Review Detected Exposures
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This feature is currently available only to selected organizations.
What are Exposures?
Exposures in Shisho Cloud refer to ports, or services running on ports, that are accessible from the internet. An exposure may be something users intentionally made reachable from the internet (such as web applications or VPNs), or something unintentionally opened by a configuration error.
Exposures differ from attack surfaces in how the information is obtained. Once an attack surface has been discovered by configuration inspection, Shisho Cloud conducts an active scan: it attempts to connect to the resource and port in question and, using a minimal number of connections, tries to determine the service running on any exposed port.
To summarize, exposure information is obtained by the following procedure:
- Automated/manually-triggered portscans against cloud resources detected to be accessible publicly
- Automated service detection scans against ports detected to be publicly accessible
Portscans and the scans that follow can only be conducted against resources that have a publicly accessible IP address, which are the resources detected as attack surfaces. The exposure detection feature therefore depends on attack surface detection, and on the Cloud Security Assessment features and the information they provide.
While Cloud Security Assessments provide a comprehensive view of the security posture of a wide range of your resources, exposure information builds on that view and enables a deeper look into the security of your resources by adding evidence on their security posture obtained from active scans.
How to view detected Exposures
Users with exposures enabled for their organization can view all exposures detected in their organization by visiting the Exposures tab on Applications.
By selecting the resource name, users are directed to the security graph page of the resource, where the details of the exposures detected for that resource are shown.
The Attack surfaces section of the details on the left-hand side indicates the IP address that the portscan targeted.
Below it, the Detected open ports section displays a list of detected exposures for that resource, detailing the protocol, port number, detected service name, and the time at which this exposure was last detected.
The exposure feature currently scans a fixed range of ports known to be commonly used by services. Service detection scans then attempt to identify the service by matching the response received from a port against known patterns. Should a response not match any known pattern, an N/A value is shown to indicate that no known service is running on the exposed port.
Users can also trigger a scan manually with the Conduct re-scan button, either to confirm a scan result or to confirm the state of an exposure after an unintended configuration has been fixed. Above the button, the time at which the last portscan (and the automated scans that followed the detection of an open port) was conducted is shown.
At the moment, besides manually triggered scans, portscans (and the scans that follow them) are conducted automatically when an attack surface with an accessible public IP address is first detected, and whenever a change in the resource's configuration settings is detected.
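The following is an added illustration, not Shisho Cloud's own code: a small Python model of the service-detection step (match a port's response against known patterns, fall back to N/A) and of comparing a first scan with a re-scan to confirm which exposures a configuration fix removed. The pattern table, responses and timestamp are constructed for the example; the patterns and port range Shisho Cloud actually uses are not documented on this page.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical pattern table constructed for this example; the patterns
# Shisho Cloud actually uses are not documented on this page.
SERVICE_PATTERNS = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("smtp", re.compile(rb"^220 [^\r\n]* E?SMTP")),
    ("ftp", re.compile(rb"^220[ -][^\r\n]*FTP")),
]

@dataclass(frozen=True)
class Exposure:
    """One row of the 'Detected open ports' list described above."""
    protocol: str
    port: int
    service: str          # "N/A" when no known pattern matched
    last_detected: datetime

def detect_service(response: bytes) -> str:
    """Match the bytes read from an open port against the known patterns."""
    for name, pattern in SERVICE_PATTERNS:
        if pattern.search(response):
            return name
    return "N/A"  # port is open, but nothing recognisable answered

def build_exposures(open_ports: dict, scanned_at: datetime) -> list:
    """open_ports maps (protocol, port) to the response captured from it."""
    return [Exposure(proto, port, detect_service(resp), scanned_at)
            for (proto, port), resp in sorted(open_ports.items())]

def closed_since(previous: list, current: list) -> set:
    """Exposures seen in an earlier scan but absent after a re-scan, i.e. the
    ports a configuration fix actually closed."""
    seen_now = {(e.protocol, e.port) for e in current}
    return {(e.protocol, e.port) for e in previous} - seen_now

# Constructed sample responses, as might be captured from a host with a public IP.
SCAN_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
FIRST_SCAN = {
    ("tcp", 22): b"SSH-2.0-OpenSSH_9.6\r\n",
    ("tcp", 80): b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    ("tcp", 25): b"220 mail.example.test ESMTP Postfix\r\n",
    ("tcp", 8443): b"",  # open, but the response matched nothing
}
# After ports 25 and 8443 are closed, the re-scan returns only two ports.
RESCAN = {k: v for k, v in FIRST_SCAN.items() if k[1] in (22, 80)}
```

Calling `build_exposures(FIRST_SCAN, SCAN_TIME)` yields one row per open port with 8443 reported as N/A, and `closed_since` over the two scans returns ports 25 and 8443 as the exposures the fix removed.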