ASM Cheatsheet
Case Study 1

Fortune 500 Shadow IT Discovery

Background

Company: Major financial services firm (anonymized)
Challenge: Unknown cloud assets and shadow IT proliferation
Timeline: 6-month engagement
Team Size: 3 security engineers + 1 consultant

The Problem

The organization suspected significant shadow IT usage but had no visibility into:

  • Unauthorized cloud services
  • Developer-created test environments
  • Third-party integrations
  • Subsidiary digital assets

Business Impact:

  • Potential regulatory compliance violations
  • Unknown data exposure risks
  • Inability to assess true security posture
  • Audit findings and regulatory pressure

ASM Approach

Phase 1: Asset Discovery (Month 1-2)

# Comprehensive domain enumeration (space-separated so the for loop splits it)
COMPANY_DOMAINS="bigbank.com bigbankservices.com bigbank-corp.com"

# Multi-source discovery
for domain in $COMPANY_DOMAINS; do
    # Certificate transparency (%25 is the URL-encoded % wildcard crt.sh expects)
    curl -s "https://crt.sh/?q=%25.${domain}&output=json" | \
    jq -r '.[].name_value' | sort -u > "${domain}_ct.txt"

    # Passive DNS
    amass enum -passive -d "$domain" -timeout 30 -o "${domain}_amass.txt"
done

# Cloud-specific enumeration is keyword-based rather than domain-based, so it
# runs once; cloud_enum checks AWS, Azure and GCP by default
python3 cloud_enum.py -k bigbank

# Merge every source into one lowercase, de-wildcarded, deduplicated list
cat *_ct.txt *_amass.txt | tr '[:upper:]' '[:lower:]' | sed 's/^\*\.//' | sort -u > all_subdomains.txt

# Results: 2,847 unique subdomains discovered

Phase 2: Cloud Asset Identification (Month 2-3)

# Cloud service hostname patterns identified
grep -E "(amazonaws|azure|gcp|s3|blob)" all_subdomains.txt > cloud_assets.txt

# Custom cloud enumeration: naming conventions the company was known to use
cat > cloud_patterns.txt << EOF
bigbank-dev
bigbank-test
bigbank-prod
bigbank-staging
bigbank-backup
bigbank-data
bigbank-analytics
EOF

# S3 bucket discovery: an unsigned listing only succeeds on publicly listable buckets
while read -r pattern; do
    aws s3 ls "s3://$pattern" --no-sign-request 2>/dev/null && echo "$pattern - ACCESSIBLE"
done < cloud_patterns.txt

Phase 3: Risk Assessment (Month 3-4)

# Live service detection (JSON lines keep the fields machine-readable)
httpx -l all_subdomains.txt -tech-detect -status-code -title -json > live_services.json

# High-risk service identification
grep -iE "(admin|api|dev|test|staging|backup)" live_services.json > high_risk.txt

# Technology stack analysis: count each detected technology across all live hosts
jq -r '.tech[]?' live_services.json | sort | uniq -c | sort -nr > tech_summary.txt
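Phases 1 to 3 are really one pipeline: merge the discovery sources, normalize the names, then tag which hosts are cloud-hosted and which match the high-risk name patterns. The script below is an added example, not code from the case study; it runs that classification over a constructed sample list, and the provider suffixes it keys on (amazonaws.com, blob.core.windows.net, storage.googleapis.com) are assumptions chosen to match the grep patterns above.

```shell
#!/usr/bin/env bash
# Added example (not from the original case study): normalize merged
# discovery output and tag cloud-hosted / high-risk hostnames.
set -euo pipefail

# Constructed sample: merged crt.sh + amass output, including a wildcard
# entry, mixed case and a duplicate, as real CT data tends to contain.
SAMPLE_HOSTS='*.BigBank.com
api.bigbank.com
dev-portal.bigbank.com
bigbank-backup.s3.amazonaws.com
reports.blob.core.windows.net
www.bigbank.com
Admin.bigbankservices.com
api.bigbank.com'

# normalize_hosts: lowercase, strip wildcard prefixes, drop blanks, dedup (stdin -> stdout)
normalize_hosts() {
    tr '[:upper:]' '[:lower:]' | sed 's/^\*\.//' | grep -v '^$' | sort -u
}

# classify_host: print "host<TAB>tags" for one hostname ("none" if nothing matched)
classify_host() {
    local host=$1 tags=""
    case "$host" in                               # provider by hostname suffix (assumed list)
        *.amazonaws.com)          tags="cloud:aws " ;;
        *.blob.core.windows.net)  tags="cloud:azure " ;;
        *.storage.googleapis.com) tags="cloud:gcp " ;;
    esac
    # same high-risk name pattern the case study greps for in Phase 3
    if printf '%s' "$host" | grep -qiE '(admin|api|dev|test|staging|backup)'; then
        tags="${tags}high-risk "
    fi
    tags=${tags% }
    printf '%s\t%s\n' "$host" "${tags:-none}"
}

# classify_all: full pipeline over the sample, one line per unique host
classify_all() {
    printf '%s\n' "$SAMPLE_HOSTS" | normalize_hosts | while read -r h; do classify_host "$h"; done
}

# count_tag: number of hosts carrying a given tag (prints 0 when none)
count_tag() { classify_all | grep -c "$1" || true; }

classify_all
```

In the engagement this sits between the merge step of Phase 1 and the httpx run of Phase 3, so only the tagged hosts need the slower live probing.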

Key Findings

Shadow IT Assets Discovered

  • 847 unauthorized cloud assets across AWS, Azure, and GCP
  • 156 development environments exposed to the internet
  • 23 production databases with public access
  • 67 third-party integrations without security review

Critical Security Issues

  1. Exposed customer data in 12 unsecured S3 buckets
  2. Admin panels accessible without VPN on 34 services
  3. Default credentials found on 8 development systems
  4. Unencrypted data transmission on 45 legacy services

Implementation Results

Immediate Actions (Month 4)

#!/bin/bash
# secure_exposed_assets.sh - emergency remediation script

# Secure S3 buckets: first block all public ACLs and public bucket policies ...
aws s3api put-public-access-block --bucket exposed-bucket \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

# ... then require TLS for any remaining authorized access (bucket and object ARNs)
aws s3api put-bucket-policy --bucket exposed-bucket --policy '{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::exposed-bucket", "arn:aws:s3:::exposed-bucket/*"],
        "Condition": {
            "Bool": {"aws:SecureTransport": "false"}
        }
    }]
}'

# Block public access to admin panels
while read -r host; do
    # Coordinate with teams to implement IP restrictions
    echo "Securing: $host"
done < admin_panels.txt

Long-term Improvements (Month 5-6)

  • Continuous monitoring implemented using custom ASM pipeline
  • Cloud governance policies established
  • Developer training on secure cloud practices
  • Asset inventory integration with CMDB

Business Outcomes

Quantified Results

  • $4.2M in potential fines avoided through proactive compliance
  • 847 shadow assets brought under management
  • 99.7% reduction in unauthorized cloud spending
  • Zero security incidents in 18 months post-implementation

Process Improvements

  • 30-day asset discovery cycle established
  • Automated alerting for new cloud resources
  • Security review process for all new deployments
  • Executive dashboard with real-time asset visibility

Lessons Learned

What Worked Well

  1. Multi-source discovery provided comprehensive coverage
  2. Cloud-specific enumeration revealed hidden assets
  3. Executive sponsorship enabled rapid remediation
  4. Cross-team collaboration improved adoption

Challenges Faced

  1. False positives required manual verification
  2. Initial team resistance to disclosing assets
  3. Legacy system complexity slowed remediation
  4. Vendor coordination was needed for third-party assets

Key Recommendations

  1. Start with passive discovery to avoid disruption
  2. Engage legal early for compliance implications
  3. Implement gradual rollout to manage change
  4. Invest in automation for sustainable operations