If you are using Shodan to search for your company’s assets or perform reconnaissance as part of your blue or red team routines, you need to keep reading. This blog unlocks insights that will help you eliminate more risks in less time and with minimal effort.
Shodan (aka the hackers’ search engine) is a well-known Internet search engine that allows you to check the exposure status and metadata of every public IP address. It is used by both hackers and organizations.
Shodan is great for attackers. Having the internet at your fingertips is exactly what you need when trying to find exposed assets to attack. But for organizations, it’s a different story.
In order to stay ahead of attackers, you need a quick way to continuously map and monitor your ever-changing external attack surface. But trying to maintain an always up-to-date connected asset inventory with an IoT search engine is like looking for a needle in a haystack while ignoring the rest of the barn. The inherent limitations of Shodan (manual searches, false positives and no prioritization) result in only partial visibility of your real attack surface.
The only way to eliminate shadow IT risks and unknown exposures is through complete automation of the discovery, analysis, prioritization, and monitoring processes.
10 years ago, Shodan was probably your best option, but today in 2022, using Shodan to search for your company’s assets is like trying to navigate at sea, with no GPS or sonars, relying only on the stars.
This blog presents a deep-dive comparison of the use of Shodan vs Reposify’s External Attack Surface Management platform for mapping the attack surface and eliminating unknown risks.
We’ll examine and compare 4 main aspects:
1. Internet scanning capabilities
2. Asset discovery capabilities
3. Insights actionability (asset classification, security insights, and risk prioritization)
4. Costs – is Shodan really that cheap?
- On average, Reposify discovers 45% more assets than a search on Shodan yields. It also delivers more actionable insights.
- Reposify’s asset association is based on more than 80 signature variations. Shodan doesn’t associate assets (apart from SSL string matching).
- Reposify assigns every issue a risk score and prioritizes it automatically. Shodan delivers no prioritization of issues.
- Reposify’s findings are delivered with a click of a button – the discovery, investigation, and prioritization processes are fully automated so you can focus on remediation.
#1 INTERNET SCANNING CAPABILITIES
When searching for your internet-connected assets, the database on which queries are performed represents the ground truth for your search.
Both Reposify and Shodan scan and index ports and services running on devices across the internet. However, when it comes to scanning coverage and frequency they vary greatly.
While Shodan scans from a few known locations (the Shodan census servers), Reposify’s scanning network is spread across many locations around the globe and leverages adaptive scanning based on the environment.
Organizations’ networks are in constant flux: new cloud instances go live every second, development environments go up and down, and the growing prevalence of ephemeral IP addresses all lead to frequent changes in organizations’ external attack surfaces. When things change this quickly, basing your analysis on stale data is dangerous.
Shodan’s website states that it crawls the internet at least once a month. It is possible to trigger on-demand scans for predefined IP addresses using the API, but what about all your unknown IP addresses? They are not covered.
Reposify scans the entire internet continuously.
Scanning coverage and frequency are the 2 most important factors that determine the size and quality of the database. Reposify has the world’s largest database of internet-connected assets.
#2 ASSET DISCOVERY CAPABILITIES
If you are working as a security professional within an organization you are probably using Shodan to perform proactive security investigations into publicly exposed assets your organization owns. Mapping your complete exposed asset inventory is critical. We already established that Shodan’s data set is limited in coverage and freshness. But there is another challenge – finding the relevant assets within this pool of data.
Since Shodan is a search engine, it doesn’t perform any asset association. Users can search for assets by keywords and find exposed services that have these keywords in the service’s banner (for example, a company name), but this method is highly inaccurate and yields a long list of false positives. It is like searching for a needle in a haystack. Therefore, most users need a well-researched starting point to get an actual set of relevant data, and they go on to apply various search operators and develop scripts in order to do so.
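As an added example (not code from the original post, nor from Reposify or Shodan), this is the kind of triage script the paragraph above alludes to: it separates Shodan-style keyword hits into assets whose TLS certificate names fall under domains you own and banner-keyword-only hits that still need manual verification. The owned domains, keyword and sample records are constructed assumptions; the record layout only loosely mimics Shodan’s banner JSON, with a simplified "san" list standing in for the certificate’s subjectAltName entries.

```python
# Added example, not code from the original post, Reposify or Shodan. It
# triages Shodan-style banner keyword hits: a hit whose TLS certificate names
# fall under a domain you own is an associated asset; a hit that only has the
# keyword in its banner text is flagged for manual verification, since those
# are where the false positives come from.

OWNED_DOMAINS = {"example.com", "example-corp.net"}  # assumption: your domains
KEYWORD = "example corp"                              # banner keyword queried

# Constructed sample hits. The layout loosely mimics Shodan's banner JSON
# (ip_str, port, data, ssl.cert.subject.CN); the "san" list is a simplified
# stand-in for the certificate's subjectAltName entries.
SAMPLE_HITS = [
    {"ip_str": "198.51.100.10", "port": 443,
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
     "ssl": {"cert": {"subject": {"CN": "www.example.com"}, "san": []}}},
    {"ip_str": "198.51.100.11", "port": 8443, "data": "HTTP/1.1 200 OK\r\n",
     "ssl": {"cert": {"subject": {"CN": "*.cdn-provider.test"},
                      "san": ["api.example-corp.net"]}}},
    {"ip_str": "203.0.113.5", "port": 80,
     "data": "HTTP/1.1 200 OK\r\nX-Powered-By: Example Corp Hosting\r\n"},
    {"ip_str": "203.0.113.9", "port": 22,
     "data": "SSH-2.0-OpenSSH_8.9 example corp backup\r\n"},
    {"ip_str": "203.0.113.77", "port": 443, "data": "HTTP/1.1 200 OK\r\n",
     "ssl": {"cert": {"subject": {"CN": "shop.example.com.evil.test"}, "san": []}}},
]


def cert_names(hit):
    """Host names asserted by the hit's certificate (CN plus SANs), normalised."""
    cert = hit.get("ssl", {}).get("cert", {})
    names = [cert.get("subject", {}).get("CN", "")] + cert.get("san", [])
    return {n.lower().lstrip("*.") for n in names if n}


def owned_by(name, owned):
    """True only if name equals an owned domain or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in owned)


def triage(hits, owned=OWNED_DOMAINS, keyword=KEYWORD):
    """Split hits into cert-associated assets and keyword-only hits to verify.
    A hit matching neither (e.g. a look-alike cert name) is dropped."""
    associated, unverified = [], []
    for hit in hits:
        if any(owned_by(n, owned) for n in cert_names(hit)):
            associated.append(hit)
        elif keyword in hit.get("data", "").lower():
            unverified.append(hit)
    return associated, unverified
```

On the sample data the two certificate-backed hits land in the associated list, the two banner-only hits go to manual verification, and the look-alike certificate name is dropped because the suffix check requires a real subdomain match rather than a substring.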
But how can you look for something if you don’t even know it exists?
The digital transformation and migration to the cloud have left organizations increasingly vulnerable to risky exposures resulting from unknown internet-connected assets.
Reposify’s team realized 2 important things:
- Your asset search must extend beyond your known network IP ranges and this requires a new level of sophistication and expertise.
- In the battle for cyber security, every minute counts. Manual searches and constant script updates are tedious tasks that divert valuable time and resources from already overstretched security teams. Discovery and investigation should be automated so teams can focus on remediation.
With Reposify you get a complete and always up-to-date connected asset inventory with just a click of a button. First, Reposify’s algorithms run a search within its proprietary database and autonomously map your organization’s structure (including subsidiaries), with no need for deployment or setup. Then machine learning algorithms automatically extract and enrich various identifiers in order to find your unknown assets across all environments and your supply chain. The asset discovery path and confidence level are presented for each asset to ensure full transparency for our customers.
Only automated discovery and investigation processes can yield a complete and always up-to-date map of your attack surface.
#3 INSIGHTS ACTIONABILITY
Complete visibility is necessary but insufficient for improving your security posture. The path from discovery to remediation includes understanding the asset type and associated risks, prioritizing it among all the other issues and understanding how to remediate it. The more insights you get the better your decisions will be.
Shodan delivers basic classification of assets which is based on the banner information. You will be able to see the asset’s platform, software version and geolocation.
Reposify leverages advanced techniques and delivers additional critical insights – for example it will indicate if a certain service belongs to a production or staging environment.
Security Issue Analysis:
Beyond the exposure status, Shodan delivers basic information on potential vulnerability to CVEs based on the platform version which might be stated in the asset’s banner.
Reposify takes it a step further. It leverages passive and non-intrusive techniques to analyze the assets for a range of security issues including misconfiguration and access control issues, potential data leakages, SSL and cryptographic issues, phishing risks and many more.
Risk Prioritization and Action Plan Generation:
Shodan delivers no prioritization of issues. With Reposify, all issues are assigned with a risk score and automatically prioritized. The platform also generates an action plan with remediation advice so teams can eliminate critical risks in real time and improve their security posture.
#4 COSTS – IS SHODAN REALLY THAT CHEAP?
Shodan offers a limited free online search, but most organizations that use this tool will have the enterprise level subscription. Although Shodan’s subscription cost might be considered cheap – the hidden costs of using Shodan should not be ignored.
Labor costs: The most obvious cost element is human labor.
- Organizations that use Shodan need to allocate anywhere from several hours a week up to a full-time position for writing and maintaining the query scripts and keeping the pool of identifiers used to find their assets up to date.
- Manually sifting through the data to weed out false positives.
- Since Shodan offers limited security insights and no prioritization, these steps are done manually.
All these hours spent on discovering, investigating and assigning priorities could be put to a much better use if they were allocated directly to remediation.
Reposify automates these manual and inaccurate processes so your team can focus on higher-value tasks.
The cost of unknown critical exposures:
Reposify’s data shows that on average for every known exposed service a company is aware of, it has 5 unknown services. When trying to stay on top of your attack surface using limited and manual search capabilities you are bound to miss critical exposures that will result in a costly incident or a breach.
Time to discovery and remediation:
When it comes to critical vulnerabilities or exposure of critical assets, every minute counts in reducing the window of exposure for vulnerabilities.
The average time to identify a breach in 2019 was 206 days and the average time to contain a breach was 73 days.
With Reposify you can avoid breaches by discovering your critical exposures and vulnerabilities in real-time.
We have reviewed the various critical parameters needed for successfully managing and safeguarding your organization’s attack surface. Reposify delivers superior data while fully automating inefficient processes so your team can resolve more issues in less time.
If you want to stay a step ahead of attackers, it’s time to leave IoT search engines to the hackers and embrace an enterprise-grade attack surface management solution.
At the end of the day, the way to determine what works best for you is to try it out for yourself.
You can book a free personalized demo of Reposify’s platform here.
Reposify VS. Shodan – Capabilities Comparison
- Internet-scale scanning coverage (Reposify: 50 countries worldwide; Shodan: ~30 countries worldwide)
- Asset association based on more than 80 signature variations and heuristics
- Fresh data daily
- Non-CVE-related security findings (e.g. CDN bypass, hostile subdomain takeover, exposed buckets)
- Ability to find assets in all subsidiaries, supply chain and 3rd-party vendors
- Smart alert mechanism with more than 22 configurable workflow attributes (e.g. if a database is exposed on a specific subsidiary, send a Slack alert)
- API connectivity plus cloud, SIEM, SOAR and other integrations
- Ability to find unknown assets via AI and smart algorithms
- Speed and reliability
- Ongoing support and analysts to consult with
- More than 3 years of historical data about any given exposed IP