What is the External Scan?

Intro

The external scan is a preventive tool created by Stoïk. It aims to identify vulnerabilities in the company's information system through an automated weekly analysis of its external surface. The external scan is non-intrusive and focuses only on the company's publicly accessible external infrastructure.

Some of Stoïk's insurees are regularly scanned by organisations not affiliated with Stoïk.

If you experience a scan that affects the availability of your IT system, you can contact CERT Stoïk, our incident response team, directly at the emergency number indicated on your insurance policy or at [email protected]. Our CERT team is available 24/7.

Stoïk also recommends using a web application firewall (WAF) or a solution such as Cloudflare to mitigate distributed denial-of-service (DDoS) attacks.

What is an attack exploiting technical vulnerabilities?

This is a cyberattack in which an attacker takes advantage of a vulnerability in your computer system to gain access to it or to act within it.

These vulnerabilities can be:

  • Outdated software that has not been patched.

  • Poorly configured services.

  • Open ports accessible from the Internet.

  • Systems not protected by security mechanisms.

Cybercriminals use automated tools or targeted techniques to detect these flaws and then exploit them to take control of the system, steal data, deploy malware (e.g. ransomware) or disrupt your business.

Here are four basic recommendations to protect yourself:

  1. Address vulnerabilities detected by the Stoïk External Scan.

  2. Regularly update all systems and software.

  3. Limit services exposed to the Internet.

  4. Apply security best practices from the initial configuration.

The "External Surface" tab

You can access your Stoïk External Scan by going to the External Surface tab in your Stoïk Protect account.

Stoïk External Scan automatically and continuously inspects your resources accessible from the Internet to detect open ports and known vulnerabilities that could be exploited by an attacker. In particular, it identifies:

  • Ports accessible from the outside (potential entry points for an attacker).

  • Exposed services and technologies.

  • Known vulnerabilities (CVEs) that can be exploited if patches are not applied.

The external scan then conducts an audit to identify technical vulnerabilities, aiming to discover them before they can be exploited. It also examines other external information, such as Internet reputation or the presence of data leaks related to the main domain name.

Finally, it detects vulnerabilities by cross-referencing the identified services with the CVE database, and it performs port scans to check which ports are open. If a vulnerability is identified, it is displayed on the "Infrastructure" tab of your Stoïk Protect platform.
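
As an added illustration (not Stoïk's own code or scan output), the following Python script models the three kinds of finding described above: an administrative port reachable from the Internet, the service and version behind it, and a known CVE that applies because the observed version is older than the first fixed release. The hosts, versions and advisories are constructed sample data, the CVE ids are placeholders rather than real identifiers, and the set of "administrative" ports is an assumed policy, not something the article defines.

```python
# Added example, not part of the Stoïk article or product: a small model of the
# three things the text says the scan identifies (exposed ports, exposed services
# and versions, known CVEs when patches are missing). All hosts, versions,
# advisories and CVE ids below are constructed sample data; the CVE ids are
# placeholders, not real identifiers. Runs offline.
from dataclasses import dataclass

# Constructed scan observations for a fictional domain: host -> IP and
# port -> (product, version) as a service fingerprint would report them.
OBSERVED_HOSTS = {
    "www.example.com":  {"ip": "203.0.113.10", "ports": {80: ("nginx", "1.24.0"), 443: ("nginx", "1.24.0")}},
    "mail.example.com": {"ip": "203.0.113.20", "ports": {25: ("postfix", "3.7.4"), 993: ("dovecot", "2.3.19")}},
    "old.example.com":  {"ip": "203.0.113.30", "ports": {22: ("openssh", "7.4"), 8080: ("tomcat", "9.0.40")}},
}

# Constructed advisories: product and the first fixed version; anything older is
# treated as affected. The CVE ids are placeholders.
ADVISORIES = [
    {"product": "openssh", "fixed_in": "9.8",    "cve": "CVE-0000-0001 (placeholder)"},
    {"product": "tomcat",  "fixed_in": "9.0.50", "cve": "CVE-0000-0002 (placeholder)"},
    {"product": "nginx",   "fixed_in": "1.20.0", "cve": "CVE-0000-0003 (placeholder)"},
]

# Assumed policy (not from the article): ports that should not be reachable from
# the whole Internet without a VPN or an allow-list in front of them.
ADMIN_PORTS = {22, 3389, 8080}


@dataclass(frozen=True)
class Finding:
    host: str
    ip: str
    port: int
    kind: str      # "open-admin-port" or "known-cve"
    detail: str


def parse_version(text):
    """Turn '9.0.40' into (9, 0, 40) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, fixed_in):
    """True when the observed version is older than the first fixed release."""
    return parse_version(version) < parse_version(fixed_in)


def audit(hosts, advisories, admin_ports=ADMIN_PORTS):
    """Return the findings an external scan would raise for this inventory."""
    findings = []
    for host, info in sorted(hosts.items()):
        for port, (product, version) in sorted(info["ports"].items()):
            if port in admin_ports:
                findings.append(Finding(host, info["ip"], port, "open-admin-port",
                                        f"{product} {version} reachable from the Internet"))
            for adv in advisories:
                if adv["product"] == product and is_affected(version, adv["fixed_in"]):
                    findings.append(Finding(host, info["ip"], port, "known-cve",
                                            f"{product} {version} < {adv['fixed_in']}: {adv['cve']}"))
    return findings


def summarize(findings):
    """Count findings per kind, the shape of the overview a dashboard tab shows."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(OBSERVED_HOSTS, ADVISORIES)
    for f in results:
        print(f"{f.host} ({f.ip}):{f.port} [{f.kind}] {f.detail}")
    print(summarize(results))
```

With the constructed data, only old.example.com produces findings: SSH and Tomcat are both reachable on administrative ports, and both run versions older than the placeholder fix, so the same host yields two "open-admin-port" and two "known-cve" findings, while the patched nginx front end yields none.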

Stoïk External Scan: Methodology and impact on IT infrastructure

The External Scan runs continuously, discreetly and non-intrusively.

Designed to combine efficiency and discretion, it generates a very low volume of requests, thus limiting the risk of detection or blocking by your security tools.

It accurately identifies known vulnerabilities in your Internet-exposed infrastructure without impacting the operation of your systems. In more technical terms, it starts from the company's domain name to estimate its attack surface, searching for everything within its external perimeter. The domain name is the company's public identity on the Internet and ties together its domains, subdomains, associated IP addresses and the services they expose. In practical terms, these are all the paths through which a malicious actor might attempt to gain entry.

The external scan is built on an aggregation of open-source tools, the main ones being Shodan, Nucleus, Censys and Sublist3r. To run, the scan issues a significant number of queries from an AWS IP range located in Ireland once a week, during the night from Friday to Saturday.
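
Because the article notes that unaffiliated organisations also scan insurees, a practitioner will want to tell the expected weekly Stoïk scan apart from other scanning in firewall logs. The script below is an added example, not Stoïk tooling: it labels each source address by whether it falls inside the expected scanner range and inside the Friday-night window, and flags unknown sources that probe several distinct ports. The CIDR is a placeholder (the article gives no range), the exact window hours are an assumption, and the log lines are constructed.

```python
# Added example, not part of the Stoïk article: classify firewall log lines so
# the expected weekly scan can be told apart from scans by unaffiliated parties.
# The article only says the scan comes from an AWS IP range in Ireland during
# the night from Friday to Saturday; the CIDR below is a PLACEHOLDER to replace
# with the range actually published by the scanner operator, the window hours
# are an assumption, and the log lines are constructed sample data.
from datetime import datetime
from ipaddress import ip_address, ip_network

# PLACEHOLDER range: the real one is not given in the article.
EXPECTED_SCANNER_RANGES = [ip_network("198.51.100.0/24")]

# Assumed window: Friday 20:00 through Saturday 08:00, in the log's local time.
WINDOW_START_HOUR = 20   # Friday evening
WINDOW_END_HOUR = 8      # Saturday morning

# Constructed log lines: "<ISO timestamp> <src_ip> <dst_port> <action>".
# 2024-06-14 is a Friday, 2024-06-15 a Saturday, 2024-06-17 a Monday.
SAMPLE_LOG = """\
2024-06-14T23:12:05 198.51.100.7 443 allow
2024-06-14T23:12:06 198.51.100.7 22 deny
2024-06-15T01:40:13 198.51.100.9 8080 deny
2024-06-17T10:05:44 198.51.100.7 443 allow
2024-06-17T10:06:01 203.0.113.55 22 deny
2024-06-17T10:06:02 203.0.113.55 23 deny
2024-06-17T10:06:03 203.0.113.55 3389 deny
"""


def in_window(ts):
    """True if ts lies in the Friday-night-to-Saturday-morning scan window."""
    weekday, hour = ts.weekday(), ts.hour          # Monday=0 ... Friday=4, Saturday=5
    return (weekday == 4 and hour >= WINDOW_START_HOUR) or (weekday == 5 and hour < WINDOW_END_HOUR)


def parse_line(line):
    """Split one constructed log line into (timestamp, source IP, port, action)."""
    ts, src, port, action = line.split()
    return datetime.fromisoformat(ts), ip_address(src), int(port), action


def classify_source(src, ts):
    """Label one event by source range and schedule."""
    if any(src in net for net in EXPECTED_SCANNER_RANGES):
        return "expected-scan" if in_window(ts) else "expected-source-off-schedule"
    return "unknown"


def triage(log_text, probe_threshold=3):
    """Group events by source and return {src: (label, sorted distinct ports)}.

    An unknown source touching at least probe_threshold distinct ports is
    labelled a third-party scan; an expected source seen outside its window is
    kept separate so it can be checked rather than silently trusted.
    """
    per_source = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port, _ = parse_line(line)
        entry = per_source.setdefault(str(src), {"labels": set(), "ports": set()})
        entry["labels"].add(classify_source(src, ts))
        entry["ports"].add(port)

    result = {}
    for src, entry in per_source.items():
        if "unknown" in entry["labels"]:
            label = "third-party-scan" if len(entry["ports"]) >= probe_threshold else "unknown-traffic"
        elif "expected-source-off-schedule" in entry["labels"]:
            label = "expected-source-off-schedule"
        else:
            label = "expected-scan"
        result[src] = (label, sorted(entry["ports"]))
    return result


if __name__ == "__main__":
    for src, (label, ports) in triage(SAMPLE_LOG).items():
        print(f"{src:15} {label:30} ports={ports}")
```

On the constructed log, 198.51.100.9 is labelled an expected scan, 198.51.100.7 is flagged as an expected source seen off schedule because of its Monday-morning event, and 203.0.113.55, which probes three ports from outside the range, is labelled a third-party scan. The off-schedule bucket is the one worth a second look: either the published range or the schedule has changed, or something else is using that address space.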

Differences between the external scan of a customer and a prospect

The Stoïk external scan runs even before you subscribe to Stoïk insurance, in order to determine your eligibility. However, Stoïk does not perform the same type of scan depending on whether you are a prospect or a customer.

This is because prospect analyses have different priorities than customer analyses. For example, for a prospect, speed of eligibility is important, whereas for a customer, comprehensive coverage of vulnerabilities is more important.

To reflect this, the "Prospect" external analysis scenario removes several resource-intensive steps. Specifically:

  • The "Bruteforce" task is not enabled: data leaks are not tested.

  • The "Technology Discovery" task is not enabled: the technologies used by all customers are no longer checked, in order to improve scan speed.

  • The minimum throughput is increased: more queries are performed per second, significantly improving analysis speed.

As a result, prospect analyses are faster and less thorough than those of Stoïk clients, which are longer but more comprehensive.
