User Guide

SATAYO Items

This page lists all the items collected by SATAYO, visible from the GUI. The collected elements vary from organization to organization, and it is possible that not all items are available for your search. This is not a bug: it simply means that SATAYO did not find anything related to your company in that specific category. You can use this page to get a better understanding of what a certain section does and to get an idea of your overall exposure by comparing the evidence found for your company with all the evidence analyzed. You can click on each item to explore it further.

[Figure: homeExample.png]

This is an example analysis performed on the domain teslamotors.com.

Every item is correlated with MITRE ATT&CK, a framework for describing the behavior of cyber adversaries across their intrusion lifecycle. More specifically, at the top of each item there is a table that maps the Tactics and Techniques used to retrieve it. The full table is available in the page Mitre Attack Coverage.

[Figure: mitre.png]

These are the mappings for the Market section.

After opening an item, you will notice two buttons at the top of the page. With them you can filter the results and see only the data coming from the last scan. Information about how often a scan is performed is available in the page How does SATAYO work.

[Figure: newold.png]

The red button shows only recently added data, while the blue button shows everything. If blue is selected, new data are still marked in red to distinguish them from old evidence.

The next sections are dedicated to the collected items.



Hostname

Hostnames are one of the starting points for SATAYO’s exposure assessment analysis. This page shows the hostnames found for the selected domain. Each hostname is resolved and its IP is also displayed, along with the country of origin.

If a suitcase emoji appears next to an IP address, it means that it is part of a subnet block managed directly by your organization. More on this can be found in the section Registry.

If interesting items were found within the hostname, they are shown in the table to the right. Each row also has a score value, and more information about the scoring can be found in the section Global Report.

[Figure: hostname.png]

You can click on each result to explore the item further. A brief description of these subsections is provided below.

Vulnerability

This page shows the existence of vulnerabilities, identified by a CVE number and a CVSS score, on exposed and domain-related resources. For each CVE, a link to the U.S. National Vulnerability Database (maintained by NIST) is given, together with the type of weakness as classified in CWE, a system of categories for software weaknesses and vulnerabilities. Links to existing exploits or PoCs are also available.

The EPSS (Exploit Prediction Scoring System) value is also shown. EPSS is a data-driven effort to estimate the likelihood (probability) that a software vulnerability will be exploited in the wild. The model produces a probability between 0 and 1 (0% and 100%): the higher the score, the greater the probability that the vulnerability will be exploited. EPSS is managed by FIRST, and SATAYO is present in the official list of EPSS-supported vendors.
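As an added example (not SATAYO code, and not how SATAYO itself ranks findings), the following Python script shows one way a practitioner can use the CVSS and EPSS values shown on this page together: EPSS values are normalized whether they arrive as a probability or a percentage, findings already marked as fixed are set aside, and the remaining ones are bucketed and ranked. The thresholds (EPSS 0.1, CVSS 7.0) and the findings are constructed for illustration; the CVE identifiers are placeholders, not real advisories.

```python
"""Prioritize CVE findings by combining CVSS severity with EPSS likelihood.

Added example for this guide; it is not SATAYO code. The findings below are
constructed, and the CVE identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    epss: float            # EPSS probability, 0.0 to 1.0
    fixed: bool = False    # True when the rescan no longer detects it (the green tick)


def normalize_epss(value: Union[str, float]) -> float:
    """Accept EPSS as a probability (0.42), a number on the 0-100 scale (42) or a string ("42%")."""
    if isinstance(value, str):
        value = value.strip()
        if value.endswith("%"):
            return float(value[:-1]) / 100.0
        value = float(value)
    if value > 1.0:            # assume it was given on the 0-100 scale
        value = value / 100.0
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"EPSS out of range: {value}")
    return value


def priority(f: Finding, epss_threshold: float = 0.1, cvss_threshold: float = 7.0) -> str:
    """Bucket a finding: likely-to-be-exploited AND severe outranks either one alone."""
    if f.fixed:
        return "fixed"
    likely = f.epss >= epss_threshold
    severe = f.cvss >= cvss_threshold
    if likely and severe:
        return "urgent"
    if likely or severe:
        return "high"
    return "normal"


def triage(findings: List[Finding], **thresholds) -> List[Tuple[str, str, str]]:
    """Return open findings ranked by EPSS (then CVSS), each with its bucket and EPSS as a percentage."""
    open_findings = [f for f in findings if not f.fixed]
    ranked = sorted(open_findings, key=lambda f: (f.epss, f.cvss), reverse=True)
    return [(f.cve, priority(f, **thresholds), f"{f.epss:.1%}") for f in ranked]


# Constructed sample: placeholder CVE ids, not real vulnerabilities
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=normalize_epss(0.02)),
    Finding("CVE-0000-0002", cvss=7.5, epss=normalize_epss("91%")),
    Finding("CVE-0000-0003", cvss=5.3, epss=normalize_epss(0.4), fixed=True),
    Finding("CVE-0000-0004", cvss=6.1, epss=normalize_epss(45)),
]

if __name__ == "__main__":
    for cve, bucket, prob in triage(SAMPLE):
        print(f"{cve}  {bucket:<7} EPSS={prob}")
```

The point of the two-axis bucketing is that a high CVSS score alone (CVE-0000-0001 in the sample) says how bad exploitation would be, while a high EPSS (CVE-0000-0002) says how likely it is; a finding that scores on both is the one to fix first.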

Vulnerabilities are scanned periodically; if one has been corrected and is no longer detected during the rescan, a green tick appears next to it.

When you access this page from the Hostname section, you will only see vulnerabilities related to the IP address you clicked on. Otherwise, you can access this section directly from the menu, where you will see the data for every IP address within the domain. Clicking on one of these IPs will redirect you back to the hostname section, but limited to the selected IP.

Blacklist host

This page shows the presence of host names within blacklists. This situation can compromise the provision of services and ruin reputations. If browsers or organizations activate controls such as content filtering, the connection to the blacklisted machine may be terminated or refused. Several blacklists allow users to request removal of their resources after a reputation check of the exposed resource.

Port

This section consists of seven different subsections. The operation of each is explained below. You can access this section directly from the main menu and see a list of all the evidence. Otherwise, from the Hostname section you can view the details of an individual IP.

Industrial systems

This page shows exposed services, on domain-related IPs, related to protocols used within industrial systems (SCADA / ICS).

Unencrypted protocols

This page shows the exposure of services over protocols that transmit information in cleartext, such as http, ftp, imap, etc. These cleartext protocols may simplify the activity of network sniffing and consequent capture of confidential information.

Interesting services

This page shows exposed services that might be of interest to a malicious user. These services can be for example MySQL, MSSQL, Oracle database, LDAP, Tomcat, etc.

Port management

This page shows exposed services, on domain-related IPs, related to remote management protocols (for example: vnc, rdp).

Obsolete services

This page shows exposed obsolete services such as ftp or telnet on domain-related IPs.

Web server NO SSL ports

This page shows exposed unencrypted web servers, reachable on port 80 or 8080.

Web server ports

This page shows exposed encrypted web servers, reachable on port 443 or 8443.

Wayback machine

This page shows the sitemap and previous snapshots of the website hosted on the scanned IP. This service is provided by the Internet Archive. Old versions of sites may contain confidential information, so it is suggested to check them out.

Technologies

This page shows the technologies used within the exposed web resources. A screenshot of the website and information about the certificate are also present.

robots.txt

This page shows the details of the robots.txt file exposed by the website. This file may contain paths to restricted areas of the website.

HTTP method

This page shows the HTTP methods exposed by the website hosted on the analyzed IP. Attackers can abuse vulnerable methods, so methods that are not necessary should not be exposed.

SSL/TLS

This page shows the robustness of the TLS / SSL configuration of the various web sites of the domain. The checks performed may return evidence of expired SSL certificates or the use of obsolete and insecure cryptographic algorithms. Findings are classified with a severity level ranging from CRITICAL to INFO. You can access this section directly from the main menu and see the list of the evidence for all the IP addresses present in the scanned domain. Otherwise, from the Hostname section you can view the details of an individual IP.



Registry

This page shows the subnet blocks in which the IP addresses found reside. The records are managed by the various RIRs. If some IP blocks are managed directly by the organization, they are marked as favorites and the addresses inside them are scanned to find other resolvable hostnames.



Potentially confidential data

The following three items are grouped in this category in the guide as they all may contain sensitive data. In SATAYO each of them has a single section.

File

This page shows all files found in the analyzed domain with an extension deemed interesting. For each record some information is shown, such as the title, author, creation date, size, etc. It is recommended to check the contents of these files and remove them from the Internet if they contain confidential information. A link to each file is provided so that it can be verified.

Bucket

This page shows the Amazon, Google, and Azure buckets and containers that belong to the organization. If they are publicly accessible, the internal content is listed.

GitHub hot data

This page shows information deemed interesting obtained from GitHub repositories related to the scanned domain. It is possible that some files contain confidential information. Items such as usernames, passwords, certificate keys, configuration files, and log files are searched for. The link to the repository and the evidence found can be viewed in the list.



Mail server

This page shows the mail servers used by IPs within the scanned domain. The presence of SPF and DMARC records is checked. These are e-mail validation systems designed to detect e-mail spoofing attempts, with several checks performed before the message reaches the recipient. If they are not present, it is recommended to enable them to avoid mail spoofing scenarios.
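The check described above can be reproduced on your own side from DNS TXT records. The Python script below is an added example for this guide, not SATAYO code: it looks for an SPF record at the domain and a DMARC record at _dmarc.<domain>, and also flags the two weak configurations a defender most often finds (an SPF policy ending in +all, and a DMARC policy of p=none). The records are constructed and served by a stand-in resolver; for a live domain you would pass a function that resolves TXT records as `lookup`.

```python
"""Assess SPF and DMARC presence and policy strength from DNS TXT records.

Added example for this guide, not SATAYO code. The TXT records below are
constructed; for a live check you would resolve TXT for <domain> and
_dmarc.<domain> and pass that resolver as `lookup`.
"""
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str], List[str]]

# Constructed records keyed by DNS name (example-reserved domains only)
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com": [
        "google-site-verification=constructed-token",
        "v=spf1 include:_spf.example.net -all",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 a mx +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "none.example": ["some-other-verification=abc"],
}


def sample_lookup(name: str) -> List[str]:
    """Stand-in resolver over the constructed records."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


def spf_records(txt: List[str]) -> List[str]:
    return [r for r in txt if r.lower().startswith("v=spf1")]


def parse_dmarc(txt: List[str]) -> Optional[Dict[str, str]]:
    """Return DMARC tags as a dict, or None when no v=DMARC1 record exists."""
    for r in txt:
        if not r.lower().startswith("v=dmarc1"):
            continue
        tags: Dict[str, str] = {}
        for part in r.split(";"):
            if "=" in part:
                key, val = part.split("=", 1)
                tags[key.strip().lower()] = val.strip()
        return tags
    return None


def assess(domain: str, lookup: Lookup = sample_lookup) -> List[str]:
    """List findings for a domain; an empty list means SPF and DMARC look sound."""
    issues: List[str] = []

    spf = spf_records(lookup(domain))
    if not spf:
        issues.append("no SPF record")
    elif len(spf) > 1:
        issues.append("multiple SPF records (RFC 7208 allows exactly one)")
    else:
        terminal = spf[0].split()[-1].lower()
        if terminal in ("all", "+all"):
            issues.append("SPF ends with +all, so any host may send as the domain")
        elif terminal not in ("-all", "~all"):
            issues.append(f"SPF terminal mechanism is '{terminal}', not -all or ~all")

    dmarc = parse_dmarc(lookup("_dmarc." + domain))
    if dmarc is None:
        issues.append("no DMARC record")
    elif dmarc.get("p", "none") == "none":
        issues.append("DMARC policy is p=none (monitoring only, spoofed mail is still delivered)")

    return issues


if __name__ == "__main__":
    for d in ("example.com", "weak.example", "none.example"):
        print(d, "->", assess(d) or ["OK"])
```

Presence alone is not the whole story: a domain can have both records and still be spoofable if SPF ends in +all or DMARC is left at p=none, which is why the example reports those as findings rather than treating any record as a pass.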



Mobile Apps

This page shows organization-related mobile applications uploaded to the Play Store or other third-party stores. Applications are scanned periodically and different versions of the same application may be visible. If some antimalware engine detects malware in a version, it is flagged.



Personal information sections

The following items are grouped in this category as they all contain personal data of the employees. In SATAYO each of them has a single section.

Phone number

This page shows all phone numbers published on the institutional website of the analyzed domain. If personal phone numbers are present, it is suggested to remove them as they may facilitate social engineering activities.

General Social

This page shows the social media presence of accounts named after the domain under analysis. Attackers may create accounts that imitate the identity of an organization, with the goal of establishing trust relationships with victims.

We have developed an advanced profile search feature within Instagram that can find similar suspicious accounts that could impersonate the legitimate company.

Mail

This page shows the email accounts belonging to the domain under analysis. It is reported whether the account was used to subscribe to an online service and whether it is present in one or more data breaches. From here it is possible to access the sections Breached Accounts, Password and Paste and see the data related to the selected account. Accessing the same sections from the global menu will show data for all the email addresses present.

Other accounts that do not belong to the domain can also be monitored. They are called VIP accounts and are related to important corporate figures with an email associated with a domain outside the monitored ones (e.g., gmail, yahoo, etc.). If you are interested in adding VIP accounts you must report them by opening a ticket. Once added, you will be able to see them at the beginning of the page.

Breached accounts

This page shows the presence of corporate e-mail addresses in different data breach scenarios. New data breaches are constantly being added. For each breach, some information such as date, number of compromised accounts, and type of data contained is reported. Results can be sorted by last update or by date of breach. Accounts can be set as verified after the owner has been informed and changed the password. If there are passwords in the data breach, you can click on the e-mail address and view the password.

Password

This page shows the passwords detected in the various data breaches, indicating the type of password. For the hashes present, the plaintext equivalent is shown if available. There is also a counter indicating how many times that password was found within the breaches. All the passwords in this list are insecure and should be changed immediately.

Paste

This page shows the presence of corporate e-mail accounts within various paste sites. The content may no longer be available, as it is usually removed after a short time. Even if the content is no longer visible, the presence of an account on multiple paste sites may indicate that a data breach has occurred and that sensitive information may be at risk.



Open Bug Bounty

This page shows evidence of occurrences related to domain resources found within the Open Bug Bounty portal. The portal allows an organization to manage Vulnerability Disclosure in a coordinated way with the researchers who discover the vulnerabilities.



Deep & Dark Web

This page contains evidence retrieved by SATAYO from Deep & Dark web sources, such as leak forums, onion sites, illegal marketplaces, social networks, etc. The analysis is performed with several keywords related to the analyzed domain. The link to the mention and a snippet of it are given.



Market

On this page, SATAYO shows evidence related to credentials, cookies, and sessions offered for sale within different marketplaces and coming from attacks carried out with stealer malware. Stealers are a type of malware that is usually installed along with program cracks and is capable of stealing personal information from the system, such as passwords stored in browsers. We try as much as possible to preserve privacy and not let the market know our interests: for example, to find Amazon-related data, the search is done for “azon” and the results are then filtered so that they contain only the items we are really interested in.
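The “azon” technique above is a general pattern for querying any external source without disclosing the exact name on your watch list: send a deliberately broad term, then filter precisely on your own side. The Python script below is an added example for this guide, not SATAYO code; the source is simulated by a constructed in-memory list with a substring search, so the only thing the simulated source ever sees is the fragment. The fragment derivation (the last four characters of the first label, which is an assumption of this example) and the suffix-based host match are choices of the example, and the suffix match is what keeps a lookalike such as amazon.com.evil.example out of the results.

```python
"""Query an external source with a broad term, then filter precisely on our side.

Added example for this guide, not SATAYO code. The data source is simulated by a
constructed in-memory list and a substring search; in practice it would be a
third-party search API that sees only the term we send it.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, object]

# Constructed entries; reserved example names are used except for the one brand
# the guide itself uses as its illustration
CONSTRUCTED_INDEX: List[Entry] = [
    {"id": 1, "host": "login.amazon.com"},
    {"id": 2, "host": "shop.blazon.example"},            # substring hit, different brand
    {"id": 3, "host": "amazon.com.evil.example"},        # lookalike: brand used as a prefix
    {"id": 4, "host": "AMAZON.COM."},                    # case and trailing dot differ
    {"id": 5, "host": "portal.corp.example"},            # unrelated, never returned
]


def broad_term(domain: str, length: int = 4) -> str:
    """Derive the fragment sent to the source: the last `length` characters of the
    first label, so 'amazon.com' becomes 'azon'. Assumption of this example: a
    fragment of the label is enough to recall all relevant entries."""
    label = domain.lower().split(".")[0]
    return label if len(label) <= length else label[-length:]


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match on the registrable domain; a host that merely
    starts with the brand ('amazon.com.evil.example') does not match."""
    h = host.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def remote_search(term: str, index: List[Entry]) -> List[Entry]:
    """Simulated server-side search: this is everything the source learns about us."""
    return [e for e in index if term in str(e["host"]).lower()]


def search_privately(domain: str, index: List[Entry] = CONSTRUCTED_INDEX) -> Tuple[str, List[int]]:
    """Return the term that left our side and the ids of entries that really concern `domain`."""
    term = broad_term(domain)
    candidates = remote_search(term, index)
    return term, [int(str(e["id"])) for e in candidates if host_matches(str(e["host"]), domain)]


if __name__ == "__main__":
    term, ids = search_privately("amazon.com")
    print(f"sent '{term}' to the source; kept entries {ids}")
```

Running it with amazon.com sends only “azon”, gets back four candidates (including blazon and the lookalike), and keeps the two that actually belong to the domain.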

Resources are classified with a severity level that can be RISK ACCEPTED, POTENTIALLY CRITICAL or CRITICAL, depending on the website within the log. This classification is done by us, but you can request a change at any time if you feel that the severity of an item should be adjusted. You can check how the resources were classified from a link at the top of the Market page.

In cases of critical resources, such as intranet websites, password managers, private clouds, administrative pages, etc., the item can be acquired and analyzed. Purchasing a log prevents other criminals from accessing it and allows the owner of the infected machine to be discovered and informed of the theft of his or her personal information.

For customers with the SaaS & Managed version of SATAYO, critical logs are purchased and analyzed by our team, up to a maximum of 2 percent of the total budget. You will then be informed via a ticket in Jira about mitigations and best practices to follow.

Acquired logs may contain passwords and other personal information of the victim. We set limits (both technical and ethical) on what we do with them. We don’t test credentials to see whether they are currently usable on the related services, and we don’t share passwords in plaintext with customers. These activities are outside the scope of the Threat Intelligence service and don’t help solve the problem; additionally, sharing this data violates the victim’s privacy. Victims should be informed of the compromise, clean up their computer (the stealer may still be present on the machine) and change all their passwords.



Sandboxes

This page shows the evidence found within sandboxes and related to the monitored organization. Evidence is detected using dedicated YARA rules preconfigured by the team of analysts. A sandbox detonates files in controlled virtual environments to track their activities and communications, producing detailed reports that include files opened, created and written, registry keys set, domains contacted, and more.

The URL of the analyzed evidence is provided, along with information on the country from which the file was uploaded and the size and extension of the file.



Credit Card

On this page, SATAYO shows evidence related to Credit Cards (CC) offered for sale within different marketplaces. Information such as the name of the bank, the address of the card owner and the price at which the card is sold are shown if available. CCs are stolen through a multitude of techniques, including, but not limited to, phishing emails, data breaches, sniffing on a public Wi-Fi network, physical cloning at ATMs, etc. This section is available only to credit institutions that issue credit cards.