The first section you will see after logging in is the Exposures dashboard. An exposure is an error in the software or configuration of a device that allows a hacker to break into a system.
The Exposures dashboard displays different types of charts and graphs that provide information about assets in your inventory that may be vulnerable to a cyber attack or are at risk.
The dashboard also offers a quick view of the status of these exposed assets and other important details. You can click on parts of the graphs to see more detail.
My Investigation Tracker
The details in Investigation Tracker provide the following information:
All In-Progress - Exposed assets that were discovered by scoutINSPECT over the past 30 days or more. Click on the bars to see which days had the most activity.
My Burn Down Rate - Assets that have been assigned ownership over the past 30 days or more.
Currently Active - Ongoing investigations of exposed assets, tracked hourly.
The details in Issue Trends include the following:
Total Exposures - This pie chart shows the number of assets that have been impacted by exposures over the past 30 days, as well as the percentages of issues that are or were Open or Resolved, or have been marked as Responding.
Breakdown by Exposure - These three pie charts break down the types of exposures impacting assets by:
Completed Exposures by Day - This graph is for viewing the number of completed exposures on a daily basis.
Inventory Exposure Summary
Inventory Exposure Summary - Displays a bar chart that summarizes current asset exposures by criticality: medium, high, and critical.
Most Vulnerable Inventory - Displays which assets (e.g., domains, IPs, DNS records) have the most exposures.
Top Exposure Threats
For information on the Top Exposure Threats graph, please click here.
Attack Surface Hotspots
Attack Surface Hot Spots shows a graph of the software currently in your inventory that cyber criminals are attacking across the Internet. This does not mean that you are being actively attacked, but you should know which software hackers or threat actors are targeting most at the moment.
scoutINSPECT will only display software assets that could be at risk if they make up more than 2% of your inventory.
Let's imagine that 3 of your 100 servers are running nginx. The percentage shown in the Attack Surface Hot Spots graph in this case will be 3%, which is above the 2% threshold, meaning that those 3 servers could be targets of a cyber attack.
Exposures & Issues Table
The second half of the Exposures page shows a table of impacted assets in your inventories with the following information:
Exposure Name - The asset has been impacted by a Vulnerability or Risky-Service.
Asset Name - IP address, DNS Record, Network, or other.
Asset Type - Software, Vulnerability, or Risky-Service.
Source Domain - A domain linked to a particular exposure or inventory. It can also be a subdomain of a seed domain.
Exposure Details -
For Risky-Service - The column will show the service name and the port number.
For Vulnerability - The column will display the CVE number and the vulnerability name.
Risk - Level of criticality: Medium, High, and Critical. Rarely, you may see an "Unknown" level, which occurs when the system can't confirm an asset's risk level.
Status - Impacted asset issues that are Open, In-Progress, Closed, and Resolved.
Owner - Who on the team owns the asset.
Last Seen - When the issue was last updated.
Tags - Labels used to identify assets (e.g., "Finance Server," "Application Server," "Main domain name," etc.).
Editing and Updating Items in Exposures/Issues Table
You can edit or update the Risk level, Status, and Owner for assets listed in the Exposures/Issues table.
To do this, hover your mouse over the desired item, click on the pencil icon that appears on the right, then make your selection.
Filter Items in Exposures/Issues Table
The table also allows you to use filters to find impacted assets by name, type, exposure name, service name, and more.
Here are a few ways to sort through the data:
Using the Filter Field
Type the term you are looking for, then click Filter.
You can also filter by using the drop-down menus that appear at the top of the table when you click on Filter.
You can filter by:
By Clicking on a Graph
You can also filter items on the table by clicking on any of the graphs on the first half of the page.
The second half of the page will display the filter that was applied when you clicked on the graph. The table will also be sorted based on what was clicked.
When you click on the IP address, domain name, or DNS Record of an impacted asset in the Exposures & Issues Table, a page will load with details about the exposure/issue.
Breakdown of Items on Issues Page
#1. This section shows the asset's exposure type and asset name. Below is background information about the exposure type. You can add a tag for the asset here as well.
#2. This section contains details about the asset's risk level, status, the date the exposure was discovered, asset type, the asset owner, and the name of the analyst assigned to respond to the issue.
#3. This section shows the progression for handling the asset exposure issue:
Validate Exposure - Where details of the exposure have been confirmed by an analyst.
Validate Inventory - Guidance on validating inventory.
Respond - This section is used to respond to the issue by sending email communication to relevant recipients if the status is set to Responding.
Responding to an Asset Exposure
scoutINSPECT has an email feature that allows you to send the details of an asset exposure to others on your team and even to those outside of your organization. Recipients of these details can take steps to mitigate the exposure and/or take another incident response measure.
To send details of an asset exposure to others, follow these steps:
1. On the Issue Detail page of the impacted asset, click Respond on the Validation bar across the page.
3. The next page will display a form containing a link to the Exposure Report, the name of the analyst who was assigned the asset, the Urgency level, and the name of the exposure in the Subject line. You can also add a description in the Overview section if you would like.
To add one or more email addresses, click on the pencil icon to Add recipients.
4. There is no "send" button on the page. To send the communication, change the issue's Status to Responding.
5. You will be asked to confirm sending the communication to the recipients. If you approve, click Send. If you want to return to the form, click Cancel.
Issue Details includes a section called Notebook where analysts can write comments or ask questions about the issue.
Furthermore, when the issue is assigned an asset owner and/or an analyst is assigned to handle the issue, Notebook will record the activity and add it as comments (e.g., "Set assigned to: John Willis" and "Set owner: Jane Dully").