In this lab, you'll learn the difference between scalable External Attack Surface Management (EASM) reconnaissance and internal log analysis methodologies.
You have just joined "OmniCorp Global" as an L3 Security Analyst. OmniCorp has acquired 14 companies over the past year, leaving the IT infrastructure heavily fragmented across AWS, Azure, and legacy on-premise datacenters.
Your first task is to perform an external exposure assessment. You need to identify publicly exposed assets (subdomains, open ports, exposed S3 buckets) before threat actors find them. Because of the vastness of the infrastructure, you must rely on automated and highly scalable techniques.
You begin executing various tools to map out the infrastructure. Review the terminal output of the attempts below:
*Notice how the automated DNS and OSINT tools rapidly map the external perimeter, while an internal log-analysis technique (Stack Counting) fails when applied to unstructured external data that has no common field to count on.*
A newly hired SOC analyst has just joined a fast-growing multinational organization that manages a vast IT infrastructure across multiple regions. The analyst's first task is to quickly assess the company's external exposure and identify potential security risks before threat actors can exploit them. To begin the assessment, the analyst considers various techniques, including analyzing publicly available information, scanning for exposed services, reviewing DNS records, and gathering intelligence from external sources. However, given the sheer volume of data spanning multiple subsidiaries, cloud environments, and third-party integrations, the analyst quickly realizes that some methods may not scale well for large, complex infrastructures and may lead to delays or incomplete insights. Which technique is less practical for handling large or diverse data sets in this scenario?
What is happening?
The analyst is conducting an External Attack Surface Management (EASM) exercise. The goal is to act like an attacker and map the external perimeter of the organization. Because the organization is massive, the analyst must use highly scalable, automated tools that can discover assets globally.
Why Option A is Correct:
Stack Counting is impractical for unstructured external reconnaissance. Stack counting is a Threat Hunting technique used *internally* on structured log data (Windows Event Logs, Sysmon, proxy logs) to identify anomalies. It works by counting the occurrences of a specific field value (e.g., process names) and sorting the result to find the "long tail" (rare events). It depends on a consistent, pre-normalised field across a high volume of records; diverse external footprints (DNS records, port scan output, bucket listings from 14 acquired companies) have no such field until someone builds it, so the technique neither scales nor discovers anything in this phase.
Why the others are wrong: the remaining techniques named in the scenario (analysing publicly available information, scanning for exposed services, reviewing DNS records, and gathering intelligence from external sources) are all automatable and scale to a large perimeter. They are exactly the EASM methods the exercise calls for, and none of them needs pre-existing standardised logs.
Where Stack Counting does belong: while it is the wrong answer for external reconnaissance, Stack Counting is a highly valuable technique for internal SOC Threat Hunting inside a SIEM like Splunk.
How to do it: you group high-volume, structured data by one normalised field and sort by count, then read from the bottom up. Attackers try to blend in, but their tooling, lookalike file names, or unusual paths often produce a single unique entry.
If you see svchost.exe executed 450,000 times, that is normal. If you see svch0st.exe (digit zero) executed exactly 1 time, Stack Counting has just handed you a high-priority lead. Treat the tail as a triage list rather than a verdict: rare legitimate items (a one-off admin tool) land there too, so normalise case and path before counting and confirm each hit against its parent process, path, and host.
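The stack-counting hunt described above, written out as an added example (this is not code from the original lab). The process-creation records are constructed for illustration; their pipe-delimited layout `timestamp|host|user|image` is an assumption standing in for already-normalised Windows 4688 or Sysmon data. One record is deliberately truncated and one legitimate svchost.exe is logged in upper case, to show why the parser must skip malformed lines and normalise names before counting.

```python
"""Stack counting over structured process-creation logs (added example).

Assumed input format: one record per line, timestamp|host|user|image.
The sample below is constructed for illustration, not captured data.
"""
from collections import Counter, defaultdict

SAMPLE_LOGS = r"""
2024-05-01T08:00:01|WS-014|alice|C:\Windows\System32\svchost.exe
2024-05-01T08:00:02|WS-014|alice|C:\Windows\explorer.exe
2024-05-01T08:00:05|WS-014|alice|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
2024-05-01T08:01:10|WS-077|bob|C:\Windows\System32\SVCHOST.EXE
2024-05-01T08:01:11|WS-077|bob|C:\Windows\explorer.exe
2024-05-01T08:02:00|WS-102|carol|C:\Windows\System32\svchost.exe
2024-05-01T08:02:03|WS-102|carol|C:\Windows\explorer.exe
2024-05-01T08:02:20|WS-102|carol|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
2024-05-01T08:03:09|WS-221|svc_backup|C:\Users\Public\svch0st.exe
2024-05-01T08:03:15|WS-221|svc_backup|C:\Windows\System32\svchost.exe
2024-05-01T08:03:16|WS-221
"""


def parse_records(raw_logs):
    """Return (image_name, full_path, host) for every well-formed line.

    Normalisation is what makes stacking work: the image name is lower-cased
    and stripped of its directory so svchost.exe and SVCHOST.EXE fall into one
    stack. The full path and host are kept for triage of whatever lands in
    the tail.
    """
    records = []
    for line in raw_logs.splitlines():
        fields = line.split("|")
        if len(fields) != 4:
            continue  # truncated or malformed record: skip it, do not abort the hunt
        _ts, host, _user, image = fields
        name = image.rsplit("\\", 1)[-1].lower()
        records.append((name, image, host))
    return records


def stack_count(records):
    """The stack itself: occurrences per normalised image name, most common first."""
    return Counter(name for name, _path, _host in records).most_common()


def long_tail(records, max_count=1):
    """Rarest image names (count <= max_count), enriched with the distinct
    paths and hosts that produced them, rarest first."""
    counts = Counter(name for name, _path, _host in records)
    paths, hosts = defaultdict(set), defaultdict(set)
    for name, path, host in records:
        paths[name].add(path)
        hosts[name].add(host)
    tail = [
        {"image": name, "count": n,
         "paths": sorted(paths[name]), "hosts": sorted(hosts[name])}
        for name, n in counts.items() if n <= max_count
    ]
    return sorted(tail, key=lambda row: (row["count"], row["image"]))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOGS)
    print("stack (name, count):")
    for name, n in stack_count(recs):
        print(f"  {n:>6}  {name}")
    print("long tail to triage:")
    for row in long_tail(recs):
        print(f"  {row['image']} x{row['count']} on {row['hosts']} from {row['paths']}")
```

Run against the constructed sample, the stack reads svchost.exe 4, explorer.exe 3, outlook.exe 2, svch0st.exe 1, and the tail contains only svch0st.exe, launched once on WS-221 from C:\Users\Public. The path is what turns a rare count into a lead: a system-looking name executing from a user-writable directory is worth chasing, whereas a rare name under Program Files would more often be a legitimate one-off. In a SIEM the same operation is a single `stats count by image | sort count` style query; the point of doing it in code is to see that the normalisation step, not the counting, is where the technique succeeds or fails.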