Bad guys are scanning your network. They are finding every vulnerability exposed to the Internet: the vulnerable systems, the critical devices, and the other ways to break into your network. When ransomware, malware, botnets, and other break-ins happen, people wonder, “how did the threat actors find that service?” People thought that “if we don’t publish it, then obscurity will protect the service.”
Can you get ahead of the bad guys scanning your network? There is a public benefit (free) service open to all organizations that will let you know daily what systems the bad guys can see and what you need to do to protect yourself.
What is Attack Surface Management (ASM)?
An organization’s “attack surface” is the public, Internet-facing part of its network. These are systems that may or may not be protected. Anyone on the Internet can scan them for vulnerabilities, weak authentication, and exposures, and they can be easily DDoSed. Organizations are moving so fast that it is now normal for applications, services, and systems to be exposed to the Internet without the security due diligence needed to minimize the additional attack surface risk.
Organizations must have Attack Surface Management as part of their security architecture. ASM provides an outsider’s view of what the threat actors who would attack your network could and would target. Threat actors planning ransomware, Advanced Persistent Threat (APT), DDoS, Business Email Compromise (BEC), and data breaches scan the network first. ASM services replicate what the attackers are doing, allowing you to proactively mitigate the attack surface exposures before they do.
There are many commercial Attack Surface Management services, but none offer the comprehensive coverage of Shadowserver’s Daily Network Reports. Typical ASM reports just “scan” your network. Shadowserver’s diverse telemetry connects to malware, botnet, and threat actor takedowns. They monitor the malware Command-and-Control traffic coming from your network, through your firewall, and beaconing to the Internet. This one public benefit “ASM++” service provides organizations with powerful intelligence from Shadowserver – an organization whose mission is to fight the same threat actors who are scanning your network to harm you.
The Shadowserver Daily Reports Differential
Normal commercial Attack Surface Managers will scan the IPv4 addresses exposed on your network. Shadowserver does far more. Organizations who sign up to Shadowserver provide the IPv4 ranges, the IPv6 ranges, the Autonomous System Numbers (ASN), and the DNS zones for the organization. With all of this information Shadowserver:
- matches scan data (IPv4/IPv6) against your address space
- looks at traffic coming from your organization into its sinkholes
- sees if any of your systems are beaconing to malware systems
- checks whether any of your systems has been part of one of the threat-actor takedowns
- matches against SPAM/Phishing traps to see if any system in your organization is infected with malware and sending SPAM/Phishing
- watches for traffic from your organization hitting Shadowserver’s global Honeypot-as-a-Service systems
All the reports provide explicit timestamps and details that allow you to map the event back through NAT and firewalls to the internal host. This enables the organization to find systems behind their security perimeter that have been infected – which is critical to head off an APT/ransomware attack.
Principle of 3 – Including Shadowserver in your ASM Architecture
Are commercial Attack Surface Managers (ASMs) better than Shadowserver? That question misses the critical point: knowing what the threat actors are finding and exploiting without your knowledge. ASM is ideal for the principle of three. The principle of 3 is an approach for monitoring a safety/risk area with three different approaches. It is a resiliency architecture that avoids confirmation bias and overreliance on one measurement, and expands the scope of what is monitored for that risk.
In the Internet world, we would have three sources of ASM measurement: a Community Curated approach, a Commercial Vendor approach, and Tooling Curated by the Organization. For Attack Surface Risk monitoring we would have:
- Community Curated – Using Shadowserver’s Daily Network Reports. As of this post, there are 111 different types of reports that could be delivered (depending on the risks detected). The reports are curated by the Internet security community based on active, current, and potential risks. These are combined with the malware, botnet, and other telemetry on infected devices in the organization that is picked up by Shadowserver’s sinkholes, honeypots, and backscatter detection tools.
- Commercial ASM Service – the second vector of detection. Searching the Internet for “Attack Surface Managers (ASMs)” will find many options to review and evaluate.
- Tooling Curated by the Organization – There are open-source tools, tools that the organization’s network/application/security teams develop themselves, and specific tools that do other types of scanning. This curated tooling can also be commercial, using vulnerability, compliance, and other scanning services to cover Attack Surface risk as well. The core principle is that these tools are curated by the organization’s team to meet specific security, resiliency, and compliance requirements.
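What the principle of 3 buys you is visible once the three views are laid side by side: the exposures all three agree on, and the ones only a single source saw, which are the blind spots of the other two. The reconciliation below is an added example, not from the post or any vendor; the three finding sets are constructed, and the (ip, port, service) shape of a finding is an assumption of the example rather than any product’s export format.

```python
"""Reconcile three independent attack-surface sources (principle of 3).

Added example: the community, commercial and internally curated finding sets
are constructed. Each is the set of (ip, port, service) exposures one source
observed on the organization's address space.
"""
from collections import defaultdict

Finding = tuple[str, int, str]

# Constructed findings from each of the three vectors.
COMMUNITY: set[Finding] = {
    ("203.0.113.10", 3389, "rdp"),
    ("203.0.113.12", 445, "smb"),
    ("203.0.113.20", 443, "https"),
}
COMMERCIAL: set[Finding] = {
    ("203.0.113.10", 3389, "rdp"),
    ("203.0.113.20", 443, "https"),
    ("203.0.113.31", 22, "ssh"),
}
INTERNAL: set[Finding] = {
    ("203.0.113.10", 3389, "rdp"),
    ("203.0.113.20", 443, "https"),
    ("203.0.113.12", 445, "smb"),
    ("203.0.113.40", 8080, "http-alt"),
}

SOURCES: dict[str, set[Finding]] = {
    "community": COMMUNITY,
    "commercial": COMMERCIAL,
    "internal": INTERNAL,
}


def reconcile(sources: dict[str, set[Finding]] = SOURCES) -> dict:
    """Compare N independent views of the same attack surface.

    Returns:
      consensus      findings every source reported (high confidence, fix first)
      single_source  finding -> the one source that saw it (verify, then ask why
                     the others missed it)
      blind_spots    source -> findings that source missed but another saw
      coverage       source -> fraction of the union it reported
    """
    seen_by: dict[Finding, set[str]] = defaultdict(set)
    for name, findings in sources.items():
        for f in findings:
            seen_by[f].add(name)

    union = set(seen_by)
    n = len(sources)
    return {
        "consensus": {f for f, who in seen_by.items() if len(who) == n},
        "single_source": {f: next(iter(who)) for f, who in seen_by.items() if len(who) == 1},
        "blind_spots": {name: union - findings for name, findings in sources.items()},
        "coverage": {name: len(findings) / len(union) for name, findings in sources.items()},
    }


if __name__ == "__main__":
    result = reconcile()
    print("agreed by all sources:", sorted(result["consensus"]))
    for finding, source in sorted(result["single_source"].items()):
        print(f"only {source} saw {finding}")
    for source, missed in sorted(result["blind_spots"].items()):
        print(f"{source} missed {len(missed)} exposure(s); coverage {result['coverage'][source]:.0%}")
```

Run this against real exports and the single-source list is the one to act on: either the exposure is real and two of your three measurements are blind to it, or it is a false positive in one source. Both outcomes tell you something a single ASM feed never would.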
CxOs are Waking Up to the Attack Surface Risk!
In 2018, Gartner urged security leaders to start reducing, monitoring, and managing their attack surface as part of a holistic cybersecurity risk management program. Today, attack surface management is a top priority for CIOs, CTOs, CISOs, and security teams. “Reducing the Attack Surface Risk” is a call to action for all organizations seeking to minimize the risk of ransomware, data breaches, advanced persistent threat actors (APT), and DDoS attacks. The irony is that the vast majority of organizations have no idea that they can start their attack surface risk reduction with Shadowserver’s Daily Network Reports.
Start Your Exploration with “Securing Your Network Using Shadowserver Reports”
Securing Your Network Using Shadowserver Reports is a video from the 2021 Singapore Network Operations Group (SANOG) that walks through how organizations can get started with Shadowserver’s daily reports. You can find the latest version of these talks @ Securing Your Network Using Shadowserver’s Daily Network Reports. The Shadowserver Team will present sessions for audiences large and small – private or public. These reports have proven time and again to protect organizations from unexpected security risks.
Are you looking for more practical, low-cost security advice?
Shadowserver’s Daily Network Reports are one of many tools, techniques, and services that help you secure your organization. If your organization needs help and you worry about the FUD from the industry, reach out and ask for help. You can reach me at firstname.lastname@example.org. The materials and guides posted on www.senki.org help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all organizations, with the details organizations need to build more resilient, secure networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights. You can sign up to the mailing list for updates here: Stay Connected with Senki’s Updates.