Co-located Cloud Exposures Now Available in Expander

Expanse Finds SSH, FTP, and POP3 to Be the Most Commonly Exposed Cloud Services Among Top Enterprise Organizations

At Expanse, we’re committed to helping our customers manage their complete global attack surface. To further support this mission, Expanse is rolling out enhanced visibility into customers’ cloud attack surface by displaying co-located cloud assets in the Expander UI. 

Expander has long included the ability to view exposed assets from both on-premises and cloud environments belonging to the customer. Now, we are supercharging customers’ cloud visibility by adding the ability to see co-located cloud exposures as well as more traditionally defined cloud assets. Co-located cloud exposures are observed on the same IP as a customer’s domain or certificate, but don’t contain the domain or certificate in the response from the exposed IP. These are therefore lower-confidence in attributing to your organization than other cloud services with a verified domain or certificate clearly associated with them.  

Across a selection of top enterprise organizations, Expanse has found the following to be the most common co-located exposure types:

  • Secure Shell Servers (SSH): SSH servers provide encrypted remote terminal access, and should always be behind VPNs or accessible by trusted networks. SSH servers are frequent targets of machine speed password guessing attacks.
  • File Transfer Protocol (FTP): FTP is an outdated method of transferring files from one server to another in an unencrypted manner. Although FTP is an industry standard protocol, it is frequently in violation of regulatory compliance standards because of its lack of encryption, consequently heightening the risk of data compromise. FTPS, SFTP, or SCP are great alternatives.
  • Post Office Protocol 3 (POP3): POP3 is used for receiving and deleting mail from a mailbox via a client (Outlook, Mac Mail, PINE, etc.). While generally less risky to have exposed than services we consider critical like SMB or RDP, POP3 is still associated with potential security issues like man-in-the-middle (MITM) attacks, brute force attacks, accidental deletion of emails, and security bypass vulnerabilities.

For security teams, maintaining full visibility into co-located cloud infrastructure is extremely difficult, as cloud assets are ephemeral and don’t link to a static IP address. With Expanse’s differentiated ability to inventory co-located cloud assets, customers get an unparalleled understanding of their total attack surface in the cloud. 

Co-located cloud exposures in Expander.

Expander provides additional context about co-located cloud exposures, including configuration details and the particular customer asset (e.g. domain, certificate) associated with the exposure. With this additional cloud exposure information, customers are empowered to investigate potential vulnerabilities, remediate risk, and ensure the proper configuration of all of their cloud assets. The criticality level for co-located exposures is currently set as “Uncategorized” in the Cloud Exposures view, but customers have the ability to customize exposure severity.

With complete visibility into co-located cloud assets, customers are further enabled to evaluate and remediate security issues in the cloud with confidence. If you are a current customer, please reach out to your Engagement Manager if your team would like assistance. And if you’re not a customer, contact us to discuss how we can help your organization identify co-located cloud systems and services that could be vulnerable to attack.