Foresee the Shadows of Digital Landscapes: External Attack Surface Management (EASM) Inventory

Foreword

Amidst the complex geopolitical and economic landscape of East Asia, Taiwan serves not only as the global hub for semiconductor and high-tech manufacturing but also as the front line of global cyber warfare. With the explosive growth of AI applications and cloud technologies, corporate assets are no longer confined to physical data centers; instead, they are scattered across a global "Digital Landscape."

These unidentified and forgotten "Shadow IT" assets have become the ultimate springboards for attackers to launch initial intrusions, particularly within the highly tense geopolitical environment of East Asia. Referencing Gartner’s Continuous Threat Exposure Management (CTEM) framework, this study utilizes non-intrusive detection to provide a deep-dive analysis of the exposure status of 145 critical organizations in Taiwan (including 87 listed companies and 58 government entities). Our goal is to assist decision-makers in focusing on External Attack Surface Management (EASM), gaining visibility into hidden risks, and strengthening supply chain resilience.

In this study, you will discover:

• Anticipate Potential Corporate Risk Categories:
  Focusing on eight major risk categories based on detected risk characteristics, this report forecasts potential external attack surfaces. This enables enterprises to identify institutional risks, formulate mitigations, and continuously manage and monitor exposures.
• Inventory Cyber Risks Across Taiwan’s Industries:
  This research categorizes businesses into six major industries (including traditional industry, financial sector, upstream electronics, medstream electronics, downstream electronics, and governement agencies). Utilizing non-intrusive security assessments, we quantify a “Cybersecurity Hygiene Value,” highlighting critical risk trends and dark web analysis results.

• Provide Strategic Recommendations for Cyber Defense:
  By cross-referencing the exposure vectors and threats exploited in compromised organizations, this report offers management teams tailored cybersecurity defense recommendations and blueprints for each industry, serving as a benchmark for strengthening corporate security strategies.

Why EASM is the Key to Counter-Reconnaissance

According to a March 2026 report by Group-IB, cyberattack incidents in the Asia-Pacific (APAC) region grew by 107% compared to the previous month. Australia and Thailand tied for the top spot on the most-attacked list, followed by India and Malaysia. Attackers are increasingly using EASM tools to detect forgotten cloud testing environments or unmanaged endpoints. By acquiring initial access credentials, they can bypass Multi-Factor Authentication (MFA) to infiltrate an enterprise’s core systems. This report reflects a pivotal shift in APAC cybersecurity in 2026: attackers have moved from "randomly searching for vulnerabilities" to "exploiting identity credentials." External digital assets that are "not on the managed list" have become the perfect entry points for such attacks.

Because attackers conduct months of network reconnaissance before launching an assault, traditional defense technologies are no longer sufficient to counter contemporary threats: vulnerability scanning typically targets known and managed internal/external assets to identify specific known weaknesses in operating systems, applications, and network equipment. Breach and Attack Simulation (BAS) focuses on simulating attacker behavior to test specific access controls and response procedures, but it can only validate the strength of "existing defenses."

EASM provides visibility into the enterprise from a hacker’s perspective. It does not just identify and evaluate risks in known assets; it reveals unknown, uncontrolled, or neglected assets. Furthermore, it prioritizes discovered threats based on the asset’s role within the organization, providing a more comprehensive security risk assessment and allowing personnel to address risks more effectively. Relying on automated tools for continuous monitoring and status updates, EASM achieves persistent security oversight. This comprehensive external perspective is the unique hallmark of EASM, elevating cybersecurity from "passive patching" to "proactive counter-reconnaissance."

Industry Cybersecurity Posture Analysis

CyCraft research team scans 233 cybersecurity risks, including 8 major risk
categories (as shown in Table 1): EmailSecurity, CertificateHealth, SslTlsStrength, IPDomainReputation, DnsSecurity, DnsHealth, NetworkSecurity, and DarkWebLeak. Through surveying various industries in Taiwan, this investigation renders a comprehensive cybersecurity risk evaluation.

The scanning focuses on external attack surfaces of enterprises, including but not limited to domains, IPs, or URLs. The investigation adheres to standard access methods to obtain relevant configuration settings, excluding any intrusive behaviors such as penetration or attacks.

Among the surveyed 145 organizations, CyCraft research team has detected 18,704 cybersecurity risks, meaning averagely over 100 security risks per organization. Based on these statistics, we define a “Cybersecurity Hygiene Value” to rank the cybersecurity posture of every organization. The higher the Cybersecurity Hygiene Value, the better cybersecurity posture and the lower exposure.

Additionally, we conducted an exposure analysis on 129 predominantly international companies that fell victim to ransomware attacks during our investigation. The source data for these compromised companies was gathered from publicly listed ransomware victims on ransomwatch  between March 26 and April 15, 2024.

Compare to the average number os risks per company across all Taiwanese industries, the number of average risk of organizations hit by ransomware remains significantly higher, indicating the reliability and reference value of this investigation statistics. Upon comparing the Cybersecurity Hygiene Values across sectors, we discovered that the Midstream Electronics sits within a dangerous threshold. Whether looking strictly at risk volume or factoring in severity weighting, this sector exhibits a significantly higher level of risk.

Featured Observation

• Midstream Electronics Targeted by Supply Chain Risks: The number of risks identified in this sector is 50% higher than the overall average. As critical component suppliers for major manufacturers, midstream vendors focus heavily on the production and processing of essential parts. While these vendors possess in-house IT capabilities and often choose to develop services internally to save costs, they frequently lack sufficient knowledge and skills regarding cybersecurity. Furthermore, because they do not face the same market pressure or public visibility as consumer-facing brands, they tend to invest fewer resources into security measures related to brand image (such as DNS, Certificates, and SSL). Within the East Asian supply chain, these vendors are highly susceptible to becoming "springboards" for attackers to infiltrate core global manufacturers.
• Government Agencies Vulnerable to Social Engineering: With an EmailSecurity PR value of only 25, government organizations represent the front line of public service. These entities often require extensive mail services, resulting in numerous and fragmented independent mail server domains. However, they frequently lack the necessary cybersecurity resources to ensure secure configurations. The absence of SPF and DMARC protocols makes email spoofing highly effective, posing a direct threat to the credibility of national digital governance.

Dark Web Exposure Analysis: Government Agencies, Downstream Electronics, and Financial Sectors are Especially Favored by the Underground Market

In addition to the above mentioned non-intrusive testing, CyCraft research team also conducts the dark web exposure analysis under the condition that no sensitive data is unnecessarily retrieved. The research target focuses on data sold by Infostealer on the dark web.

Since 2021, Infostealer has become more and more prevalent. Attackers implant Infostealer malware, such as Redline, Raccoon, and Vidar, into victims’ endpoints to steal data like website credentials, cookies, and other sensitive information. Then, attackers can log into victims’ internal websites through this information, or even spread malicious software like ransomware. This attack technique is known as Initial Access Broker (IAB). With leaked IAB Logs, we are able to analyze
which websites’ information is leaked from endpoints infected by Infostealers.

Among the 145 enterprises, CyCraft research team found that 92 of them have been leaked and sensitive data has been sold on the dark web, meaning a 63.45% breach rate. In total, 3,549 pieces of information have been leaked, the top 3 affected industries are: government agencies (87 on average), downstream electronics (26.98 on average), and financial sectors (21.95 on average).

Government agencies are prime targets of the dark web market since they handle national security, citizen personal data, internal policy enactment, and other highly sensitive information. Downstream electronics contain profitable intellectual property and business secrets of high-tech products. Financial sectors store large amounts of personal and corporate financial data inclusive of bank accounts and transaction records. Once attackers get hold of this mentioned data, they can directly withdraw funds, rendering financial sectors one of the main victims of these digital criminals.

Cybersecurity Exposure Survey: 4 Major Trends and Issues

1. Increasing Cloud Assets: A Rising Cybersecurity Threat of Enterprises.

CyCraft research team has discovered 4 major cybersecurity trends and issues through this exposure survey. First, the increasing usage of cloud assets is becoming a new challenge to enterprises. In the scope of external scanning, we found out that every enterprise has been using cloud assets, with the electronic industry the largest (40-50%) followed by government agencies (25.86%), traditional industries (21.62%), and financial sectors the least (5%).

In the past, financial sectors were strictly forbidden to use cloud services, relying solely on on-premise services. However, in order to strengthen cybersecurity resilience, ensure off-site data backups, and sustain uninterrupted external services, financial regulatory authorities have gradually loosened restrictions on cloud applications, resulting in the increasing demand of cloud cybersecurity management.

Currently, cloud assets widely used by enterprises are mainly AWS, Azure, and Microsoft 365, with each industry adopting different services depending on their scenarios. Many enterprises prefer Azure and Microsoft 365 for easier IT management, while those choosing AWS and GCP often opt for their specific services and for offering cloud-based services to their users.  The electronics industry, which is often connected to their internal IT environments, tends to choose Azure and Microsoft 365, while financial sectors, despite their gradual shift to cloud services, still use cloud services provided by external vendors without the internal IT system connection, rendering AWS a more common choice.

2. 95% of Enterprises Misconfigure SPF, DKIM, DMARC, Increasing Risks of  Social Engineering Attacks.

Phishing email attacks have long been a major security challenge for enterprises. Although they often organize phishing email training to raise employees' security awareness, this can not solve the root cause. Attackers can still easily launch social engineering attacks using various techniques to obtain confidential information. In return, enterprises can enhance their defenses by implementing mechanisms such as SPF, DKIM, and DMARC. These mechanisms effectively prevent attackers from spoofing enterprises’ domains, reducing the number of phishing emails.

Enterprises should not only strengthen their own security measures, but also make sure that suppliers, partners, and other related entities have properly configured these security mechanisms. Only by fostering good cybersecurity habits within the entire industry ecosystem can risks of social engineering be effectively reduced.

However, our survey results show that many enterprises still do not recognize the importance of these mechanisms. Out of 145 entities surveyed, 138 enterprises have not configured SPF, 137 have not configured DMARC, and many other misconfigurations exist. This indicates that almost no one in Taiwan sets up these security mechanisms correctly, indirectly allowing phishing attacks to become more rampant.

Therefore, we urge enterprises to take SPF, DKIM, and DMARC security mechanisms more seriously. Simultaneously, by strengthening  supervision and training across the entire industry ecosystem can we jointly build a more secure email system.

3. Outdated SSL/TLS Versions: A Persistent Security Risk

Today, ensuring secure website connections is essential to corporate cybersecurity, and the SSL/TLS protocol is a key tool for protecting network communications. However, TLS versions, prior to 1.2, contain exploitable security vulnerabilities, and their encryption algorithms are insufficient to meet modern security demands. In response to these threats, major browser vendors have suspended their support for TLS 1.0/1.1 in 2020, and the IETF officially deprecated these versions in 2021. Simultaneously, the U.S. National Security Agency (NSA) also urged all users to upgrade to the more secure versions: TLS 1.2 or TLS 1.3 protocols.

Despite being released in 2008 and facing numerous security challenges over the years, TLS 1.2 still offers relatively high security compared to TLS 1.1. In 2018, TLS 1.3 was officially released, gradually becoming the preferred protocol for website connections. TLS 1.3 not only offers stronger encryption algorithms and security features, but also improves transmission efficiency by simplifying the handshake process and reducing the number of communication rounds. Overall, using TLS 1.2 or TLS 1.3 is currently the most reliable option for maintaining network communication security.

In this survey, CyCraft research team detects 40 instances still using TLS 1.1 or even older versions. We recommend that enterprises actively upgrade to newer protocol versions to ensure the confidentiality and integrity of data and to protect user privacy.

4. 12 Enterprises Contain High-Risk DNS IXFR Misconfigurations.

IXFR (Incremental Zone Transfer) is a mechanism in DNS used to transfer only the modification in DNS zone data, rather than the entire zone file. When DNS data changes, such as adding, modifying, or deleting DNS records, DNS servers need to synchronize these changes with other servers to maintain consistency. IXFR requests transmit only the modified data, enabling faster synchronization.

However, if DNS servers respond to global IXFR requests, this can lead to zone information leakage. Attackers could send IXFR requests to a target DNS server, requesting the incremental zone data and obtaining sensitive information such as hostnames, IP addresses, and other DNS records. To mitigate the risk of DNS zone transfer attacks, it is crucial to implement proper access controls and security settings on DNS servers, including restricting zone transfer requests to authorized IP addresses, setting up firewall rules to block unauthorized requests, and regularly monitoring DNS server logs for suspicious activities. In our survey, this is a high-risk issue that could directly result in security problems, with 12 enterprises having problematic DNS configurations that require immediate correction.

Improvement Strategy: Establishing a CTEM Mechanism

Cybersecurity defense should not be a one-time scan; it must be integrated into the corporate operational lifecycle.

Short term (1-3 months): Patching Vulnerability

• Complete a comprehensive review of existing configurations and policies.
• Conduct preliminary technical assessments and risk evaluation, to plan the
  implementation details for each phase.
• Implement various improvement recommendations, to test their feasibility and scalability.

Midterm (3-6 months): Optimizing Structure

• Implement technical updates and complete improvement recommendations.
• Update internal security policies and conduct employee security training.
• Collaborate with the IT department and third-party security consultants to ensure the
  correctness of configurations and deployments.

Long term (6 months and beyond): Establishing Resilience

• Continuously monitor, assess, and adjust security measures, as well as continuously
  conduct employee training.
• Establish a culture that continuously prioritizes security and rapidly responses to security
  incidents.

Conclusion

Why can attackers penetrate targets and make plans ahead, while enterprises struggle to understand their own environments and deploy countermeasures? Most cyber criminals will conduct reconnaissance before launching attacks and target enterprises that overlook external attack surface management.

CyCraft research team has compiled this White Paper with 8 major risk categories and a total of 233 cybersecurity risks. After analyzing the external and dark web exposure intelligence of 145 entities, we conclude 3 most serious security issues:

1. 95% of the investigated do not correctly configure email security settings, making them vulnerable to social engineering threats:

Phishing attacks have always been a significant security challenge for enterprises. While raising employee security awareness through training can help, it is still just a symptomatic solution. Enterprises can adopt more fundamental measures, such as enabling SPF, DKIM, and DMARC mechanisms to effectively prevent attackers from spoofing their domains and reduce phishing emails. However, our survey shows that among the entire 145 investigated companies, 138 do not properly set up SPF, and 137 do not correctly set up DMARC, indicating that most companies within this survey range have failed to configure email security mechanisms correctly.

2. 63.5% of the investigated have experienced data breaches and sensitive information has been sold on the dark web:

There are a total 3,549 data breaches within the survey scope, with government agencies (87 on average), downstream electronics industry (26.98 on average), and financial sectors (21.95 on average) being the top three.

Government agencies are prime targets of the dark web market since they handle national security, citizen personal data, internal policy enactment, and other highly sensitive information. Downstream electronics contain profitable intellectual property and business secrets of high-tech products. Financial sectors store large amounts of personal and corporate financial data inclusive of bank accounts and transaction records.

3. 50.8% of compromised companies have flaws in their external website certificates:

After cross-comparing recently attacked foreign companies with Taiwanese companies, it is evident that the cybersecurity management agility of hacked companies differs significantly from normal companies. For instance, concerning digital certificate-related categories, over half of the attacked companies have noticeable flaws in their external website certificates.

In the silent digital warfare of East Asia, mastering your external exposure is equivalent to foreseeing the attack path. An enterprise cannot protect assets it cannot see; only through continuous monitoring and the systematic neutralization of exposure factors can an organization advance securely amidst constant change.

This article is adapted from the Taiwan Cybersecurity Exposure Inventory White Paper. This white paper provides recommendations on common risks, technical solutions, and management strategies across six major sectors—including government agencies, traditional industries, and the electronics supply chain (upstream, midstream, and downstream). It enables organizations to implement targeted solutions based on their exposure profile and establish a remediation timeline to comprehensively eliminate threats.

‍