Search and correlate ASI data

In this article:

Tip: For automating and integrating ASI, see the API article. 

Attack Surface Intelligence (ASI) provides direct access to SecurityScorecard's data with more than 4.1 billion IP addresses scanned every 10 days across 1400+ ports globally. 

Use ASI’s search capabilities to correlate views of the internet's exposed IPs and vulnerabilities with relevant threat actor context and analyze risks to a region, organization, or individual assets.

Note:  Attack Surface Intelligence does not surface potential vulnerabilities. It surfaces Common Vulnerability Enumerations (CVEs) that we confirm as being actual vulnerabilities. SecurityScorecard does, however, flag potential vulnerabilities as an issue type. Learn more.

Understand how ASI search queries work

SecurityScorecard stores ASI data with Amazon Web Services (AWS), so ASI uses AWS CloudSearch query structures for searching. To fully understand all possibilities for building queries, see comprehensive guidance on using CloudSearch.

Search from a global to a local level

You can devise a number of different ways to search and filter ASI data. This section provides an example of how you can…

1. Start a search to gain a broad view of threats based on high-level search criteria.
2. Based on results from the initial search, trace and correlate details of specific threats to determine what risks they pose and how to address them.
3. Analyze aspects of threats at a granular level.

Initiate a search with a sample query

ASI provides a number of preset queries that you can use without writing your own. These sample queries can be helpful for starting to use ASI and understanding its capabilities, especially if you are not familiar with writing queries. You also easily can modify sample queries according to your needs.

These queries reflect some prevalent use cases and interesting scenarios, such as:

• All IPs for breached domains in the financial services industry within Germany
• All IPs with malicious reputations on a blocklist or threat feed that also are attributed to domains attacked by the CONTI ransomware group
• All IPs running Windows operating systems that are not associated with any Scorecard.
• All IPs with exposed webcams that have Chinese SSL certificates yet are hosted in the United States

This section provides steps based on starting with a sample query. To initiate a search based on your own query, see Create your own queries.

To use a sample query:

1. In SecurityScorecard, select Attack Surface (ASI).
   
   
   
   
2. In ASI, click More examples under the search box. 
3. In the right panel that appears, read the query descriptions and click a query.
   
   These steps will use the sample query for all IPs belonging to government organizations with port 22 open and at least one detected vulnerability that has been exploited by the North Korean threat actor Lazarus Group.
   
   
   
   

ASI displays a page of search results with the selected query in the search text box.

Review your initial search results for comprehensive data about each IP that matches the query:

• The IP’s location and host name, if available
• The domain to which the IP is attributed
• Vulnerabilities that we discovered on the IP
• Ransomware groups or threat actors, such as Lazarus Group from your initial query, who have exploited any of those vulnerabilities anywhere on the internet
• Blocklists that include the IP because suspicious or malicious activity was detected on it  (malicious reputation)
• Malware infections that have been been detected on the IP 
• Services, protocols, and other processes running on the port from your initial query, in this case, port 22

Modify your initial query

You may want to refine, expand, or otherwise change your query to see more or different data. 

One way is to change the value for any of the facets in the search text box. For example, to change the industry to healthcare, replace GOVERNMENT with HEALTHCARE for the industry facet and press ENTER or return on your keyboard. Learn more about editing queries.

You also can simply click items from the facets displayed in the left panel of the search results page. Each facet includes 10 items that appear most frequently in the search results for that facet.

For example, click France from the Top countries facet to narrow the search to only affected IPs in France…

…and now the results page only displays IPs located in France, as reflected in query syntax in the search box.



You can change the threat actor in your search or add a specific product that concerns you.

Tip: If you are looking for an item that does not appear in one of the facet lists because it is not one of the “top” items, you can hand-edit the query. For example, to add the company Netsy to the query, insert and org:'Netsy' after the first opening parenthesis in the search box, so that the entire query looks like:

(and org:'Netsy' (and product:'MySQL' (and threat_actor:'Gamaredon Group' (and country_name:'France' (and port:22 threat_actor:'Lazarus Group' industry:'GOVERNMENT')))))

Review the results:

Analyze the details in your results

After creating or refining a search filter to generate an optimal view of ASI data, you can study the results to connect data points or find granular details.

For example, click an IP address to see a page of comprehensive threat-related information about it…

Then, in the Threats and vulnerabilities table, filter on Lazarus to see a specific CVE on that IP that the Lazarus Group has been known to exploit….

Then, click the CVE for details available in the National Vulnerability Database…

From there, knowing that this CVE is associated with the threat actor from your original query, Lazarus Group, you can click Search in Attack Surface in the details panel isolate the CVE in a new search to trace this combined threat of CVE and threat actor in the contexts of other IPs, ports, domains, and threat actors.

See also

• Create your own ASI queries
• Attack Surface Intelligence API