External Threat Management

Know Your Internet-Exposed Services, Know Your Attack Surface

A modern organization's digital presence is a mosaic of internet-connected services—hardware, software, and digital supply chains. More internet services mean complexity goes up, and "non-standard" becomes the norm. However, while these digital services boost functionality, they can also unexpectedly change how organizations appear to attackers and, at any time, open up exposures across an attack surface. Just recently, the massive boost in VPN and remote access to enable staff forced to work from home has created an array of new access points for attackers to interrogate.

With your attack surface regularly in flux, keeping tabs on its composition as well as the infrastructure of attackers targeting it is one of the most challenging jobs facing security teams today. However, deep insight across the public internet makes it not only possible but also manageable.

Discover Unknowns

Enterprise digital attack surfaces are dynamic, complicated, and hard to keep under control. They're a tangle of IP-connected devices and third-party dependencies across the web and in the cloud that continuously change, go out of date, and become exposed.

Many of these systems were stood up without the oversight of security teams and then forgotten, so they cannot be evaluated or pen-tested. Some were stood up to accommodate a suddenly homebound workforce, and IT teams, moving quickly, may have misconfigured them. Others, like third-party shopping platforms, are entirely outside the purview of most organizations' security tools and can become vulnerable without anyone ever knowing.

Threat actors know these internet-connected services can be easy inroads to corporate networks and are always scanning for vulnerable services to attack. To counter hackers, security teams must have visibility into the IPv4 space so they can develop a full inventory of the digital assets connected to their organization outside the internal network, and flag assets that become vulnerable so they can be patched and put under management.

Here are a few recently exploited services that far too many organizations could not identify and address:


Threat actors continue to threaten organizations with unknown and misconfigured web servers across their attack surface. ZDNet reported that a malicious actor has been scanning the internet for unsecured Elasticsearch instances, wiping over 15,000 servers. Most organizations have dozens of servers across their attack surface, any of which can become exposed.

Shopping platforms

Shopping platforms like Shopify and Magento can become vulnerable, especially out-of-date versions. Magento vulnerabilities have been a target for Magecart operatives over the years and have led to skimmers on thousands of e-commerce sites.


VPN usage has surged 112% with stay-at-home orders forcing staff to work remotely. Unfortunately, many VPNs, like Palo Alto GlobalProtect, have had glaring vulnerabilities in the past. A report from ClearSky Security uncovered a campaign waged by Iranian state-sponsored hackers using vulnerabilities in VPNs, including GlobalProtect, to gain access to dozens of organizations around the world.

Remote Access points

Remote access points are being stood up at a record pace. In March, RiskIQ noted a 26.11% increase in Microsoft Remote Access Gateway instances, stood up to support people working from home, which have several known vulnerabilities.


There are likely innumerable routers across the attack surface of the average large organization, many of which are set up without oversight by the security team. For example, ZTE Routers are among the most commonly seen network devices in our data. As always, vulnerabilities exist for such devices, which attackers can use to collect data or tamper with your network.


It's likely your organization's websites use jQuery, and while many security teams aren't familiar with every line of the library, they trust that it's secure. However, vulnerabilities in jQuery have occurred, and because of the library's ubiquity, it can leave a vast swath of the web exposed. Often jQuery has been open to Cross-site Scripting (XSS) attacks, where malicious code can be injected that the browser (unknowingly) executes.

Access systems and IoT devices

Attack surfaces have changed drastically in industries like manufacturing and energy, where work can't get done without access systems and internet-connected equipment. For example, webcams dominate the most popular searches in Shodan, indicating that they are a frequent target among attackers. AVTECH devices and firmware have suffered from numerous well-known security vulnerabilities.

Know your attack surface

Security teams must arm themselves with the power of seeing their entire business from the perspective of the internet. Defining your attack surface by fingerprinting each component, connection, service, IP-connected device, and infrastructure provides a strategic advantage in dealing with your living, breathing attack surface.


For security teams, knowing which IP-connected services are part of the attacker's infrastructure and how they're wielding them against you can be just as important as knowing your own attack surface. In our recent blog post highlighting our Internet Intelligence Graph, we note that its power lies in a deep understanding of the internet and knowing how both the good guys and the bad guys fit inside it. In each of the attacks highlighted above, threat actors used IP-connected services of their own to attack businesses. Defenders with the right tools could have used this to their advantage.

Know an IOC when you see one

Intelligence from regular port scans across systems responsive online gives analysts immediate insight into infrastructure used in attacks against their organization. Knowing the services running on malicious IPs can point you to enemy vitals like C2 servers and certificates.

Illuminate attacker infrastructure

When investigating an adversary, data from port scanning alone isn't enough. Visibility into internet-connected services is good, but combining it with deep intelligence from web-crawling makes it powerful.

After an analyst identifies a particular asset running on an attacker-owned IP, say a C2 server, crawl data shows you the rest of the story: which other components are running on that page, which pages share those components, and which IPs those components resolve to. Suddenly, an attacker's entire toolset becomes illuminated.
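The pivot described above, sketched as an added example (not RiskIQ's code or data model): the record layout, component labels and the `max_pages` cutoff are assumptions, and every host and value is constructed. The cutoff reflects the jQuery point made earlier: a component present almost everywhere links unrelated sites and is useless as a pivot.

```python
from collections import defaultdict

# Constructed crawl observations (documentation IP ranges, example domains).
CRAWL = [
    {"page": "http://panel.example.net/login", "ip": "203.0.113.10",
     "components": {"cert:constructed-aaaa", "tracker:UA-CONSTRUCTED-1", "lib:jquery"}},
    {"page": "http://cdn-update.example.org/", "ip": "198.51.100.7",
     "components": {"cert:constructed-aaaa", "lib:jquery"}},
    {"page": "http://shop-check.example.com/", "ip": "198.51.100.44",
     "components": {"tracker:UA-CONSTRUCTED-1", "cookie:sessx"}},
    {"page": "http://blog.example.edu/", "ip": "192.0.2.80",
     "components": {"lib:jquery", "cookie:wp"}},
    {"page": "http://news.example.info/", "ip": "192.0.2.81",
     "components": {"lib:jquery"}},
]

def pivot(seed_ip, crawl, max_pages=3):
    """Return {ip: {page: shared components}} for hosts linked to seed_ip.

    Components seen on more than max_pages pages are ignored: a library as
    common as jQuery links everything to everything and proves nothing.
    """
    # Index: component -> pages it was observed on.
    pages_by_component = defaultdict(set)
    for rec in crawl:
        for comp in rec["components"]:
            pages_by_component[comp].add(rec["page"])

    # Everything observed on the seed IP, minus the ubiquitous components.
    seed_components = set()
    for rec in crawl:
        if rec["ip"] == seed_ip:
            seed_components |= rec["components"]
    rare = {c for c in seed_components if len(pages_by_component[c]) <= max_pages}

    # Other hosts whose pages carry at least one of those rare components.
    related = defaultdict(dict)
    for rec in crawl:
        shared = rec["components"] & rare
        if rec["ip"] != seed_ip and shared:
            related[rec["ip"]][rec["page"]] = sorted(shared)
    return dict(related)

if __name__ == "__main__":
    for ip, pages in sorted(pivot("203.0.113.10", CRAWL).items()):
        for page, shared in pages.items():
            print(ip, page, shared)
```

Each hit records which component produced the link, so an analyst can weigh a shared certificate differently from a shared tracking ID before treating a host as attacker-controlled.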

Decrease MTTR

When you're under attack, time is of the absolute essence. For analysts and incident responders, visibility into the entire IPv4 space is key to uncovering attacker infrastructure and taking decisive action quickly. Being able to detect specific technologies in use by your adversary and then quickly note the build and its relationship with the rest of the components on a web page or server—all on one platform—can be the difference between preventing a breach and a successful attack.

See more and do more with RiskIQ

RiskIQ collects data at an unmatched scale. Our systems conduct daily scans of more than 228 unique ports and service banners across the entire IPv4 space to collect host data, including when it was first and last seen, service banners, and much more. These observations are saved within the RiskIQ Internet Intelligence Graph and made available to customers.

Meanwhile, our network of virtual users makes billions of HTTP requests, takes in terabytes of passive DNS data, and collects millions of components such as SSL Certificates, tracking codes, and cookies. RiskIQ is currently mapping 157 billion relationships across the internet to help organizations discover their attack surface and add a whole new layer to their threat investigations.

Explore RiskIQ's exposed services data set in RiskIQ PassiveTotal, and learn how RiskIQ can help you discover and protect your attack surface today.
