Investigating Assets - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-08-29
Last date published: 2024-11-12
Category: User Guide
Solution: Cloud

The following sections provide information about how to use filters to monitor and find potentially vulnerable assets in your Inventory.

Validating recently added assets will ensure you always have an accurate and up-to-date asset inventory and are receiving alerts on incidents that are important to you.

  1. Navigate to Inventory → Unified Inventory or Inventory → <Asset Type>.

  2. Sort on the First Observed column by clicking on the up/down arrow next to the First Observed column heading.


Note the difference between the First Observed and Date Added columns:

  • First Observed: the first time Cortex Xpanse sees the asset.

  • Date Added: when the asset was added to the map (applies to an IP range or domain).

Expired certificates open up multiple attack vectors, including phishing attacks and data breaches, and weaken the security of your web applications. Additionally, an expired certificate can cause reputation loss when users are greeted by an expired-certificate warning on your public interfaces, and revenue loss when customers choose not to proceed past the warning.

  1. Navigate to Inventory → Certificates

  2. Click the filter icon in the upper right corner to display the filter.

  3. Set the filters as follows:

    • Certificate Classifications Contains Expired

    • +AND

    • Last Observed = Last 7D

  4. Click anywhere outside the filter to activate it.


To remediate expired certificates, identify where the expired certificate is within your IT ecosystem, renew the expired certificate, and install a new digital certificate.

A self-signed certificate is a certificate that is not signed by a publicly trusted certificate authority (CA). When used in production environments, self-signed certificates leave systems exposed to vulnerabilities and security breaches. Additionally, the security warnings associated with self-signed certificates can drive away potential clients and impact brand reputation.

Use the following filter to find self-signed certificates that Cortex Xpanse has observed in the last week:

  1. Navigate to Inventory → Certificates

  2. Click the filter icon in the upper right corner to display the filter.

  3. Set the filters as follows:

    • Certificate Classifications Contains SelfSigned

    • +AND

    • Last Observed = Last 7D

  4. Click anywhere outside the filter to activate it.


To remediate, exchange self-signed certificates for signed certificates.

A dangling DNS record is a DNS record that has been misconfigured or that points to a domain that has been abandoned. Because the domain is abandoned, it can be easily hijacked by threat actors and used to gain initial access to a network. Dangling DNS records can be exploited for domain hijacking and subdomain takeover, which can lead to loss of control over the subdomain's content, cookie harvesting from unsuspecting visitors, and phishing campaigns.

Use the following filter to find dangling DNS records.

  1. Navigate to Inventory → Domains

  2. Click the filter icon in the upper right corner to display the filter.

  3. Set the filters as follows:

    • Resolves = Yes

    • +AND

    • Has Active Services = No

    • +AND

    • Externally Detected Providers not Contains On Prem

  4. Click anywhere outside the filter to activate it.


To remediate a dangling DNS record, update or remove DNS records that are not associated with an active service.

Shadow IT refers to any IT used by employees without the approval or oversight of the IT organization. The limited visibility introduced by shadow IT increases the probability of vulnerabilities, misconfigurations, and policy violations. The expanded attack surface also increases the chances of data theft, since these assets are not protected by your security solutions and could be used as a pathway into the organization's broader network.

Use the following filter to find shadow IT.

  1. Navigate to Inventory → Services

  2. Click the filter icon in the upper right corner to display the filter.

  3. Set the filters as follows:

    • Discovery Type = Directly Discovered

    • +AND

    • Externally Detected Providers not Contains On Prem, Amazon Web Services, Google, Microsoft Azure

  4. Click anywhere outside the filter to activate it.


To remediate, make sure your organization enforces your security posture, policies, and compliance.

Public-facing internal IP addresses provide an indication of what your internal subnets are and can be used to track back-end servers sitting behind load balancers. They can also be an indication of a misconfigured asset.

There are two ways to find internal public-facing IP addresses: from the Domains page and from the Services page.

How to find public-facing internal IP addresses from the Domains page

  1. Navigate to Inventory → Domains

  2. Click the filter icon in the upper right corner to display the filter.

  3. Set the filters as follows:

    • Externally Detected Providers Contains Reserved Ips

  4. Click anywhere outside the filter to activate it.

How to find public-facing internal IP addresses from the Services page

  1. Navigate to Inventory → Services

  2. Click the filter icon in the upper right corner to display the filter.

  3. Set the filters as follows:

    • Discovery Type = Directly Discovered

    • +AND

    • Active Classifications Contains InternalIpAddressAdvertisement

  4. Click anywhere outside the filter to activate it.


To remediate public-facing internal IP addresses, reconfigure relevant services to mask private addresses and rewrite addresses with anonymous identifiers so that an attacker cannot infer any useful information about your infrastructure.

Non-standard port usage increases the potential for malicious actors to gain unauthorized access to your network. Non-standard port usage can also be an indication of a misconfigured asset.

  1. Navigate to Inventory → Services

  2. Click the filter icon in the upper right corner to display the filter.

  3. Set the filters as follows:

    • Discovery Type = Directly Discovered

    • +AND

    • Service Name Contains http server

    • +AND

    • Port != 80,443

  4. Click anywhere outside the filter to activate it.

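The filters above (expired and self-signed certificates, dangling DNS records, shadow IT, and non-standard HTTP ports) are all built from the same few operators. The Python below is an added example, not part of this guide or of the Cortex Xpanse product: it implements those operators over a constructed, offline inventory export so the AND composition and the value semantics (the Last 7D window, Contains on multi-valued fields, Port != as a set of excluded values) can be checked against sample rows. Field names follow the guide's filter labels; the row format and the sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 11, 12, tzinfo=timezone.utc)  # fixed clock so Last 7D is reproducible
# Constructed inventory rows keyed by the guide's filter labels; not real Xpanse data.
ASSETS = [
    {"id": "cert-1", "Certificate Classifications": ["Expired"], "Last Observed": NOW - timedelta(days=2)},
    {"id": "cert-2", "Certificate Classifications": ["SelfSigned"], "Last Observed": NOW - timedelta(days=5)},
    {"id": "cert-3", "Certificate Classifications": ["SelfSigned", "Expired"],
     "Last Observed": NOW - timedelta(days=30)},  # stale: outside the Last 7D window
    {"id": "dom-1", "Resolves": True, "Has Active Services": False,
     "Externally Detected Providers": ["Amazon Web Services"]},
    {"id": "dom-2", "Resolves": True, "Has Active Services": False,
     "Externally Detected Providers": ["On Prem"]},  # on-prem: excluded by the guide's filter
    {"id": "svc-1", "Discovery Type": "Directly Discovered", "Service Name": "Apache http server",
     "Port": 8080, "Externally Detected Providers": ["Other Cloud"]},
    {"id": "svc-2", "Discovery Type": "Directly Discovered", "Service Name": "nginx http server",
     "Port": 443, "Externally Detected Providers": ["Microsoft Azure"]},
]

def matches(asset, field, op, value, now=NOW):
    """Evaluate one clause using the operator names shown in the guide's filter bar."""
    actual = asset.get(field)
    if op == "=":
        return actual == value
    if op == "!=":            # "Port != 80,443": the port is none of the listed values
        return actual not in value
    if op == "Contains":      # membership in a list field, or substring of a text field
        return value in (actual or [])
    if op == "not Contains":  # none of the listed values may appear in the list field
        return not (set(value) & set(actual or []))
    if op == "Last 7D":       # observed inside the trailing seven-day window
        return actual is not None and now - timedelta(days=7) <= actual <= now
    raise ValueError(f"unsupported operator {op!r}")

def apply_filter(assets, clauses, now=NOW):
    """Return ids of rows for which every clause holds (AND), as the +AND button composes them."""
    return [a["id"] for a in assets if all(matches(a, f, op, v, now) for f, op, v in clauses)]

# The guide's five filters written as (field, operator, value) clauses.
LAST_WEEK = ("Last Observed", "Last 7D", None)
DIRECT = ("Discovery Type", "=", "Directly Discovered")
FILTERS = {
    "expired certificates": [("Certificate Classifications", "Contains", "Expired"), LAST_WEEK],
    "self-signed certificates": [("Certificate Classifications", "Contains", "SelfSigned"), LAST_WEEK],
    "dangling DNS": [("Resolves", "=", True), ("Has Active Services", "=", False),
                     ("Externally Detected Providers", "not Contains", ["On Prem"])],
    "shadow IT": [DIRECT, ("Externally Detected Providers", "not Contains",
                           ["On Prem", "Amazon Web Services", "Google", "Microsoft Azure"])],
    "non-standard HTTP ports": [DIRECT, ("Service Name", "Contains", "http server"), ("Port", "!=", [80, 443])],
}
```

Running `apply_filter(ASSETS, FILTERS[name])` for each name returns the matching row ids; cert-3 carries the Expired classification but falls outside the Last 7D window, so it is correctly excluded.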