The Hidden Risks of Scale: Identifying Exposures in Subdomains | Cloud Computing & SaaS Awards (2024)

By Tom Gorup, VP of Security Services at Edgio, winners of the Best Web Security Solution award at The 2024 Cloud Security Awards.

In today’s competitive market, enterprises face mounting pressure to rapidly scale their operations to meet stakeholder expectations, but with this urgency comes a host of challenges.

One such challenge is maintaining coherence across IT channels, where growing a business via activities such as mergers and acquisitions often lead to a significant accumulation of data and newfound exposure risks. Identifying and rectifying these risks, now consolidated under the management of a single organization, are mission critical to ensuring compliance and customer trust standards are met. Yet, amidst this process, subdomains are often overlooked by IT departments, posing an underestimated threat to enterprise security.

A Closer Look at the Domain Name System (DNS) Hierarchy

A subdomain functions as an appendix to a root website domain set up for various purposes including blog posting, career resources, testing environments and supporting sub entities. Yet, with each subdomain that is added, an organization’s attack surface expands, making it more susceptible to threats looking to exploit unmonitored back doors. On average, businesses have nine subdomains per top level domain, with many enterprises managing hundreds of subdomains across a single top-level domain.

Malicious actors are becoming more innovative in their domain takeover tactics as technology evolves, leaving enterprises and regulators working reactively to plug security holes in a sinking ship. For example, attackers are taking advantage of unmaintained subdomains pointing to third party services (like a web hosting platform, content delivery network, etc.) that have been removed or are no longer in use by the business, but where the Domain Name Service (DNS) record for that subdomain still exists. This attack is called a Subdomain Takeover whereby the attacker stakes claim to the old service URL as their own by taking control over the resource serving the subdomain.

Here’s how this works in practice: Imagine a company, ExampleCorp, which uses a third-party service, CoolHoster, to host its blog at

The Hidden Risks of Scale: Identifying Exposures in Subdomains | Cloud Computing & SaaS Awards (1)

One day, ExampleCorp decides to switch to a different hosting service and stops using CoolHoster, but they forget to remove the DNS entry that points to CoolHoster. An attacker later discovers that is still pointing to a specific service at CoolHoster that no longer hosts any content for ExampleCorp. The attacker then registers a new account on CoolHoster and then creates a site with the same name or identifier that was originally pointing to. Since’s DNS record still points to CoolHoster and the attacker has now created a project with the matching identifier, they effectively control where leads. The attacker can now host content on the hijacked subdomain, which can range from harmless pranks to malicious phishing pages or even redirects to completely different domains.

It is critical businesses take DNS management seriously and properly manage their attack surface by conducting regular audits of DNS records, scanning frequently for unknown subdomains and Internet-facing assets, have clearly defined decommission process, and educating their teams on the risks associated allowing subdomains to linger after a service has been long decommissioned.

Early warning signs that an organization might have fallen victim to a subdomain takeover include search engines showing security warnings for an owned domain, browsers flagging the company’s site as potentially suspicious when users surf to the domain, or complaints from users attempting to accessing the site receiving warnings or encountering unexpected content. If left unchecked, the costs of such attacks can impact bottom lines. Fines of hundreds of millions of dollars, not to mention additional costs attributed to covering incident response, regulatory fines, and legal and notification fees, have been noted in previous cases.

Additionally, not every attack will result in a compromise of data leading to litigation. Risks to attacks like these can also negatively impact a website’s Search Engine Optimization (SEO) rating, a brand, or even go as far as having a top-level domain blacklisted; each carrying with it direct impacts to revenue and are not quick or easy to recover. Getting a domain de-listed from a reputation list can take weeks while SEO recovery times can span months.

The Hidden Risks of Scale: Identifying Exposures in Subdomains | Cloud Computing & SaaS Awards (2)

The Need for Robust Security Measures

In an era where digital assets are the foundational backbone of businesses and enterprise organizations, ensuring the security of every nook and cranny within a domain is not just best practice, but an imperative.

As a first step, having all the subdomains protected through a Web Application Firewall (WAF) and bot management solution helps keep an eye on the movement of bad actors and monitor the new ways they are attempting to gain access. Ensuring all subdomains are protected through a single protection scheme, i.e., a unified web application and API protection (WAAP) solution with integrated WAF and bot management in one platform and interface, makes it easier to observe and ensure mitigation of threats across all subdomains. However, setting and forgetting these types of security measures do not provide enough protection on their own.

Regular auditing using tools that give comprehensive visibility across the organization is critical for staying on top of newly added risks and providing insight into the exposures that bad actors will race to exploit. There have been plenty of near misses by large companies where researchers discovered the problem before it was taken advantage of by a more nefarious hacker.

The most notable brought to light a much larger downstream problem than serving erroneous content on an old, unused, subdomain. In this case, the Single Sign On (SSO) was configured using a shared cookies model that was configured for * (all sub-domains). This meant that if an attacker were to compromise a subdomain and steal cookies from an end user, all access that user had would be now available to the attacker. This would turn the sub-domain into a waterhole attack and potentially expose troves of sensitive data should the attacker coerce the right individuals to surf to that subdomain.

The Hidden Risks of Scale: Identifying Exposures in Subdomains | Cloud Computing & SaaS Awards (3)

A Crucial Component of Comprehensive Cybersecurity

Establishing and maintaining a robust cybersecurity practice begins by fortifying every facet of your digital footprint and maintaining that stance as the organization grows. As businesses navigate an increasingly complex digital landscape, the integration of subdomain security into broader cybersecurity strategies becomes paramount for maintaining stakeholder trust and engagement.

Identifying susceptible domains within a network can be complex, yet with the implementation of straightforward protocols and a central control source, organizations can safeguard their assets and uphold their reputation over time. Businesses should strive for an operational layered defense approach to protecting themselves. Solely relying on the security team is a surefire way to failure. Developers, marketers, or anyone charged with creating new resources that use subdomains should be aware of these types of attacks. This will help to ensure adherence to process when decommissioning old and unused resources.

Additionally, IT departments managing DNS resolution should consistently track and document newly created subdomains giving them an opportunity to audit frequently. Finally, security teams can run regular scans leveraging Attack Surface Management tools to quickly identify any gaps or failures in the process. These teams, working together in concert, will protect the business from subdomain takeovers. Ultimately, a holistic cybersecurity approach that includes robust subdomain security is essential for safeguarding the integrity and continuity of operations in today’s interconnected world.

The Hidden Risks of Scale: Identifying Exposures in Subdomains | Cloud Computing & SaaS Awards (2024)
Top Articles
Latest Posts
Article information

Author: Saturnina Altenwerth DVM

Last Updated:

Views: 6184

Rating: 4.3 / 5 (44 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Saturnina Altenwerth DVM

Birthday: 1992-08-21

Address: Apt. 237 662 Haag Mills, East Verenaport, MO 57071-5493

Phone: +331850833384

Job: District Real-Estate Architect

Hobby: Skateboarding, Taxidermy, Air sports, Painting, Knife making, Letterboxing, Inline skating

Introduction: My name is Saturnina Altenwerth DVM, I am a witty, perfect, combative, beautiful, determined, fancy, determined person who loves writing and wants to share my knowledge and understanding with you.