Use example queries or visual filters to find data in Attack Surface Intelligence

Attack Surface Intelligence provides direct access to SecurityScorecard's data with more than 4.1 billion IP addresses scanned every 10 days across 1500+ ports globally. 

Use the tool's search capabilities to correlate views of the internet's exposed IPs and vulnerabilities with relevant threat actor context and analyze risks to a region, organization, or individual assets.

Note:  Attack Surface Intelligence does not surface potential vulnerabilities. It surfaces Common Vulnerability Enumerations (CVEs) that we confirm as being actual vulnerabilities. SecurityScorecard does, however, flag potential vulnerabilities as an issue type. Learn more.

Understand how Attack Surface Intelligence search queries work

SecurityScorecard stores Attack Surface Intelligence data with Amazon Web Services (AWS), so the tool uses AWS CloudSearch query structures for searching. To fully understand all possibilities for building queries, see comprehensive guidance on using CloudSearch.

Tip: For automating and integrating Attack Surface Intelligence, see the API article. 

Search from a global to a local level

You can devise a number of different ways to search and filter Attack Surface Intelligence data. This section provides an example of how you can…

1. Start a search to gain a broad view of threats based on high-level search criteria.
2. Based on results from the initial search, trace and correlate details of specific threats to determine what risks they pose and how to address them.
3. Analyze aspects of threats at a granular level.

To get started, select Attack Surface Intelligence from the Modules drop-down list in the top navigation bar.

Initiate a search with a sample query

Attack Surface Intelligence provides a number of preset queries that you can use without writing your own. These sample queries can be helpful for starting to use the tool and understanding its capabilities, especially if you are not familiar with writing queries. You also easily can modify sample queries according to your needs.

These queries reflect some prevalent use cases and interesting scenarios, such as:

• All IPs for breached domains in the financial services industry within Germany
• All IPs with malicious reputations on a blocklist or threat feed that also are attributed to domains attacked by the CONTI ransomware group
• All IPs running Windows operating systems that are not associated with any Scorecard.
• All IPs with exposed webcams that have Chinese SSL certificates yet are hosted in the United States

This section provides steps based on starting with a sample query. To initiate a search based on your own query, see Create your own queries.

To use a sample query:

1. In the top navigation menu, select Attack Surface Intelligence under Modules.
   
   
   
   
2. In Attack Surface Intelligence, click More examples under the search box. 
3. In the right panel that appears, read the query descriptions and click a query.
   
   These steps will use the sample query for all IPs belonging to government organizations with port 22 open and at least one detected vulnerability that has been exploited by the North Korean threat actor Lazarus Group.
   
   
   
   

Attack Surface Intelligence displays a page of search results with the selected query in the search text box.

Review your initial search results for comprehensive data about each IP that matches the query:

• The IP’s location and host name, if available
• The domain to which the IP is attributed
• Vulnerabilities that we discovered on the IP
• Ransomware groups or threat actors, such as Lazarus Group from your initial query, who have exploited any of those vulnerabilities anywhere on the internet
• Blocklists that include the IP because suspicious or malicious activity was detected on it  (malicious reputation)
• Malware infections that have been been detected on the IP 
• Services, protocols, and other processes running on the port from your initial query, in this case, port 22

Initiate a search with visual filters

Each visual filter consists of one or more sets of criteria for the information you want to see. 

How multiple criteria are related within a filter

If you select multiple criteria within a filter, choose how they are related to each other:

• AND returns values for all criteria within a filter for a narrower range of possible results.
• OR returns values for any criteria within a filter for a wider range of possible results.

For example, the following search only returns values for both criteria:

IP address is 123.45.678.9

AND

CVE is CVE-2023-27997

The following search returns any values for both criteria, and the result set is likely much larger.

IP address is 123.45.678.9

OR

CVE is CVE-2023-27997

How multiple filters are related

Using multiple filters can be helpful if, for example, you want to use a base set of criteria in one filter and then compare results for that set against different types of criteria. 

If you select multiple filters, choose how they are related to each other:

• AND returns values for all filters for a narrower range of possible results.
• OR returns values for any filters for a wider range of possible results.

Tip: Start with simpler queries, and gradually add criteria and filters to hone your searches. Watch how joining multiple criteria or filters with AND or OR affects the number and specificity of your result sets.

Start a search with visual filters

1. In Attack Surface Intelligence, select Visual Search.
   
   
   
2.  Select an information type from the drop-down list.
   

• • See a full list of items that you can search for, including their descriptions, and examples.
  • The Quick filter item includes current, time-sensitive items. For example, select the MOVEit value to find IP addresses in vendor domains that run the MOVEit service. Learn more about addressing the MOVEit zero-day vulnerability.
  • You also can specify names of Portfolios that you have access to.
    
    
    

3. Select an operator:

• • Is includes values that you specify, so the results would all match that specific value.
    
  • Is not excludes values that you specify, so, for example the query
    For example, the query
    Threat actor is not Cobalt group
    returns results that include all threat actors, other than Cobalt group, that are relevant to any other criteria in the query. 
    
    
    

4. Enter or select a value to search on.
   

   Tip: To help ensure matches, see examples for items that you can search on to understand how certain values are formatted.
   
   

5. Add criteria and filters, repeating the selection steps as needed.
   
   
   
   

   Tip: Notice how the syntax of the query changes in the preview. each time you add criteria or filters.
   
   

   4. After selecting your criteria and filters, click Search and see your results.
      
      
      

Modify your initial query

You may want to refine, expand, or otherwise change your query to see more or different data. 

One way is to change the value for any of the facets in the search text box. For example, to change the industry to healthcare, replace GOVERNMENT with HEALTHCARE for the industry facet and press ENTER or return on your keyboard. Learn more about editing queries.

You also can simply click items from the facets displayed in the left panel of the search results page. Each facet includes 10 items that appear most frequently in the search results for that facet.

For example, click France from the Top countries facet to narrow the search to only affected IPs in France…

…and now the results page only displays IPs located in France, as reflected in query syntax in the search box.



You can change the threat actor in your search or add a specific product that concerns you.

Tip: If you are looking for an item that does not appear in one of the facet lists because it is not one of the “top” items, you can hand-edit the query. For example, to add the company Netsy to the query, insert and org:'Netsy' after the first opening parenthesis in the search box, so that the entire query looks like:

(and org:'Netsy' (and product:'MySQL' (and threat_actor:'Gamaredon Group' (and country_name:'France' (and port:22 threat_actor:'Lazarus Group' industry:'GOVERNMENT')))))

Review the results:

Analyze the details in your results

After creating or refining a search filter to generate an optimal view of Attack Surface Intelligence data, you can study the results to connect data points or find granular details.

For example, click an IP address to see a page of comprehensive threat-related information about it…

Then, in the Threats and vulnerabilities table, filter on Lazarus to see a specific CVE on that IP that the Lazarus Group has been known to exploit….

Then, click the CVE for details available in the National Vulnerability Database…

From there, knowing that this CVE is associated with the threat actor from your original query, Lazarus Group, you can click Search in Attack Surface in the details panel isolate the CVE in a new search to trace this combined threat of CVE and threat actor in the contexts of other IPs, ports, domains, and threat actors.

See also

• Create your own queries in Attack Surface Intelligence
• Attack Surface Intelligence API