External attack surface
You can explore and manage your external attack surface with Attack Surface Management capabilities in the Command Platform. Your external attack surface comprises IP addresses, domains, network services, and certificates, all of which are discovered using seeds. Seeds can be added manually or by leveraging data from your IT and cybersecurity management tools using dynamic seed queries. For more information on these concepts, refer to Attack Surface Management (Surface Command) Overview.
Prerequisites
Anyone with read access to Attack Surface Management (Surface Command) can view External Attack Surface data. However, you need the Attack Surface Management (Surface Command) Admin role to change Vector Command testing status (Red Team Findings only) or manage seeds. Review Manage Command Platform users for details.
Explore and manage your external attack surface
The External Attack Surface section of the Command Platform also hosts all seeds and discoveries from the Rapid7 External Asset Engine. The External Attack Surface is divided into several pages:
- Network Services: Displays open network ports indicating a service responding at the given address.
- Certificates: Displays SSL certificates associated with a web service.
- Domains: Displays top-level domains or subdomains that are accessible using the Domain Name System (DNS).
- IP Addresses: Displays independent IPv4 or IPv6 addresses referring to a discovered method of reaching an asset (note that the same asset may be listed by multiple addresses if it is accessible via multiple addresses).
- Discovery Seeds: Provides two tabs to display and manage your seeds and dynamic seed queries.
Continuous Red Teaming (Vector Command) user?
If you have a Continuous Red Teaming (Vector Command) license, you can also access your assessment reports from Findings > Red Team Findings.
Add seeds manually
Seeds are registered domains and public IP networks that help describe your external footprint on the Internet. These seeds drive a discovery process that uncovers the operational subdomains, network services, and TLS certificates used by your organization. Dynamic seed queries can also add and maintain seeds automatically.
To add seeds manually:
- Log in to Attack Surface Management (Surface Command).
- Go to Discovery Seeds.
- Click + Seeds. A window containing a free text field opens.
- Enter seeds (separated by spaces, commas, or line breaks) into the text field.
- Click Add Seeds. Rapid7’s External Asset Engine begins scanning your seeds immediately. You will see discoveries populate the External Attack Surface pages as appropriate.
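A local pre-check for a candidate seed list, run before pasting it into the text field, is shown here as an added example; it is not Rapid7 code and does not call any platform API. The function names are hypothetical, the validation rules are assumptions (the platform's own acceptance rules are not documented on this page), and it does not verify that a domain is actually registered.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def classify_seed(token):
    """Return (kind, normalized_value) for one seed or raise ValueError."""
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        net = None
    if net is not None:
        # Seeds are public IP networks: drop private, loopback, link-local
        # and other ranges that are not globally routable.
        if not net.is_global:
            raise ValueError("not a public network")
        return "network", str(net)
    name = token.lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a domain or IP network")
    if labels[-1].isdigit():
        raise ValueError("malformed IP address")
    return "domain", name

def prepare_seeds(raw):
    """Split on spaces, commas or line breaks; dedupe; collect rejects."""
    accepted, rejected, seen = [], [], set()
    for token in filter(None, re.split(r"[\s,]+", raw.strip())):
        try:
            kind, value = classify_seed(token)
        except ValueError as exc:
            rejected.append((token, str(exc)))
            continue
        if value not in seen:
            seen.add(value)
            accepted.append((kind, value))
    return accepted, rejected

# Constructed sample list; 8.8.8.8 stands in for a public address because
# the documentation ranges (such as 192.0.2.0/24) are non-global by design.
SAMPLE = "example.com, Example.COM.\n8.8.8.8 10.0.0.0/8 192.0.2.0/24 intranet"

if __name__ == "__main__":
    ok, bad = prepare_seeds(SAMPLE)
    print("\n".join(value for _, value in ok))  # paste into the seed field
    for token, reason in bad:
        print(f"rejected {token}: {reason}")
```

Review the rejected entries before adding the rest: a private range or single-label hostname in a seed list usually points at an internal inventory export that was not filtered for Internet-facing assets.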
Filter external attack surface
You can filter any External Attack Surface page using the Filter icon in any column header. Click Filter and adjust the operator to get started.
If you want to filter by types from third-party sources (for example, Microsoft, Cisco, CrowdStrike), you must add additional columns to the view.
To manage table columns:
- Build a query or go to an External Attack Surface page.
- Click the Manage table columns icon in the last column header.
- Optionally, toggle on Show source types to reveal third-party source types.
- Click + next to an entry to add the column or click - to remove the column.
Save and use filters
After filtering an External Attack Surface page, you can save the filter for later access. Anyone in Attack Surface Management (Surface Command) can access a saved filter.
To save a filter:
- Filter the External Attack Surface page as necessary.
- Click Save View.
- Enter a name for the view.
- Optionally, enter a description for the view.
- Click Save.
To access a saved filter:
- Go to an External Attack Surface page.
- Click Filter views (top-left corner).
- Select a filter. The filters with a lock icon denote a pre-made filter created by the Attack Surface Management (Surface Command) team.
To modify a saved filter:
- Go to an External Attack Surface page.
- Click Filter views (top-left corner).
- Select a filter.
- Remove, add, or modify filters as necessary.
- Save the filter:
  - Click Save View to update the filter with the current configuration. This option is not available for pre-made filters.
  - Click Save as… to save the current configuration as a new filter.
Manage and explore widgets
Widgets are used to populate dashboards. You can explore all widgets associated with the current filter view using the Widgets panel.
To explore widgets:
- Open an Attack Surface page.
- Optionally, filter the Attack Surface page or click Filter views to load a saved filter.
- Click Widgets > View Widgets. If the View Widgets button is inactive, there are no widgets for the current filter view.
- Search or filter the list as needed.
Hover your cursor on a widget to show a menu where you can edit a widget, duplicate a widget, see how many dashboards the widget is on, or delete a widget.
You can also create a widget from a filtered view.
To create a widget:
- Filter the Attack Surface page as needed or click Filter views to load a saved filter.
- Click Widgets > New Widget.
- Enter a name for the widget.
- Optionally enter a widget description.
- Select a widget type.
- Configure the widget as needed.
- Click Save.
Visit Managing dashboards for details on using dashboards.
Manage seeds
After you add a seed manually or a dynamic seed query adds a seed, you can allow or block the seed. To check the status of a seed, open Attack Surface Management (Surface Command) > Discovery Seeds > Seeds and hover your cursor on the status to show a pop-up containing details about the seed’s current status.
To allow or block a seed:
- Open Attack Surface Management (Surface Command) and go to Discovery Seeds > Seeds.
- Filter the list as necessary.
- Find a seed to edit.
- Hover on the Status value, click the Edit icon (pencil), and select an option:
  - Allowed: Enter a reason for allowing the seed to discover external attack surface assets uniquely associated with that seed.
  - Blocked: Enter a reason for blocking the seed to remove external attack surface assets uniquely associated with that seed.
- Confirm the action. It may take some time for the change to be reflected in your discovered external assets.
If a seed is added only manually (not by a dynamic seed query), you can delete it at any time. If a seed is added manually and by a dynamic seed query, you can opt to delete the duplicate, manual source. You cannot delete a dynamic seed.
To delete an exclusively manually-added seed:
- Open Attack Surface Management (Surface Command) and go to Discovery Seeds > Seeds.
- Filter the list as necessary.
- Find a seed to edit.
- Click Menu (…).
- Click Delete Seed.
- Confirm the action.
To delete a manually-added seed source for a dynamic seed:
- Open Attack Surface Management (Surface Command) and go to Discovery Seeds > Seeds.
- Filter the list as necessary.
- Find a seed to edit.
- Click Menu (…).
- Click Delete Manual Source.
- Confirm the action.
Manage dynamic seed queries
Dynamic seed queries are added by supported connectors and automatically manage seeds to keep your external asset inventory in sync with the connected tool. Dynamic seed queries add and remove seeds as the tool’s inventory changes, ensuring your view of the attack surface stays current.
The following connectors contain dynamic seed queries:
- Markmonitor
- NetBox
- Rapid7 Command Platform (using Application Security (InsightAppSec))
  - This connector is installed automatically with Attack Surface Management.
You must activate dynamic seed queries
After you install a connector with dynamic seed queries, the queries are added automatically to the Dynamic Seed Queries page but are inactive by default.
To view the seeds associated with a dynamic seed query:
- Open Attack Surface Management (Surface Command) and go to Discovery Seeds > Dynamic Seed Queries.
- Filter the list as necessary.
- Find a query.
- Hover on the Results value and click the Expand icon.
To change the status of a dynamic seed query:
- Open Attack Surface Management (Surface Command) and go to Discovery Seeds > Dynamic Seed Queries.
- Filter the list as necessary.
- Find a query to edit.
- Hover on the Status value, click the Edit icon, and select an option:
  - Active: Results of the query are included as seeds for external asset scans.
  - Inactive: Results of the query are no longer included as seeds for external asset scans.
- Confirm the action.
View properties
You can access properties from these locations:
- Query results - click the asset or identity in the results table.
- Widgets - click View results or View all query results, then click the asset or identity in the results table.
- Relationships graph - click an asset or identity node, then click Show details.
Properties are organized into two categories depending on where they come from: General properties and connector properties. This means you’ll see multiple tabs when you open the properties side panel. Navigate to a connector tab to see the properties associated with that particular connector.
Update statuses (Red Team Findings only)
Requires a Vector Command license
Updating statuses for your seeds requires an active Vector Command license. To learn more about Vector Command, visit Continuous Red Team Service.
After seeds have been added and the external attack surface discovery process has completed, you can update the status of discovered domains and IP addresses to adjust or filter your Red Team Findings attack plan.
To update the status of an individual asset:
- Log in to Attack Surface Management (Surface Command).
- Go to the Domains or IP Addresses page.
- Hover over the Testing Status value for an asset.
- Click Edit EASM Status (pencil icon).
- Select a status:
  - Approved: Indicates the asset has been reviewed and determined to be owned by your organization and part of your attack surface.
  - Rejected: Indicates the asset has been reviewed and determined not to be owned by or relevant to your organization. This asset is not part of your attack surface.
  - Not Reviewed: Indicates the asset has not been reviewed or confirmed yet.
  - Not Approved: Indicates the asset has been reviewed and determined to be owned by your organization but should not be considered part of your attack surface.
  - SaaS: Indicates the asset is related to a Software as a Service (SaaS) product your organization uses and does not own but should be part of your attack surface.
Notice an Unknown status?
Unknown statuses are rare but can occur if other data sources are providing IP addresses or Domains that Rapid7 has not discovered yet. You cannot change an Unknown status.
To update the status of assets in bulk:
- Log in to Attack Surface Management (Surface Command).
- Go to the Domains or IP Addresses page.
- Filter the page as necessary.
- Click Change Status.
- Select the group of assets to change status for:
  - This page: Change status for all assets on the current page (limited to 25 assets).
  - All results: Change status for all assets.
  - Filtered results: This option is available if a filter is currently applied. Change status for all filtered assets.
- Select a status:
  - Approved: Indicates the asset has been reviewed and determined to be owned by your organization and part of your attack surface.
  - Rejected: Indicates the asset has been reviewed and determined not to be owned by or relevant to your organization. This asset is not part of your attack surface.
  - Not Reviewed: Indicates the asset has not been reviewed or confirmed yet.
  - Not Approved: Indicates the asset has been reviewed and determined to be owned by your organization but should not be considered part of your attack surface.
  - SaaS: Indicates the asset is related to a Software as a Service (SaaS) product your organization uses and does not own but should be part of your attack surface.
- Click Change Status. A summary of the changed statuses is displayed.
- Click Close and Refresh.