SANS ISC shares an excellent list of free or low-cost tools for testing network and endpoint vulnerabilities. Security admins face a learning curve in mastering these tools, but the investment of time is worthwhile to better protect the company on a more “do it yourself” basis.


I mention Zeek first because if Zeek works for you, you are done. Zeek is excellent at identifying new services. It offers a number of logs to help (e.g. known_services, known_hosts, software, known_certs …). Out of the box, it does pretty much everything you need and it is pretty straightforward to collect the logs in a console like ELK. So why continue reading? Well, Zeek may not cover everything. You may have hosts in the cloud, or even in home networks, that are not covered by your Zeek setup.


Nmap, the granddaddy of port scanning tools, is easily scripted to periodically scan networks for open ports (= exposed services). It even has pretty good tools to identify services. The issue with Nmap is that you will only get a snapshot in time, and some services may only be exposed occasionally. It may also be a bit tricky to scan various networks you do not directly control. For example, how to deal with employee home networks? At the very least, you should get permission to scan the home network of employees (may not be a bad idea if this is a work-from-home setup). But there are several technical and ethical issues.
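Because each Nmap run is only a snapshot, periodic scans become useful once consecutive results are compared. The following is an added example, not part of the original list: it parses two snapshots in Nmap's grepable (`-oG`) output format and reports services that appeared or disappeared. The function names are hypothetical and the sample data is constructed, using documentation addresses from 192.0.2.0/24.

```python
import re

# Constructed samples in Nmap grepable (-oG) format, not real scan results.
BASELINE = """\
# Nmap scan (constructed sample, earlier run)
Host: 192.0.2.10 (www.example.com)\tStatus: Up
Host: 192.0.2.10 (www.example.com)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.20 ()\tPorts: 25/open/tcp//smtp///, 8080/closed/tcp//http-proxy///
"""
CURRENT = """\
# Nmap scan (constructed sample, later run)
Host: 192.0.2.10 (www.example.com)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 192.0.2.20 ()\tPorts: 25/filtered/tcp//smtp///, 8080/open/tcp//http-proxy///
"""

HOST_PORTS = re.compile(r"Host: (\S+) .*?\tPorts: ([^\t]*)")


def parse_open_services(grepable):
    """Return {(ip, port, proto): service} for every port reported as open."""
    services = {}
    for line in grepable.splitlines():
        match = HOST_PORTS.match(line)
        if not match:  # comment lines and "Status:" lines carry no ports
            continue
        ip, ports = match.groups()
        for entry in ports.split(", "):
            # Field order: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                services[(ip, int(fields[0]), fields[2])] = fields[4] or "unknown"
    return services


def diff_snapshots(old, new):
    """Compare two scans; list newly exposed and no-longer-open services."""
    before, after = parse_open_services(old), parse_open_services(new)
    return {
        "new": sorted(key for key in after if key not in before),
        "gone": sorted(key for key in before if key not in after),
    }


if __name__ == "__main__":
    changes = diff_snapshots(BASELINE, CURRENT)
    for label in ("new", "gone"):
        for ip, port, proto in changes[label]:
            print(f"{label:4} {ip} {port}/{proto}")
```

A service that is only exposed between two runs still goes unseen, so the scan interval bounds what this comparison can catch.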


DNS isn’t a specific tool. But you should occasionally review which IP addresses your various hostnames point to. This will get you a list of IPs to scan with nmap to make sure you do not forget anything. But DNS is a classic first-stop for your attackers, so you should try it too.

Shodan / Onyphe

Now I am starting with various services that scan the internet for you. Shodan isn’t 100% free, in particular, if you search for IP addresses, but with occasional sales, it is close enough to free. Shodan essentially runs the nmap scan for you and even has some alerting and custom scan functions (again: if you pay). Onyphe is a service very similar to Shodan with some paid/free services.


Censys has a commercial “attack surface management” service. But its simple (free) search may be all you need for occasional checks.


RiskIQ does collect data from various databases like Whois, DNS, and others, and will inform you of any changes. They do have a limited free service as part of their PassiveTotal acquisition.

Internet Storm Center 🙂

Can’t hurt to search here for your IP address. While we do not track exposed services, you will see your footprint in our sensor network.