical and digital location of web servers 

Other techniques are employed by our automation pipeline in discovering associated hosts include reverse IP lookups and reverse WhoIS lookups. 


At a time when public facing web applications are under increased threat of being breached, it’s essential that companies have a clear view and understanding of all potential vulnerabilities in their estate. 

We have developed our Attack Surface Appraisal service as a free first step, and an introduction to a whole new approach to security testing. 

Previous Video
Cloud: Stealing the Silver Lining
Cloud: Stealing the Silver Lining

Next Article
Top five vulnerabilities and how to avoid them
Top five vulnerabilities and how to avoid them

Although no two networks or domains are the same, there are a number of common security weaknesses that pen...