And this is the part where I say, “I told you so.”
(Okay, no I won’t, because I’m not really that type of person). But anyway, here’s the story.
A long time ago, in a local star cluster somewhere near a minor star, we wrote a service cleverly called “OPD,” which stands for Open Port Detector. It’s function was essentially to run Nmap in order to tell you what is open externally on your network. Now, here’s the fun part... At the time, most people were saying, “We don’t need that, because we already know what’s on the outside of our network.” So, we killed it and buried it unceremoniously - or, in other words, built it into a Splunk app and left it alone.
Allow me to (modestly) brag a little bit about OPD
Since it can’t talk and defend itself, I'm here to tell you a couple quick success stories for OPD.
There once was a situation where a network engineer at one of our clients accidentally left his laptop plugged in externally, unpatched and vulnerable. Fortunately, this client was using OPD, which detected this situation and then caused us to yell at them to remove it and not to plug it back into the network. Ultimately, the potential for a very bad situation was eliminated with the help of OPD.
What else can OPD do? Well, OPD also lovingly alerts on things, like when your Internet Service Provider (ISP) leaves SSH open to the free world on your router that they “manage” (which has happened on numerous occasions). In all reality, it's the ISPs that are more horrifying than anything sometimes...
I’m basically saying all of that to say this: OPD is your friend, or at least it wants to be.
Okay, so what's the use case?
The biggest pushback to this “friendly” tool, that I always got in the past, was the question, “But, what’s the use case?” I’m so glad you asked, because the answer I would give, often, was that the internet knows all your secrets, so maybe you should know them first?
Fast forward to now and we have this thing called AutoSploit. This is a tool that uses Shodan to figure out what ports are open and then lovingly flings MetaSploit exploits at them. AutoSploit is NOT your friend (alright, it CAN be your friend), but it is a solid use case for OPD.
This brings me to my final point.
Now you can use OPD and Splunk.
OPD is now available as a Splunk app and technology add-on. I know you're excited! We even integrated it with our Shodan App for Splunk so you can see exactly what someone running AutoSploit would see. Of course, you could always just run AutoSploit by yourself, but you probably don’t want to do that. Knowing what your enemy knows is half the battle. So, you know, use all this free stuff to find out what the internet knows about you.
No matter what the cool kids, your network admins, or anyone else says, the perimeter is not dead, it’s just being attacked regularly and you should probably know why.