
Configure and run an external attack surface scan to detect unexpected exposures and vulnerabilities in internet-facing assets.

Important
This is a "Pre-release" feature and is not considered an official release. Please review the Pre-release disclaimer before using the feature.
Scans created from the external attack surface scan template show your organization's security posture as an external attacker would see it. External attack surface scans focus on public IP addresses, domains, and subdomains to identify misconfigurations, outdated software, and unintentionally exposed services.
To configure an external attack surface scan, you need:
  • A Service Gateway deployed to your AWS account or Azure subscription with the latest version of the Network Vulnerability Scanner service installed
  • Public IP addresses, domains, and subdomains to scan
Important
The following limitations and requirements apply to external attack surface scans:
  • External attack surface scans are only available when using Trend Micro solutions for internet-facing asset discovery. Scans are not supported if you are only using a third-party product for asset discovery. To discover assets on your network, consider creating and running a discovery scan.
  • Service Gateways used for scanning must be deployed to a public cloud platform such as AWS or Microsoft Azure and must be running in order to scan external assets. A Service Gateway deployed on-premises may be unable to reach internet-facing assets because of egress restrictions on your network, and its results would not reflect what an outside attacker can see. To learn more, see Deploying a Service Gateway virtual appliance with AWS and Deploying a Service Gateway virtual appliance with Microsoft Azure.
  • Service Gateways used for scanning must have the Network Vulnerability Scanner service version 1.1.0 or later installed. If necessary, you can update the Network Vulnerability Scanner service in Service Gateway Management.
  • Root domains and IPv6 addresses are not currently supported for scanning.

Procedure

  1. Install the Network Vulnerability Scanner service on your deployed Service Gateway.
    1. In Workflow and Automation > Service Gateway Management, click the name of the desired Service Gateway to view details.
    2. Click Manage services to view the list of available services.
    3. Find and install the latest version of the Network Vulnerability Scanner service.
      Note
      The Network Vulnerability Scanner service requires at least 2 CPUs and 4 GB of virtual memory.
    The Network Vulnerability Scanner service appears in the list of installed services for the Service Gateway.
  2. Create a new external attack surface scan.
    1. In Cyber Risk Exposure Management > Vulnerability Management > Network Vulnerability Scanner, click Create scan, either from Network scans or under External attack surface scan in Scan templates.
    2. Specify a name and description for the scan.
    3. Select the Service Gateway to use for the scan. Only Service Gateways with the Network Vulnerability Scanner service installed are available.
    4. Click Select assets to choose up to 100 public IP addresses, domains, and subdomains to include in the scan. Only assets that appear on the Internet-facing assets list in Attack Surface Discovery are available for scanning. To scan an asset that is not on the list, add the asset to Attack Surface Discovery first.
    5. Choose whether to trigger the scan at a specified scheduled interval or to only allow manual scanning.
    6. Click Save only to save the scan and wait for the scan to run according to your configured schedule or Save and run scan to save and trigger the scan immediately.
    The newly configured scan appears on the list in Network scans.
  3. After the scan completes, you can download a report containing the scan results from Scan reports.
    Important
    • Scan duration varies based on the number of assets you have specified for the scan and the complexity of the external attack surface.
    • Only the most recent scan report for each scan is retained; each run overwrites the previous report. To keep a record of an earlier scan, download the report before the next scheduled scan runs.
  4. View asset information and manage risk.
    1. Go to Attack Surface Discovery to view any additional asset profile information discovered during the scan.
    2. Click View latest system configuration risk events in Scan reports to manage any risk events detected during the scan in Threat and Exposure Management.
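The limitations above (no root domains, no IPv6, public assets only) and the 100-asset cap in the asset selection step are easy to trip over when you assemble a target list from a spreadsheet or a DNS export. The following pre-flight check is an added example written for this page, not part of the Trend Micro product or its documentation: it classifies each candidate target, rejects the kinds the scan does not accept, drops duplicates, and reports how many accepted assets exceed the limit. The target list and the short public-suffix table are constructed for the example; a real check should load the full Public Suffix List, and the names `classify` and `check_scan_targets` are this example's own.

```python
import ipaddress
import re

# Constructed target list for this example (not from the page). It mixes
# supported and unsupported entries so every check below fires at least once.
SAMPLE_ASSETS = [
    "8.8.8.8",              # public IPv4 (well-known resolver, stands in for one of your own IPs)
    "10.0.0.5",             # RFC 1918 address: not internet-facing
    "2001:db8::1",          # IPv6: not supported by the scan
    "example.com",          # root domain: not supported by the scan
    "www.example.com",      # subdomain: supported
    "api.example.co.uk",    # subdomain under a two-label public suffix
    "example.co.uk",        # root domain under a two-label public suffix
    "8.8.8.8",              # duplicate of the first entry
]

# Tiny stand-in for the Public Suffix List (https://publicsuffix.org/);
# a production check should load the full list. Assumption of this example.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}

MAX_ASSETS = 100  # per-scan asset limit stated in the procedure

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def classify(asset):
    """Return (kind, supported) for one candidate scan target."""
    asset = asset.strip().lower()
    try:
        ip = ipaddress.ip_address(asset)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version == 6:
            return "ipv6", False
        if not ip.is_global:
            return "non-public-ipv4", False
        return "public-ipv4", True
    if not HOSTNAME_RE.match(asset):
        return "invalid-hostname", False
    labels = asset.split(".")
    # Longest matching public suffix wins, so "co.uk" beats "uk".
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            break
    else:
        return "unknown-suffix", False
    # Registrable (root) domain = suffix plus one label; anything longer is a subdomain.
    if len(labels) == n + 1:
        return "root-domain", False
    return "subdomain", True


def check_scan_targets(assets, limit=MAX_ASSETS):
    """Split a target list into accepted assets and rejected (asset, reason) pairs."""
    accepted, rejected, seen = [], [], set()
    for raw in assets:
        asset = raw.strip().lower()
        if asset in seen:
            rejected.append((asset, "duplicate"))
            continue
        seen.add(asset)
        kind, supported = classify(asset)
        if supported:
            accepted.append(asset)
        else:
            rejected.append((asset, kind))
    over_limit = max(0, len(accepted) - limit)
    return {"accepted": accepted, "rejected": rejected, "over_limit": over_limit}


if __name__ == "__main__":
    result = check_scan_targets(SAMPLE_ASSETS)
    for asset in result["accepted"]:
        print(f"OK      {asset}")
    for asset, reason in result["rejected"]:
        print(f"REJECT  {asset}  ({reason})")
    if result["over_limit"]:
        print(f"{result['over_limit']} asset(s) over the {MAX_ASSETS} limit; split them into another scan")
```

Run it over your own list before clicking Select assets: everything under REJECT either needs to be replaced (a root domain by the specific subdomains that actually serve traffic) or left for another tool, and any count over the limit tells you how many additional scans to create.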

What to do next

Tip
You can also manually scan for exposures in internet-facing assets from Attack Surface Discovery. For more information, see Internet-facing asset exposure scans.