A Tale of Three Expanse Customers

The Internet is a small place. Attackers can scan the Internet in under an hour and get a list of every RDP, database, and abandoned web server out there. Because attackers can find exposed assets quickly, it’s important for organizations to reduce their attack surface so there are fewer opportunities for unauthorized entry. At Expanse, we specialize in discovering, and monitoring, Internet assets for the world’s largest organizations so they can reduce their attack surface and lock down their perimeter.

Continue reading

Black Hat

3 Must-See Sessions at Black Hat 2019

It’s that time of the year again: Black Hat 2019 is almost here. As always, it should be a great event with top-of-the-line keynotes, fascinating sessions, amazing options from the vendor community (Expanse included), and of course an opportunity to mingle with friends and colleagues in the security industry.  

Continue reading

How to Implement Policies to Secure Your Network

How to Implement Policies to Secure Your Network

Certain security basics used to be good enough to protect your network. You could roll out an endpoint security tool, implement a firewall, and use sandboxing, and at least sleep a little easier at night. But today’s attackers are more sophisticated, and that means security professionals have to be more sophisticated, too. 

Continue reading

How a Fortune 500 Company Reduced Attack Surface by using Expanse

Fortune 100 Financial Services Company Reduces Attack Surface


Like most large financial institutions, this Fortune 100 financial services company has a complex network. From M&A activity to cloud development to securing critical suppliers, it was challenging for the company to identify and monitor all of its Internet-connected assets. And without a complete and accurate IT asset inventory, it was even more challenging to secure those assets. 

Continue reading

What Keeps Security Leaders Up At Night

What Keeps Security Leaders Up At Night

It’s easy to focus on the threats that you know about, and easy to ignore the ones that you don’t see. When organizations conduct vulnerability scans, they get a weekly reminder of all of the unpatched and out-of-date devices on their network. Spam and phishing emails come in daily and are a constant reminder of the need for vigilance. 

Continue reading

Worried About Your Internet Presence?

Worried About Your Internet Presence? Focus on Your Attack Surface

The Internet has created myriad ways for people and organizations to connect with one another. Unfortunately, attackers will attempt to find and exploit the Internet presence of an organization. All of the connections, profiles, pages, and posts can be discovered and potentially weaponized in both targeted and opportunistic attacks.

Continue reading

RDP and BlueKeep: What You Need To Know

RDP and BlueKeep: What You Need To Know

On May 14th, 2019, Microsoft released a patch for a pre-authentication vulnerability affecting several versions of Windows. Microsoft even released a patch for end-of-life software because the vulnerability is so serious that it has the potential to create a WannaCry-styled global outbreak. In this post, we’ll talk about RDP, the vulnerability, and how you can make sure that you’re secure.

RDP: Already Known to be Trouble

Remote Desktop Protocol is a Microsoft-based service that allows a user to remotely connect to a device and interact with it through a virtual interface. It’s like a screen share where you can control what’s happening on the projected screen. RDP is a very useful tool but was never intended to be exposed to the public Internet. If it is ever compromised, the attacker can do just about whatever they want; it’s as if they were sitting in front of the physical device.

RDP has a lot of known issues. In fact, RDP is one of the most common entry vectors for ransomware. The SamSam campaign has targeted dozens of organizations, bringing down hospitals and local government. Attackers scan the global Internet looking for exposed devices open on RDP and then attempt a brute-force password guessing attack. If strong passwords and lockouts aren’t used, the attacker can gain direct access to a user’s machine and then begin to move laterally. It’s incredibly dangerous to have one thin layer separate attackers from a user’s device, which is exactly how RDP operates when it is publicly exposed.

WannaCry 2.0

RDP is already known to be risky. But CVE-2019-0708 — also known as BlueKeep — takes things up a notch by allowing an attacker to remotely execute code pre-authentication with no user interaction. This is just about as bad as it can get for a vulnerability. All an attacker needs is a vulnerable device; no user to click on anything, no privileges, nothing. And the complexity of the attack is low, meaning that attackers will reverse engineer the exploit quickly.

The result could be a program that seeks out vulnerable devices (of which there are many), automatically infects them, and then continues to spread. These worms, which are self-propagating infections, are the worst kind and can quickly spiral out of control.

In 2017, WannaCry infected around 200,000 machines across 150 countries via a similar mechanism (SMB). Hospitals were hit especially hard, rendering their computer systems unusable. An RDP worm could cause similar damage, making this a vulnerability that’s especially important to patch immediately.

Cover Your Assets

With all of the dangers associated with RDP, you might think that it is tightly controlled and rarely exposed. But you’d be wrong. In the past two weeks, Expanse observed RDP instances exposed at 50% of the Fortune 500. Seventy percent of the Fortune 100 had at least one exposure in the past three months.

Why are these exposures so common? Mostly because they occur in an organization’s blind spot, namely cloud and ISP IP space. Some employees purposely expose their laptops on RDP to get work done. Other times, misconfigurations can result in an employee’s laptop being exposed while they travel.

These exposures occur outside of an organization’s known IP space. It could be in IP space registered to a coffee shop, a hotel chain, or their home Internet connection, but it can be nearly impossible for the security team to detect the exposure unless they are monitoring the global Internet.

Expanse identifies rogue RDP exposures via signature-based detection. Cyber risk analysts use Expanse’s internal mapping engine to discover and track specific configuration details. These are used to track RDP exposures no matter where they occur. Exposures that reside in on-prem, cloud environments, consumer dynamic IP space, or any other portion of the Internet can be found when you monitor everything.

To help organizations protect themselves, we’re offering a complimentary report on your RDP exposures.

Simplify Security with Automated Asset Discovery and Monitoring

Simplify Security with Automated Asset Discovery and Monitoring

A comprehensive understanding of what assets are yours is the foundation of a secure organization. If you have gaps in visibility or assets you don’t know about, then you are at risk. These gaps and unknowns are the footholds that attackers will use to get into your organization.

Because networks change frequently (even daily), the asset list you had yesterday is not likely to be accurate unless it’s being continuously updated automatically. That means that if you’re using a manual process, such as self-reporting and an Excel spreadsheet, you’re already behind.

An automatically populated asset list allows your security teams to pull from a list that is continuously updated, including when infrastructure or configurations change, mergers occur, or new assets are put into production. You can automatically learn when a server or service is exposed, like the accidental exposure of a database to the Internet, a poorly configured remote endpoint running RDP, when the Marketing or Human Resources team launches a new service in an unapproved cloud vendor in Asia, or when your developers stand-up an insecure test or dev system in AWS. These are all potential unknown unknowns and points of entry into your organization.

It’s Time for a Global View of Your Internet Assets

Your existing suite of security tools only secures what they know about. Vulnerability Management tools, for example only scan what is known. Cloud Security Management Platforms, meanwhile, only manage accounts you already know about — you tell them what to watch, and then they’ll watch them.

With Expanse Expander, however, you discover all of your Internet-exposed assets, including those you don’t know about. Those unknowns are often a large part of your exposed attack surface — we routinely discover 30% more assets than a given organization was tracking previously.

We do this by continuously indexing the entire global Internet and collecting data about all the assets we discover. We use customer signatures like certificates, domains, registration information, and more to automatically tie the assets we see back to their parent organization, providing our customers with a complete, outside-in view of their networks and everything that belongs to them. With our new Cloud Module, we can even associate assets in the constantly changing ephemeral IP space back to organizations. We do this across all cloud providers.

Security begins with knowing what you need to protect. Learn more about how to automatically discover and monitor your Internet-connected assets in our latest tech brief:

Increasing Your IQ Around Attack Surface Reduction

Your Attack Surface Problem Is Really an Asset Management Problem

The foundation of effective security is knowing what you need to protect. Without a full inventory of your Internet-connected assets, you don’t have a clear picture of your attack surface. And that means you can’t identify and remediate exposures. While many organizations today may think they understand their attack surface, the truth is that they don’t because of a fundamental breakdown in asset management and governance.

Continue reading

Shiny Things

Shiny Things: Why Your Certificates Matter

Who really ever wants to be a target? Unless it is of someone’s affection, it is pretty much never a good thing. Especially in the world of cybersecurity. Now don’t get me wrong, it doesn’t take much to attract the attention of someone hacking for fun, profit, or even to make a statement, but sometimes we do things that attract unnecessary attention to ourselves.

Continue reading

Machine speed attacks create new security risks for remote workforce tech

Machine-speed Attacks Create New Security Risks for Remote Workforce Technologies

RDP and other productivity-enhancing tools leave organizations exposed to attacks on their ever-changing attack surface

In a previous post, we discussed advances in technology that have made it possible to scan the entire public Internet much faster than ever before. Because of these advances, the thought that exposures can simply hide on the Internet is no longer true. You may think that your organization isn’t a target for cybercriminals, but the ease through which an exposure can be found opportunistically means that you may end up a victim anyway.

Continue reading

Misconfigured Datastore Services Abound in the Cloud

Cloud hosting provides great flexibility for your developers. But this agility comes with security risks.

Cloud hosting provides great flexibility for your developers. They are lured to the cloud by promises of rapid deployments and order-of-magnitude decreases in maintenance costs. But this agility comes with security risks as new services are deployed without adequate safeguards for security and compliance.

Continue reading