What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
What Happens When Critical Infrastructure Is One Click From Disaster
Interested in being a guest? Email us at admin@evankirstel.com
What if you could see the internet the way attackers do—before the headlines, before the breach, before the phish hits your inbox? We sit down with Aidan Holland, senior security researcher at Censys, to unpack how daily global scans reveal the live shape of the web: assets you didn’t know you own, services you thought were private, and the malicious infrastructure gearing up for its next move.
Aidan explains how distributed scanning nodes in eight regions capture real banners, certificates, and configuration details, then stitch that telemetry into a searchable index. We dig into two high-value outcomes: attack surface management that links stray assets back to your org through DNS and certs, and threat hunting that tracks bulletproof hosting, brand impersonation, and the flood of fake captcha kits. You’ll hear why internal inventories miss internet-facing systems—rotating IPs, scattered cloud accounts, mergers—and how external vantage points and AI assistants help teams query in plain English, triage vulnerabilities, and fix what matters first.
The stories are gripping and practical: wastewater controls left on the open web, shipboard networks forwarding every port over Starlink, and navigation systems exposed to anyone who could find them. We also talk about the quiet shift back to on-prem and the renewed pressure to patch Exchange-class systems on a tight cadence. Looking ahead, Aidan shares how IPv6 changes the game—no brute force, smarter traversal—and why faster, more diverse scanning is key to catching ephemeral threats.
If you care about cybersecurity, visibility, and measurable risk reduction, this conversation gives you tools and perspective you can use today. Subscribe, share with a teammate who wrangles shadow IT, and leave a review with the biggest “unknown asset” you’ve uncovered lately.
More at https://linktr.ee/EvanKirstel
SPEAKER_01:Hey everybody, looking forward to this chat today on internet visibility, a hot topic in cybersecurity, with Censys. Aidan, how are you?
SPEAKER_00:I'm doing really well. Thanks for having us.
SPEAKER_01:Well, thanks for being here. Really intrigued by the work you guys do. Maybe introduce yourself, and what's the big idea at Censys these days?
SPEAKER_00:For sure. So my name is Aidan Holland. I'm one of our senior security researchers here at Censys. Censys is the census of the internet. So Censys, spelled with a Y. So a census of systems. So we scan the entire internet every day. We actually hit every IPv4 host every four hours. So crazy speed, crazy visibility. It allows us to see a lot of malicious infrastructure before it pops up. It also gives us crazy visibility into industrial control systems and other systems that you wouldn't necessarily expect to see on the internet. So part of my job is taking that and making it so that people can consume it, either in the threat hunting space or on the government compliance side of things.
SPEAKER_01:Super cool approach. And, you know, what problems do customers usually uncover once they start using Censys?
SPEAKER_00:Yeah, so a lot of the things that we end up finding, we have one platform called Attack Surface Management, which allows us to help you find assets that you might not be aware of. There's a lot of this shadow IT, and, you know, I'm sure it's something that folks are familiar with, but some developer spins something up in AWS and forgets about it. So, you know, same thing, you move things into the cloud or you move things back into on-prem, things get lost, especially if you acquire more companies, as we frequently see. But one of our biggest pieces there is being able to tell you what things you might not know about by monitoring the cloud environments and monitoring any certificates and other details that would allow us to link a certain asset back to you. So there's that side of things that we see from our enterprise customers. We also see, for our threat hunting customers, they use this for domain impersonation, they use this for hunting down different threats, so malicious infrastructure tracking, same thing when it comes to bulletproof hosting, so criminal hosting providers. So kind of like AWS, but for criminals. So we track those as well. It gives us really kind of interesting data about what new software people are using. So when there's new malware, it'll often be spun up first in a bulletproof hosting environment. So we track it for that. Same thing with brand impersonation or other phishing type use cases. So we have pretty interesting visibility into that. Additionally, we can kind of tell when certain countries are either blocking us or, you know, might be shut down, specifically with, you know, Russia or China or even Iran more recently. But tons of different avenues, and we've even had people use some of the data for tracking where the Starlink satellites are based on C, which is immensely fascinating to us.
SPEAKER_01:Yeah, that's really interesting. Give us a peek behind the curtain. How does your scanning technology actually work?
SPEAKER_00:For sure. So I think at this point we have about eight different locations around the world. So we have distributed server setups, and we are able to scan whatever chunk is visible to that, but we distribute the scans around, so, you know, say you access a website from China, it might be a little bit different than the one you would get if you visited from the US. So we try to base it location based, and then we kind of piece those all back together and figure out, okay, what software is this thing running, what type of hardware is this running, you know, parse out the different information about it, operating system versions, all that stuff. We then take that and make it indexable for customers, and then they can search it through one of our platform interfaces. So you can build out these really interesting queries that allow you to find. Like one of the big ones we've been looking at recently is something called ClickFix, which I'm sure you've seen, or, you know, like the fake captcha stuff. So one of the things that we do there is, on the internal side, we actually go in and click the button and we figure out, okay, what is it gonna give us? What's actually gonna happen? But you can write regex queries or other regular expressions that allow you to find, you know, interesting pieces of data or patterns that you're starting to identify among other servers.
SPEAKER_01:Very cool. And why do big companies struggle to see all of their internet-facing assets with their internal tools?
SPEAKER_00:Yeah, so honestly, as we've seen in the past, a lot of them don't have great internal tooling. There are things like Snipe-IT or, you know, other inventory management systems, but that requires people being very diligent and very intentional about what they store, the external IPs. You know, sometimes external IPs change, you know, from your ISP side, you just get a rotating one. Sometimes those things just get kind of lost in transitions. Say, you know, your company went through a little layoff, someone might have forgotten, you know, hey, we decommissioned that, or we spun up something else to aid with that process. And so it's kind of just a, you know, too many wires, too many cooks in the kitchen type problem. So that's really one of those areas that we try to help in. But a lot of them are coming from, you know, just spreadsheets, or even more basic. You know, here's a file with all of our domains. That's about it. So there's a lot of different starting points.
SPEAKER_01:Amazing. We all know attack surfaces are growing exponentially. It's been happening for years, but what's changed in the last couple, three years in particular?
SPEAKER_00:Yeah, so, you know, we're not really going through the, like, move to the cloud. We're honestly kind of seeing the opposite. We're kind of seeing people move back to on-prem and kind of having to patch things manually. So I'm sure you've seen the recent Outlook or Exchange vulnerabilities come out. Those have been, you know, if you've moved to the cloud and you're there, you know, maybe some of the Microsoft auto-patching stuff or the auto-updating stuff will help. But in situations where you've started to move back to on-prem, now it's becoming more important to patch the on-prem devices and make sure that none of those are kind of left unseen or unpatched. And that's another one of those areas where we try to highlight things that need patching or need updates to make sure that your on-prem environment is not being left behind.
SPEAKER_01:Fantastic. And I imagine you're using AI now to find and prioritize threats. How does that work exactly?
SPEAKER_00:Yeah, absolutely. So there's a couple different AI type tools that we've been building at Censys. There's one that we use for the query assistant. So say you don't know what you're looking for or you don't know how to type it in; it's kind of similar to a SQL type query language. So you might not be familiar with it, you know, day one, but you can kind of put in English and it allows you to find the thing that you're looking for just from English. So instead of converting your English into the query language directly, it takes care of that. We've also implemented something called the Censys Assistant, which allows you to come in with even less information. So, I have this domain, I have this IP address, what do you know about it? And then our AI will go through a number of processes related to checking if it's a threat, checking if it's, you know, related to malicious infrastructure, then analyze that and give you context around the vulnerabilities on it and what might be either priority to patch or priority to make sure that, you know, it's included within your, you know, Patch Tuesday or whatever it might be.
SPEAKER_01:Fantastic. And is this really designed for large enterprises, or can smaller businesses see results and take advantage of the tooling?
SPEAKER_00:Yeah, so generally our ASM tool is for larger enterprise customers. We do have our search platform, which allows smaller or medium-sized businesses to actually just type in either, you know, known domains, known registrants, or even just the organization name. That's one of the first things I do is I just put my organization name in quotes and see what's in the database. Wow. But yeah, that's more really where you'll see the help for the smaller side of things. But yeah, you'd definitely be able to get some benefit out of it. We do, however, hide some CVEs from the lower tiers. We want to be careful about that. We don't want that data to end up abused. And so we make sure that we, you know, are responsible with that type of disclosure. I bet.
SPEAKER_01:Yeah, I mean, scanning the internet every day. Any interesting surprises or stories or anecdotes you can share without, again, revealing customers or names or embarrassing anyone?
SPEAKER_00:No, yeah, I'm happy to. There's a constant stream of things that are on the internet that shouldn't be on the internet. So we've seen things from wastewater treatment facilities to power plants to solar farms. We've seen the whole nine yards. We've even seen infrastructure that, like, fully lives on ships. And so we'll be connecting to it through Starlink, and we'll see that on Starlink they've forwarded all of the ports to all the other servers that exist on the ship. Some are navigational equipment; some we've seen submarine, like, drone navigation equipment that allows you to literally control where the drones go. So there's all sorts of things. I think probably the most bizarre one that we've seen was probably one of the wastewater treatment facilities, because it literally had, you know, and we've seen more in the recent months, Russia and other type entities try to exploit this. But there's literally a number for: how much chlorine do you want to put in this water? How much of this do you want to shut off the system? There's just a button. So really, really want to make sure that we're emphasizing the importance of, you know, securing those essential systems. And luckily we did work with the EPA and get these remediated, and they no longer are public, thank goodness. But it's, you know, every day I wake up and I'm like, why did someone put this on the internet? Who did this and why? So, no, there's many more.
SPEAKER_01:It's an exciting space, terrifying, but exciting, intriguing work you're doing. Shift to shadow IT, kind of an old-fashioned term, but, you know, even when I had a real job at Oracle 10 years ago, still an epidemic of over-the-top third-party apps. How big of an issue is it right now? Are CIOs coming to grips with shadow IT?
SPEAKER_00:I think they're getting a much better understanding now. And, you know, even beyond the Censys customer space, they're slowly getting better insight into it. We're seeing the platforms themselves either come out with APIs to help you track the infrastructure that you have within it. A lot of it is, you know, if you have ever managed an Amazon account or an Amazon AWS account, I'm sure you've figured it out, you know. Okay, my organization has 10 different accounts. How do I keep track of all of those subsequent assets? Oftentimes we'll see people build custom tooling. At Censys, we've built custom tooling that will go in and do this for our customers. So it'll actually access their cloud workspace and make sure that we fetch and monitor those assets so that they're not forgotten. Honestly, though, once you move outside of the cloud environment, then we're really dependent on, did this person keep the certificates or domains pointed at it correctly, making sure the DNS records are also up to date. Then we use a lot of that to keep track of that shadow IT. But it continues to be a pretty major problem. And even if it's not a security issue, it might just be a financial issue of, hey, who's actually paying for this? What budget is this coming out of? What business group is actually paying for this server? And sometimes we found that certain business groups were overpaying or, you know, paying more than they had expected because they hadn't expected to see infrastructure deployed where it was. So it continues to be an issue. I don't know if I have great numbers to share with you there, but it's continually an issue and something that we are continually fighting on our side as well. I bet.
SPEAKER_01:So what's next for Censys over the next year? Scanning the galaxy, intergalactic IP addresses? No, in all seriousness, what's on your radar?
SPEAKER_00:No, for sure. So I think we're definitely seeing people move, you know, the majority of our scanning infrastructure is around IPv4. IPv6 is the big thing that's coming. And so we're increasing our scanning rate and frequencies. There's several new interesting algorithms that are being used to traverse IPv6. You can't just brute force it as you could with IPv4; it's a little bit more difficult. So we have that coming. We also have some really interesting threat hunting projects coming out. So we're continually expanding which, you know, malware and threats we're tracking. I think we're gonna be expanding more into phishing kits, things like ClickFix, or we call it internally fake captcha, just because there's so many of them it's hard to keep track. But yeah, so mainly improving the threat side of things. And we're also looking at, you know, potentially figuring out how to scan faster and from different infrastructure. So it's a lot of fun. Wow, very cool.
SPEAKER_01:Well, keep up the great work, really important mission, and onwards and upwards. Thank you so much. Thanks, Aidan, for sharing, and everyone for watching and sharing this episode. Until then, take care. Thanks, everyone. Thanks, Aidan.
unknown:Bye-bye.