External attack surface

You can explore and manage your external attack surface in Surface Command. Your external attack surface comprises IP addresses, domains, network services, and certificates, all of which are discovered using seeds. For more information on these concepts, refer to Surface Command Overview.

Prerequisites

Anyone with read access to Surface Command can view External Attack Surface data. However, you need the Surface Command Admin role to change testing status (Vector Command only) or manage seeds. Review Manage Command Platform users for details.

Explore and manage your external attack surface

The External Attack Surface section of Surface Command also hosts all seeds and discoveries from the Rapid7 External Asset Engine. The External Attack Surface is divided into several pages:

  • Network Services: Displays open network ports indicating a service responding at the given address.
  • Certificates: Displays SSL certificates associated with a web service.
  • Domains: Displays top-level domains or subdomains that are accessible using the Domain Name System (DNS).
  • IP Addresses: Displays independent IPv4 or IPv6 addresses referring to a discovered method of reaching an asset (note that the same asset may be listed by multiple addresses if it is accessible via multiple addresses).
  • Vector Command: Links to your assessment reports. This section is only available if you have a Vector Command license.
  • Discovery Seeds: Displays your seeds. You can also manage seeds from this page.

Add seeds (Surface Command)

Seeds are used to discover the IP addresses, domains, network services, and certificates used in your environment, which helps build visibility into your external attack surface.

To add seeds:

  1. Log in to Surface Command.
  2. Go to Discovery Seeds.
  3. Click Add Seeds. A window containing a free text field opens.
  4. Enter seeds (separated by spaces, commas, or line breaks) into the text field.
  5. Click Add Seeds. Rapid7’s External Asset Engine begins scanning your seeds immediately. You will see discoveries populate the External Attack Surface pages as appropriate.

Filter

You can filter any External Attack Surface page using the Filter icon in any column header. Click Filter and adjust the operator to get started.

Save and use filters

After filtering an External Attack Surface page, you can save the filter for later access. Anyone in Surface Command can access a saved filter.

To save a filter:

  1. Filter the External Attack Surface page as necessary.
  2. Click Save View.
  3. Enter a name for the view.
  4. Optionally, enter a description for the view.
  5. Click Save.

To access a saved filter:

  1. Go to an External Attack Surface page.
  2. Click Filter views (top-left corner).
  3. Select a filter. The filters with a lock icon denote a pre-made filter created by the Surface Command team.

To modify a saved filter:

  1. Go to an External Attack Surface page.
  2. Click Filter views (top-left corner).
  3. Select a filter.
  4. Remove, add, or modify filters as necessary.
  5. Save the filter:
    1. Click Save View to update the filter with the current configuration. This option is not available for pre-made filters.
    2. Click Save as... to save the current configuration as a new filter.

View properties

You can access properties from these locations:

  • Query results - click the asset or identity in the results table.
  • Widgets - click View results or View all query results, then click the asset or identity in the results table.
  • Relationships graph - click an asset or identity node, then click Show details.

Properties are organized into two categories depending on where they come from: General properties and connector properties. This means you'll see multiple tabs when you open the properties side panel. Navigate to a connector tab to see the properties associated with that particular connector.

Update statuses (Vector Command only)

After seeds have been added, you can update the status of discovered network services, certificates, domains, and IP addresses to adjust or filter your Vector Command attack plan.

To update the status of an individual asset:

  1. Log in to Surface Command.
  2. Go to one of the External Attack Surface pages (Network Services, Certificates, Domains, IP Addresses).
  3. Hover over the Testing Status value for an asset.
  4. Click Edit EASM Status (pencil icon).
  5. Select a status:
    • Approved: Indicates the asset has been reviewed and determined to be owned by your organization and part of your attack surface.
    • Rejected: Indicates the asset has been reviewed and determined not to be owned by or relevant to your organization. This asset is not part of your attack surface.
    • Not Reviewed: Indicates the asset has not been reviewed or confirmed yet.
    • Not Approved: Indicates the asset has been reviewed and determined to be owned by your organization but should not be considered part of your attack surface.
    • SaaS: Indicates the asset is related to a Software as a Service (SaaS) product your organization uses and does not own but should be part of your attack surface.

Notice an Unknown status?

Unknown statuses are rare but can occur if other data sources are providing IP addresses or Domains that Rapid7 has not discovered yet. You cannot change an Unknown status.

To update the status of assets in bulk:

  1. Log in to Surface Command.
  2. Go to one of the External Attack Surface pages (Network Services, Certificates, Domains, IP Addresses).
  3. Filter the page as necessary.
  4. Click Change Status.
  5. Select the group of assets to change status for:
    • This page: Change status for all assets on the current page (limited to 25 assets).
    • All results: Change status for all assets.
    • Filtered results: This option is available if a filter is currently applied. Change status for all filtered assets.
  6. Select a status:
    • Approved: Indicates the asset has been reviewed and determined to be owned by your organization and part of your attack surface.
    • Rejected: Indicates the asset has been reviewed and determined not to be owned by or relevant to your organization. This asset is not part of your attack surface.
    • Not Reviewed: Indicates the asset has not been reviewed or confirmed yet.
    • Not Approved: Indicates the asset has been reviewed and determined to be owned by your organization but should not be considered part of your attack surface.
    • SaaS: Indicates the asset is related to a Software as a Service (SaaS) product your organization uses and does not own but should be part of your attack surface.
  7. Click Change Status. A summary of the changed statuses is displayed.
  8. Click Close and Refresh.

Explore and manage your external attack surface in the Command Platform

Start managing attack surface in Surface Command

You can continue to use the original external attack surface interface in the Command Platform while you get familiar with the Surface Command interface, but the original interface will be retired in an upcoming release. Ideally, you should only use one interface for adding seeds and updating Vector Command statuses. Rapid7 recommends exploring and managing your external attack surface in Surface Command. This is because external attack surface components are treated as asset types in Surface Command, so you can use them to create filter views, discover relationships, create queries, and build widgets and dashboards.

Original interface details

The External Attack Surface section of the Command Platform (Attack Surface > External Attack Surface) hosts all seeds and discoveries from the Rapid7 External Asset Engine. The External Attack Surface is divided into three tabs:

  • Seeds: Displays existing seeds. You can also add seeds from this page.
  • IPs & Domains: Displays the following:
    • Independent IPv4 or IPv6 addresses referring to a discovered method of reaching an asset (note that the same asset may be listed by multiple addresses if it is accessible via multiple addresses).
    • Top-level domains or subdomains that are accessible using the Domain Name System (DNS).
  • Network Services & Certificates: Displays the following:
    • SSL certificates associated with a web service.
    • Open network ports indicating a service responding at the given address.

The information available with each discovery includes its Type, Name, Severity and Status. The Name identifies the discovery based on the given type, and the Status helps you take action on the discovery. Severity is automatically determined by Rapid7 based on the impact a compromise could have and cannot be adjusted.

Status is limited to Vector Command

The status for a given external asset is only applicable to Vector Command customers.

Add seeds (Command Platform)

To add seeds:

  1. Log in to the Command Platform and navigate to Command Platform Home.
    1. If your company has multiple Rapid7 Organizations, for example for multiple divisions or locations, ensure you select the correct Organization by using the drop-down next to the Rapid7 logo. This will help keep your external attack surface findings appropriate for the given organization. If you only have one Organization, you can skip this step.
  2. In the navigation menu, click Attack Surface > External Attack Surface > Seeds. On the Seeds tab, you will see a brief introduction if you have never added seeds before or a list of existing seeds.
  3. Click Add Seeds. A window containing a free text field opens.
  4. Enter seeds (separated by spaces, commas, or line breaks) into the text field.
  5. Click Add Seeds. Rapid7’s External Asset Engine begins scanning your seeds immediately, and you will see discoveries populate the IPs & Domains and Network Services & Certificates tabs as appropriate.

Update statuses (Vector Command only)

After seeds have been added, you can update the status of IP addresses and domains to assist with filtering or adjusting your attack plan.

To update the status of an asset:

  1. Log in to the Command Platform.
  2. Go to Attack Surface > External Attack Surface > IPs & Domains.
  3. Select an item or items.
  4. Adjust the status:
    • Not Reviewed: Indicates the asset has not been reviewed or confirmed yet.
    • Accepted: Indicates the asset has been reviewed and determined to be owned by your organization and part of your attack surface.
    • Rejected: Indicates the asset has been reviewed and determined not to be owned by or relevant to your organization. This asset is not part of your attack surface.
    • SaaS: Indicates the asset is related to a Software as a Service (SaaS) product your organization uses and does not own but should be part of your attack surface.
  5. Click Change Status.

Export data

You may reveal unexpected or previously unknown discoveries with this feature, and it’s important to take appropriate action. You may want to send filtered results to specific teams or create tickets for further investigation or remediation.

To export data:

On the top-right corner of each tab, click Export, and select from CSV or JSON export formats. CSV files can be easily converted to a spreadsheet for further filtering and analysis, while JSON files work better with automation tools and scripts.
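
A triage pass over an exported CSV, as an added example that is not Rapid7 code: it groups discoveries by the status definitions above and orders each group by severity so the unreviewed items can be handed to the right team. The column headers (Type, Name, Severity, Status), the severity labels, and the sample rows are assumptions; adjust them to match your actual export.

```python
import csv
import io
from collections import defaultdict

# Status groups follow the definitions on this page (both interfaces).
IN_SCOPE = {"approved", "accepted", "saas"}
OUT_OF_SCOPE = {"rejected", "not approved"}
# Anything else ("Not Reviewed", "Unknown", blank) still needs a human decision.

# Assumed severity labels, most severe first; unrecognised labels sort last.
SEVERITY_ORDER = ["critical", "high", "medium", "low"]

def severity_rank(label):
    label = label.strip().lower()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else len(SEVERITY_ORDER)

def triage(csv_text):
    """Split exported discoveries into in_scope / out_of_scope / needs_review."""
    # Assumed column headers: Type, Name, Severity, Status.
    buckets = defaultdict(list)
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Type"].strip().lower(), row["Name"].strip().lower())
        if key in seen:  # same discovery present twice in merged exports
            continue
        seen.add(key)
        status = row["Status"].strip().lower()
        bucket = ("in_scope" if status in IN_SCOPE
                  else "out_of_scope" if status in OUT_OF_SCOPE
                  else "needs_review")
        buckets[bucket].append(row)
    for rows in buckets.values():
        rows.sort(key=lambda r: (severity_rank(r["Severity"]), r["Type"], r["Name"]))
    return dict(buckets)

# Constructed sample export using documentation-reserved names and addresses.
SAMPLE = """Type,Name,Severity,Status
Domain,shop.example.com,Medium,Approved
IP Address,203.0.113.10,High,Not Reviewed
Network Service,203.0.113.10:3389,Critical,Not Reviewed
Domain,crm.example.net,Low,SaaS
Domain,old.example.org,Low,Rejected
IP Address,198.51.100.7,Medium,Unknown
Domain,SHOP.example.com,Medium,Approved
"""

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE).items():
        print(bucket, [(r["Severity"], r["Name"]) for r in rows])
```

The needs_review group is the one to route for ownership confirmation, since Not Reviewed and Unknown assets have not yet been placed in or out of the attack surface.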