External Vulnerability Assessment

External Vulnerability Assessment (EVA) scans are automated vulnerability tests used to verify the strength of your externally facing services and to increase your security posture.

Scans should only include IP addresses and domains that you own or are authorized to scan.

Arctic Wolf IP addresses should be excluded from your security platforms that might prevent scanning. For more information about allowlist requirements, see Allowlist requirements.

Note: EVA scans can have a high operational impact in your environment. Activities like SQL injection tests may generate requests that exercise upstream systems, potentially resulting in billable actions. Select your scan targets to reduce operational impact in your environment and prevent unnecessary additional costs. To reduce operational impacts, consider enabling WAF or API gateway rules or contact your Concierge Security® Team (CST) to adjust your scan targets.

Scan types

These configurable scans are used in EVA:

  • Vulnerability — This active scan performs port enumeration, subdomain enumeration, vulnerability scanning, and web server scanning.
    • Configurable targets:
      • IP address (X.X.X.X)
      • IP address range (X.X.X.X - X.X.X.X)
      • CIDR (X.X.X.X/Y)
      • Domain name
      • Cloud account
  • Account Takeover (ATO) — This passive scan searches dark and gray web sources for your email domain to identify exposed credentials, such as email addresses and usernames.
    • Configurable targets:
      • Domain name
    Note: Risks may appear in ATO scan results up to 45 days after the credentials have been detected as exposed.
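Because scans must only include addresses and domains you own or are authorized to scan, it is worth validating a proposed target list before it goes into the scan configuration. The following is an added example, not Arctic Wolf code: it parses the target formats listed above (single address, "X.X.X.X - X.X.X.X" range, CIDR, domain name) and checks each against a constructed allowlist of your own ranges; the authorized networks and domain are assumptions made up for the example, and cloud-account targets are not handled.

```python
import ipaddress
import re
# Constructed for this example (RFC 5737 documentation ranges, not real targets):
# the address space and domain you own and are authorized to scan.
AUTHORIZED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                       ipaddress.ip_network("198.51.100.0/25")]
AUTHORIZED_DOMAINS = {"example.com"}
_RANGE_RE = re.compile(r"^(\S+)\s*-\s*(\S+)$")
_DOMAIN_RE = re.compile(r"^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\.?$", re.I)

def parse_target(spec):
    """Return ("ip", [networks]) or ("domain", name) for one EVA target spec:
    a single address, an "X.X.X.X - X.X.X.X" range (reduced to the minimal
    CIDR blocks), a CIDR, or a domain name. Cloud accounts are not covered."""
    spec = spec.strip()
    m = _RANGE_RE.match(spec)
    if m:
        try:
            start, end = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        except ValueError:
            start = end = None  # e.g. a hyphenated domain such as my-site.example.com
        if start is not None:
            if start.version != end.version or start > end:
                raise ValueError(f"invalid range: {spec}")
            return "ip", list(ipaddress.summarize_address_range(start, end))
    try:
        return "ip", [ipaddress.ip_network(spec, strict=False)]
    except ValueError:
        pass
    if _DOMAIN_RE.match(spec):
        return "domain", spec.lower().rstrip(".")
    raise ValueError(f"unrecognised target: {spec}")

def is_authorized(spec, networks=AUTHORIZED_NETWORKS, domains=AUTHORIZED_DOMAINS):
    """True only if every address (or the domain itself) lies inside what you own."""
    kind, value = parse_target(spec)
    if kind == "domain":
        return value in domains or any(value.endswith("." + d) for d in domains)
    return all(any(net.subnet_of(auth) for auth in networks if auth.version == net.version)
               for net in value)

def check_targets(specs):
    # Classify each proposed target: "authorized", "unauthorized" or "invalid".
    result = {}
    for spec in specs:
        try:
            result[spec] = "authorized" if is_authorized(spec) else "unauthorized"
        except ValueError:
            result[spec] = "invalid"
    return result
```

A range that straddles the edge of an authorized block is reported as unauthorized as a whole, since every CIDR block it expands to must fit inside an allowlisted network.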

Feature availability

These features are available depending on the Arctic Wolf solution that your organization uses:

| Scan type | Feature | Managed Risk | Managed Detection and Response | Managed Security Awareness |
|---|---|---|---|---|
| Vulnerability scanning | Risk reports | Yes | Yes | No |
| Vulnerability scanning | Risk management in the Risk Dashboard | Yes | No | No |
| ATO scanning | Alerting on high and critical severity breaches | Yes (ATO risks for MR customers are included in the External Vulnerability Review report) | Yes (ATO risks for MDR customers are included in the External Vulnerability Review report) | Yes (ATO risks for Managed Security Awareness customers are in the Account Takeover Risks report) |
| ATO scanning | Enriched quarterly report with an ATO risk summary, which includes all breaches detected and a list of email addresses exposed | Yes | Yes | No |
| ATO scanning | A review of ATO risks in the Arctic Wolf Portal | Yes | No | No (ATO risks for Managed Security Awareness customers are in the Account Takeover Risks report) |
| ATO scanning | External Vulnerability Review report | Yes | Yes | No |

Account Takeover data breach risk severity

Account Takeover (ATO) scan reports contain data breach risks that are categorized into these types:

| Data Breach Risk Type | Score | Description |
|---|---|---|
| Informational User Data Breach | 1 | The breached data includes email addresses without passwords. |
| Minor User Data Breach | 4 | The breached data does not include passwords, or includes passwords that cannot be decrypted. |
| Severe User Data Breach | 8 | The breached data includes passwords in plain text or passwords that can be decrypted. |
| Critical User Data Breach | 10 | The breached data includes passwords. These users have been identified in a botnet. |

EVA scan operations

For IP-address-based vulnerability scans, including IP address ranges and CIDR blocks, an initial scan runs using a limited list of ports and ICMP. If Arctic Wolf receives any port response in the initial scan, the IP address is added to a list of scan targets. The scan then continues against that list of scan targets using the top 1,000 common ports. By default, vulnerability scans are scheduled monthly.

IP-based vulnerability scans use Nessus Attack Scripting Language (NASL) vulnerability definitions, which receive daily updates. Vulnerability scans targeting web servers use Zed Attack Proxy (ZAP) definitions, which are updated as new versions become available.

For ATO scans, your email domain is used to identify exposed credentials, including emails and usernames, against information from dark and gray web sources. By default, ATO scans are scheduled monthly.

EVA port states

The table below describes the port states that EVA scanning recognizes. For more information about port scanning, see Port Scanning Overview.

| Port state | Description |
|---|---|
| open | The application is actively accepting TCP queries on this port. |
| closed | The port is accessible, but there is no application listening on it. |
| filtered | Arctic Wolf cannot determine whether the port is open because packet filtering prevents probes from reaching the port. This could be due to a firewall, router rules, or host-based firewall software. |
| unknown | Arctic Wolf is unable to determine if the port is open, closed, or filtered. This typically happens when a port is initially found to be open, but changes state during the scan. This can indicate interference from an intrusion prevention system (IPS) or a web application firewall (WAF). For accurate vulnerability scan results, make sure that Managed Risk Scanner IP address ranges are excluded from devices causing interference. |