External Attack Surface Management (EASM) FAQs

Ivanti Neurons for External Attack Surface Management (EASM) has technology partnerships that enable asset discovery and exposure detection, adhering to well-known industry standards such as the MITRE ATT&CK framework, NIST, and OWASP.

  1. Protocols used for asset detection.

    Ivanti Neurons for EASM tools use Layer 4 and Layer 7 protocols to detect open ports and exposures on assets. Layer 4 includes UDP, TCP and ICMP, while Layer 7 encompasses a larger set of commonly used protocols and established guidelines.

  2. How are the compromised emails discovered?

    Ivanti Neurons for EASM tools discover the emails by analyzing publicly accessible sources such as DNS records, breached data repositories, and OSINT feeds.

  3. How do you detect data leaks?

    Ivanti Neurons for EASM integrates intelligence from a variety of trusted security sources to identify potential breach-related exposures linked to an organization. This includes detecting leaked credentials, exposed email addresses and other sensitive data that adversaries might exploit. By providing early visibility into such risks, Ivanti helps organizations proactively secure their attack surface before threats materialize. We aggregate intelligence from multiple vetted sources, including breach databases and security research feeds, ensuring accuracy and relevance while maintaining strict confidentiality around collection methods.

  4. How do you detect assets, especially lateral domains?

    The word "lateral" comes from "Lateral Movement", one of the tactics in the MITRE ATT&CK framework. Ivanti uses a combination of publicly available data and security intelligence techniques to map an organization’s extended domain ecosystem. This ensures that security teams have complete visibility into their external attack surface without relying solely on internal asset inventories.

  5. How do you determine the asset is vulnerable?

    Ivanti Neurons for EASM tools assess vulnerabilities based on multiple signals, including publicly disclosed security weaknesses, misconfigurations, and outdated software versions. This approach ensures accurate detection while minimizing false positives, providing security teams with actionable insights to reduce risk efficiently.

  6. Are all assets reported in EASM publicly discoverable? The assets are classified as either private or public. What does 'private' mean in this context?

    Yes, all assets are discovered from public sources. However, a DNS misconfiguration can cause a host asset (subdomain) to resolve to an internal IP range. Whenever the IP address of an asset resolves to any of the internal IP ranges (Class A, Class B and Class C), that asset is tagged as Private.

  7. If an API, ASN, or netblock is configured as a seed, does the scan exclusively look for similar externally published APIs or those specific asset types, or does it also identify other asset types, such as servers within the same domain and others?

    When an API is configured as a seed, the scan identifies the server hosting the API, performs port scanning, and detects vulnerabilities on that server. However, it does not search for similar externally published APIs beyond the specified seed. For an ASN (Autonomous System Number), the scan identifies any associated netblocks (CIDRs), enumerates the individual IP addresses within those netblocks, scans for open ports, and detects vulnerabilities. In both cases, the scan focuses on infrastructure tied to the seed, rather than broadly seeking other asset types, such as domains or unrelated servers, unless they are explicitly connected to the seed’s scope.

  8. Is there any variation in the scan results when using an API, ASN, or netblock as a seed compared to using a domain or URL?

    Yes, the scan results do vary depending on the type of seed asset, as each influences the scope of discovery and vulnerability detection in different ways. For instance, when a domain is used as a seed, the scan can uncover credential leaks exposed on the internet and perform subdomain enumeration—capabilities not available with API, ASN, or netblock seeds, as these lack the domain context required for such findings. Conversely, API and netblock seeds focus more on server-level insights (e.g., ports and vulnerabilities), while ASNs provide a broader network-level view, resulting in distinct outcomes based on the starting point.

  9. Are there particular scenarios or use cases where setting an API or ASN as the seed is notably effective for asset discovery or exposure detection?

    An API seed functions similarly to a URL seed, yielding comparable results, such as server details, open ports, and vulnerabilities tied to that endpoint. This is particularly useful for pinpointing exposures in specific services. ASNs, on the other hand, are especially valuable for companies managing data centers or large network infrastructures. These organizations often prioritize identifying open ports and the services running behind them across their servers. In this context, an ASN seed excels by providing a comprehensive view of the network, enabling effective asset discovery and exposure detection across their owned IP ranges.
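
The Private tagging rule from question 6, sketched as an added example for teams that want to check their own public DNS zone for names that resolve to internal addresses. This is not Ivanti's code: it assumes the internal ranges are the RFC 1918 blocks, and the function names, the "Unresolved" tag and the sample records are hypothetical.

```python
import ipaddress

# Assumption: the FAQ's internal ranges (Class A, B, C) are the RFC 1918 blocks;
# listed explicitly because ip.is_private also covers loopback and link-local.
INTERNAL_RANGES = tuple(
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

def internal_range_for(address):
    """Return the internal network containing address, or None."""
    ip = ipaddress.ip_address(address)  # raises ValueError on bad input
    return next((net for net in INTERNAL_RANGES if ip in net), None)

def classify_asset(hostname, addresses):
    """Tag a hostname from its resolved addresses. Assumption: one internal
    record is enough for the Private tag, even if other records are public."""
    leaked, invalid = [], []
    for address in addresses:
        try:
            net = internal_range_for(address)
        except ValueError:
            invalid.append(address)
            continue
        if net is not None:
            leaked.append((address, str(net)))
    if leaked:
        tag = "Private"
    elif len(invalid) == len(addresses):
        tag = "Unresolved"  # hypothetical tag: no usable record at all
    else:
        tag = "Public"
    return {"hostname": hostname, "tag": tag, "internal": leaked, "invalid": invalid}

# Constructed sample data: hostnames and addresses are illustrative only.
SAMPLE_RECORDS = {
    "www.example.com": ["203.0.113.10"],
    "intranet.example.com": ["10.20.30.40"],
    "vpn.example.com": ["198.51.100.7", "192.168.1.5"],
    "edge.example.com": ["172.32.0.1"],       # just outside 172.16.0.0/12
    "build.example.com": ["172.31.255.254"],  # last usable host inside it
    "stale.example.com": [],
}

def private_assets(records):
    """Return results tagged Private, sorted by hostname, for DNS zone review."""
    results = (classify_asset(name, addrs) for name, addrs in records.items())
    return sorted((r for r in results if r["tag"] == "Private"), key=lambda r: r["hostname"])

print([r["hostname"] for r in private_assets(SAMPLE_RECORDS)])
```

Each Private result carries the offending address and the range it fell in, which is the record to correct or remove from the public zone.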