In this article:
This article reflects a version of Attack Surface Intelligence that is currently in Early Access. For more information, talk to your Customer Success Manager or Sales Engineer.
By crafting targeted searches in Attack Surface Intelligence, you can unlock the rich, varied, and dynamic threat data in SecurityScorecard and make connections between IPs, vulnerabilities, threat actors, and more. Leverage this data in your investigations of assets, forensic work, vulnerability analysis, and other efforts.
Note: Attack Surface Intelligence does not surface potential vulnerabilities. It surfaces Common Vulnerability Enumerations (CVEs) that we confirm as being actual vulnerabilities. SecurityScorecard does, however, flag potential vulnerabilities as an issue type. Learn more.
If you want to design searches according to your specific needs, use this article for guidance to create your own queries.
Tip: To try out search capabilities and get a sense of what data is available, see the article on using example queries or visual filters. The article also shows how to refine or expand queries easily using visual search elements.
Understand how search queries work
SecurityScorecard stores Attach Surface Intelligence data with Amazon Web Services (AWS), so the tool uses AWS CloudSearch query structures for searching. To populate the information, Attack Surface Intelligence leverages Confluent Kafka to ingest data from SecurityScorecard’s in-house threat intelligence collections as well as open sources such as MITRE, MISP, and ISACs to stream and contextualize data for the AWS CloudSearch index. To fully understand all possibilities for building queries, see comprehensive guidance on using CloudSearch.
Tip: For automating and integrating Attack Surface Intelligence, see the API article.
Access the search page
- In the top navigation menu, select Attack Surface Intelligence under Modules.
- Select Query as the search option.
- Enter the query in the text box and click Search.
Tip: Click More examples above the text box to see sample queries. These help you understand how queries are structured and what data is available. You also can build your own queries based on these sample queries by editing them.
Tip: Reuse your earlier queries by clicking them.
Write compound queries with logical operators
With compound queries you can use multiple criteria to see more specific information.
To write compound queries using Amazon CloudSearch structured query syntax:
- Specify facets, which are categories of information that you want to find.
An example of a facet is: threat_actor.
See a list of facets that you can use in Attack Surface Intelligence queries. - Specify the expressions, which are the values that you wan tyour query to return.
An example of an expression for the facet threat_actor is: APT29. - Join the facet/expression pairs with operators, which show that facets are related.
Learn how different operators work
Use the following operators to connect multiple facets in compound queries:
- AND
Returns values for all filters connected with this operator for a narrower range of possible results - OR
Returns values for any filters connected with this operator for a wider range of possible results - NOT
Returns values not specified by a filter, allowing you to exclude results you do not want
For more information about boolean operators, see the AWS CloudSearch compound query documentation.
Tips for using facets
To filter your results so that they only apply to specific categories of information, use the following tips:
- Use the following structure for a simple filtered query:
[facet]: "expression"
or
[facet]:true - Enclose literal text and literal expressions in double quotation marks ("). Integer and float (decimal) fields, as noted in the table descriptions for facets, do not require quotation marks.
- Do not use quotation marks for queries on binary values, true or false.
- For facets with multiple expressions, use parentheses and an operator, and repeat the pairing for each expression.
- When you join conditions with the AND operator, values must match ALL joined conditions:(facet:"expression" AND facet:"expression" AND facet:"expression")
- When you join conditions with the OR operator, values can match ANY joined conditions:(facet:"expression" OR facet:"expression" OR facet:"expression")
- When you write a query with both types of operators, enclose in parentheses each set of facets that are joined by a different operator. Parentheses control the order of evaluation of the expressions. When an expression is enclosed in parentheses, that expression is evaluated first, and then the resulting value is used in the evaluation of the remainder of the compound query:(facet:"expression" OR facet:"expression" OR facet:"expression" AND (not facet: "expression"))
- Attack Surface Intelligence is case sensitive for expressions in facet queries. Also, you cannot use wildcards (*) with facets. Learn more about facets in Amazon CloudSearch.
Note: You can run a maximum of 1024 clauses, or sets of compound queries.
Query examples
See the following compound query examples to understand how the syntax is constructed and how to use parentheses.
- The following query returns any IPs with the cloud providers AWS, Oracle, GCE, or Azure.(cloud_provider:"aws" cloud_provider:"oracle" OR cloud_provider:"gce" OR cloud_provider:"azure")
- The following query returns all IPs for breached domains in the financial services industry within Germany. The and operator specifies that all specified values must match.(has_ransomware:true AND industry:"FINANCIAL_SERVICES" AND country:"DE")
- The following query returns all Fortinet FortiOS devices, such as firewalls, with IP addresses that are not within major cloud provider ranges. The query first specifies all instances of the FortiOS operating system and, within that context, excludes matches for the listed cloud providers.(os_type:"FortiOS" AND NOT (cloud_provider:"aws" OR cloud_provider:"oracle" OR cloud_provider:"gce" OR cloud_provider:"azure"))
- The following query returns all IPs with host names that include dev, test, qa, or staging and on which Wordpress is detected as an application library. This query first specifies all instances of the WordPress library and then, within that context, includes any instance of the specified host names.
(crawling_detected_library_name:"WordPress" AND (hostname:"dev" OR hostname:"test" OR hostname:"qa" OR hostname:"staging"))
Search on text strings
Searching on text strings can be helpful if you are not sure what you are looking for. Then you can study and sort through the results for more specific context. Simply enter the string in the search box with no other syntax. Searching on text strings is not case sensitive, and you can use a wildcard (*).
Example: cve-2021*
When you search on a text string, Attack Surface Intelligence returns matching results in the following categories and others highlighted below that are not filterable currently with a *:
- attributed_domain
- securityscorecard.com, google.com, example.com
- cpe
- cpe:/a:openbsd:openssh:7.4
- cve
- CVE-2018-15919
- device_type
- router, firewall, webcam
- industry
- Finance, Healthcare, Telecommunications
- org
- SecurityScorecard, Inc., Square
- os_type
- Linux, Windows, Mac OS, FortiOS
- product
- Apache httpd, FortiGate
- ransomware_group
- CONTI, LOCKBIT 2.0
- Service
- http, ssh, modbus, dnp3, pptp
- threat_actor
- APT29, Wizard Spider
- malicious_reputation
- ipsum, blocklist.de, AlienVault OTX pulse, Adware, Trojan, CTA, CI-ARMY feed, CISA - KNOWN EXPLOITED VULNERABILITIES CATALOG feed, Bitcoin Nodes feed, Backdoor
- Infections_family
- android.cheetah
- infections_category
- malware, adware, potentially unwanted application
- cloud_provider
- aws, azure, gcp, oracle
- cloud_region
- us-east-1
- country_name
- Germany
- ip_address
- 1.1.1.1, 84.33.49.102
- *hostname
- staging-site.example.com, us-east-1-1638.aws.com
- crawling_detected_library_name
- WordPress, jQuery, React
Available query facets
We make updates as new filters become available. To inquire about facets that you do not see in this table, submit a Support request.
For context on how we detect the data for a given facet, click the numeral in parenthesis that appears in the description column.
Tip: The Examples column lists a few possible expressions for each facet. If you have a paid SecurityScorecard account, use the the facet endpoint in the Attack Surface Interface API to see a full list of expressions for any facet. Learn how to use the facet endpoint.
In the Examples column, we also provide links to a page with more available expressions for certain facets.
|
Filter |
Description |
Examples |
|
asn |
Autonomous system number that controls routing within the asset's network and exchanges routing information with other ISPs (Learn more) |
asn:'268581' |
|
attributed_domain |
Domain to which SecurityScorecard attributes an asset |
attributed_domain:'microsoft.com' |
|
attributed_domain_count |
Number of domains to which an asset is attributed, as indicated with the attributed_domain facet |
attributed_domain_count:'100' attributed_domain_count:'5' |
|
breach_cause |
Cause of a breach related to the asset |
breach_cause:'Email' breach_cause:'unauthorized access' breach_cause:'unauthorized access by vendor' |
|
breach_date |
Date and time that a breach related to the asset, displayed in ISO 8601 format. |
breach_date:'2022-04-01T17:37:17.879Z' |
|
breach_source_domain |
Domain of the asset associated with the breach |
breach_source_domain:'example-domain.com' Note the lower-case formatting. Use the /facets API endpoint for see actual examples. |
|
breach_source_type |
Category of information source of the breach disclosure for asset, such as news media, the Dark Web, or a government (official) |
breach_source_type:'ransomware' breach_source_type:'defacement' breach_source_type:'official' |
|
breach_source_url |
URL of the information source of the breach disclosure |
We are currently compiling examples for this facet. |
|
breach_type |
Type of breach that occurred on the asset |
breach_type:'Hacking/IT Incident' breach_type:'Theft' breach_type:'Improper Disposal' |
|
cidr |
IP address CIDR range |
cidr:'71.6.234.0/28' |
|
city |
City in which an asset is located |
city:'Milan' This field is case sensitive. There are currently more than 150,000 city names currently detected. See a current list as of February, 2023. |
|
cloud_provider |
Cloud services provider where an asset is hosted |
Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Oracle are currently supported, but we will add more providers. cloud_provider:'aws' cloud_provider:'gce' cloud_provider:'azure' cloud_provider:'oracle' |
|
cloud_region |
Geographical region for a cloud provider |
cloud_region:'us-east-1' Note: Region names vary by provider. See a list of cloud regions you can query for. |
|
country |
Two-letter country code abbreviation set by the International Organization for Standardization (ISO), associated with the IP address using full GeoIP data from MaxMind |
country:'DE' |
|
country_name |
Full name of a country in English |
country_name:'Germany' |
|
cpe |
Common Platform Enumeration (CPE) for the asset, as detected with Nmap probe |
cpe:'cpe:/o:linux:linux_kernel' cpe:'cpe:/o:microsoft:windows' cpe:'cpe:/a:openbsd:openssh:7.4' |
|
crawling_detected_library_name |
Libraries discovered on exposed ports (6) |
crawling_detected_library_name:'WordPress' |
|
cve |
CVE v2 IDs from National Vulnerability Database (NVD) (2) |
Single CVE example: There are currently more than 8,800 CVEs currently detected in Attack Surface Intelligence as of 8/2022. See a current list as of August 2022. |
|
cvss_score |
CVSS v2 score from NVD |
Single CVSS score example: Multiple CVSS score example: |
|
device_type |
Device types (1) |
device_type:'webcam' device_type:'switch' |
|
geo |
Latitude and longitude of an asset |
geo:'45.4303,-73.4768' |
|
has_breach |
Whether the asset has breaches associated with it, based on the attributed domain and publicly posted data breaches
|
has_breach:1 has_breach:0 |
|
has_cloud |
Whether an asset is hosted by a cloud provider (The expression is an integer: either 1 for yes or 0 for no) |
has_cloud:1 has_cloud:0 |
|
has_cve |
Whether or not an asset has CVEs (3) (The expression is an integer: either 1 for yes or 0 for no) |
has_cve:1 |
|
has_cve_been_exploited |
Whether any CVEs have been exploited based on VulDB. Any CVE listed as anything other than Unknown is labeled as possibly having been exploited. |
has_cve_been_exploited:1 |
|
has_infection |
Whether there any active infections or unwanted applications on the IP address (7) |
has_infection:1 |
|
has_malrep |
Whether an asset is on any public blocklists or threat intelligence feeds (both external and in-house), indicating malicious reputation hits |
has_malrep:1 |
|
has_mitre_ttps |
Whether the asset has MITRE ATT&CK tactics, techniques, software, or mitigations associated with it based on the threat_actor facet (The expression is an integer: either 1 for yes or 0 for no) |
has_mitre_ttps:1 has_mitre_ttps:0 |
|
has_port |
Whether an asset has a port exposed to the internet (The expression is an integer: either 1 for yes or 0 for no) |
has_port:1 |
| has_product |
Whether an asset has a product associated with it (The expression is an integer: either 1 for yes or 0 for no) |
has_product:1 has_product:0 |
|
has_ransomware |
Whether an asset has had a ransomware breach tied to a domain to which it was attributed (13) |
has_ransomware:1 |
|
has_scorecard |
Whether an asset has an affiliated Scorecard, which may not always be the case for assets that are not yet scored or can even be attributed to a company using SecurityScorecard's attribution system |
has_scorecard:1 |
|
has_screenshot |
Whether a domain has a screenshot (6) |
has_screenshot:1 |
|
has_sensor_observation |
Whether we observed traffic or some interaction on the asset from our global honeypot network, open proxies and email relays, or other passive collection systems other than our sinkhole (See How SecurityScorecard collects data for Attack Surface Intelligence) (The expression is an integer: either 1 for yes or 0 for no) |
has_sensor_observation:1 has_sensor_observation:0 |
|
has_service |
Whether an asset has a service associated with it (The expression is an integer: either 1 for yes or 0 for no) |
has_service:1 |
|
has_ssl_cert |
Whether the asset has an SSL/TLS certificate attached to any valid service with TLS that is scannable (14) |
has_ssl_cert:1 |
|
has_threatactor |
Whether there are associated threat actors linked with the asset (12)
|
has_threatactor:1 has_threatactor:0 |
|
hostname |
Label or name of device at an IP address, assigned by the administrator or owner of that device |
hostname:'QA' |
|
http_favicon_hash |
Hash of the HTTP favicon from HTTP services on the asset, as detected from the Nmap http-favicon probe script |
http_favicon_hash:'Unknown favicon MD5: 67C7E06341546D5B3C164EA5374F0F7A' http_favicon_hash:'Unknown favicon MD5: 015BA131BE8D2E90880F53A982DC32E7' http_favicon_hash:'Unknown favicon MD5: 478B63898983C4A3DAE2B3F6D5CDDD38' http_favicon_hash:'Unknown favicon MD5: 53E1EA4754F1DA527F1C6F360200A0FB' http_favicon_hash:'Unknown favicon MD5: 16AF1FCE9822DD00054EF09790E19C35' |
|
http_status |
HTTP status code in the response of the HTTP services on this asset, as detected from Nmap probes |
http_status:'200' http_status:'403' http_status:'404' http_status:'407' http_status:'500' |
|
http_title |
HTTP page title in the response fro the HTTP services on this asset, as detected from Nmap probes |
http_title:'400 The plain HTTP request was sent to HTTPS port' http_title:'403 Forbidden' http_title:'Welcome to nginx!' http_title:'400 The plain HTTP request was sent to HTTPS port' http_title:'Index - My ASP.NET Application' |
|
industry |
Possible industry name for the organization to which an asset belongs |
industry:'HEALTHCARE' |
|
infections_category |
Malware infection category (7) |
infections_family:'adware' infections_family:'malware' infections_family:'potentially unwanted application' Potentially vulnerable application includes potentially unwanted applications (PUAs), such as torrents |
|
infections_family |
Malware infection family (7) This list covers the sinkhole family name if an asset hits the sinkhole for the specific category. |
infections_family:'bitcoinminer' infections_family:'pva.samsunghub' infections_family:'magecart' infections_family:'sodinokibi' infections_family:'apt.winnti'
|
|
ip_address |
IP address detected with exposed ports (1) |
ip_address:'174.129.207.123' |
|
isp |
Internet service provider (ISP) that provides internet connectivity for the asset |
isp:'Myszkowska Telewizja Kablowa Sp.z.o.o.' isp:'EUSERV-SRV' Attack Surface Intelligence currently detects more than 100,000 ISPs. If you are unable to get search results for an ISP name, post a question in our community. |
| leak_source_domain | Domain where leaked user information was posted, such as on the Dark Web | We are currently compiling examples for this facet. |
| leaked_address | Street address exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_api_key | Token or key for API authentication exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_birthday | Birthday exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_chatonline | User ID for Google ChatOnline instant messaging app, exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_email | Email address exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_employer | Employer's name exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_facebook_email | Email registered to Facebook exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_facebook_email_hash | Hash of email registered to Facebook exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_facebook_id | Facebook user ID exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_facebook_name | Facebook user name exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_facebook_pic | Facebook user photo exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_facebook_secret | Facebook login secret exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_facebook_session | Facebook user session information exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_facebook_token | Facebook user login token exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_hashed_password | Hashed password exposed in a leaked record, based on examination of password fields for hashes | We are currently compiling examples for this facet. |
| leaked_instagram | Instagram user name exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_ipaddress | IP address exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_language | ISO code for language spoken by a user, exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_linkedin_id | LinkedIn user ID exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_myspace_id | MySpace user ID exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_name | Name of a person exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_non_social_media_token | Any user login token not used for a site or application other than social media, exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_occupation | A person's occupation, exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_parents_name | Name of a persons parents exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_password | Raw password string exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_password_hint | Password hint exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_phone | Telephone number exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_race | A person's race or ethnicity exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_security_question_answer | Answer to a security question exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_social_security_number | Social Security number exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_steam_id | User ID for the Steam game distribution service, exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_twitter | Twitter handle exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_twitter_secret | Twitter login secret exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_twitter_token | Twitter login token exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_useragent_string | User agent string for a browser, phone, or other device | We are currently compiling examples for this facet. |
| leaked_username | Normalized username from any source exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_vk_id | User ID for VKontakte social media platform, exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_vk_token | Login token ID for VKontakte social media platform, exposed in a leaked record | We are currently compiling examples for this facet. |
| leaked_youtube | Youtube URL exposed in a leaked record | We are currently compiling examples for this facet. |
|
ssl_cert_alpn |
TLS server's supported application-layer protocols using the ALPN protocol, as detected on this asset from Nmap probes (Learn more) |
ssl_cert_alpn:'http/1.1 http/1.0' |
| ssl_cipher_name | The specific set of algorithms that the asset uses to help establish secure network connections (Learn more) |
ssl_cipher_name:'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' ssl_cipher_name:'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA' ssl_cipher_name:'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA' ssl_cipher_name:'TLS_RSA_WITH_AES_256_CBC_SHA' ssl_cipher_name:'TLS_RSA_WITH_AES_128_CBC_SHA' |
| ssl_cert_extension | SSL/TLS certificate extension names, as detected on this asset from Nmap probes |
ssl_cert_extension:'X509v3 Extended Key Usage' ssl_cert_extension:'X509v3 Basic Constraints' ssl_cert_extension:'X509v3 Certificate Policies' ssl_cert_extension:'CT Precertificate SCTs' ssl_cert_extension:'Authority Information Access' |
| ssl_is_cert_expired |
Whether the SSL certificate has passed its expiration date (The expression is an integer: either 1 for yes or 0 for no) |
ssl_is_cert_expired:1 ssl_is_cert_expired:0 |
| ssl_is_certificate_chain_valid | Whether the SSL certificate chain is valid (11) (The expression is an integer: either 1 for yes or 0 for no) |
ssl_is_certificate_chain_valid:1 ssl_is_certificate_chain_valid:0 |
| ssl_issuer_city | The city of the SSL certificate issuer for an asset | ssl_issuer_city:'Chicago' |
| ssl_issuer_cn | Common Name (domain) of the SSL Certificate issuer for an asset | ssl_issuer_cn:'DigiCert' |
| ssl_issuer_country | The country of the SSL certificate issuer for an asset | ssl_issuer_country:'Canada' |
| ssl_issuer_email | The email address of an SSL certificate issuer for an asset |
ssl_issuer_email:'[name@domain.suffix]` Values are specific to each certificate issuer, and there is not finite list of acceptable expressions. |
| ssl_issuer_org_name | The organization of an SSL certificate issuer for an asset | ssl_issuer_org_name:'Cloudflare, Inc.' |
| ssl_issuer_org_unit | The sub-organization of an SSL certificate issuer for an asset |
ssl_issuer_org_unit:'IT services' ssl_issuer_org_unit:'InCommon' Values vary by certificate issuer, and there is not finite list of acceptable expressions.
|
| ssl_issuer_state | SSL Certificate on asset issuer City | ssl_issuer_state:'Illinois' |
| ssl_md5 | The MD5 hash for an SSL certificate (with SNI detection) for an asset | ssl_md5:'[hash]' |
| ssl_sha1 | The SHA1 hash for an MD5 certificate for an asset | ssl_sha1:'[hash]' |
| ssl_sha256 | The SHA256 hash for an MD5 certificate for an asset | ssl_sha256:'[hash]' |
| ssl_signature_algorithm | The SSL certificate signature algorithm used for an asset |
ssl_signature_algorithm:'sha1WithRSAEncryption' ssl_signature_algorithm:'sha256WithRSAEncryption'
See a list of algorithms. |
| ssl_subject_city |
Subject City for an SSL certificate for an asset |
ssl_subject_city:'New York' |
| ssl_subject_cn |
Subject common name (domain) for an SSL certificate for an asset |
ssl_subject_cn:'www.cmu.edu' |
| ssl_subject_country |
Subject country for an SSL certificate for an asset |
ssl_subject_country:'United States' Values can vary by certificate issuer. For example, different issuers may use any of the following variations: United States USA US |
| ssl_subject_email |
Subject contact email for an SSL certificate for an asset |
Values vary by certificate issuer, and there is not finite list of acceptable expressions. |
| ssl_subject_org_name |
Subject organization for an SSL certificate for an asset |
ssl_subject_org_name:'Cloudflare, Inc.' |
| ssl_subject_org_unit |
Subject sub-organization for an SSL certificate for an asset |
ssl_subject_org_unit:'Carnegie Mellon University' |
| ssl_subject_state |
Subject city for an SSL certificate for an asset |
ssl_subject_state:'New Jersey' |
|
ssl_verify_string |
SSL certificate verification string for an asset |
ssl_verify_string:'certificate has expired' ssl_verify_string:'self signed certificate'
See a list of possible expressions in the Diagnostics section of this OpenSSL documentation page. |
|
ssl_version |
The version of the SSL protocol that the asset is using to encrypt data and authenticate connections when moving data on the internet |
ssl_version:'SSLv3' |
|
state |
State or province where the asset is located |
state:'Sisačko-Moslavačka' state:'Hà Giang' state:'New York' Attack Surface Intelligence currently detects more than 3,500 state names. If you are unable to get search results for a state name, post a question in our community. |
|
threat_actor |
Names of threat actors associated with the asset (12) |
threat_actor:'APT29' threat_actor:'Packrat' threat_actor:'Kimsuky'
|
|
version |
Version number (1) |
version:'2.0' |
Notes on detection methods
See these notes for context on how we detect facet data that you can query for.
(1) Detected by our in-house global scanning platform
(2) Based on detection with version strings and services from our in-house global scanning platform
(3) Detected with automatic mapping to the National Vulnerability Database (NVD), based on version, by our in-house global scanning platform
(4) Detected automatically by a module of our in-house global scanning platform. As of September, 2022, the scanning platform does not use the in-depth -O option for OS scanning in detail since it adds substantial time to our broad-but-fast, Internet-wide scan, so this may be limited until we implement the option.
(5) Detected as exposed by our in-house global scanning platform during initial port scan
(6) Detected with our in-house Chrome-based Web crawler
(7) Based on information from our in-house malware DNS sinkhole infrastructure, based on DGA algorithms reversed from samples or known domains used by malware, adware, or potentially unwanted applications that we track.
(8) Detected if the asset has a malicious reputation that comes from well known threat feeds as well as in-house trusted feeds to the SecurityScorecard Malware Information Sharing Platform (MISP) deployment
(9) Detected by our in-house global scanning platform with the -sV flag for service and version scanning
(10) Based on the attributed domain of the asset
(11) Determined when we detect SSL/TLS with our in-house global scanning platform
(12) Linked to an asset through one of the following methods:
- Based on whether the threat actor has previously weaponized the CVE based on research from trusted vendors (Cisco Talos Intelligence, SecurityScorecards STRIKE Team, Palo Alto Unit42)
- If the threat actor is tied to the IP address based on events from SecurityScorecard's malware information sharing platform (MISP) deployment, which gathers outside and inside indicators from trusted sources
- Whether our in-house malware analysis and attribution automation platform links known threat actor malware to unknown threat actor malware and then extracts the following from VirusTotal to assets in Attack Surface Intelligence:
- Contacted IPs, domains, and URLs
- Embedded IPs, URLs, and domains
- In-the-wild IPs, domains, and URLs
(13) Found by crawling ransomware extortion sites with our in-house dark web crawler
(14) Determined after an initial port scan with our in-house global scanning platform, since we additionally send SNI information to get full certificate chains