Company X has a website and an internal network. The website is hosted by a provider; the site is not on X's network. X's network has Internet access so they can browse, send email etc. The website is the public world access to the company. They can see and read up about the company. All good and dandy. X's internal network has security measures in place, that any good company should; IDS, IPS, firewalls, IPtables galore.
An attacker(or what have you) wants to breach company X's internal network for what ever purpose. To do so, the attacker needs to know how the company connects to the Internet. The company's connection is referenced by their assigned IP address from their ISP. How can an attacker find the IP address of the company and how can the company make such information hard to obtain? A ping sweep is not practical and so is trying to attack the ISP. Could one possible option be breaching the company website to try and find traffic information that points to the company's IP address? I can't think of any other way of finding the IP address of the company. I know if the attacker as physical access to the network he could directly jack in or setup a rouge wireless AP. Or the attacker can gain documents or verbal communication to discover VPN info or other remote access methods. But I want to know how it is possible for an attacker to determine how to remotely access the company's network without using the aforementioned techniques.
This brings up another question. In a typical set up a website is not hosted directly by a company X. The site is hosted by a hosting business. To be more efficient and modern Hosts use visualization. So when sending pings or other traffic to a website it is not directly hitting one entity. The traffic is being routed internally; it hits the routing machines, then the server running the VM, directed to the right VM, and finally processed appropriately by the localized server software. In short when pining a website you are indirectly touching a single server. So how can a single website be compromise when there are so many layers of the hosting framework? It seems like the target server is buried far away and just getting to one site requires breaking through many systems merely for one target. Does the VM host server have to be compromised first? I know SQL injections will leak private data that could be useful in attacking a website. Where and what security measures need to placed to prevent website directed attacks?