IDENTIFYING RDP EXPOSURES
The state police department first began working with Expanse (now Palo Alto Networks Cortex Xpanse) when Expanse discovered an exposed RDP server and proactively reached out to the state chief information security officer (CISO) with the associated certificate, IP address, and other information to flag the risky asset and support remediation.
After receiving the information, the CISO immediately initiated an internal investigation. The following day, Expanse discovered more than 75 additional publicly accessible RDP servers following the same naming convention; most of these corresponded to state police cruiser laptops. Using an internet scanning tool it had relied on previously, the state agency was able to find only 36 of the 75 RDP servers Expanse had surfaced. In addition to surfacing the exposures for the state police department, Expanse alerted the state’s CISO to seven additional exposed RDP servers belonging to the state’s health department, the state legislature, the Environmental Protection Agency, and other state agencies. In less than a day, Expanse had reported the IP address, port, and certificate signature for each exposure to the CISO to inform and drive remediation efforts.
“RDPs are very concerning exposures, and we really appreciate the information Expanse provided to us,” said the State CISO. “After Expanse’s initial tip, we tried to find all additional exposures using publicly available tools, and we weren’t able to do so. The data Expanse provided aided our investigation and helped us rapidly address a serious issue that could have had significant consequences for the operations of the state.”