Working with Scan Results - "Things" Detailed Description

Modified on Fri, 16 May at 1:36 PM

In the context of ThingsRecon’s Discovery platform, “Things” are the various known or unknown assets exposed to the Internet, as identified during Discovery scans. In other words, they are all of the component parts of an organisation’s potential cybersecurity threat surface.

These are broken down as follows, and viewable in respective tables via the Dashboard Things page:

  • Applications (any software exposed on the Internet, e.g. a web application, SSH server, database, etc.)
  • API Endpoints (any URIs callable by a program and returning a result; also called web services)
  • Certificates (SSL certificates attesting a digital entity's identity)
  • Cookies (retained user information)
  • Domains (any Internet names described by WHOIS records)
  • FQDNs (Fully Qualified Domain Names: complete, unambiguous and verified addresses of websites, servers, or other online resources)
  • Headers (information attached to a digital asset, including metadata such as creation date, file type, etc.)
  • Inputs (web application fields expecting data from the user)
  • IPs (IP addresses: the numeric labels assigned to Internet-connected entities and identified as part of the attack surface)
  • IP Ranges (groups of IP addresses sharing the same network address, identified as belonging to the target organisation)
  • Mobile Apps (applications installed on mobile endpoints and used by the target organisation)
  • Scripts (JavaScript locations, displayed as URIs)
  • Script Variants (JavaScript code, identified by checksum. A script variant is always linked either to a Script (checksum of the code fetched from a script URI) or to a URL (inline script))
  • Software Components (distributed software entities offering a specific set of services through well-defined interfaces)
  • SSL Services (an identified SSL server; one SSL server can cover several HTTPS web applications)
  • Supplier Connections (any clue proving digital proximity to an identified, known supplier. A supplier is a third-party company; Supplier Connections are used to build the Supply Chain)
  • URLs (Uniform Resource Locators, used by browsers to retrieve published resources such as HTML pages, CSS documents, images, etc.)
  • Vulnerabilities (potential points of security weakness, e.g. through integration with third-party tools)

Dashboard: Things View

You can view all discovered Things via your Dashboard. 

The Things View is where everything is categorised. The selection bar in the upper-right corner makes it easy to view Things by type (e.g. Applications, Domains, etc.).

Each Things type opens in its own table view, simplifying asset inventory, triage and tagging. 

These tables are displayed with 

  • Filterable columns
  • Bulk actions (e.g. you may wish to filter and bulk select all things found on port 80, tag them and add them to a security program)
  • Direct links to a detailed "Thing Profile" (a graphical presentation of the attack surface with additional information on related Things/software components, and the ability to add the application to a security program and tag it).

Working with Things

Once discovered, all Things are put into a graph dataset and a number of insights are created using a combination of rules, analytics and AI.  

Discovered Things are categorised based on risk severity, business context and potential for vulnerability exploitability. This helps focus any remediation efforts on the most critical threats. 

Application View

When you navigate to the Things page (Things View) in your dashboard, you’ll arrive at the Application view first.

Here you'll find a comprehensive list of all discovered applications, complete with details such as status, risk level, and more. Effectively, it serves as your configuration management database for applications.

By default, the Application view displays all discovered applications. You can easily navigate this view by minimising the left-hand panel to focus on the table. This gives you a clear, detailed overview of your applications.

Application View - Table details

Each identified application is described under a series of key fields. There are over 20 in total, including the following:

  • The name: the Fully Qualified Domain Name (FQDN), including subdomain and top-level domain, or the IP address if the application is reachable directly by IP
  • The port: the port the application is running on
  • The risk level: calculated from the discovered hygiene issues
  • The status: whether the application is online, offline, or inaccessible
  • The server technology behind the application and the main technology running it.

Note that the name and port together are sufficient to identify an application.

Application filtering

One of the most powerful features in the Things View is the ability to filter applications. You can do this by risk grade to focus on high-risk applications, by status to show only online or offline ones, or by server type to narrow down specific technologies.

You can also filter by Attack Surface Score to prioritise applications with the highest exposure. (The higher the attack surface score, the greater the exposure.)

See: Dashboard – Working with Results for details on how the risk grade is assigned.

Attack surface score

The attack surface score is arrived at using an algorithm that takes into account the following seven key vectors:

  1. Security mechanisms: Are you using HTTP, HTTPS or a mix?
  2. Page creation method: Is the application built with server side, client side or mixed technologies?
  3. Degree of distribution: How many pages and connections does the application have?
  4. Authentication: Does the application have login pages?
  5. Input vectors: Are there forms or fields for user input?
  6. Active content: Are there internal, external, or embedded scripts?
  7. Cookies: How many cookies does the application use?

These vectors will help you understand how exposed an application is, so you can prioritise your security efforts. 
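As an added illustration (not ThingsRecon's scoring algorithm, whose weights this page does not publish), the following Python extracts the seven vectors listed above from a captured HTTP response and combines them into a score using assumed weights. The URL, headers and HTML body are constructed sample data, and the heuristic used for the page creation method (vector 2) is this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _PageCollector(HTMLParser):
    """Counts links, inputs, login fields, script kinds and visible text in one HTML body."""
    def __init__(self, host):
        super().__init__()
        self.host, self.links, self.inputs, self.has_login = host, 0, 0, False
        self.scripts = {"internal": 0, "external": 0, "inline": 0}
        self.text_chars, self._in_script = 0, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links += 1
        elif tag in ("input", "textarea", "select"):
            self.inputs += 1
            self.has_login = self.has_login or a.get("type") == "password"
        elif tag == "script":
            self._in_script, src = True, a.get("src")
            local = src is not None and (src.startswith("/") or urlparse(src).hostname == self.host)
            self.scripts["inline" if src is None else "internal" if local else "external"] += 1
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):  # visible text only; script bodies are skipped
        self.text_chars += 0 if self._in_script else len(data.strip())

def extract_vectors(url, headers, body):
    """Seven vectors (key names are this example's) from a captured response; headers: [(name, value)]."""
    c = _PageCollector(urlparse(url).hostname)
    c.feed(body)
    return {"https": url.lower().startswith("https://"),                       # 1. security mechanisms
            "client_side": sum(c.scripts.values()) > 0 and c.text_chars < 200,  # 2. crude heuristic
            "links": c.links,                                                   # 3. degree of distribution
            "has_login": c.has_login,                                           # 4. authentication
            "inputs": c.inputs,                                                 # 5. input vectors
            "scripts": c.scripts,                                               # 6. active content
            "cookies": sum(1 for n, _ in headers if n.lower() == "set-cookie")}  # 7. cookies

def attack_surface_score(v):
    """Illustrative weighted sum (weights assumed here, not ThingsRecon's); higher = more exposed."""
    return ((0 if v["https"] else 3) + (2 if v["client_side"] else 1) + min(v["links"], 20) // 5
            + (3 if v["has_login"] else 0) + min(v["inputs"], 10) + v["scripts"]["internal"]
            + 2 * v["scripts"]["external"] + v["scripts"]["inline"] + min(v["cookies"], 5))

SAMPLE_URL = "http://shop.example.test/login"  # constructed sample response for a login page, not real data
SAMPLE_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "sid=1"), ("Set-Cookie", "lang=en")]
SAMPLE_BODY = """<html><body><a href="/cart">Cart</a><a href="/help">Help</a>
<form><input name="user"><input type="password" name="pw"></form>
<script src="/static/app.js"></script><script src="https://cdn.example.net/lib.js"></script>
<script>init()</script></body></html>"""
```

Running `attack_surface_score(extract_vectors(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY))` on the sample gives a plain-HTTP login page with two inputs, one external script and two cookies, which the assumed weights rate above an HTTPS brochure page with no inputs.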

Additional insights

The more you know about discovered Applications and their status and make-up, the better equipped you are to act appropriately and contain or reduce any potential risk. The Things View provides the following additional detail to help inform and prioritise next steps:

Need Action

The Need Action column highlights applications that require attention. You can filter this information by actions such as ‘Fix’, ‘Protect’ or ‘Remove’ to address vulnerabilities and reduce risks.

CNAME

The CNAME column helps pinpoint where an application is hosted or what it is connected to.

It can reveal whether an application is pointing to a third-party service, or another domain within your infrastructure.

Category 

This column identifies specific types of applications, such as web apps, file-sharing or other services (if scan parameters have been configured accordingly). 

  • Web Application: an application running on the HTTP or HTTPS protocol.
  • Web Server Default Page: a misconfigured web server showing its default page (e.g. IIS, NGINX).
  • Third Party: a known industry solution instance running on an FQDN belonging to the target organisation.
  • Domain For Sale: a responsive FQDN running on a parked domain name.
  • URI: a responsive web application where only blank pages were found. ThingsRecon suspects web services here rather than a web application.
  • DB: a typical database port exposed to the Internet.
  • DNS: a DNS server exposed to the Internet.
  • File Sharing: a file sharing service exposed to the Internet (e.g. FTP).
  • Mail Service: a mail service exposed to the Internet (e.g. IMAP).
  • Protocol: an LDAP, NTP or NetBIOS port exposed to the Internet.
  • Remote Access: services such as RDP or SSH exposed to the Internet.
  • WAF: an identified Web Application Firewall (WAF) responding from the FQDN rather than a web application.

Detail

The Detail column shows specifics about what has been discovered.

Scan criticality (from vulnerability scanning):

Scan criticality relates to the assessment side of the application, helping you prioritise scans based on the level of risk or importance.

  • No: not onboarded to any security program, so no vulnerability assessment has been done yet
  • Safe: vulnerability assessment done, no vulnerability detected
  • Low, Medium, High: vulnerability assessment done; severity of the most critical vulnerability found.

Advanced features

To complete the picture, the Things/Application View provides additional insights, to inform onward decision-making:

  • Security onboarding. This lets you select programs to run on an application (such as manual pentesting or automated dynamic application scanning), whether you're working with an MSSP, a third party or an internal scanner
  • Ownership. This column shows who owns the application
  • Business criticality. This lets you define an application’s importance to the business as low, medium or high
  • Update Frequency. Use this to track how often an application is updated
  • Manual Complexity. This is to rate how complex the application is to manage. If used, this will replace the attack surface score for security program recommendation
  • Program Recommendation. One of the most powerful tools, this suggests the best way to scan and assess an application based on automated data (for example risk score and other criteria selected by the organisation) and your manual inputs
  • Tags. This lets you categorise applications. You can use system tags or create your own to group similar apps together. 

Taking Action

ThingsRecon Discovery delivers a passive analysis of potential risks, including open ports, misconfigured services, outdated software and exposed sensitive data. Armed with this intelligence, you can choose what to do next.

Discovered applications are broken down into their individual components, providing an attack surface analysis and other data insights that can support penetration testing and DAST security assessment. Depending on your requirements and priorities, applications can then be assigned to the preferred security program.
