Attack Surface Reduction Guide

You can’t control when the next vulnerability drops. You can control how much of your environment is exposed when it happens. The problem is that many organizations have more exposure to the Internet than they realize. Intruder’s Head of Security explores why this happens and how teams can address it.

Exploitation time is shrinking

The larger and more unmanaged your attack surface, the more likely it is to be exploited. And the window before exploitation is shrinking fast. For the highest-risk vulnerabilities, the time from disclosure to exploitation can be as short as 24 to 48 hours. The Zero Day Clock projects it will be just a few minutes by 2028.

That is not much time when you consider what needs to happen before a patch is deployed: running scans, waiting for results, raising tickets, agreeing on criticality, applying the fix, and verifying it. When exploitation takes hours, the patch process takes longer still.

In most cases, vulnerable systems do not need to be exposed to the Internet in the first place. With visibility of the attack surface, teams can remove unnecessary exposure upfront and avoid the scramble altogether when a new vulnerability is disclosed.

When a zero-day lands on a Saturday

ToolShell was an unauthenticated remote code execution vulnerability in Microsoft SharePoint. If an attacker can reach it, they can run code on your server – and because SharePoint is integrated with Active Directory, they are starting from one of the most sensitive parts of your environment.

This was a zero-day, meaning attackers were exploiting it before a patch was available. Microsoft disclosed it on a Saturday and confirmed that groups sponsored by the Chinese government had been exploiting it for two weeks before that. By the time most teams knew about it, opportunistic attackers were probing exposed instances and exploiting at scale.

Intruder’s research found thousands of publicly accessible SharePoint instances at the time of the disclosure – despite the fact that SharePoint doesn’t need to be reachable from the Internet. All of this exposure was unnecessary – and every unpatched server was an open door.

Why exposure is missed

So why is exposure so often missed by security teams?

In a typical external scan, the informational findings sit buried beneath hundreds of critical, high, medium and low results. But those informational findings can include things that represent real exposure risk, such as:

  • An exposed SharePoint server
  • A database exposed on the Internet, such as MySQL or Postgres
  • Other services that should generally be reserved for the internal network, such as RDP and SNMP

Here’s a real example of what that looks like:

In vulnerability scanning terms, classifying this as informational sometimes makes sense. If the scanner sits in the same private subnet as the target, an exposed service can genuinely be low risk. But when that service is exposed to the Internet, it carries real risk even without a known vulnerability attached to it.

The danger is that traditional scan reports treat both situations the same way, so the real risk slips through the gaps.
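The following is an added example, not Intruder’s code or scanner output, showing how the same “informational” finding can be re-scored once the scanner’s vantage point is taken into account. The service names (SharePoint, MySQL, Postgres, RDP, SNMP) and the idea that an internal-subnet scan and an Internet-facing scan deserve different treatment come from the article; the `Finding` data model, the sample findings and the severity values assigned are assumptions made for illustration.

```python
"""Re-score scanner findings by exposure rather than by the scanner's own label.

Added example (not Intruder's code). The service list follows the article;
the severities assigned to each service are this example's assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges plus loopback: a scanner sitting inside one of these sees the
# target from the internal network, not from the Internet.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                         "192.168.0.0/16", "127.0.0.0/8")]

# Services the article singles out as things that should rarely face the
# Internet. The severity labels are an assumption for this example.
INTERNET_EXPOSURE_SEVERITY = {
    "sharepoint": "medium",
    "mysql": "high",
    "postgres": "high",
    "rdp": "high",
    "snmp": "medium",
}

@dataclass(frozen=True)
class Finding:
    target: str            # IP address the scanner reached
    service: str           # service the scanner identified
    scanner_severity: str  # label in the scan report, e.g. "info"
    scanner_ip: str        # address the scan was run from

def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def exposure_severity(f: Finding) -> str:
    """Severity a finding deserves once the vantage point is considered.

    If both scanner and target are on private addresses the scan was internal
    and the scanner's own label stands. Otherwise the service was reached from
    a public address, and listed services are escalated.
    """
    if is_private(f.scanner_ip) and is_private(f.target):
        return f.scanner_severity
    return INTERNET_EXPOSURE_SEVERITY.get(f.service.lower(), f.scanner_severity)

def triage(findings):
    """Return the findings whose severity rises above what the scan report said,
    as (target, service, reported severity, exposure severity) tuples."""
    order = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
    escalated = []
    for f in findings:
        new = exposure_severity(f)
        if order[new] > order[f.scanner_severity]:
            escalated.append((f.target, f.service, f.scanner_severity, new))
    return escalated

# Constructed sample findings, not taken from any real scan.
SAMPLE = [
    Finding("203.0.113.10", "sharepoint", "info", "198.51.100.5"),  # Internet-facing
    Finding("10.0.4.20", "sharepoint", "info", "10.0.4.2"),         # internal scan
    Finding("203.0.113.11", "rdp", "info", "198.51.100.5"),         # Internet-facing
    Finding("203.0.113.12", "http", "info", "198.51.100.5"),        # not in the list
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("%s %s: %s -> %s" % row)
```

Only the two Internet-facing findings for listed services are escalated; the identical SharePoint finding from an internal scan keeps its informational label, which is exactly the distinction the article says traditional reports fail to make.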

What effective attack surface reduction involves

There are three important parts to reducing the attack surface effectively.

1. Asset discovery: define your attack surface

Before you can reduce your attack surface, you need a clear picture of what you own and what is accessible from outside. That starts with identifying shadow IT – the systems your organization owns or uses but doesn’t yet scan or monitor.

Closing that gap matters, and there are three capabilities we recommend:

  1. Integrating with your cloud and DNS providers so that when new infrastructure is created, it is automatically pulled into scope and scanned. This is one area where defenders have a real advantage: you can connect directly to your own accounts, attackers can’t.
  2. Subdomain enumeration, to reveal externally accessible hosts that aren’t on your list. This is especially important after an acquisition, where you may inherit infrastructure you have never seen before.
  3. Identifying infrastructure hosted with small, obscure cloud providers. You may have a security policy that requires development teams to use only your primary cloud provider, but you need to check that the policy is actually followed.
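As an added example (not Intruder’s code), here is the reconciliation step behind all three recommendations: pull the DNS provider’s zone into scan scope, flag names that are not in the asset inventory, and flag hosts whose addresses fall outside the sanctioned cloud provider’s ranges. The zone export format, the sample records, the inventory and the provider address range are constructed assumptions; a real run would fetch the zone from the DNS provider’s API and the ranges from the cloud provider’s published list.

```python
"""Reconcile a DNS zone export against the asset inventory and cloud policy.

Added example, not Intruder's code. Record format, sample zone, inventory and
provider ranges are all constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Assumption: the organisation's primary cloud provider owns these ranges.
PRIMARY_PROVIDER_RANGES = [ip_network(n) for n in ("203.0.113.0/24",)]

# Constructed zone export as (name, record type, value) tuples.
ZONE = [
    ("www.example.com", "A", "203.0.113.10"),
    ("vpn.example.com", "A", "203.0.113.20"),
    ("old-demo.example.com", "A", "198.51.100.77"),   # VPS at another provider
    ("docs.example.com", "CNAME", "www.example.com"),
    ("staging.example.com", "A", "192.0.2.44"),
]

# Constructed asset inventory: the hosts the team already scans.
INVENTORY = {"www.example.com", "vpn.example.com", "docs.example.com"}

def hosted_outside_primary(ip: str) -> bool:
    """True when an address is not inside any sanctioned provider range."""
    addr = ip_address(ip)
    return not any(addr in net for net in PRIMARY_PROVIDER_RANGES)

def reconcile(zone, inventory):
    """Return two sorted lists: names present in DNS but missing from the
    inventory (shadow IT candidates), and A records pointing outside the
    primary provider (policy violations)."""
    unknown = sorted({name for name, _, _ in zone if name not in inventory})
    off_provider = sorted(
        (name, ip) for name, rtype, ip in zone
        if rtype == "A" and hosted_outside_primary(ip)
    )
    return unknown, off_provider

def merged_scan_scope(zone, inventory):
    """Recommendation 1: everything the DNS provider knows about becomes scan
    scope automatically. Returns the union of inventory and zone names."""
    return sorted(inventory | {name for name, _, _ in zone})

if __name__ == "__main__":
    unknown, off = reconcile(ZONE, INVENTORY)
    print("not in inventory:", unknown)
    print("outside primary provider:", off)
    print("scan scope:", merged_scan_scope(ZONE, INVENTORY))
```

The two names the inventory never heard of are exactly the ones sitting at other providers, which is the pattern the article warns about: infrastructure nobody is scanning is also the infrastructure least likely to follow the hosting policy.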

2. Treat exposure as a risk

The next step is to treat attack surface exposure as a risk category in its own right.

That requires tooling that identifies which informational findings represent an exposure and assigns them an appropriate severity. The exposed SharePoint instance, for example, might be treated as a medium-severity issue.

It also means carving out space for this work when prioritizing. If strategic efforts such as attack surface reduction are always competing with emergency firefighting, they will always lose. That might mean setting aside time each quarter to review and reduce exposure, or assigning clear ownership so someone is accountable for it – not just when a disaster strikes, but on an ongoing basis.

3. Continuous monitoring

Attack surface reduction is not a one-time event. Exposures change constantly – a firewall rule is edited, a new service is deployed, a subdomain is forgotten – and your team needs to catch those changes quickly.

Full vulnerability scans take time to complete, and running them daily is not practical. A daily port scan is a better fit. It’s simple, fast, and means you can see newly exposed services as they appear. If someone edits a firewall rule and accidentally exposes Remote Desktop, you find out the day it happens – not at the next scheduled scan, which might be a month away.
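The comparison step that makes a daily port scan useful, as an added example that is not Intruder’s tooling: two snapshots of open ports are diffed and any port that appears between runs becomes an alert, so the accidentally exposed Remote Desktop service in the scenario above is reported the day the firewall rule changed. The snapshot text format, the port-name table and the sample data are constructed assumptions; a real pipeline would feed it the output of whatever port scanner the team runs.

```python
"""Diff two daily port-scan snapshots and alert on newly exposed services.

Added example, not Intruder's tooling. The snapshot format ("host port,port")
and the sample snapshots are constructed for illustration.
"""
from datetime import date

# Friendly names for readable alerts. Includes the services the article calls
# out as things that should not face the Internet. Names only, no scoring.
PORT_NAMES = {22: "ssh", 80: "http", 443: "https", 161: "snmp",
              3306: "mysql", 3389: "rdp", 5432: "postgres"}

def parse_snapshot(text):
    """Parse 'host port1,port2,...' lines into {host: set_of_ports}."""
    snap = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ports = line.partition(" ")
        snap[host] = {int(p) for p in ports.split(",") if p}
    return snap

def diff_snapshots(previous, current):
    """Return (opened, closed): lists of (host, port, name) that changed.

    A host absent from the previous snapshot is treated as having had no open
    ports, so a brand-new host shows up as a set of newly opened ports."""
    opened, closed = [], []
    for host in sorted(set(previous) | set(current)):
        before = previous.get(host, set())
        after = current.get(host, set())
        for p in sorted(after - before):
            opened.append((host, p, PORT_NAMES.get(p, "unknown")))
        for p in sorted(before - after):
            closed.append((host, p, PORT_NAMES.get(p, "unknown")))
    return opened, closed

def format_alerts(opened, when):
    """One alert line per newly opened port, dated with the scan day."""
    return ["%s: %s newly exposed %s/%d" % (when.isoformat(), h, n, p)
            for h, p, n in opened]

# Constructed snapshots: yesterday's and today's scan of the same address range.
YESTERDAY = """
# host ports
203.0.113.10 80,443
203.0.113.11 443
"""
TODAY = """
203.0.113.10 80,443
203.0.113.11 443,3389
203.0.113.12 5432
"""

if __name__ == "__main__":
    opened, closed = diff_snapshots(parse_snapshot(YESTERDAY), parse_snapshot(TODAY))
    for line in format_alerts(opened, date.today()):
        print(line)
```

Today’s snapshot produces two alerts: RDP on a host that yesterday only served HTTPS, and Postgres on a host that did not exist yesterday. Both are the kind of change that a monthly vulnerability scan would report weeks later, if at all.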

Fewer services exposed, fewer surprises

If unnecessary services are never exposed in the first place, they are far less likely to be caught up in the mass exploitation that follows a critical disclosure. That means fewer surprises, less frantic scrambling, and more time to respond proactively when new threats emerge.

Intruder automates the process – from finding shadow IT and monitoring for new exposures, to notifying your team when something changes – so your security team stays ahead of exposure rather than reacting to it.

If you want to see what’s exposed in your environment, book an Intruder demo.
