Whiteboard Wednesday:

ICER UK FTSE 250+ Report

June 26, 2019

Kwan Lin, senior data scientist at Rapid7, discusses key takeaways from the recent Industry Cyber-Exposure Report on the UK’s FTSE 250+, including the average amount of exposed devices and the rate companies are upgrading to HTTPS. He also explains steps you can take to combat the common vulnerabilities uncovered. Learn more about the report in this week’s Whiteboard Wednesday. 

Video Transcript

Hi there, I’m Kwan Lin, Senior Data Scientist at Rapid7, and I’d like to share some details about the recently released Industry Cyber-Exposure Report (or ICER) for the United Kingdom. We focus on the security profiles of organizations included in the FTSE 250 Index, as well as a few other additional groups. We refer to this set as the FTSE 250+ set.

Show more Show less


The intent of this ICER report is to systematically assess the configurations of internet-connected services to make a generalized assessment of current levels of exposure in the United Kingdom. 


One of the underlying assumptions we make is that the set of organizations in our analysis are well-resourced and technically capable. Our findings of exposure within this group might suggest that other smaller and less-well equipped groups are likely comparably or more exposed.


The data we collect for this report originates from Project Sonar, which performs internet-wide surveys across numerous services and protocols to identify exposure to common vulnerabilities, as well as Project Heisenberg, which is an unadvertised network of honeypots that should not receive any legitimate internet traffic.




Using Sonar, we searched for publicly exposed systems and services in the FTSE 250+ organizations. We found that on average, each organization exposed about 35 services. Each of these exposed services expands the attack surface.  When we segmented the data, we also found quite a bit of variation of degrees of exposure across different sectors.




Phishing remains one of the most commonly leveraged attack vectors. One method to minimize the threat of phishing is to utilize Domain-based Message Authentication, Reporting, and Conformance (or DMARC). DMARC allows organizations to signal when emails originate from authorized senders and to manage malicious emails.  We can examine DMARC records to determine if organizations are in fact using DMARC. 


Our analysis revealed that 70% of the FTSE 250+ have not implemented DMARC in any form.




In another thread of analysis, we found that 17% of the FTSE 250+ did not automatically upgrade HTTP requests to the more secure HTTPS variant. This potentially leaves visitors exposed to person-in-the-middle attacks. There are a number of issues with this, but one particular issue is the General Data Protection Regulation (or GDPR) does de facto impose an expectation that data transmissions are secured. Allowing visits using HTTP instead of HTTPS potentially allows for unsecured data transmissions.


System Compromise


By examining Heisenberg data, we found evidence of quite a few connections originating from various sectors of the FTSE 250+ - a situation that should not be manifesting unless there are cases of system compromise or misconfiguration. When we dug deeper, we found further evidence suggesting impact by SMB-related malware like WannaCry, DNS denial of service attacks, and credential brute-forcing. 


We’ll conclude now with some tips for organizations in the UK derived from our analysis of the FTSE 250+ organizations.


First, aim to reduce your attack surface. The fewer exposed services there are, the fewer opportunities there are for malicious actors to exploit. Understandably, some services do need to be exposed, but if so, ensure there are measures in place to minimize risk - such as vulnerability management programs or active monitoring practices.


Second, given the persistent prevalence of phishing, we suggest that organizations implement DMARC as a means to minimize the danger posed by phony, phishy emails. It reduces risk to outside organizations that yours engage with, and it also makes it trickier to spoof your internal emails. 


Third, check that visits to your domains are automatically upgraded from unsecure HTTP requests to the more secure HTTPS variant. It’s both good practice and necessary for GDPR compliance.


Fourth, given that our Heisenberg honeypots picked up activity originating from the FTSE 250+, it’s probably worth checking on egress filters that could block undesirable outbound traffic. 



We covered a lot in this brief Whiteboard Wednesday, but there’s still plenty more detail in the full ICER report.


Hop on over to our website at Rapid7.com if you’re interested in seeing the complete ICER UK report.


If you have any questions, feel free to contact us by email at research@rapid7.com.


Hopefully some of these tidbits are useful to you. We wish you luck in better securing your organization.

Industry Cyber-Exposure Report: FTSE 250+

Gain actionable insights from the Industry Cyber-Exposure Report: FTSE 250+ and improve your security.

Learn More
New to threat hunting and detection?

Learn about the defensive methods available to help you detect and mitigate threats in your environment quickly.

Read Here