Identifying subsidiaries for your network pentest

When we perform external network assessments, one of the crucial initial phases involves comprehensive discovery work. This process not only provides our clients with insights into potentially accessible assets from an attacker’s perspective but also helps identify internet-facing assets that should not be publicly exposed. A key component of this discovery phase is the identification of an organization’s associated subsidiaries.

The Importance of Subsidiary Identification

From an attacker’s standpoint, subsidiaries can be particularly enticing targets when attempting to breach a larger company. There are a few reasons for this:

  1. Varied Security Postures: Subsidiaries may have different security measures in place compared to their parent company, potentially offering easier points of entry.
  2. Integration Points: Connections between subsidiaries and the parent company can provide lateral movement opportunities once a foothold is established.
  3. Legacy Systems: Newly acquired subsidiaries may still be running outdated or unpatched systems that haven’t been integrated into the parent company’s security protocols.

While there isn’t a foolproof method for identifying a company’s up-to-date subsidiaries across the board, we employ several techniques to accomplish this task effectively.

Methods for Identifying Subsidiaries

1. Wikipedia

One of the first places we start is by reading up on the company and its history. Wikipedia often outlines various timelines of acquisitions, lists current subsidiaries, and can generally and can point to domain names and regional locations when cross checking IP addresses.

2. Search Engine Results

Search engines such as Google and DuckDuckGo can also yield valuable results. Using search operators such as site: or " " can help to fine tune your efforts, as well as the news tab to find acquisition announcements. These results, like every other source, aren’t always accurate or up to date, but another data point helps us cross check our final results.

3. Company Websites

Oftentimes, company websites have a news and publications section that discloses major acquisitions. A quick scan for articles of this nature is usually sufficient. Look for:

  • “About Us” or “Our Companies” pages
  • Investor Relations sections
  • Press releases or news archives
  • Annual reports or financial statements

4. Industry News Feeds

Industry-specific news sources can provide valuable insights, especially for recent acquisitions or divestitures. This source is especially useful when the industry your target company operates in isn’t widely covered in general news feeds. Automobile and legal firm acquisitions may not be front page news on major media outlets, but they will be on their industry news feeds.

For example, when investigating subsidiaries for an agricultural company, searching for news involving the word “acquisition” in various agriculture-focused newsletters helped identify a few targets we later found reportable vulnerabilities for.

5. LinkedIn

LinkedIn has proven to be an surprisingly useful source of information for confirming subsidiary relationships. Reading the target company’s description and scanning through employee titles can help identify subsidiary companies and conversely, you can confirm a subsidiary’s affiliation through its own company description.

6. SEC.gov

For publicly traded companies in the US, the Securities and Exchange Commission’s Electronic Data Gathering, Analysis, and Retrieval system, or EDGAR system is an invaluable resource. This database contains public documents filed by the companies in question, and often contains documents pointing to lists of subsidiaires.

While this has mostly been useful for larger, older companies, we’ve had notable success reading through acquisition documents through searching target companies on this site as well.

An easy starting point for checking a company’s subsidiaries is to simply use a search engine and look for “sec edgar companyname subsidiaries.”

Many of these filings can be significantly outdated, so pay close attention to document dates as well.

7. Marketing and Business Intelligence Websites

Various marketing and business intelligence platforms can provide structured data about company hierarchies and relationships. Some useful resources include:

  • Crunchbase: Offers detailed company profiles, including subsidiaries and acquisitions
  • Owler: Provides competitive intelligence, including subsidiary information
  • Bloomberg: Provides detailed company profiles and relationship data
  • ZoomInfo: Provides company hierarchies and relationships

These sites often require subscriptions for full access, but even their free tiers can provide valuable insights.

8. Domain and IP Research

Investigating domain registrations and IP address allocations can uncover subsidiaries:

  • Use WHOIS lookups to find related domain registrations
  • Investigate IP address ranges owned by the target company
  • Use reverse DNS lookups to find related domain names
  • Employ tools like Shodan or Censys to discover related internet-facing assets

Cross-checking IP locations with regions the target company is known to operate in can also give your search some confidence. An IP and domain associated with Southeast Asia is far less likely to be related if your target company exclusively operates in the US Mid-Atlantic.

Conclusion

Identifying subsidiaries is a critical step in conducting thorough network penetration tests. While these methods are never foolproof, using a combination of approaches can help you cross-check your findings for a greater degree of confidence.