Part 1: Uncovering Trackers Using the Defender EASM UI
Published Feb 17 2023 05:40 PM 6,150 Views
Microsoft

 

Also by Jamil Mirza

 

Microsoft Defender External Attack Surface Management (Defender EASM) discovers your externally facing digital assets and provides many useful details about the assets found to help you manage risk impacting your organization. One example of this asset detail is Trackers, which can be associated with Page, Host, or IP Address assets. The definition of Trackers from the Defender EASM official documentation is as follows: 

 

Trackers are unique codes or values found within web pages and often are used to track user interaction. These codes can be used to correlate a disparate group of websites to a central entity. Microsoft's tracker dataset includes IDs from providers like Google, Yandex, Mixpanel, New Relic, Clicky and continues to grow regularly. 

 

What’s so special about Trackers and why should security teams understand what they are and the functionality they provide? In practice, Trackers can be used for both legitimate and malicious purposes, and it’s important to understand any potential risk created by the latter. Below are a few examples.

 

Example Legitimate Uses:

 

  • Product Management and IT (information technology) teams may use them to track user interactions with a website, gathering both user information and browsing habits to personalize and improve a user’s web experience.
  • Marketing teams may use them to collect metrics about the effectiveness of advertising campaigns and the conversion of ad impressions to the sale of goods or services.
  • Governance, Risk, and Compliance (GRC) teams may need to monitor the use of trackers due to regulatory requirements, such as those in the Health Insurance Portability and Accountability Act (HIPAA) 

Example Malicious Uses:

 

  • Threat actors have been known to use well-known trackers and leverage obfuscation to evade the detection of compromised websites. Attackers may also incorporate them into phishing websites to decrease the chance their attempt at impersonation of a legitimate website will be noticed.  
  • Trackers are often delivered to a user’s browser from a third-party source, and in this case, it’s important for security teams to be aware of the following: 
    • Any changes that might indicate the breach of a third party’s infrastructure that would allow a threat actor to deliver malicious JavaScript to an unsuspecting user.
    • Misconfigurations that could lead to data leakage. 

 

This blog post will show you how to view Trackers in the User Interface (UI). In a second forthcoming post, I will demonstrate the awesome power of the Defender EASM API (Application Programming Interface) and how you can increase the visibility of Trackers in your attack surface. In the final installment of this series, I will describe the similarities and differences between Trackers and Web Components. 

 

Trackers in Defender EASM 

 

We have already defined what Trackers are in terms of how they are generally used on the internet. Within the rich corpus of Defender EASM data called “Trackers” (AKA “Attribute Type” in the UI search screen), there are additional derived data subtypes to be aware of. These other derived asset attributes are valuable for managing an external attack surface in several ways, but not all fit within the traditional definition of a website tracker.

 

For example, there are several attributes you may encounter that are related to “JARM hashes.”  JARM hashes aren’t website trackers as you might think of them, but they are useful for identifying technologies that make up an attack surface. Sometimes, they can identify individual users if certain customized configurations are used. You can learn more about JARM hashes in this blog post. Now that we have a baseline knowledge of the Tracker data set available in a Defender EASM Azure resource, and an understanding that it contains even more valuable data than the name implies, let’s dive in! 

 

Searching and Viewing Trackers  

 

In this example, we will focus on Google Tag Manager (GTM), which according to Google enables the following: 

 

Tag Manager allows you to add and update your own tags for conversion tracking, site analytics, remarketing, and more. There are nearly endless ways to track activity across your sites and apps, and the intuitive design lets you change tags whenever you want.  

 

One mechanism GTM uses to provide this functionality is by dynamically injecting and executing JavaScript code when a user loads a website in a browser. Unfortunately, threat actors have developed multiple complex methods to abuse this design, and those techniques are beyond the scope of this blog post. Regardless of approach, the result is typically the injection of malicious code that allows an attacker to profit from advertising revenue or breached data – avoiding raising the suspicion of site administrators and developers.  

 

Find all Trackers in 3 Steps 

 

Let’s assume that our goal is to find all Page assets in our attack surface that use GTM. With Defender EASM, it’s easy for security teams to uncover these websites with a simple search in the “Inventory” blade. Only the following three filters are needed: 

 

  1.  The filter of “State = Approved” is default and should not be changed for this example (i.e., “Approved” signifies ownership by your organization) 
  2. Add a filter for “Kind = Page” to focus-in on websites only 
  3. Add a filter for “Attribute Type = GoogleTagManagerId 

 

Figure 1: GTM SearchFigure 1: GTM Search

 

 

That’s it! It’s now possible to navigate to the asset details of each Page asset returned by clicking the link in the “Asset” column.  

 

Figure 2: GTM Search ResultsFigure 2: GTM Search Results

 

After selecting any result returned, Defender EASM will present you with the details for that asset. Select “Trackers” in the asset details screen to view all trackers Microsoft has detected for that specific asset. In this instance, the results will include assets using GTM and their corresponding values.  

 

Note: As previously mentioned, there are many types of Trackers in the Defender EASM data set. Viewing those programmatically will be shown in the next installment of this blog series. 

 

Figure 3: Page Asset Tracker DetailsFigure 3: Page Asset Tracker Details

 

 

Find Tracker Values in Just One More Step 

 

Let’s assume that you know the exact GTM value of interest, or at least what the value begins with. By simply adding one more filter, Defender EASM allows us to reduce our data set to just the GTM values we might want to interrogate further. 

 

  1. Add the filter “Attribute Value,” the operator “Starts With,” and the characters that comprise the beginning of the GTM string value. 

 

The result set will now be reduced to just those Page assets that may need to be analyzed per business needs.

 

Figure 4: Search by Attribute ValueFigure 4: Search by Attribute Value

 

Conclusion  

 

You now understand Trackers in Defender EASM and how they could create risk to your organization. You can also search for them via the Defender EASM UI within your external attack surface. I sincerely hope you will join me for the next installment of this series. Happy Tracker hunting!  

 

Begin your attack surface discovery for free today by trying Defender External Attack Surface Management journey today.

 

Co-Authors
Version history
Last update:
‎Apr 27 2023 12:30 PM
Updated by: