Exposed Ports


Exposed ports, in the context of cybersecurity, are Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports on a network-connected device (such as a server, router, or application) that are intentionally or unintentionally left open and accessible from an external, untrusted network, such as the public internet.

These ports act as communication endpoints, similar to doors on a building. While they are necessary for network operations, an exposed port is a door that answers on behalf of a specific service. The danger lies not in the port number itself, but in the service listening behind it: its version, its configuration, and the credentials that protect it.

Why Exposed Ports are a Security Risk

Exposed ports significantly increase an organization's attack surface and are among the first targets for attackers, who use automated scanning tools such as Nmap or Masscan to find them.

  1. Initial Access Vector: An exposed port provides a direct, low-friction entry point that the perimeter firewall already permits, so an attacker reaches the service without having to defeat other security measures first.

  2. Exploitation of Underlying Services: The exposed service may be unpatched, misconfigured, or running an outdated version, leaving it vulnerable to known exploits.

  3. Brute-Force and Credential Theft: Ports associated with remote access services or login pages are targeted with credential brute-forcing and sniffing attacks to gain unauthorized control.

Examples of High-Risk Exposed Ports

Specific ports, due to the sensitive nature of the services running on them, pose a greater risk when exposed to the internet:

  • Remote Access:

    • Port 22 (SSH): Used for secure remote server login. Exposure allows attackers to brute-force credentials or exploit leaked SSH keys.

    • Port 3389 (RDP): Used for Windows Remote Desktop connections. Exposure is a leading cause of ransomware attacks, as it grants attackers control of the entire system.

    • Port 23 (Telnet): Used for remote connection, but transmits data in clear text (unencrypted), making it highly insecure.

  • Databases:

    • Port 3306 (MySQL): Exposure allows attackers to brute-force database credentials or exploit misconfigurations to steal or manipulate sensitive data.

    • Port 1433 (Microsoft SQL): Used for MSSQL server communication; exposure risks unauthorized access to enterprise data.

  • File Transfer and Sharing:

    • Port 21 (FTP): Often used for file transfer, but is vulnerable to credential sniffing and brute-forcing due to unencrypted transmission.

    • Port 445 (SMB): Used for Windows file and printer sharing. Vulnerabilities here, like those exploited by WannaCry, allow for lateral movement and the spread of malware.

To mitigate this risk, organizations must close all unnecessary ports (by stopping the listening service or filtering it at the firewall), use firewall rules to restrict access to only essential services and authorized source IPs, and ensure that every service still listening on a public port is fully patched and uses encrypted transport.

ThreatNG is highly effective at mitigating the risk of Exposed Ports by performing continuous, unauthenticated external discovery and assessment, which is precisely how attackers locate these vulnerabilities.

ThreatNG's Role in Mitigating Exposed Ports

External Discovery and Continuous Monitoring

ThreatNG performs purely external unauthenticated discovery to identify the organization's entire digital attack surface. Finding exposed ports is a fundamental component of this discovery, as it simulates an attacker performing network reconnaissance. This agentless approach is critical because it identifies ports accessible from the public internet. Through Continuous Monitoring, ThreatNG ensures that a port inadvertently opened by a configuration change, or a new server deployment, is detected and flagged immediately, minimizing the window of exposure.

External Assessment and Examples

The discovery of exposed ports directly impacts several of ThreatNG’s Security Ratings:

  • Cyber Risk Exposure: This rating is based on findings across Subdomain Intelligence, including exposed ports. It is a direct measure of the risk posed by unauthenticated access points.

    • Example: ThreatNG identifies an exposed RDP port (TCP 3389) on a subdomain within the organization’s attack surface. This finding contributes to the Cyber Risk Exposure rating, indicating a high risk of remote system compromise and lateral movement.

  • Breach & Ransomware Susceptibility: This rating is based on findings across Subdomain Intelligence, including exposed ports. Ransomware often exploits exposed services to gain initial access.

    • Example: ThreatNG discovers a publicly accessible FTP port (TCP 21) or an exposed, unsecure Telnet port (TCP 23). This exposure increases the Breach and Ransomware Susceptibility rating because these are common vectors for initial intrusion.

Investigation Modules and Examples

The Subdomain Intelligence investigation module is the primary tool for identifying exposed ports:

  • Subdomain Intelligence (Ports): This submodule performs external port discovery and identifies and categorizes exposed services.

    • Databases: ThreatNG identifies direct access to database ports such as SQL Server, MySQL, PostgreSQL, MongoDB, CouchDB, Redis, and Elasticsearch. Example: ThreatNG detects an exposed PostgreSQL port on a publicly reachable server, signaling a potential data exfiltration risk.

    • Remote Access Services: It identifies exposed ports for management protocols such as SSH, Telnet, RDP, LDAP, and VNC. Example: A newly deployed staging server accidentally exposes SSH (TCP 22), which ThreatNG detects, allowing the security team to lock it down before it's brute-forced.

    • IoT/OT (Operational Technology): ThreatNG even checks for protocols commonly used in operational environments, such as FTP, Telnet, SMTP, IMAP, Universal Plug and Play, and Exposed ICS Devices (HTTP). Example: ThreatNG detects an exposed VoIP Service or a publicly accessible Networked Security Camera port.

Intelligence Repositories and Complementary Solutions

  • Intelligence Repositories (DarCache):

    • Vulnerabilities (DarCache Vulnerability): This repository, incorporating NVD (technical details/severity) and KEV (active exploitation), is essential for prioritizing exposed ports.

    • Example: ThreatNG discovers an exposed RDP port running an outdated version of the service. ThreatNG checks DarCache Vulnerability and confirms the version is associated with a known, actively exploited KEV vulnerability, instantly elevating the risk of this exposed port.

  • Complementary Solutions:

    • Security Information and Event Management (SIEM) Systems: ThreatNG can feed its prioritized alerts for high-risk exposed ports (e.g., exposed RDP or SSH) to a SIEM. The SIEM can then use this external finding to look for corresponding internal logs showing unauthorized connection attempts or successful logins on that specific IP address, providing immediate confirmation of a potential breach.

    • Web Application Firewalls (WAFs) / API Gateways: ThreatNG’s discovery of exposed ports running web or API services can be shared with the WAF. The WAF can then use this inventory to ensure that protective rules are correctly configured for all ports, not just the standard ones like 80/443.

    • Network Firewalls/Access Control Lists (ACLs): The list of public IP addresses and their exposed ports identified by ThreatNG can be sent to the organization's firewall management tool. Network operations can then use this precise external data to automatically or manually update ACLs to block all external traffic to specific high-risk ports (e.g., database and remote access ports), thereby reducing the attack surface.
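The SIEM and firewall integrations described above boil down to a small, repeatable workflow: take the external finding (host, IP, port), decide whether the port falls into one of the high-risk categories from the list earlier on this page, search internal authentication logs for connection attempts against that exact host and port from sources that are not on the authorized list, and draft the deny rules that close the exposure. The following Python script is an added example written for this page; it is not ThreatNG code and does not use any ThreatNG API. The finding export format, the sshd- and PostgreSQL-style log lines, the authorized networks, and the iptables rule strings it prints are all constructed assumptions chosen to make the logic runnable offline.

```python
"""Correlate external exposed-port findings with internal auth logs and draft
firewall rules. Added example, not ThreatNG code; every input is constructed."""
import ipaddress
import re
from collections import Counter

# Port -> (service, category). Drawn from the high-risk categories discussed on this page.
HIGH_RISK_PORTS = {
    22: ("SSH", "remote-access"), 23: ("Telnet", "remote-access"), 3389: ("RDP", "remote-access"),
    3306: ("MySQL", "database"), 1433: ("MSSQL", "database"), 5432: ("PostgreSQL", "database"),
    21: ("FTP", "file-transfer"), 445: ("SMB", "file-transfer"),
}

# Constructed external findings in a hypothetical EASM export format (host, public IP, open port).
EXTERNAL_FINDINGS = [
    {"host": "staging.example.com", "ip": "203.0.113.10", "port": 22},
    {"host": "db1.example.com", "ip": "203.0.113.25", "port": 5432},
    {"host": "www.example.com", "ip": "203.0.113.30", "port": 443},  # expected public service
]

# Constructed source networks that are allowed to reach management and database ports.
AUTHORIZED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed internal log lines: "<timestamp> <host ip> <process>[pid]: <message>".
INTERNAL_LOGS = """\
2024-05-01T10:00:01Z 203.0.113.10 sshd[4120]: Failed password for root from 198.51.100.7 port 51234 ssh2
2024-05-01T10:00:03Z 203.0.113.10 sshd[4120]: Failed password for root from 198.51.100.7 port 51236 ssh2
2024-05-01T10:00:05Z 203.0.113.10 sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
2024-05-01T10:00:09Z 203.0.113.10 sshd[4122]: Accepted password for deploy from 198.51.100.7 port 51244 ssh2
2024-05-01T10:00:30Z 203.0.113.10 sshd[4123]: Failed password for deploy from 192.0.2.5 port 40001 ssh2
2024-05-01T10:01:00Z 203.0.113.25 postgres[2201]: LOG:  connection received: host=198.51.100.9 port=43210
"""

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
PG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) postgres\[\d+\]: LOG:\s+connection received: host=(?P<src>\S+) port=\d+"
)


def parse_events(log_text):
    """Turn raw log lines into (host, port, src, outcome) events. The process name is mapped
    to the port it serves (sshd -> 22, postgres -> 5432); this mapping is an assumption."""
    events = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"host": m["host"], "port": 22, "src": m["src"], "outcome": m["outcome"].lower()})
            continue
        m = PG_RE.match(line)
        if m:
            events.append({"host": m["host"], "port": 5432, "src": m["src"], "outcome": "connection"})
    return events


def is_authorized(src, networks):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def correlate(findings, events, networks):
    """For each high-risk external finding, count internal auth events on that host/port from
    unauthorized sources. An accepted login from outside is the strongest breach signal."""
    alerts = []
    for f in findings:
        svc = HIGH_RISK_PORTS.get(f["port"])
        if svc is None:
            continue  # not in a high-risk category; leave it to the normal review queue
        counts = Counter()
        sources = set()
        for e in events:
            if e["host"] == f["ip"] and e["port"] == f["port"] and not is_authorized(e["src"], networks):
                counts[e["outcome"]] += 1
                sources.add(e["src"])
        failed, accepted, conns = counts["failed"], counts["accepted"], counts["connection"]
        severity = "critical" if accepted else "high" if (failed or conns) else "medium"
        alerts.append({"host": f["host"], "ip": f["ip"], "port": f["port"], "service": svc[0],
                       "category": svc[1], "failed": failed, "accepted": accepted, "connections": conns,
                       "unauthorized_sources": sorted(sources), "severity": severity})
    return alerts


def draft_deny_rules(alerts, networks):
    """Draft iptables rules (illustrative strings, not applied here): allow the authorized
    networks to the exposed port, then drop everyone else."""
    rules = []
    for a in alerts:
        for net in networks:
            rules.append(f"iptables -A INPUT -p tcp -d {a['ip']} --dport {a['port']} -s {net} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp -d {a['ip']} --dport {a['port']} -j DROP")
    return rules


if __name__ == "__main__":
    found = correlate(EXTERNAL_FINDINGS, parse_events(INTERNAL_LOGS), AUTHORIZED_NETWORKS)
    for a in found:
        print(f"[{a['severity'].upper()}] {a['host']} {a['service']}/{a['port']}: "
              f"failed={a['failed']} accepted={a['accepted']} conns={a['connections']} "
              f"from {a['unauthorized_sources']}")
    print("\n".join(draft_deny_rules(found, AUTHORIZED_NETWORKS)))
```

Run as-is, the script flags the staging SSH host as critical (three failed logins followed by an accepted one from an unauthorized address), the PostgreSQL host as high (an unauthorized connection with no matching authentication failure yet), and ignores the HTTPS finding because port 443 is an expected public service. The one failed SSH login from 192.0.2.5 is not counted because that network is on the authorized list; that allowlist is what keeps the correlation from drowning in legitimate administrative traffic.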
