L E S S O N S I N A T T A C K S U R F A C E M A N A G E M E N T

B A S E D O N O B S E R V A B L E D A T A A N D
N O T S E L F - R E P O R T E D S U R V E Y S

2022 CORTEX XPANSE

ATTACK SURFACE
THREAT REPORT
VOL. 2.1
Contents
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Key Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Takeaway 1: Cloud Continues to Be a Big Target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Takeaway 2: Low-Hanging Fruit Continues to Hang . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Takeaway 3: End-of-Life Software Means End-of-Life for Your Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Business Impact Takeaway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Takeaway 4: Issues Are Complex and Unique Across Industries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Utilities & Energy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Healthcare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Transportation & Logistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Wholesale & Retail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Financial Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Professional & Legal Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
High Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Media & Entertainment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Insurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Takeaway 5: What Is New Becomes Old on Attack Surfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
How to Fix It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Takeaway 6: RDP and Cloud Exposures Are Persistent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Active Cloud Issues per Month . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Conclusion and Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

About Cortex Xpanse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 2
Executive Summary
Introduction
Do you stay up at night wondering about the next zero day on the horizon? Or do you wake up
­screaming with the thought that someone in your organization might have created a new cloud asset
outside of your security processes and not bothered with something simple, like disabling Remote
Desktop Protocol (RDP)?
Seasoned security professional already know zero days get the headlines, but the real problems always
come from the dozens of decisions a day made inside your organization. Just one mistake or lapse in
security protocols is all it takes to create the low-hanging fruit that attackers count on. It has become
easy and inexpensive for attackers to find any vulnerabilities, exposures, or other unknown open doors
and decide what path will likely offer the least resistance in a cyberattack.
Even lower-skilled attackers can perform a rough scan of the internet to uncover assets ripe for com-
promise. While some may take a shot at breaching that exposure, far more enterprising threat actors
sell this scan data on the dark web to bidders who can then launch more sophisticated attacks. For
example, exposed RDP instances (services to remotely log in to a device for work) sell for anywhere
between $3–$101 to deploy ransomware on the unsuspecting target’s network.
Luckily, attackers aren’t the only ones able to scan the entire internet and discover exposures—­Cortex
Xpanse can too. To help organizations fight fire with fire, the Xpanse research team studied the
­public-facing internet attack surface of some of the world’s largest organizations.
What follows are key findings on the state of the global attack surface based on observed scan data, not
self-reported surveys, to help organizations find exposures before adversaries do.
We monitored scans of 50 million IP addresses—over 1% of the entire internet—associated with
100+ global enterprises to understand how quickly adversaries can identify vulnerable systems for
fast ­exploitation. Takeaways 1 through 5 were based on data collected from March 2021 to S
­ eptember
2021, while part of takeaway 5 and all of takeaway 6 were based on data collected from December
2021 to June 2022.
Here is a summary of our key findings:
• Cloud continues to be a big target.
• Low-hanging fruit continues to hang.
• End-of-life software means end-of-life for your security.
• Issues are complex and unique across industries.
• What is new becomes old on attack surfaces.
• RDP and cloud exposures are persistent.

Key Findings
Our data continues to show that overall cloud issues continue to be a problem, and so do exposed RDP
servers. When looking at fundamental issues of poor security, we discovered a troubling amount of
exposures in administrative login pages as well as in internet-facing end-of-life (EOL) software.
According to our data, risks and exposures are persistent because modern attack surfaces are inher-
ently dynamic, constantly shifting, moving, and growing. All too often, this means without the right
visibility and processes, more threats arise as you remediate current issues.

1. Brian Krebs, “Hacked Via RDP: Really Dumb Passwords,” Krebs on Security, December 13, 2013,
https://krebsonsecurity.com/2013/12/hacked-via-rdp-really-dumb-passwords/.

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 3
Takeaway 1: Cloud Continues to
Be a Big Target
On-Prem
According to 2021 data, just under 80% of On-Prem 9%
all observed issues were present in cloud 20.7%
infrastructures, and this increased to 91% of
all observed issues in the data gathered from
December 2021 to June 2022. This should
come as no surprise given the aggressive
move to the cloud that was accelerated by
the pandemic.
The sheer volume of issues found on the
cloud as opposed to on-premises indicates
that deploying to the cloud is easy to do but Cloud
difficult to secure. There are myriad reasons 79.3% Cloud

for this, from cloud assets being created 91%

outside of security ­controls to insecure
defaults, or just the sheer amount of assets
in the cloud that can overwhelm under-­ Figure 1: Per data from mid-2021, nearly 80% of new
resourced security teams. The cloud is the issues discovered were in the cloud (left), but that number
modern attack surface in a microcosm: jumped to 91% in the first half of 2022 (right)
moving and changing at such a rapid pace
that traditional security practices often
can’t keep up.
Insecure Apache Web Server Insecure Microsoft IIS Web Server
We took a deeper look into the cloud On-Prem

vs. on-­premises split between the four 3.5% On-Prem

recent issue types which have had 22.1%
­observed exploits in the wild and were
mentioned in s ­ everal federal adviso-
ries (more details in takeaway 5). We
observed that insecure Apache Web
Server issues are almost exclusively
seen in the cloud (97%). This is similar
to insecure Microsoft List Server and
F5 BIG-IP TMUI vulnerabilities as
well. However, we see that this trend Cloud

77.9%
is inverted when looking at insecure Cloud

­Microsoft Exchange Servers, which 96.5%

might imply that these deployments F5 BIG-IP TMUI Insecure Microsoft Exchange Servers
are still primarily on-premises. Orga-
On-Prem Cloud
nizations without a clear view of where 17.6% 14.9%
their deployments are will be limited
in their ability to respond to new CVEs
that affect their network.
Keeping in mind that the cloud is
where 91% of issues occur lends valu-
able context to the rest of our findings.

Cloud On-Prem

82.4% 85.1%

Figure 2: Whether issues are in the cloud can

depend on the type of server being set up

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 4
Takeaway 2: Low-Hanging Fruit Continues to Hang
If an attacker is looking for an open door, they often don’t need to look very far. On the internet, leaving
an administrative login page exposed publicly is akin to having a neon sign inviting attackers to knock.

Other RDP Server

24.1% 25%

Unencrypted Login

4%
Networking and Security
Building Control System Infrastructure

13.8% 17%

Data Storage and Analysis

16.1%
Figure 3: Distribution of risks across the global attack surface

Nearly one out of every four issues we found on the attack surface was related to an exposed RDP
server, but even looking at the second most common issue, networking and security, the end result
was often an exposed system administration login portal.
In the case of RDP, breaching that exposed login gives an attacker rights equivalent to logging in with
legitimate user credentials. The networking and security-related issues revealed IT admin portals,
which would give an attacker even more privileges and access to an organization’s core networking
infrastructure. Beyond that, Xpanse research uncovered over 700 unencrypted login pages for several
IT services that were unencrypted and publicly exposed to the internet.
Unencrypted logins make it dramatically easy for attackers to steal credentials, so organizations
should identify these and shut them down. If those same credentials can be used on another exposed
portal, that just makes the attacker’s job all the easier.
But any exposed portal leaves an organization open to simple brute-force attacks if multifactor
authentication isn’t used, and in the case of unpatched systems, they can be accessed by exploiting
known vulnerabilities. Worse, these exposures are preventable by placing these login portals behind a
VPN or firewall.
These exposures are not only prevalent but costly as well. RDP has become the ransomware ­deployment
protocol, and the average cost of a successful ransomware attack in 2021 was $312,493, according
to the latest 2022 Unit 42 Ransomware Threat Report. In light of the surge in ransomware attacks in
recent years, C-suites around the world are deploying active ransomware prevention programs, and
many boards of directors are asking for attack surface management plans to ensure no unknown assets
­become vectors for attack.
Close to 3,000 database storage and analytics systems were also frequently left exposed to the p
­ ublic
internet. These systems can contain critical customer data or intellectual property and were never
meant to be accessed from the public internet, but these were still showing up likely on account of
­accidental misconfigurations.
Our research also uncovered over 2,500 critical building control systems (BCS) accessible from
the public internet, which indicates that in a remote-first world, organizations should be not only
concerned about their IT assets but also their Operational Technology (OT) assets. These assets are
frequently operated and managed by facilities or office divisions and are thus not necessarily tracked
or monitored by IT security systems.

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 5
Takeaway 3: End-of-Life Software Means End-of-Life for Your Security
If exposed remote access or remote login protocols are like neon signs inviting attackers to knock, end-
of-life software is like leaving your valuables in a straw house in autumn. It may survive the rainy season
if it was well-built, but winter is coming, and no one is around to patch all of the inevitable holes.
During the course of our observation, while we saw organizations across industries running end-of-life
versions of software, when looking specifically at the following applications below, we saw on average
around 30% of organizations were running end-of-life (EOL) software versions.

Apache Web Server ­~32% running EOL versions

Microsoft Exchange Server 29% running EOL/unsupported versions

Additionally, organizations are still running unpatched versions of software with active observed
exploits. Despite patches being available for between four and five months at the time of detection,
Xpanse research discovered the following based on the application’s self-reported version:
• 11,511 instances of Apache Web Servers running unsecured on the public internet were vulnerable to
CVE-2021-41773 and CVE-2021-42013
• 2,700 instances were vulnerable to CVE-2021-26084 (Atlassian Confluence)
• 74% of instances of Zoho ManageEngine ­ServiceDesk Plus software (3,400 total) were vulnerable to
two critical CVEs (CVE-2021-44077 and C
­ VE-2021-44526), one of which was actively being exploited
in the wild.
Exploits like these can allow malicious actors to gain access to a victim’s network, escalate privileges,
move laterally, and execute remote code.

Business Impact Takeaway

Attackers don’t need to preselect victims because it is all too easy to find exploitable weaknesses,
and nothing presents more weaknesses than end-of-life software. There is no reason why any asset
running end-of-life software should ever be internet-facing. If an asset cannot be updated to secure
versions of software, it should be isolated or decommissioned altogether.
The opportunist attacker can find potential victims by simply scanning the internet for assets or
­services exposed to accidents or misconfigurations. Organizations need to automatically discover end-
of-life software, misconfigurations, and unknown assets to identify all non-zero-day vulnerabilities
on their attack surface.

Takeaway 4: Issues Are Complex and Unique Across Industries

Common security wisdom often results in something like victim-blaming, where organizations are
asked to consider why you might be the target of an attacker. Adversaries may want your data if you’re
in financial services, or they might know you’re more likely to give in to demands because to risk
downtime would extoll a cost far too high, such as in healthcare.
Knowing why you might be a target should help in terms of isolating data and systems that don’t need
to be publicly accessible, but when it comes to internet-connected devices, the more important task is
to identify exposures and vulnerabilities. So, from an attacker’s perspective, organizations are often
more similar than different.
Xpanse research showed similar types of issues across industries, but what issues were most common
varied dramatically. So, organizations often had exposures falling into some combination of RDP server
exposures, networking and security, or data storage and analytics, but the specific details regarding assets,
types of exposure, and the reasons why they might be targeted by an attacker make situations unique.

Real-World Disruption
Looking at industry verticals in broad terms, there are two general reasons why attackers might target
certain organizations: operational disruption or stealing high-value data. The first category includes
industries like utilities and energy, healthcare, transportation and logistics, and (sometimes) whole-
sale and retail. The aim of attackers here is to disrupt or threaten to disrupt the business operations of
the organizations, either under political motives or because attackers hope the ransom demanded is a
substantially smaller loss for the organization to incur than the disruption caused or threatened.

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 6
Utilities & Energy
Utilities and energy companies can almost be considered a class of their own because the issues seen are
vastly different than most other industries, but also because historically, industrial infrastructure has
been a key target for attacks with political motives.
The most famous example of this is Stuxnet, a worm built by the US and Israeli governments to disrupt
Iran and reportedly the North Korean nuclear programs.
The biggest issue type observed was related to exposed admin panels of IT infrastructure. Several criti-
cal OT systems, like their building control systems which are not supposed to be on the public internet,
were also found during the course of our analysis.
Utilities and energy industries need to focus on securing their key IT and OT infrastructures. Critical en-
ergy and utilities are key targets for nation-state attackers and as a consequence, having a BCS system
admin portal that is discoverable on the public internet makes it significantly easier for a bad actor to
cause significant business disruptions by controlling building systems, including fire alarms, elevators,
and fire suppression systems.
For example, the attack on Colonial Pipeline in April 2021 was due to a single compromised user account
and VPN access that didn’t have multifactor authentication enabled, but it led to a ransomware attack
and the entire pipeline being shut down for five days.

Other

16%

Embedded System
Networking and Security
4.1% Infrastructure
RDP Server 40.7%
4.2%

Unencrypted FTP

5.2%
Data Storage and Analysis

6.1%

Building Control System

23.7%

Figure 4: Distribution of risks across the utilities and energy industry attack surface

Healthcare
A HIPAA-compliant RDP server allows healthcare professionals to work remotely and still have access
to the same information they could view and update if they were working at a hospital. Remote desktop
access allows healthcare professionals to work efficiently from home and while traveling.
According to our analysis, RDP risks are the single biggest avenues for compromise in the healthcare
industry, and this leaves them more vulnerable than other industries to ransomware attacks. This is
especially dangerous because disruption in healthcare facilities could lead to loss of life.
According to the 2022 Unit 42 Ransomware Threat Report, RDP servers are now the preferred attack
vector for ransomware gangs as it is easier to discover an accidentally exposed RDP server and brute
force their way in.
The healthcare industry has been in the crosshairs of ransomware attacks for years now, and because
the potential damage is so great, many hospitals have to pay the ransom rather than risk impacting
operations, which makes them attractive ransomware targets.

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 7
 Other

15.3%

Data Storage and Analysis

5.6%
Rpcbind Server

6%

Networking and Security

Infrastructure

6.2%
RDP Server

66.9%

Figure 5: Distribution of risks across the healthcare industry attack surface

Transportation & Logistics

RDP risks are again the major issues in the transportation and logistics industry. Organizations should
work with their supply chain logistics partners to identify and remediate their critical RDP exposures
before there is a significant incident.
In 2017, Danish shipping company Maersk was hit by a ransomware attack that disrupted operations for
two weeks and reportedly cost the company approximately $300 million.
Since the beginning of the pandemic, global supply chains have faced significant turbulence and
as n
­ ations emerge from the pandemic, the demand for goods is extremely high. As a consequence,
­ransomware actors are now targeting organizations in the global transport and logistics industries.

Other

16.6%

Data Storage and Analysis

10.8%
RDP Server

50.8%

Networking and Security

Infrastructure

21.8%

Figure 6: Distribution of risks across the transportation and logistics industry attack surface

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 8
Wholesale & Retail
Wholesale and retail lives somewhat on the border between targets attacked in order to create
­real-world disruption and those with high-value data that could be stolen. The disruption that could
be caused by attacking retail is extremely high, but if it is point-of-sale systems being targeted, that
puts customer credit card data at risk.
Ransomware gangs are more likely to target wholesale and retail organizations as they need to f­ unction
at all times and, therefore, will quickly pay the ransom to continue operations. Wholesale and retail
organizations should be extremely concerned about this. We discovered that RDP servers account for
more than 60% of issues found on the wholesale and retail industry attack surface. It is the single
­biggest issue type in this industry.
One of the biggest cyberattacks in history befell Target in 2013 when the credit card information of 40
­million customers was stolen, and other information on 70 million customers was exposed. Target report-
edly spent more than $200 million in legal fees and ended up paying states $18.5 million in damages.

Other

23.2%

Data Storage and Analysis

3.7%
Rpcbind Server RDP Server
7.8% 65.3%

Figure 7: Distribution of risks across the wholesale and retail industry attack surface

Valuable Data
When real-world disruption isn’t enough, attackers tend to target high-value data. This could mean
financial data that could then be resold to identity thieves, or it could mean data that is valuable to an
organization, like intellectual property.

Financial Services
IT regulations and compliance directives are perhaps the strongest in the financial services industry. One
result of this is that financial industries tend to be early adopters of cybersecurity practices and products,
but malicious actors still target these organizations due to the critical data they hold.
More than 80% of all issues observed in the financial industry’s attack surface were either related to
exposed RDP servers or, worse, were related to accidentally exposed database storage and analytics sys-
tems. Database systems should never be available over the public internet and should always be behind a
firewall or a VPN.
Data storage exposures in this industry are worrying as they could contain key customer or transaction
data. Additionally, with everyone working from home, these exposures become even riskier as employees
are accessing critical information through potentially vulnerable, non-consumer-grade access points.

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 9
 Other

Networking and Security 10.4%

Infrastructure
3.9%
Insecure Microsoft
Exchange Server
4.4%

RDP Server

54%
Data Storage and Analysis

27.3%

Figure 8: Distribution of risks across the financial services industry attack surface

Professional & Legal Services

The combination of the most prevalent issues we’ve observed in the professional and legal services
industry makes for an incredibly dangerous scenario. Organizations that have data storage exposures
with unencrypted logins are opening themselves up to a “when” and not an “if” scenario as it relates to
a serious data breach or ransomware.
A potential breach in this industry could put intellectual property, critical customer information, and
other highly sensitive information at risk.

Other

Networking and Security 10.4%

Infrastructure
3.9%
Insecure Microsoft
Exchange Server
4.4%

RDP Server

54%
Data Storage and Analysis

27.3%

Figure 9: Distribution of risks across the professional and legal services industry attack surface

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 10
High Technology
In high-tech companies, exposed IT admin portals are the biggest issues found on attack surfaces, and
as we noted above, these exposures are extremely appealing for attackers because a successful exploit
here grants attackers access to the entire network and privileges to cause untold damage. High-tech
companies need to be able to quickly discover their exposed IT admin login pages and immediately put
them behind a firewall or VPN.
FTP is not an industry-standard protocol anymore and is in violation of numerous regulatory compli-
ance standards. It relies on clear-text usernames and passwords for authentication and does not use
encryption, but they seem to still be lurking (6.9% of issues) in this industry in this industry from our
observations. Data sent via FTP is vulnerable to sniffing, spoofing, and brute-force attacks, among
other basic attack methods.

Other

22.2%

Embedded System
4.8%
Networking and Security
Data Storage and Analysis Infrastructure

5.1% 55.6%
RDP Server

5.4%
Unencrypted FTP

6.9%

Figure 10: Distribution of risks across the high technology industry attack surface

Media & Entertainment

Data storage and analysis infrastructure potentially containing key IP and critical customer data were
the biggest risks observed on the attack surface of the media and entertainment industry.
One of the most notable attacks in this space was on Sony Pictures in 2014, when attackers stole terabytes
worth of data and Sony had to shut down its network for days. Following the breach, five movies, four of
which were unreleased at the time, were leaked by the attackers.
RDP services were the second biggest issue type, and potential attacks could cripple the industry in its
ability to service its customers.

Other

16.1%

Unencrypted FTP

4.3%
Colocated SMB Server

5%
Data Storage and Analysis

47%

RDP Server

27.6%

Figure 11: Distribution of risks across the media and entertainment industry attack surface

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 11
Insurance
Data storage, RDP servers, and networking infrastructure vulnerabilities show up in almost equal
­measure in the insurance industry.
In May 2021, insurance company CNA Financial reportedly paid $40 million in ransom after being
unable to restore systems for two weeks after an attack. Additionally, the personal information of more
than 75,000 customers was compromised in the breach.

Other Data Storage and Analysis

14.3% 19.9%
Rpcbind Server

4.1%
SharePoint Server

6.9%

RDP Server
Building Control System
18.3%
9.4%

Embedded System

10.6% Networking and Security

Infrastructure

16.5%

Figure 12: Distribution of risks across the insurance industry attack surface

Business Impact Takeaway

While attack surfaces may seem unique to an attacker, there are certain exposure types that are usually
more readily available, so the initial attack vector may not vary too much. As we can see in the data,
there are multiple ways remote access protocols or remote logins can and are exposed, leading to easy
entry points for attackers.
Whether the ultimate aim is real-world disruption or high-value data, industries have to know what
exposures are putting them at risk because no one wants to deal with a ransomware attack, stolen data,
or both.
Knowing the most common risks can help vulnerability management to focus efforts, but even beyond
the major issues for each industry, there are many other exposures lurking in the shadows. The best bet
is to have a comprehensive and continuously updated inventory of all assets and potential exposures in
order to minimize all risks.

Takeaway 5: What Is New Becomes Old on Attack Surfaces

If we’ve imparted nothing else up until this point, it should be that the global attack surface is a living
thing that grows and changes constantly. This highlights a reality for security practitioners, which is
that the work is never done. Worse, the work that doesn’t get done becomes a seemingly insurmount-
able backlog of issues and exposures.
The unfortunate truth of attack surfaces is that there is a constant stream of new issues—new vulnera-
bilities, changing configurations leading to exposure, expiring certificates, etc.—and each one of those
new issues that aren’t fixed then becomes the low-hanging fruit discussed in takeaway 2.
In our initial study of the global attack surface in 2021, we focused on the four specific vulnerabilities
which had observed exploits in the wild and were mentioned in several federal advisories:
• Insecure Apache Web Server
• F5 BIG-IP TMUI
• Insecure Microsoft Exchange Server
• Insecure Microsoft IIS Web Server
During the course of our analysis of these four issue types, we observed them on an unmanaged attack
surface over the course of a month.

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 12
We can see that, across industries, even if organizations worked to remediate active issues in a month,
newer issues kept cropping up throughout the month. One could make the claim that these organi-
zations were never secure and remained vulnerable throughout the month as the unmanaged attack
surface continues to grow and compounds security issues that an organization faces.

Min Lower Median Upper Max

Media and Entertainment - F5 BIG-IP TMUI Healthcare - F5 BIG-IP TMUI Wholesale and Retail - F5 BIG-IP TMUI High Technology - F5 BIG-IP TMUI Financial Services - F5 BIG-IP TMUI
20 16 8 160 4

18
14 7 7 140
16
# of vulnerabilities

# of vulnerabilities

# of vulnerabilities
12

# of vulnerabilities
6 120 3 3

# of vulnerabilities
14
10 10 5 100
12
11
10 10 8 4 80 2 2
7
8
6 3 60
6
4 2 40 1
4
2 1 1 20
2

0 0 0 0 4 2 0
Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly
Active Issues New Issues Active Issues New Issues Active Issues New Issues Active Issues New Issues Active Issues New Issues

High Technology - Healthcare - Wholesale and Retail - Insurance - Financial Services -

Insecure Apache Web Server Insecure Apache Web Server Insecure Apache Web Server Insecure Apache Web Server Insecure Apache Web Server
1000 2000 600 160
600
900 1800
140
500
800 1600 500

# of vulnerabilities
# of vulnerabilities

# of vulnerabilities

# of vulnerabilities

120

# of vulnerabilities
700 1400
400
100 99 400
600 1200

500 1000 300 80

300
400 800
220 60
200
300 600 200
268
40
200 400
100
20 100
220 71
100 200
54 79 9
0 0 0 14
0 9
0
Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly
Median Monthly Median Monthly
Active Issues New Issues Active Issues New Issues Active Issues New Issues Active Issues New Issues
Active Issues New Issues

High Technology - Healthcare - Insurance - Media and Entertainment - Utilities and Energy -
Microsoft IIS Web Server Microsoft IIS Web Server Microsoft IIS Web Server Microsoft IIS Web Server Microsoft IIS Web Server
450 2000 250 1200 400

400 1800
350
1000
350 1600 200
# of vulnerabilities

# of vulnerabilities
# of vulnerabilities

300
# of vulnerabilities

# of vulnerabilities

1400
300 800
250
1200 150
250 242
1000 600 200
200 113
800 100
150
150 400
600
100 95
100
400 50
200
50
50 200 101
148
3 0 4 0 4 0 3 0 6
0
Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly Median Monthly
Active Issues New Issues Active Issues New Issues Active Issues New Issues Active Issues New Issues Active Issues New Issues

Figure 13: Median active and new issues per month per company in an industry

These four issue types only constitute a small sliver (<1%) of the overall issue types seen on an attack
surface. So, as part of our new research based on data collected from December 2021 through June
2022, we widened the scope to look at the rate at which all new issues of high and critical severity were
­discovered on attack surfaces.
We discovered that regardless of the industry, new issues are constant; not one industry we studied
showed success in reducing its attack surface.

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 13
 Min Lower Median Upper Max

Utilities and Energy Healthcare Manufacturing Wholesale and Retail

25% 45% 12% 25%

40%
10%
20% 35% 20%

30% 8%
Rate of change

Rate of change

Rate of change

Rate of change
15% 15%
25% 24% X

6%
20%
10% 10%
15% 4% 4% X
8% X

6% X
10%
5% 5%
2%
5%

0% 0% 0% 0%

Financial Services Professional and Legal Services High Technology Media and Entertainment
40% 80% 30% 30%

27%
35% 70%
X

25% 25%

30% 60%

20% 20%
Rate of change

Rate of change

Rate of change
Rate of change

25% 50%

20% 40% 15% 15%

15% 30%
10% 10%
9% X

10% 20%
8%
5% 5%
X

5% 10% 9% X

0% 0% 0% 0%

Professional and Legal Services Business Services Pharma and Life Sciences
35% 80% 40%

30% 70% 35%

26% X
60% 30%
25%
Rate of change

Rate of change

Rate of change

50% 25% 24%

20%
X

40% 20%
15%
30% 15%

10%
20% 10%
16% X

5% 10% 5%

0% 0% 0%

Figure 14: Rate of change of attack surface over the course of a month segmented by industry

In industries where you might expect a higher proportion of on-premises assets compared to the
cloud, like transportation and logistics or utilities and energy, new issues increased more slowly
than other industries with median rates of 3.67% and 6.36%, respectively. On the other hand, a more
cloud-forward industry like media and entertainment had a higher rate of change at 26.89%.
But there were a number of interesting outliers with healthcare, insurance, and pharma and life
sciences, which one might assume are all verticals that would skew towards a higher proportion
of on-premises assets but had some of the highest rates of new attack surface issues at 24%,
26.2%, and 24%, respectively. Exposures in these industries are very troubling, though, given
the amounts of personal data and intellectual property at risk and, of course, the human risk if a
hospital is disrupted.

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 14
Business Impact Takeaway
The ultimate goal should always be attack surface reduction, but obviously, that is not currently pos-
sible with manual processes and manual effort. Across all industries, attack surfaces are growing, and
security teams are left chasing a moving goal post. New issues are not remediated, so they become the
old issues that are the low-hanging fruit that attackers feast on.
When considering the rate of new issues occurring on attack surfaces, it highlights the need for more
resilient security processes. Organizations need visibility into their attack surfaces and exposures, but
they also need to put in place more automated processes to make remediating issues faster and less
human effort-intensive.

How to Fix It
Security teams have far too much to do to constantly remediate the same types of issues. A powerful solu-
tion would be to pair an attack surface management tool with a security orchestration, automation, and
response (SOAR) tool. This way, newly discovered issues can be automatically identified, prioritized, and
either remediated or routed to the relevant stakeholder with full context data.

Takeaway 6: RDP and Cloud Exposures Are Persistent

The need for resiliency is further illustrated in new data gathered around the persistence of attack sur-
face issues.
RDP exposures raise cyberattack risk.
A favorite target of attackers has long been exposed RDP. Palo Alto Networks Unit 42™ found that
exposed RDP was the initial attack vector in half of all incidents in its 2020 Unit 42 Incident Response
and Breach Report, and the latest 2022 Unit 42 Ransomware Threat Report said brute-force attacks
focused primarily on RDP are one of the top three initial access vectors in all case data.
With that context in mind, it is worrisome to see that seven of the 12 industries covered in Xpanse data
averaged more than seven days per month with an active RDP exposure, and transportation and logistics
had an average of 13.5 days with an active exposure. Considering the damage and disruption seen in the
2017 ransomware attack on Maersk, detailed above, one would hope that the industry as a whole would
make it a priority to tamp down RDP exposures.

Table 1: Number of RDP Instances Exposed to the Public Internet During the Observation Period
and Average Number of Days There Was an Active, Exposed RDP Instance in Any Given Month
Avgerage number of days RDPs are
Industry Number of RDP exposures observed
exposed to the public internet
Transportation & Logistics 24,113 13.49
High Technology 397,615 9.71
Utilities & Energy 46,497 9.59
Media & Entertainment 334,428 9.08
Business Services 154,238 8.36
Professional & Legal Services 128,545 8.19
Financial Services 151,209 7.78
Insurance 38,102 5.78
Healthcare 112,525 5.58
Wholesale & Retail 87,916 4.87
Telecommunications 189,907 4.64
Pharma & Life Sciences 53,808 4.13

Looking at the lower end of the data, the other five industries don’t look too bad in comparison, but they
all average at least four days per month with an RDP exposure. Unfortunately, that’s not exactly a cause
for optimism. Any exposures can lead to devastating ramifications, and in industries like healthcare,
where human lives are on the line, even 5.6 days per month with an active RDP exposure is too much
because, over the course of our six months of gathering data, that equates to approximately 34 days where
there was exposed RDP available for an enterprising attacker to exploit.

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 15
Active Cloud Issues per Month
Widening our scope to look at the number of active cloud issues per month, we see more evidence of the
persistence of cloud issues, but this time there appears to be a clear split among industries.
There is a group of industries with fewer than 200 median active cloud issues per month:
• Utilities and Energy
• Financial Services
• Professional and Legal Services
• Manufacturing
• Insurance
• Business Services
• High Technology

Min Lower Median Upper Max

Utilities and Energy Financial Services Professional and Legal Services Manufacturing
10,000 30,000 3,500 300

3,000
25,000 250
8,000

2,500
Rate of change

Rate of change

Rate of change
Rate of change

20,000 200
6,000
2,000

15,000 150 143 X

1,500
4,000

10,000 100
1,000

2,000
5,000 50
500

147
202 82
X

0 X
0 X 0 0

Insurance Business Services High Technology

800 3,500 16,000

700 3,000 14,000

600 12,000
2,500
Rate of change
Rate of change

Rate of change

500 10,000
2,000

400 8,000
1,500
300 6,000

1,000
200 4,000

100
116 X
500 2,000

159 X

0 0 0 156 X

Figure 15: Number of new issues in the cloud in any given month segmented by industry

While the rest of the industries tracked all had more than 400 median active cloud issues per month:
• Healthcare
• Wholesale and Retail
• Media and Entertainment
• Telecommunications
• Pharma and Life Sciences

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 16
 Min Lower Median Upper Max

Healthcare Wholesale and Retail Media and Entertainment

2,500 10,000 3,000

2,500
2,000 8,000

Rate of change

Rate of change
Rate of change

2,000
1,500 6,000

1,500

1,000 4,000

1,000

500 2,000
400 X 500 400 X

446 X

0 0 0

Telecommunications Pharma and Life Sciences

700 3,000

600
2,500

500
467
Rate of change

Rate of change

X
2,000

400

1,500
300

1,000
200

500
100 434 X

0 0

Figure 16: Number of new issues in the cloud in any given month segmented by industry

Having hundreds of active cloud exposures per month obviously means higher risk. The maxim of
cybersecurity is that attackers only have to be successful once, while defenders need to be successful at
every turn, so hundreds of exposures per month are not a sign of success.
However, another important note in this data is the high variability seen in some industries. High tech-
nology was on the lower end with a median of 156 active cloud issues per month but had an upper range
of 3,661 issues in the 75th percentile and 15,381 in the 90th percentile. Similarly, wholesale and retail
had 446 median active cloud exposures, but those numbers bloomed to 5,613 in the 75th percentile and
9,954 in the 90th percentile. The most extreme example was financial services, which had the lowest
median of all industries but an extreme of 27,196 active cloud issues in the 90th percentile.
These extremes obviously do not represent the norm, but they do indicate how much fluctuation there
can be in issues each month. Between this and the number of new issues per month, it should be clear
that security teams don’t have the time or the resources necessary to remediate every issue that arises.
This should not be a sign to give up, of course. It just means there needs to be a better way than endless
loops of manual remediation that have a high cost in human effort.
As we saw in takeaways 2, 3, and 5, the issues leaving industries exposed are not exotic zero days;
they are commonplace exposures in widely used software and services like RDP, exposed admin login
portals, etc. Automating the discovery and remediation of issues like these not only creates resiliency
in SecOps but also frees up security teams to tackle bigger issues rather than being bogged down with
repetitive tasks.

Cortex by Palo Alto Networks | 2022 Cortex Xpanse Attack Surface Threat Report 17
Conclusion and Recommendations
Security is hard. Sometimes it’s as simple as that. Security teams do the best they can with the resources
and the data they have, but visibility is often the deciding factor as to whether an asset is secure or not,
while resilient processes are often the deciding factor in whether new issues remain persistent.
If you don’t know where exposures live, it’s impossible to ensure issues are remediated. For many
organizations, the cloud and RDP are going to be persistent issues to target, but the constellation of
exposures and vulnerabilities on your attack surface will only continue to grow as attack surfaces get
more complex.
Unfortunately for defenders, attackers just need one crack to find their way in. The best option for
security teams is to ensure they have the same view of their own attack surface. From an attacker’s
point of view, identifying and prioritizing issues for remediation gets far easier.
This also means that focusing on metrics like mean time to detect (MTTD) and mean time to respond
(MTTR) is inherently flawed. In the case of a breach, MTTD and MTTR are acceptable, but security
should be focused on doing all they can to prevent breaches before they happen. That means putting
more stake in mean time to inventory (MTTI) because it is impossible to secure unknown assets and
unknown exposures.
Modern attack surfaces are dynamic. Without clear visibility that is constantly updated and resilient,
and automated security processes, it is all too easy to have persistent exposures and unmanaged assets.
Security practitioners can only be as good as the data they have, so having a strong foundation of con-
tinuous discovery and monitoring ensures you can keep up with modern, dynamic attack surfaces in
order to find, prioritize, and mitigate exposures as they arise.
Want to see your attacker’s view into your attack surface/network? Reach out to a Palo Alto Networks
representative for a custom outside-in view into your organization.

Methodology
Xpanse operates a proprietary platform that continuously collects more than one petabyte per day of
information related to all systems on the public internet to ascertain how attackers view potential targets.
Using the externally available attack surface from global enterprises, Xpanse researchers examined and
interpreted data to help defenders understand the attack surface in order to:
• Quantify and remediate externally facing vulnerabilities.
• Provide security teams with attack surface benchmark metrics.
• Optimize threat modeling.
• Convey the threat landscape to technical and nontechnical audiences.
• Deploy proactive security measures.
In this analysis, Xpanse looked at 2021 data (beginning of March to end of September) as well as 2022
data (beginning of December 2021 to beginning of June 2022) from 100+ tenants spanning multiple
industries. Data for a given industry was only displayed in this report if the industry included data from
seven or more organizations in that industry category. Key Common Vulnerabilities and Exposure (CVE)
observations are based on observed data from January to February 2022.
It is important to note that the majority of metrics in this report are medians. The reason for this is that
when it comes to global internet asset data, there are frequent outliers that can heavily skew the mean/
average for a given issue type or industry, and using medians helps us avoid seeing a biased view.

About Cortex Xpanse

Cortex® Xpanse™ is an automated attack surface management (ASM) platform that provides a c ­ omplete
and accurate inventory of an organization’s global internet-facing assets and misconfigurations to
continuously discover, evaluate, and mitigate security issues on an external attack surface. Xpanse
­customers include leading Fortune 500 companies as well as both US government organizations,
­including all five branches of the US military.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
© 2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered ­
trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
marks mentioned herein may be trademarks of their respective companies.
cortex_xpanse-attack-surface-threat-report_071222

www.paloaltonetworks.com