In this article:
Tip: For automating and integrating ASI, see the API article.
By crafting targeted searches in Attack Surface Intelligence (ASI), you can unlock the rich, varied, and dynamic threat data in SecurityScorecard and make connections between IPs, vulnerabilities, threat actors, and more. Leverage this data in your investigations of assets, forensic work, vulnerability analysis, and other efforts.
Note: Attack Surface Intelligence does not surface potential vulnerabilities. It surfaces Common Vulnerability Enumerations (CVEs) that we confirm as being actual vulnerabilities. SecurityScorecard does, however, flag potential vulnerabilities as an issue type. Learn more.
You can use ASI’s sample queries to try out ASI’s search capabilities and get a sense of what data is available. If you want to design searches according to your specific needs, you can create your own queries.
Understand how ASI search queries work
SecurityScorecard stores ASI data with Amazon Web Services (AWS), so ASI uses AWS CloudSearch query structures for searching. To populate the information, ASI leverages Confluent Kafka to ingest data from SecurityScorecard’s in-house threat intelligence collections as well as open sources such as MITRE, MISP, and ISACs to stream and contextualize data for the AWS CloudSearch index. To fully understand all possibilities for building queries, see comprehensive guidance on using CloudSearch.
Access ASI’s search page
In SecurityScorecard, select Attack Surface (ASI).
Write queries in the ASI search box.
Tip: Click More examples below the search box to see sample queries. These help you understand how queries are structured on what data is available. You also can build your own queries based on these sample queries by editing them.
Write compound queries with boolean operators
Note: We may update these query elements at any time and publish updates in this article on a quarterly basis. To inquire about query elements you do not see on this list, submit a Support request.
To write compound queries using Amazon CloudSearch structured query syntax:
- Specify the name of the operator.
- Specify the facets or options for the operator.
- Specify the match expression to be operated on.
The match expression can be a simple text string, or a sub-clause of your compound query. Specify any options before the terms.
See a list of facets that you can use in ASI queries.
Using compound queries, you can connect multiple facets, or categories of information, with the following boolean operators to make your search more focused and specific:
-
and
Returns values for all filters connected with this operator for a narrower range of possible results -
or
Returns values for any filters connected with this operator for a wider range of possible results -
not
Returns values not specified by a filter, allowing you to exclude results you do not want
For more information about boolean operators, see the AWS CloudSearch compound query documentation.
Filter results using facets
To filter your results so that they only apply to specific categories of information, use facets.
The structure of a simple filtered query is:
[facet]: ‘expression’
Enclose literal text and literal expressions in single quotation marks ('). Integer and float (decimal) fields, as noted in the table descriptions for ASI facets, do not require quotation marks.
For facets with multiple expressions use parentheses and an operator, and repeat the pairing for each expression:
(and [facet]: 'expression' [facet]: 'expression' [facet]: 'expression')
(or [facet]: 'expression' [facet]: 'expression' [facet]: 'expression')
(or [facet]: 'expression' [facet]: 'expression' [facet]: 'expression' (and (not [facet]: 'expression')))
Example:
(or cloud_provider:'aws' cloud_provider:'oracle' cloud_provider:'gce' cloud_provider:'azure')
Note: ASI is case sensitive for expressions in facet queries. Also, you cannot use wildcards (*) with facets. Learn more about facets in Amazon CloudSearch.
Note: A maximum of 1024 clauses (sets of filters or queries within an and/or/not) are allowed.
Syntax examples
Parentheses control the order of evaluation of the expressions. When an expression is enclosed in parentheses, that expression is evaluated first, and then the resulting value is used in the evaluation of the remainder of the compound query.
See the following sample compound queries to understand how the syntax is constructed and how to use parentheses:
(and has_ransomware:1 industry:'FINANCIAL_SERVICES' country:'DE')
This returns all IPs for breached domains in the financial services industry within Germany. The and operator at the beginning specifies that all specified values must match.
(and os_type:'FortiOS' (not (or cloud_provider:'aws' cloud_provider:'oracle' cloud_provider:'gce' cloud_provider:'azure')))
This returns all Fortinet FortiOS devices, such as firewalls, with IP addresses that are not within major cloud provider ranges. The query first specifies all instances of the FortiOS operating system and, within that context, excludes matches for the listed cloud providers.
(and crawling_detected_library_name: 'WordPress' (and (or hostname:'dev' hostname:'test' hostname:'qa' hostname:'staging')))
This returns all IPs with host names that include dev, test, qa, or staging and on which Wordpress is detected as an application library. This query first specifies all instances of the WordPress library and then, within that context, includes any instance of the specified host names.
Search on text strings
Searching on text strings can be helpful if you are not sure what you are looking for. Then you can study and sort through the results for more specific context. Simply enter the string in the search box with no other syntax. Searching on text strings is not case sensitive, and you can use a wildcard (*).
Example: cve-2021*
When you search on a text string, ASI returns matching results in the following categories and others highlighted below that are not filterable currently with a *:
-
attributed_domain
- securityscorecard.com, google.com, example.com
-
cpe
- cpe:/a:openbsd:openssh:7.4
-
cve
- CVE-2018-15919
-
device_type
- router, firewall, webcam
-
industry
- Finance, Healthcare, Telecommunications
-
org
- SecurityScorecard, Inc., Square
-
os_type
- Linux, Windows, Mac OS, FortiOS
-
product
- Apache httpd, FortiGate
-
ransomware_group
- CONTI, LOCKBIT 2.0
-
Service
- http, ssh, modbus, dnp3, pptp
-
threat_actor
- APT29, Wizard Spider
-
malicious_reputation
- ipsum, blocklist.de, AlienVault OTX pulse, Adware, Trojan, CTA, CI-ARMY feed, CISA - KNOWN EXPLOITED VULNERABILITIES CATALOG feed, Bitcoin Nodes feed, Backdoor
-
Infections_family
- android.cheetah
-
infections_category
- malware, adware, potentially unwanted application
-
cloud_provider
- aws, azure, gcp, oracle
-
cloud_region
- us-east-1
-
country_name
- Germany
-
ip_address
- 1.1.1.1, 84.33.49.102
-
*hostname
- staging-site.example.com, us-east-1-1638.aws.com
-
crawling_detected_library_name
- WordPress, jQuery, React
Available ASI query facets and other searchable fields
We make updates as new filters become available. To inquire about facets that you do not see in this table, submit a Support request.
For context on how we detect the data for a given facet, click the numeral in parenthesis that appears in the description column.
Tip: The Examples column lists a few possible expressions for each facet. If you have a paid SecurityScorecard account, use the the facet endpoint in the Attack Surface Interface API to see a full list of expressions for any facet. Learn how to use the facet endpoint.
In the Examples column, we also provide links to a page with more available expressions for certain facets.
|
Filter |
Description |
Examples |
|
asn |
Autonomous system number that controls routing within the asset's network and exchanges routing information with other ISPs (Learn more) |
asn:'268581' |
|
attributed_domain |
Domain to which SecurityScorecard attributes an asset |
attributed_domain:'microsoft.com' |
|
attributed_domain_count |
Number of domains to which an asset is attributed, as indicated with the attributed_domain facet |
attributed_domain_count:'100' attributed_domain_count:'5' |
|
breach_cause |
Cause of a breach related to the asset |
breach_cause:'Email' breach_cause:'unauthorized access' breach_cause:'unauthorized access by vendor' |
|
breach_date |
Date and time that a breach related to the asset, displayed in ISO 8601 format. |
breach_date:'2022-04-01T17:37:17.879Z' |
|
breach_source_domain |
Domain of the asset associated with the breach |
breach_source_domain:'example-domain.com' Note the lower-case formatting. Use the /facets API endpoint for see actual examples. |
|
breach_source_type |
Category of information source of the breach disclosure for asset, such as news media, the Dark Web, or a government (official) |
breach_source_type:'ransomware' breach_source_type:'defacement' breach_source_type:'official' |
|
breach_source_url |
URL of the information source of the breach disclosure |
Examples to come |
|
breach_type |
Type of breach that occurred on the asset |
breach_type:'Hacking/IT Incident' breach_type:'Theft' breach_type:'Improper Disposal' |
|
cidr |
IP address CIDR range |
cidr:'71.6.234.0/28' |
|
city |
City in which an asset is located |
city:'Milan' This field is case sensitive. There are currently more than 150,000 city names currently detected in ASI. See a current list as of February, 2023. |
|
cloud_provider |
Cloud services provider where an asset is hosted |
Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Oracle are currently supported, but we will add more providers. cloud_provider:'aws' cloud_provider:'gce' cloud_provider:'azure' cloud_provider:'oracle' |
|
cloud_region |
Geographical region for a cloud provider |
cloud_region:'us-east-1' Note: Region names vary by provider. See a list of cloud regions you can query for in ASI. |
|
country |
Two-letter country code abbreviation set by the International Organization for Standardization (ISO), associated with the IP address using full GeoIP data from MaxMind |
country:'DE' |
|
country_name |
Full name of a country in English |
country_name:'Germany' |
|
cpe |
Common Platform Enumeration (CPE) for the asset, as detected with Nmap probe |
cpe:'cpe:/o:linux:linux_kernel' cpe:'cpe:/o:microsoft:windows' cpe:'cpe:/a:openbsd:openssh:7.4' |
|
crawling_detected_library_name |
Libraries discovered on exposed ports (6) |
crawling_detected_library_name:'WordPress' See a list of detected library names you can query for in ASI. |
|
cve |
CVE v2 IDs from National Vulnerability Database (NVD) (2) |
Single CVE example: There are currently more than 8,800 CVEs currently detected in ASI as of 8/2022. See a current list as of August 2022. |
|
cvss_score |
CVSS v2 score from NVD |
Single CVSS score example: Multiple CVSS score example: |
|
device_type |
Device types (1) |
device_type:'webcam' device_type:'switch' |
|
geo |
Latitude and longitude of an asset |
geo:'45.4303,-73.4768' |
|
has_breach |
Whether the asset has breaches associated with it, based on the attributed domain and publicly posted data breaches
|
has_breach:1 has_breach:0 |
|
has_cloud |
Whether an asset is hosted by a cloud provider (The expression is an integer: either 1 for yes or 0 for no) |
has_cloud:1 has_cloud:0 |
|
has_cve |
Whether or not an asset has CVEs (3) (The expression is an integer: either 1 for yes or 0 for no) |
has_cve:1 |
|
has_cve_been_exploited |
Whether any CVEs have been exploited based on VulDB. Any CVE listed as anything other than Unknown is labeled as possibly having been exploited. |
has_cve_been_exploited:1 |
|
has_infection |
Whether there any active infections or unwanted applications on the IP address (7) |
has_infection:1 |
|
has_malrep |
Whether an asset is on any public blocklists or threat intelligence feeds (both external and in-house), indicating malicious reputation hits |
has_malrep:1 |
|
has_mitre_ttps |
Whether the asset has MITRE ATT&CK tactics, techniques, software, or mitigations associated with it based on the threat_actor facet (The expression is an integer: either 1 for yes or 0 for no) |
has_mitre_ttps:1 has_mitre_ttps:0 |
|
has_port |
Whether an asset has a port exposed to the internet (The expression is an integer: either 1 for yes or 0 for no) |
has_port:1 |
| has_product |
Whether an asset has a product associated with it (The expression is an integer: either 1 for yes or 0 for no) |
has_product:1 has_product:0 |
|
has_ransomware |
Whether an asset has had a ransomware breach tied to a domain to which it was attributed (13) |
has_ransomware:1 |
|
has_scorecard |
Whether an asset has an affiliated Scorecard, which may not always be the case for assets that are not yet scored or can even be attributed to a company using SecurityScorecard's attribution system |
has_scorecard:1 |
|
has_screenshot |
Whether a domain has a screenshot (6) |
has_screenshot:1 |
|
has_sensor_observation |
Whether we observed traffic or some interaction on the asset from our global honeypot network, open proxies and email relays, or other passive collection systems other than our sinkhole (See How SecurityScorecard collects data for ASI) (The expression is an integer: either 1 for yes or 0 for no) |
has_sensor_observation:1 has_sensor_observation:0 |
|
has_service |
Whether an asset has a service associated with it (The expression is an integer: either 1 for yes or 0 for no) |
has_service:1 |
|
has_ssl_cert |
Whether the asset has an SSL/TLS certificate attached to any valid service with TLS that is scannable (14) |
has_ssl_cert:1 |
|
has_threatactor |
Whether there are associated threat actors linked with the asset (12)
|
has_threatactor:1 has_threatactor:0 |
|
hostname |
Label or name of device at an IP address, assigned by the administrator or owner of that device |
hostname:'QA' |
|
http_favicon_hash |
Hash of the HTTP favicon from HTTP services on the asset, as detected from the Nmap http-favicon probe script |
http_favicon_hash:'Unknown favicon MD5: 67C7E06341546D5B3C164EA5374F0F7A' http_favicon_hash:'Unknown favicon MD5: 015BA131BE8D2E90880F53A982DC32E7' http_favicon_hash:'Unknown favicon MD5: 478B63898983C4A3DAE2B3F6D5CDDD38' http_favicon_hash:'Unknown favicon MD5: 53E1EA4754F1DA527F1C6F360200A0FB' http_favicon_hash:'Unknown favicon MD5: 16AF1FCE9822DD00054EF09790E19C35' |
|
http_status |
HTTP status code in the response of the HTTP services on this asset, as detected from Nmap probes |
http_status:'200' http_status:'403' http_status:'404' http_status:'407' http_status:'500' |
|
http_title |
HTTP page title in the response fro the HTTP services on this asset, as detected from Nmap probes |
http_title:'400 The plain HTTP request was sent to HTTPS port' http_title:'403 Forbidden' http_title:'Welcome to nginx!' http_title:'400 The plain HTTP request was sent to HTTPS port' http_title:'Index - My ASP.NET Application' |
|
industry |
Possible industry name for the organization to which an asset belongs |
industry:'HEALTHCARE' |
|
infections_category |
Malware infection category (7) |
infections_family:'adware' infections_family:'malware' infections_family:'potentially unwanted application' Potentially vulnerable application includes potentially unwanted applications (PUAs), such as torrents |
|
infections_family |
Malware infection family (7) This list covers the sinkhole family name if an asset hits the sinkhole for the specific category. |
infections_family:'bitcoinminer' infections_family:'pva.samsunghub' infections_family:'magecart' infections_family:'sodinokibi' infections_family:'apt.winnti'
|
|
ip_address |
IP address detected with exposed ports (1) |
ip_address:'174.129.207.123' |
|
isp |
Internet service provider (ISP) that provides internet connectivity for the asset |
isp:'Myszkowska Telewizja Kablowa Sp.z.o.o.' isp:'EUSERV-SRV' ASI currently detects more than 100,000 ISPs. If you are unable to get search results for an ISP name, post a question in our community. |
| leak_source_domain | Domain where leaked user information was posted, such as on the Dark Web | Examples to come |
| leaked_address | Street address exposed in a leaked record | Examples to come |
| leaked_api_key | Token or key for API authentication exposed in a leaked record | Examples to come |
| leaked_birthday | Birthday exposed in a leaked record | Examples to come |
| leaked_chatonline | User ID for Google ChatOnline instant messaging app, exposed in a leaked record | Examples to come |
| leaked_email | Email address exposed in a leaked record | Examples to come |
| leaked_employer | Employer's name exposed in a leaked record | Examples to come |
| leaked_facebook_email | Email registered to Facebook exposed in a leaked record | Examples to come |
| leaked_facebook_email_hash | Hash of email registered to Facebook exposed in a leaked record | Examples to come |
| leaked_facebook_id | Facebook user ID exposed in a leaked record | Examples to come |
| leaked_facebook_name | Facebook user name exposed in a leaked record | Examples to come |
| leaked_facebook_pic | Facebook user photo exposed in a leaked record | Examples to come |
| leaked_facebook_secret | Facebook login secret exposed in a leaked record | Examples to come |
| leaked_facebook_session | Facebook user session information exposed in a leaked record | Examples to come |
| leaked_facebook_token | Facebook user login token exposed in a leaked record | Examples to come |
| leaked_hashed_password | Hashed password exposed in a leaked record, based on examination of password fields for hashes | Examples to come |
| leaked_instagram | Instagram user name exposed in a leaked record | Examples to come |
| leaked_ipaddress | IP address exposed in a leaked record | Examples to come |
| leaked_language | ISO code for language spoken by a user, exposed in a leaked record | Examples to come |
| leaked_linkedin_id | LinkedIn user ID exposed in a leaked record | Examples to come |
| leaked_myspace_id | MySpace user ID exposed in a leaked record | Examples to come |
| leaked_name | Name of a person exposed in a leaked record | Examples to come |
| leaked_non_social_media_token | Any user login token not used for a site or application other than social media, exposed in a leaked record | Examples to come |
| leaked_occupation | A person's occupation, exposed in a leaked record | Examples to come |
| leaked_parents_name | Name of a persons parents exposed in a leaked record | Examples to come |
| leaked_password | Raw password string exposed in a leaked record | Examples to come |
| leaked_password_hint | Password hint exposed in a leaked record | Examples to come |
| leaked_phone | Telephone number exposed in a leaked record | Examples to come |
| leaked_race | A person's race or ethnicity exposed in a leaked record | Examples to come |
| leaked_security_question_answer | Answer to a security question exposed in a leaked record | Examples to come |
| leaked_social_security_number | Social Security number exposed in a leaked record | Examples to come |
| leaked_steam_id | User ID for the Steam game distribution service, exposed in a leaked record | Examples to come |
| leaked_twitter | Twitter handle exposed in a leaked record | Examples to come |
| leaked_twitter_secret | Twitter login secret exposed in a leaked record | Examples to come |
| leaked_twitter_token | Twitter login token exposed in a leaked record | Examples to come |
| leaked_useragent_string | User agent string for a browser, phone, or other device | Examples to come |
| leaked_username | Normalized username from any source exposed in a leaked record | Examples to come |
| leaked_vk_id | User ID for VKontakte social media platform, exposed in a leaked record | Examples to come |
| leaked_vk_token | Login token ID for VKontakte social media platform, exposed in a leaked record | Examples to come |
| leaked_youtube | Youtube URL exposed in a leaked record | Examples to come |
|
ssl_cert_alpn |
TLS server's supported application-layer protocols using the ALPN protocol, as detected on this asset from Nmap probes (Learn more) |
ssl_cert_alpn:'http/1.1 http/1.0' |
| ssl_cipher_name | The specific set of algorithms that the asset uses to help establish secure network connections (Learn more) |
ssl_cipher_name:'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' ssl_cipher_name:'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA' ssl_cipher_name:'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA' ssl_cipher_name:'TLS_RSA_WITH_AES_256_CBC_SHA' ssl_cipher_name:'TLS_RSA_WITH_AES_128_CBC_SHA' |
| ssl_cert_extension | SSL/TLS certificate extension names, as detected on this asset from Nmap probes |
ssl_cert_extension:'X509v3 Extended Key Usage' ssl_cert_extension:'X509v3 Basic Constraints' ssl_cert_extension:'X509v3 Certificate Policies' ssl_cert_extension:'CT Precertificate SCTs' ssl_cert_extension:'Authority Information Access' |
| ssl_is_cert_expired |
Whether the SSL certificate has passed its expiration date (The expression is an integer: either 1 for yes or 0 for no) |
ssl_is_cert_expired:1 ssl_is_cert_expired:0 |
| ssl_is_certificate_chain_valid | Whether the SSL certificate chain is valid (11) (The expression is an integer: either 1 for yes or 0 for no) |
ssl_is_certificate_chain_valid:1 ssl_is_certificate_chain_valid:0 |
| ssl_issuer_city | The city of the SSL certificate issuer for an asset | ssl_issuer_city:'Chicago' |
| ssl_issuer_cn | Common Name (domain) of the SSL Certificate issuer for an asset | ssl_issuer_cn:'DigiCert' |
| ssl_issuer_country | The country of the SSL certificate issuer for an asset | ssl_issuer_country:'Canada' |
| ssl_issuer_email | The email address of an SSL certificate issuer for an asset |
ssl_issuer_email:'[name@domain.suffix]` Values are specific to each certificate issuer, and there is not finite list of acceptable expressions. |
| ssl_issuer_org_name | The organization of an SSL certificate issuer for an asset | ssl_issuer_org_name:'Cloudflare, Inc.' |
| ssl_issuer_org_unit | The sub-organization of an SSL certificate issuer for an asset |
ssl_issuer_org_unit:'IT services' ssl_issuer_org_unit:'InCommon' Values vary by certificate issuer, and there is not finite list of acceptable expressions.
|
| ssl_issuer_state | SSL Certificate on asset issuer City | ssl_issuer_state:'Illinois' |
| ssl_md5 | The MD5 hash for an SSL certificate (with SNI detection) for an asset | ssl_md5:'[hash]' |
| ssl_sha1 | The SHA1 hash for an MD5 certificate for an asset | ssl_sha1:'[hash]' |
| ssl_sha256 | The SHA256 hash for an MD5 certificate for an asset | ssl_sha256:'[hash]' |
| ssl_signature_algorithm | The SSL certificate signature algorithm used for an asset |
ssl_signature_algorithm:'sha1WithRSAEncryption' ssl_signature_algorithm:'sha256WithRSAEncryption'
See a list of algorithms. |
| ssl_subject_city |
Subject City for an SSL certificate for an asset |
ssl_subject_city:'New York' |
| ssl_subject_cn |
Subject common name (domain) for an SSL certificate for an asset |
ssl_subject_cn:'www.cmu.edu' |
| ssl_subject_country |
Subject country for an SSL certificate for an asset |
ssl_subject_country:'United States' Values can vary by certificate issuer. For example, different issuers may use any of the following variations: United States USA US |
| ssl_subject_email |
Subject contact email for an SSL certificate for an asset |
Values vary by certificate issuer, and there is not finite list of acceptable expressions. |
| ssl_subject_org_name |
Subject organization for an SSL certificate for an asset |
ssl_subject_org_name:'Cloudflare, Inc.' |
| ssl_subject_org_unit |
Subject sub-organization for an SSL certificate for an asset |
ssl_subject_org_unit:'Carnegie Mellon University' |
| ssl_subject_state |
Subject city for an SSL certificate for an asset |
ssl_subject_state:'New Jersey' |
|
ssl_verify_string |
SSL certificate verification string for an asset |
ssl_verify_string:'certificate has expired' ssl_verify_string:'self signed certificate'
See a list of possible expressions in the Diagnostics section of this OpenSSL documentation page. |
|
ssl_version |
The version of the SSL protocol that the asset is using to encrypt data and authenticate connections when moving data on the internet |
ssl_version:'SSLv3' |
|
state |
State or province where the asset is located |
state:'Sisačko-Moslavačka' state:'Hà Giang' state:'New York' ASI currently detectes more than 3,500 state names. If you are unable to get search results for a state name, post a question in our community. |
|
threat_actor |
Names of threat actors associated with the asset (12) |
threat_actor:'APT29' threat_actor:'Packrat' threat_actor:'Kimsuky'
|
|
version |
Version number (1) |
version:'2.0' |
Notes on detection methods
See these notes for context on how we detect facet data that you can query for.
(1) Detected by our in-house global scanning platform
(2) Based on detection with version strings and services from our in-house global scanning platform
(3) Detected with automatic mapping to the National Vulnerability Database (NVD), based on version, by our in-house global scanning platform
(4) Detected automatically by a module of our in-house global scanning platform. As of September, 2022, the scanning platform does not use the in-depth -O option for OS scanning in detail since it adds substantial time to our broad-but-fast, Internet-wide scan, so this may be limited until we implement the option.
(5) Detected as exposed by our in-house global scanning platform during initial port scan
(6) Detected with our in-house Chrome-based Web crawler
(7) Based on information from our in-house malware DNS sinkhole infrastructure, based on DGA algorithms reversed from samples or known domains used by malware, adware, or potentially unwanted applications that we track.
(8) Detected if the asset has a malicious reputation that comes from well known threat feeds as well as in-house trusted feeds to the SecurityScorecard Malware Information Sharing Platform (MISP) deployment
(9) Detected by our in-house global scanning platform with the -sV flag for service and version scanning
(10) Based on the attributed domain of the asset
(11) Determined when we detect SSL/TLS with our in-house global scanning platform
(12) Linked to an asset through one of the following methods:
- Based on whether the threat actor has previously weaponized the CVE based on research from trusted vendors (Cisco Talos Intelligence, SecurityScorecards STRIKE Team, Palo Alto Unit42)
- If the threat actor is tied to the IP address based on events from SecurityScorecard's malware information sharing platform (MISP) deployment, which gathers outside and inside indicators from trusted sources
-
Whether our in-house malware analysis and attribution automation platform links known threat actor malware to unknown threat actor malware and then extracts the following from VirusTotal to assets in ASI:
- Contacted IPs, domains, and URLs
- Embedded IPs, URLs, and domains
- In-the-wild IPs, domains, and URLs
(13) Found by crawling ransomware extortion sites with our in-house dark web crawler
(14) Determined after an initial port scan with our in-house global scanning platform, since we additionally send SNI information to get full certificate chains
See also
- Search and correlate ASI data (in the SecurityScorecard user interface)
- Attack Surface Intelligence API