Also by Jamil Mirza
Microsoft Defender External Attack Surface Management (Defender EASM) discovers your externally facing digital assets and provides many useful details about the assets found to help you manage risk impacting your organization. One example of this asset detail is Trackers, which can be associated with Page, Host, or IP Address assets. The definition of Trackers from the Defender EASM official documentation is as follows:
Trackers are unique codes or values found within web pages and often are used to track user interaction. These codes can be used to correlate a disparate group of websites to a central entity. Microsoft's tracker dataset includes IDs from providers like Google, Yandex, Mixpanel, New Relic, Clicky and continues to grow regularly.
What’s so special about Trackers and why should security teams understand what they are and the functionality they provide? In practice, Trackers can be used for both legitimate and malicious purposes, and it’s important to understand any potential risk created by the latter. Below are a few examples.
Example Legitimate Uses:
Example Malicious Uses:
This blog post will show you how to view Trackers in the User Interface (UI). In a second forthcoming post, I will demonstrate the awesome power of the Defender EASM API (Application Programming Interface) and how you can increase the visibility of Trackers in your attack surface. In the final installment of this series, I will describe the similarities and differences between Trackers and Web Components.
We have already defined what Trackers are in terms of how they are generally used on the internet. Within the rich corpus of Defender EASM data called “Trackers” (AKA “Attribute Type” in the UI search screen), there are additional derived data subtypes to be aware of. These other derived asset attributes are valuable for managing an external attack surface in several ways, but not all fit within the traditional definition of a website tracker.
For example, there are several attributes you may encounter that are related to “JARM hashes.” JARM hashes aren’t website trackers as you might think of them, but they are useful for identifying technologies that make up an attack surface. Sometimes, they can identify individual users if certain customized configurations are used. You can learn more about JARM hashes in this blog post. Now that we have a baseline knowledge of the Tracker data set available in a Defender EASM Azure resource, and an understanding that it contains even more valuable data than the name implies, let’s dive in!
In this example, we will focus on Google Tag Manager (GTM), which according to Google enables the following:
Tag Manager allows you to add and update your own tags for conversion tracking, site analytics, remarketing, and more. There are nearly endless ways to track activity across your sites and apps, and the intuitive design lets you change tags whenever you want.
One mechanism GTM uses to provide this functionality is to dynamically inject and execute JavaScript code when a user loads a website in a browser. Unfortunately, threat actors have developed multiple complex methods to abuse this design, and those techniques are beyond the scope of this blog post. Regardless of approach, the result is typically the injection of malicious code that lets an attacker profit from advertising revenue or breached data while avoiding the suspicion of site administrators and developers.
Let’s assume that our goal is to find all Page assets in our attack surface that use GTM. With Defender EASM, it’s easy for security teams to uncover these websites with a simple search in the “Inventory” blade. Only the following three filters are needed:
That’s it! It’s now possible to navigate to the asset details of each Page asset returned by clicking the link in the “Asset” column.
After selecting any result returned, Defender EASM will present you with the details for that asset. Select “Trackers” in the asset details screen to view all trackers Microsoft has detected for that specific asset. In this instance, the results will include assets using GTM and their corresponding values.
Note: As previously mentioned, there are many types of Trackers in the Defender EASM data set. Viewing those programmatically will be shown in the next installment of this blog series.
Let’s assume that you know the exact GTM value of interest, or at least what the value begins with. By simply adding one more filter, Defender EASM allows us to reduce our data set to just the GTM values we might want to interrogate further.
The result set will now be reduced to just those Page assets that may need to be analyzed per business needs.
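The two ideas above, correlating sites through a shared tracker value and filtering on a GTM value you already know, can be illustrated outside the UI. The following Python script is an added example, not code from the post or from Defender EASM: it extracts GTM container IDs from constructed sample HTML for hypothetical hosts, groups hosts by shared container ID, and flags any host loading a container that is not on an assumed approved list (all hostnames and IDs are placeholders).

```python
import re
from collections import defaultdict

# Google Tag Manager container IDs look like GTM-XXXXXXX (uppercase alphanumerics).
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")

# Constructed sample pages for hypothetical hosts (not real sites or real containers).
SAMPLE_PAGES = {
    "www.example-a.test": """<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-AAAA111');</script></head><body>ok</body></html>""",
    "shop.example-a.test": """<html><body>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-AAAA111"></iframe></noscript>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZZZ999"></script>
</body></html>""",
    "www.unrelated.test": "<html><body>no tag manager here</body></html>",
}

# Container IDs the organization actually owns (constructed placeholder value).
APPROVED_IDS = {"GTM-AAAA111"}


def extract_gtm_ids(html):
    """Return the set of GTM container IDs referenced in one page's HTML."""
    return set(GTM_ID_RE.findall(html))


def correlate(pages):
    """Map each container ID to the hosts referencing it: a shared tracker
    value is what ties otherwise disparate sites to one entity."""
    by_id = defaultdict(set)
    for host, html in pages.items():
        for gtm_id in extract_gtm_ids(html):
            by_id[gtm_id].add(host)
    return dict(by_id)


def unapproved(pages, approved):
    """Return {host: {ids}} for hosts loading a container ID not on the approved list."""
    findings = {}
    for host, html in pages.items():
        rogue = extract_gtm_ids(html) - approved
        if rogue:
            findings[host] = rogue
    return findings


if __name__ == "__main__":
    for gtm_id, hosts in sorted(correlate(SAMPLE_PAGES).items()):
        print(gtm_id, "->", ", ".join(sorted(hosts)))
    print("unapproved:", unapproved(SAMPLE_PAGES, APPROVED_IDS))
```

A second, unexpected container on a host you own is exactly the kind of finding worth interrogating further, since a legitimate site rarely needs more than the container it was built with.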
You now understand Trackers in Defender EASM and how they could create risk to your organization. You can also search for them via the Defender EASM UI within your external attack surface. I sincerely hope you will join me for the next installment of this series. Happy Tracker hunting!
Begin your attack surface discovery for free today by trying Defender External Attack Surface Management.