Asset Fingerprinting and Contextualization

External Attack Surface Management (EASM)

Asset fingerprinting and contextualization are crucial cybersecurity processes that help organizations comprehensively understand their digital assets and associated risks.

Asset Fingerprinting: This involves creating a unique "fingerprint" of each asset within an organization's IT environment. This fingerprint is a collection of characteristics that uniquely identify the asset, such as:

  • Operating System: Windows, Linux, macOS

  • Software versions: Applications, services, libraries

  • Network protocols: HTTP, HTTPS, SSH

  • Open ports: 80, 443, 22

  • Hardware characteristics: CPU, memory, network interfaces  

Contextualization: This process involves enriching the asset fingerprint with additional information to understand its role, importance, and potential risks within the organization. This context can include:

  • Business criticality: How important is this asset to the organization's operations?

  • Data sensitivity: What type of data does this asset store or process?

  • Network location: Is this asset exposed to the internet or on an internal network?

  • Ownership: Who is responsible for managing and securing this asset?

  • Compliance requirements: Do any regulatory or compliance requirements apply to this asset?

How ThreatNG Helps with Asset Fingerprinting and Contextualization

ThreatNG's capabilities make it a valuable tool for asset fingerprinting and contextualization:  

  • Discovery: ThreatNG's superior discovery capabilities identify all external-facing assets, including subdomains, IP addresses, cloud services, and web applications.

  • Assessment: ThreatNG analyzes each asset to create a detailed fingerprint, including software versions, open ports, and known vulnerabilities.

  • Intelligence Repositories: ThreatNG leverages its intelligence repositories to enrich asset fingerprints with contextual information, such as dark web mentions, compromised credentials, and ransomware events.  

  • Investigation Modules: ThreatNG's investigation modules provide deeper insights into each asset, such as:

    • Domain Intelligence: Identify associated domains, subdomains, certificates, and DNS records.  

    • Social Media: Analyze social media mentions to understand the asset's public exposure and potential risks.  

    • Sensitive Code Exposure: Identify exposed code repositories that may reveal sensitive information about the asset.

    • Search Engine Exploitation: Uncover sensitive information exposed through search engines that could compromise the asset.  

    • Cloud and SaaS Exposure: Identify cloud services and SaaS applications associated with the asset and assess their security posture.

    • Online Sharing Exposure: Detect sensitive information shared online that could put the asset at risk.

    • Archived Web Pages: Analyze historical data to understand the asset's evolution and potential vulnerabilities.

    • Technology Stack: Identify the technologies the asset uses to assess its potential vulnerabilities and security posture.

Complementary Solutions/Services

ThreatNG can be further enhanced by integrating with complementary solutions and services:

  • Vulnerability Scanners: Integrate with vulnerability scanners to obtain detailed vulnerability information for each asset.

  • Configuration Management Databases (CMDBs): Integrate with CMDBs to enrich asset information with internal context, such as ownership and business criticality.

  • Security Information and Event Management (SIEM): Integrate with SIEMs to correlate asset information with security events and alerts.

Examples

  • Identifying Shadow IT: ThreatNG discovers an unknown web server hosting sensitive data. Further investigation reveals that this server is not documented in the CMDB and is not being managed by the security team.

  • Prioritizing Vulnerability Remediation: ThreatNG identifies a critical vulnerability in a web application that handles customer payment information. Due to the asset's high business criticality and data sensitivity, this vulnerability is prioritized for immediate remediation.

  • Detecting Compromised Assets: ThreatNG's Dark Web Presence module identifies a server's IP address mentioned in an underground forum discussing compromised credentials. This allows the security team to investigate and take action to secure the asset.
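As an added illustration (not ThreatNG's own code), the following Python shows how the fingerprint and context described above combine to flag shadow IT and rank remediation across the three example scenarios; the CMDB extract, hostnames, findings and scoring weights are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example: combine an asset fingerprint with business context to
# flag undocumented (shadow IT) hosts and rank vulnerability remediation.

@dataclass
class Fingerprint:
    host: str
    os: str
    services: Dict[int, str]                 # port -> "service/version"
    findings: List[Tuple[float, str]] = field(default_factory=list)  # (CVSS, text)

@dataclass
class Context:
    business_criticality: int   # 1 (low) .. 5 (mission critical)
    data_sensitivity: int       # 1 (public) .. 5 (payment / PII)
    internet_exposed: bool
    owner: Optional[str]        # None means nobody is responsible for it

# Hypothetical CMDB extract, constructed for this example.
CMDB: Dict[str, Context] = {
    "pay.example.com": Context(5, 5, True, "payments-team"),
    "intranet.example.com": Context(3, 3, False, "it-ops"),
}

def contextualize(fp: Fingerprint) -> Context:
    """Enrich a fingerprint with CMDB context; unknown hosts become shadow IT."""
    ctx = CMDB.get(fp.host)
    if ctx is None:
        # Discovered externally but not in the CMDB: assume exposed and unowned,
        # with medium criticality until the asset is claimed and reviewed.
        return Context(3, 3, True, None)
    return ctx

def is_shadow_it(fp: Fingerprint) -> bool:
    return contextualize(fp).owner is None

def remediation_priority(fp: Fingerprint) -> float:
    """Worst finding's CVSS weighted by criticality, sensitivity and exposure."""
    ctx = contextualize(fp)
    if not fp.findings:
        return 0.0
    worst = max(cvss for cvss, _ in fp.findings)
    exposure = 3 if ctx.internet_exposed else 2            # assumed weights
    return round(worst * (ctx.business_criticality + ctx.data_sensitivity) * exposure / 20, 2)

def triage(assets: List[Fingerprint]) -> List[Tuple[float, bool, str]]:
    """Assets ordered highest priority first, each tagged with its shadow-IT flag."""
    return sorted(((remediation_priority(a), is_shadow_it(a), a.host) for a in assets), reverse=True)
```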

By effectively using ThreatNG's asset fingerprinting and contextualization capabilities, organizations can comprehensively understand their attack surface, prioritize security efforts, and effectively mitigate risks to their digital assets.