Attack Surface Intelligence
In cybersecurity, attack surface intelligence is the process of continuously discovering, analyzing, and monitoring an organization's digital assets that are exposed to the Internet and, therefore, potentially vulnerable to cyberattacks.
Here's a breakdown of what that entails:
Discovery: This involves identifying an organization's assets that an attacker could target. This includes websites, web applications, APIs, cloud storage, email servers, DNS records, and any other systems accessible from the outside.
Analysis: Once the assets are discovered, they are analyzed to understand their security posture. This can include:
Vulnerability scanning to find weaknesses in software.
Configuration reviews to identify misconfigurations that could be exploited.
Assessment of security controls like firewalls and intrusion detection systems.
Evaluation of the asset's business criticality and the potential impact if it were compromised.
Monitoring: The attack surface constantly changes as organizations add new systems, update existing ones, and change their configurations. Continuous monitoring is crucial to staying on top of these changes and identifying new potential vulnerabilities.
Strong attack surface intelligence allows organizations to proactively identify and mitigate risks, reduce their exposure to cyberattacks, and improve their overall security posture.
Here's how ThreatNG addresses attack surface intelligence:
ThreatNG uses "purely external unauthenticated discovery" without needing connectors. This is fundamental to attack surface intelligence because it allows ThreatNG to identify all external-facing assets that an attacker could target. This comprehensive discovery is the first step in understanding the attack surface.
ThreatNG performs a variety of external assessments that directly contribute to attack surface intelligence:
Web Application Hijack Susceptibility: ThreatNG analyzes externally accessible parts of web applications to find potential entry points for attackers. This reveals vulnerabilities in web applications, a key component of the attack surface.
Subdomain Takeover Susceptibility: ThreatNG evaluates websites' susceptibility to subdomain takeovers by analyzing subdomains, DNS records, and SSL certificate statuses. This identifies a specific attack vector within the broader attack surface.
Cyber Risk Exposure: ThreatNG considers parameters from its Domain Intelligence module, including certificates, subdomain headers, vulnerabilities, and sensitive ports, to determine cyber risk exposure. It also factors in Code Secret Exposure and Cloud and SaaS Exposure, providing a broad view of the attack surface's risk profile.
Mobile App Exposure: ThreatNG evaluates an organization’s mobile app exposure by discovering them in marketplaces and analyzing their contents. Mobile apps are an increasingly important part of an organization's attack surface.
3. Reporting
ThreatNG provides various reports, including Technical and Security Ratings reports. These reports communicate findings about the attack surface, enabling security teams to understand and address identified risks.
ThreatNG provides continuous monitoring of the external attack surface. This is essential for attack surface intelligence, as the attack surface is dynamic. Continuous tracking helps organizations stay aware of changes and new potential vulnerabilities.
ThreatNG's investigation modules provide detailed information about the attack surface:
Domain Intelligence: This module includes extensive information about an organization's domain and related assets, including:
DNS Intelligence: Analyzes domain records.
Subdomain Intelligence: Analyzes subdomains, HTTP responses, headers, server headers, and more.
This module provides a deep understanding of a critical part of the attack surface.
IP Intelligence: This module provides information about IPs.
Certificate Intelligence: This module analyzes TLS certificates.
Sensitive Code Exposure: This module discovers public code repositories and uncovers exposed secrets. Code repositories can be a significant source of vulnerabilities in the attack surface.
Mobile Application Discovery: This module discovers and analyzes mobile apps.
Search Engine Exploitation: This module helps users investigate an organization’s susceptibility to exposing information via search engines.
Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services and SaaS implementations, which are an increasingly important part of the modern attack surface.
Technology Stack: This module identifies the technologies used by the organization. This information can be used to identify potential vulnerabilities associated with specific technologies.
ThreatNG's intelligence repositories provide data that is used to inform its attack surface analysis:
Known Vulnerabilities: ThreatNG includes information on known vulnerabilities, which helps assess the risk associated with discovered assets.
7. ThreatNG Working with Complementary Solutions
The document does not explicitly detail how ThreatNG works with complementary solutions. However, its attack surface intelligence data can be valuable for:
SIEM: Providing context for security events.
Vulnerability Management: Enriching vulnerability scans with external attack surface information.
8. Examples of ThreatNG Helping
Discovering Shadow IT: ThreatNG helps organizations gain visibility into a previously unknown part of their attack surface by identifying unsanctioned cloud services.
Identifying Exposed APIs: ThreatNG can discover exposed APIs, often a source of vulnerabilities.
ThreatNG empowers organizations to gain superior attack surface intelligence by providing comprehensive external visibility and detailed analysis.
