# Respond to Open Web Events
When you receive an event pointing to an open web source, the first step is to look at the result on the platform using the link provided in the event. If a specific result is of interest to you and you are unsure how, or whether, it is safe to access, feel free to reach out to us; we will be happy to help.

In general, whenever you see sensitive technical information and can confirm it relates to your firm or assets (e.g. a password, API key, or token), the first step is to invalidate it (reset the password, revoke the API key, etc.). Monitoring for connection attempts that follow the rotation can also reveal information about potential attackers.

## Pastes and Google

An event of this type means that Flare found one of your identifiers on a paste site (Pastebin, etc.) or on Google (through the open web).

### What's the risk?

The risk varies depending on the type of information found.

- Personal information (PII) can lead to increased and better-targeted phishing and spear phishing against the individual concerned. This risk grows with the authority and power the individual has. The initial phishing attack can lead to account takeovers, social engineering, and fraud.
- Technical information such as credentials, API keys, or access tokens carries the same risk as leaked source code, described below.
- Business information such as financial statements or project roadmaps can lead to a loss of competitiveness and credibility on the market.

### What should I do?

1. Analyze the content of the document or page to understand the risk.
2. Identify the type of information that is leaked.
3. For personal information, notify the affected employees and warn them to expect an increased risk of being targeted by phishing attacks.
4. For technical information, follow the recommendations under Source Code below.

## Source Code

Events referring to documents found on sites like GitHub or Stack Overflow are straightforward to investigate.

### What's the risk?

There are two main risks of leaked source code.

1. It exposes, directly or indirectly, information about your IT system to malicious actors. This can include hostnames, network routes, IP addresses, credentials, API keys, and access tokens. With these in hand, an actor can achieve initial access to an Internet-facing system and/or improve their lateral movement and privilege escalation steps.
2. It exposes intellectual property, which can result in a loss of competitiveness if accessed by competitors or malicious actors. In some cases, threat actors download the data and then sell it on underground channels to third parties.

### What should I do?

1. Identify which identifier matched the content, and the overall criticality of that identifier.
2. Confirm the relationship between the leaked document and your organization. This includes looking at the code, both in Flare and on the source code repository website (GitHub, GitLab, etc.), and looking at the committer's email address.
3. If credentials, API keys, or access tokens are present, launch an incident response: identify and contact the internal teams in charge of the related systems, and rotate the leaked credentials. Assume that malicious actors are also monitoring these events and will already have the data, even if it is removed from the Internet promptly.
4. If an employee or active consultant is involved, use the provided template to ask the employee to remove the code. This is by far the easiest way to remove leaked source code from public websites.
5. If the individual in question cannot be identified or reached, contact the website through the link provided in the platform and request removal. Websites like GitHub will only accept requests when the justification of the risk is sufficient.

## Hosts

Events in the Hosts category indicate that an exposed host was detected that relates to one of your identifiers. In Flare, a host represents a unique service that can be hosted anywhere, from a physical device to a cloud container.

### What's the risk?

Exposed hosts present two main risks.

1. Exposed services can provide malicious actors with entry points into a network. This includes, for example, exposed SSH and RDP ports. This can result in a large-scale breach following further lateral movement and privilege escalation.
2. Exposed databases or data-related services can provide access to employee or customer personal information. This includes, for example, exposed MySQL databases, Elasticsearch clusters, or FTP servers. This can result in large fines and brand impact.

### What should I do?

- If the result refers to an IP owned by your company or your client and is running an HTTP service, use your browser to send a request to the IP:port combination to gather additional information.
- If a database is exposed, leverage a database exploration tool to gain access to the data.
- If an RDP or SSH port is exposed, identify which team or department owns that specific IP and validate the intent. We generally recommend keeping open RDP ports accessible only through a corporate VPN. Public SSH ports should be as limited as possible and follow SSH security best practices.
- If a development or QA service is exposed, validate the intent with the team in charge of the service. These services can often provide access to servers or data in a less secure way than production servers and can present an interesting entry point for malicious actors.
- Further investigate services like SSH ports or various databases, or refer the incident through your appropriate channels.
- Where it is unclear whether the IP or host belongs to you, investigate internally to better understand the risk. Keep in mind that accessing data or services belonging to third parties can be a legal gray area. Keep records of the steps undertaken so you can justify them to regulators if needed.

## Buckets

Events in the Buckets category indicate that a public bucket or blob on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) has matched one of your identifiers.

### What's the risk?

Buckets can expose confidential data to malicious actors and can result in small- or large-scale breaches, leaked customer and employee data, fines, and brand impact.

### What should I do?

1. Browse to the bucket and validate the sensitivity of the exposed information.
2. If your organization uses the cloud service in question, identify and connect with the team to validate the intent.
3. If your organization does not use the cloud service, try to identify the project or department to which the leak is related and validate the intent.
4. Evaluate the possibility of reducing shadow IT and adding measures to control the use of the cloud platform.
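The Pastes and Google and Source Code sections above both start the same way: read the leaked document, work out which of your identifiers matched, decide whether it is personal, technical, or business information, and pick the matching first action. The following script is an added example of that triage step; it is not Flare's code and does not call the Flare platform. The detection regexes, the organization domains, the identifier list, and the sample paste are all constructed for the example, and the `committer_is_internal` helper covers the "look at the committer's email" step of the Source Code playbook.

```python
"""Triage the content of a leaked paste or source file.

Added example for the Pastes and Google and Source Code sections of this
playbook; it is not Flare's code. It scans a document for the information types
the playbook distinguishes (personal, technical, business), checks which of your
identifiers appear in it, and maps each category to the playbook's first action.
The regexes, identifier list, domains, and sample paste are all constructed.
"""
import re
from dataclasses import dataclass

# Constructed detectors: name -> (pattern, playbook category). Tune for your environment.
DETECTORS = {
    "email": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "personal"),
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "technical"),
    "private_key": (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "technical"),
    "assigned_secret": (
        re.compile(r"(?i)(?:password|passwd|api[_-]?key|secret|token)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
        "technical",
    ),
    "business_doc": (re.compile(r"(?i)\b(?:financial statement|revenue forecast|roadmap)\b"), "business"),
}

# The playbook's recommended first step for each information type.
ACTIONS = {
    "personal": "Notify the affected employees; warn them of targeted phishing.",
    "technical": "Launch incident response; contact the owning team and rotate the secret.",
    "business": "Assess competitive impact and request removal from the host site.",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    category: str
    evidence: str  # secrets are redacted so the finding can go into a ticket


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the secret itself is never copied into reports."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan(text: str) -> list[Finding]:
    """Run every detector over the document and collect findings."""
    findings = []
    for kind, (pattern, category) in DETECTORS.items():
        for m in pattern.finditer(text):
            if category == "technical":
                # The capture group (if any) holds the secret value itself.
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(kind, category, redact(secret)))
            else:
                findings.append(Finding(kind, category, m.group(0)))
    return findings


def triage(text: str, identifiers: list[str], org_domains: set[str]) -> dict:
    """Summarize a leaked document the way the playbook asks: which identifiers
    matched, whether it is tied to the organization, and what to do first."""
    findings = scan(text)
    lowered = text.lower()
    matched = [i for i in identifiers if i.lower() in lowered]
    # Employee addresses at one of your domains both tie the document to you
    # and tell you whom to notify under the "personal" action.
    internal_emails = sorted(
        f.evidence for f in findings
        if f.kind == "email" and f.evidence.rsplit("@", 1)[1].lower() in org_domains
    )
    categories = sorted({f.category for f in findings})
    return {
        "matched_identifiers": matched,
        "org_related": bool(matched or internal_emails),
        "internal_emails": internal_emails,
        "categories": categories,
        "actions": [ACTIONS[c] for c in categories],
        "findings": findings,
    }


def committer_is_internal(committer_email: str, org_domains: set[str]) -> bool:
    """Source Code step 4: an internal committer can be asked to remove the code."""
    return committer_email.rsplit("@", 1)[-1].lower() in org_domains


# Constructed sample paste; none of these values are real.
SAMPLE_PASTE = """\
# deploy settings
DB_HOST=db.internal.example.com
DB_PASSWORD=Sup3rS3cret!
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
# owner: alice.doe@example.com
"""
ORG_DOMAINS = {"example.com"}                      # constructed
IDENTIFIERS = ["internal.example.com", "example-corp"]  # constructed Flare identifiers

if __name__ == "__main__":
    report = triage(SAMPLE_PASTE, IDENTIFIERS, ORG_DOMAINS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report lists one personal finding (the owner's address, which is also what ties the paste to the organization) and two technical findings with their values redacted, so the technical action (rotate and open an incident) is returned alongside the notification action for the employee.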
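The Hosts section hinges on two questions before anyone touches the host: does the IP sit in address space you or your client own, and which kind of exposed service is it (an entry point such as SSH or RDP, a data service such as MySQL, Elasticsearch or FTP, a dev/QA system, or a plain web service)? The script below is an added example that answers both offline and returns the playbook action that applies; it is not Flare's code, it does not connect to the host, and the owned ranges, port map, banner hints, and sample events are constructed.

```python
"""Triage an exposed-host event against your own address space.

Added example for the Hosts section of this playbook; it is not Flare's code and
performs no network access. Given the IP, port, and optional hostname and
service banner from an event, it decides whether the host is in a range you own,
which kind of service the playbook is concerned with, and which playbook action
applies. The ranges, port map, banner hints, and sample events are constructed.
"""
import ipaddress
import re
from typing import Optional

# Constructed: address ranges your organization and its clients own.
OWNED_RANGES = {
    "corp-datacenter": ipaddress.ip_network("203.0.113.0/24"),
    "client-acme": ipaddress.ip_network("198.51.100.0/25"),
}

# Default ports of the services the playbook names.
PORT_SERVICES = {21: "ftp", 22: "ssh", 80: "http", 443: "http", 3306: "mysql",
                 3389: "rdp", 8080: "http", 9200: "elasticsearch"}

# Banner fragments that identify a service moved to a non-default port.
BANNER_HINTS = [("SSH-", "ssh"), ("mysql_native_password", "mysql"),
                ("cluster_name", "elasticsearch"), ("220 ", "ftp"), ("HTTP/", "http")]

ENTRY_POINTS = {"ssh", "rdp"}
DATA_SERVICES = {"mysql", "elasticsearch", "ftp"}
# Hostname labels that usually mark development or QA systems.
DEV_QA = re.compile(r"(?i)(?:^|[.-])(?:dev|qa|staging|uat|test)(?:[.-]|$)")


def owner_of(ip: str) -> Optional[str]:
    """Name of the owned range containing ip, or None when ownership is unclear."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in OWNED_RANGES.items() if addr in net), None)


def identify_service(port: int, banner: str = "") -> str:
    """A banner is stronger evidence than the port number, so check it first."""
    for fragment, service in BANNER_HINTS:
        if fragment in banner:
            return service
    return PORT_SERVICES.get(port, "unknown")


def triage_host(ip: str, port: int, hostname: str = "", banner: str = "") -> dict:
    owner = owner_of(ip)
    service = identify_service(port, banner)
    dev_qa = bool(hostname) and DEV_QA.search(hostname) is not None
    # Entry points and data services outrank the dev/QA and web classifications.
    if service in ENTRY_POINTS:
        risk = "entry_point"
    elif service in DATA_SERVICES:
        risk = "data_service"
    elif dev_qa:
        risk = "dev_qa_service"
    elif service == "http":
        risk = "web_service"
    else:
        risk = "unknown_service"

    if owner is None:
        action = ("Ownership unclear: investigate internally before accessing the host; "
                  "third-party systems are a legal gray area, so keep records of every step.")
    elif risk == "entry_point":
        action = (f"Ask the {owner} team to validate intent; keep RDP reachable only via "
                  "the corporate VPN and limit public SSH as much as possible.")
    elif risk == "data_service":
        action = f"Validate intent with the {owner} team and confirm no employee or customer data is exposed."
    elif risk == "dev_qa_service":
        action = f"Validate intent with the {owner} team in charge of this dev/QA service."
    elif risk == "web_service":
        action = "Owned IP running HTTP: request the IP:port in a browser for more context."
    else:
        action = f"Identify the {owner} team responsible for port {port} and validate intent."
    return {"ip": ip, "port": port, "owner": owner, "service": service,
            "risk": risk, "dev_qa": dev_qa, "action": action}


# Constructed sample events in the shape a host event would carry.
SAMPLE_EVENTS = [
    {"ip": "203.0.113.10", "port": 3389},
    {"ip": "198.51.100.7", "port": 2222, "banner": "SSH-2.0-OpenSSH_8.9"},
    {"ip": "203.0.113.20", "port": 8080, "hostname": "qa-api.example.com"},
    {"ip": "192.0.2.44", "port": 9200, "banner": '{"cluster_name":"logs"}'},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = triage_host(**event)
        print(f"{result['ip']}:{result['port']} {result['service']:<13} {result['risk']:<15} {result['action']}")
```

The last sample event is the case the playbook singles out: an Elasticsearch cluster on an address outside every owned range, where the returned action is to investigate internally and keep records rather than to query the service.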
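For the Buckets section, the control the owning team ends up checking on AWS is the bucket policy: a statement with `Effect: Allow`, an anonymous `Principal` (`"*"` or `{"AWS": "*"}`) and a read action is what makes the bucket public. The script below is an added example, not Flare's code and not an AWS SDK call; it parses a bucket policy in the standard IAM JSON format, reports the public-read statements (distinguishing ones that are narrowed by a `Condition`), and produces the corrected policy with the anonymous principal replaced by a named role. The policy document, bucket name, account ID and role names are constructed.

```python
"""Flag public-read statements in an S3 bucket policy and produce the fix.

Added example for the Buckets section of this playbook; it is not Flare's code
and makes no AWS API calls. It works on a bucket policy document in the
standard IAM JSON format. The sample policy, bucket name, account ID and role
names below are constructed.
"""
import json

# Actions that let a principal read objects or list the bucket (compared lowercase).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anyone(principal) -> bool:
    """True when the statement applies to every principal, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def public_read_statements(policy_json: str) -> list:
    """Return the Allow statements that grant read access to everyone.

    A statement with a Condition block (for example aws:SourceVpce) is still
    reported, flagged conditional, because whether it is safe depends on the
    condition and needs a human to validate the intent."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anyone(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        if not {a.lower() for a in actions} & READ_ACTIONS:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": sorted(actions),
            "conditional": "Condition" in stmt,
        })
    return findings


def restrict_public_statements(policy_json: str, principal_arn: str) -> str:
    """Corrected form: every anonymous Principal is replaced by one named ARN."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if _is_anyone(stmt.get("Principal")):
            stmt["Principal"] = {"AWS": principal_arn}
    return json.dumps(policy, indent=2)


# Constructed policy: one fully public read, one VPC-endpoint-conditioned read,
# and one correctly scoped write. The account ID and role names are not real.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/reports-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-reports/*"},
    ],
})

if __name__ == "__main__":
    for finding in public_read_statements(WEAK_POLICY):
        print("public read:", finding)
    fixed = restrict_public_statements(WEAK_POLICY, "arn:aws:iam::111122223333:role/reports-reader")
    print("after fix:", public_read_statements(fixed))
```

The policy-level fix is what the owning team applies to the bucket; the "measures to control the use of the cloud platform" from step 4 are the account-wide settings (on AWS, S3 Block Public Access) that stop a new bucket from reaching this state in the first place.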