Detecting hacking before it happens

Why threat hunting and attack surface management are essential

Written by it-sa Team

The reality: Attackers are faster than defenders

The latest State of the Internet Report 2025 reveals an alarming trend:

Over 3,000 active malware instances worldwide
Germany ranks sixth with 123 identified C2 infrastructures
Most common malware: CobaltStrike, Viper, Silver, Remcos
55% of malicious activity originates in China and the USA

These figures prove that command-and-control servers (C2) are distributed globally – and often operate unnoticed.

Threat hunting: From reacting to acting

Threat hunting means proactively searching for threats before they cause damage. Modern platforms enable:

Daily updated maps of active threat infrastructures
Tracking of known groups such as FIN7 or APTs
Automated block lists for firewalls
Live scans to check for changes

An example: The FIN7 group operates over 600 active hosts worldwide. Continuous monitoring allows their activities to be detected early – and blocked.

Relevant providers in the field of threat hunting

Attack surface management: What is visible from the outside?

Many companies underestimate how much of their infrastructure is publicly accessible. Practical examples:

Open camera streams without authentication
Telnet access with standard passwords
Control systems (HMI) directly accessible via the Internet

These systems are not only vulnerable – they are often undocumented or overlooked by the IT department.

A helpful tool for analysing such risks is a platform such as Censys. It allows you to view your own infrastructure from an attacker's perspective: Which services are publicly accessible? Which protocols are running on unusual ports? Are there any indications of outdated software or incorrectly configured systems?

With features such as:

daily scans
historical status comparisons
automated risk analyses
and threat intelligence on known attacker groups

companies can systematically identify and reduce their attack surface – before it is exploited.

What companies should do now

Identify the attack surface: Which systems are publicly accessible? Which protocols are open?
Use threat intelligence: Which threat groups are active? Which IPs should be blocked?
Perform live scans: Has anything changed? Are there any new vulnerabilities?
Clarify responsibilities: Who is responsible for external visibility and response?
Establish security by design: Security aspects must be part of development and operations.

________________________________________

Conclusion: Visibility is the first step towards security

If you don't know what is visible, you cannot protect yourself. Threat hunting and attack surface management are not optional extras – they are essential. Only those who know their digital attack surface can defend themselves effectively.

More info on the topic? Watch the recording now!

Editorial note:
This article is based on the corresponding presentation during the IT Security Talk on the topic of regulation on 31 July 2025 and was created with the support of KI.

Author

it-sa Team

Organisation & Community

NürnbergMesse GmbH

Loading component...

The reality: Attackers are faster than defenders

The latest State of the Internet Report 2025 reveals an alarming trend:

Over 3,000 active malware instances worldwide

Germany ranks sixth with 123 identified C2 infrastructures

Most common malware: CobaltStrike, Viper, Silver, Remcos

55% of malicious activity originates in China and the USA

These figures prove that command-and-control servers (C2) are distributed globally – and often operate unnoticed.

Threat hunting: From reacting to acting

Threat hunting means proactively searching for threats before they cause damage. Modern platforms enable:

Daily updated maps of active threat infrastructures

Tracking of known groups such as FIN7 or APTs

Automated block lists for firewalls

Live scans to check for changes

An example: The FIN7 group operates over 600 active hosts worldwide. Continuous monitoring allows their activities to be detected early – and blocked.