Skip to main content
Skip to main content
Microsoft Security

Discover the anatomy of an external cyberattack surface with new RiskIQ report

  • Steve Ginty Principal Program Manager, Microsoft

The internet is now part of the network. That might sound like hyperbole, but the massive shift to hybrid and remote work and a multicloud environment means security teams must now defend their entire online ecosystem. Recent ransomware attacks against internet-facing systems have served as a wake-up call. Now that Zero Trust has become the gold standard for enterprise security, it’s critical that organizations gain a complete picture of their attack surface—both external and internal.

Microsoft acquired RiskIQ in 2021 to help organizations assess the security of their entire digital enterprise.1 Powered by the RiskIQ Internet Intelligence Graph, organizations can discover and investigate threats across the components, connections, services, IP-connected devices, and infrastructure that make up their attack surface to create a resilient, scalable defense.2 For security teams, such a task might seem like trying to boil the ocean. So, in this post, I’ll help you put things in perspective with five things to remember when managing external attack surfaces. Learn more in the full RiskIQ report.

Your attack surface grows with the internet

In 2020, the amount of data on the internet hit 40 zettabytes or 40 trillion gigabytes.3 RiskIQ found that every minute, 117,298 hosts and 613 domains are added.4 Each of these web properties contains underlying operating systems, frameworks, third-party applications, plugins, tracking codes, and more, and the potential attack surface increases exponentially.

Some of these threats never traverse the internal network. In the first quarter of 2021, 611,877 unique phishing sites were detected,5 with 32 domain-infringement events and 375 total new threats emerging per minute.4 These types of threats target employees and customers alike with rogue assets and malicious links, all while phishing for sensitive data that can erode brand confidence and harm consumer trust.

Every minute, RiskIQ detects:4

·       15 expired services (susceptible to subdomain takeover)

·       143 open ports

A remote workforce brings new vulnerabilities

The COVID-19 pandemic accelerated digital growth. Almost every organization has expanded its digital footprint to accommodate a remote or hybrid workforce. The result: attackers now have more access points to exploit. The use of remote-access technologies like Remote Desktop Protocol (RDP) and VPN has skyrocketed by 41 percent and 33 percent respectively as the pandemic pushed organizations to adopt a work from home policy.6

Along with the dramatic rise in RDP and VPN usage came dozens of new vulnerabilities giving attackers new footholds. RiskIQ has surfaced thousands of vulnerable instances of the most popular remote access and perimeter devices, and the torrential pace shows no sign of slowing. Overall, the National Institute of Standards and Technology (NIST) reported 18,378 such vulnerabilities in 2021.7

Attack surfaces hide in plain sight

With the rise of human-operated ransomware, security teams have learned to look for smarter, more insidious threats coming from outside the firewall. Headline-grabbing cyberattacks such as the 2020 NOBELIUM attack have shown that the supply chain is especially vulnerable. But threats can also sneak in from third parties, such as business partners or controlled and uncontrolled apps. Most organizations lack a complete view of their internet assets and how they connect to the global attack surface. Contributing to this lack of visibility are three vulnerability factors:

  • Shadow IT: Unmanaged and orphaned assets form an Achilles heel in today’s enterprise security. This aptly named shadow IT leaves your security team in the dark. New RiskIQ customers typically find approximately 30 percent more assets than they thought they had, and RiskIQ detects 15 expired services and 143 open ports every minute.4
  • Mergers and acquisitions (M&A): Ordinary business operations and critical initiatives such as M&A, strategic partnerships, and outsourcing—all of it creates and expands external attack surfaces. Today, less than 10 percent of M&A deals contain cybersecurity due diligence.8
  • Supply chains: Modern supply chains create a complicated web of third-party relationships. Many of these are beyond the purview of security and risk teams. As a result, identifying vulnerable digital assets can be a challenge.

A lack of visibility into these hidden dependencies has made third-party attacks one of the most effective vectors for threat actors. In fact, 53 percent of organizations have experienced at least one data breach caused by a third party.9

Ordinary apps can target organizations and their customers

Americans now spend more time on mobile devices than watching live TV.10 With this demand has come a massive proliferation of mobile apps. Global app store downloads rose to USD230 billion worldwide in 2021.11 These apps act as a double-edged sword—helping to drive business outcomes while creating a significant attack surface beyond the reach of security teams.

Threat actors have been quick to catch on. Seeing an opening, they began to produce rogue apps that mimic well-known brands or pretend to be something they’re not. The massive popularity of rogue flashlight apps is one noteworthy example.12 Once an unsuspecting user downloads the malicious app, threat actors can use it to deploy phishing scams or upload malware to users’ devices. RiskIQ blocklists a malicious mobile app every five minutes.

Adversaries are part of an organization’s attack surface, too

Today’s internet attack surface forms an entwined ecosystem that we’re all part of—good guys and bad guys alike. Threat groups now recycle and share infrastructure (IPs, domains, and certificates) and borrow each other’s tools, such as malware, phish kits, and command and control (C2) components. The rise of crimeware as a service (CaaS) makes it particularly difficult to attribute a crime to a particular individual or group because the means and infrastructure are shared among multiple bad actors.13

More than 560,000 new pieces of malware are detected every day.14 In 2020 alone, the number of detected malware variants rose by 74 percent.15 RiskIQ now detects a Cobalt Strike C2 server every 49 minutes.3 For all these reasons, tracking external threat infrastructure is just as important as tracking your own.

The way forward

The traditional security strategy has been a defense-in-depth approach, starting at the perimeter and layering back to protect internal assets. But in today’s world of ubiquitous connectivity, users—and an increasing amount of digital assets—often reside outside the perimeter. Accordingly, a Zero Trust approach to security is proving to be the most effective strategy for defending today’s decentralized enterprise.

To learn more, read Anatomy of an external attack surface: Five elements organizations should monitor. Stay on top of evolving security issues by visiting Microsoft’s Security Insider for insightful articles, threat reports, and much more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Microsoft acquired RiskIQ to strengthen cybersecurity of digital transformation and hybrid work, Eric Doerr. July 12, 2021.

2Episode 37, “Uncovering the threat landscape,” Steve Ginty, Director Threat Intelligence at RiskIQ, Ben Ben-Aderet, GRSEE. November 29, 2021.

3How big is the internet, and how do we measure it? HealthIT.

4The 2021 Evil Internet Minute, RiskIQ.

5Number of unique phishing sites detected worldwide from 3rd quarter 2013 to 1st Quarter 2021, Joe Johnson. July 20, 2021.

6RDP and VPN use skyrocketed since coronavirus onset, Catalin Cimpanu. March 29, 2020.

7With 18,378 vulnerabilities reported in 2021, NIST records fifth straight year of record numbers, Jonathan Greig. December 8, 2021.

8Top Five Cyber Risks in Mergers & Acquisitions, Ian McCaw.

9Mitigating Third-Party Cyber Risk with Secure Halo, Secure Halo.

10Americans Now Spend More Time Using Apps Than Watching Live TV, Tyler Lee. January 13, 2021.

11App Annie: Global app stores’ consumer spend up 19% to $170B in 2021, downloads grew 5% to 230B, Sarah Perez. January 12, 2022.

12The Top Ten Mobile Flashlight Applications Are Spying On You. Did You Know? Gary S. Miliefsky. October 1, 2014.

13The Crimeware-as-a-Service model is sweeping over the cybercrime world. Here’s why, Pierluigi Paganini. October 16, 2020.

14Malware Statistics & Trends Report, AV-TEST. April 12, 2022.

15Malware statistics and facts for 2022, Sam Cook. February 18, 2022.