CTEM (Continuous Threat Exposure Management)
Continuous Threat Exposure Management (CTEM) is a proactive and iterative approach to cybersecurity that helps organizations continuously identify, assess, and mitigate their exposure to cyber threats. Here's a breakdown:
Core Idea:
CTEM moves beyond traditional, periodic vulnerability assessments to continuously evaluate an organization's security posture.
It emphasizes understanding and prioritizing risks based on their potential impact on the business.
Key Components:
Discovery: Continuously mapping and understanding all digital assets and potential attack surfaces.
Prioritization: Assessing and ranking vulnerabilities based on their severity and the potential impact of their exploitation.
Validation: Testing the effectiveness of security controls through attack simulations and penetration testing.
Remediation: Taking action to fix identified vulnerabilities and strengthen security defenses.
Monitoring: Continuously observing the environment for new threats and vulnerabilities.
Goals:
Reduce the likelihood and impact of cyberattacks.
Improve overall cyber resilience.
Enable organizations to make informed security decisions.
Help security teams focus on the most critical risks.
CTEM is about shifting from a reactive to a proactive security stance, enabling organizations to stay ahead of evolving cyber threats.
Here's how ThreatNG addresses the key aspects of Continuous Threat Exposure Management (CTEM):
1. External Discovery
ThreatNG excels in external discovery. It can perform purely external, unauthenticated discovery, meaning it needs no internal connectors to map an organization's attack surface.
2. External Assessment
ThreatNG provides various external assessment capabilities, offering detailed insights into an organization's risk posture. Here are some key examples:
Web Application Hijack Susceptibility: ThreatNG analyzes externally accessible parts of web applications to find potential entry points for attackers. It uses external attack surface and digital risk intelligence, including Domain Intelligence, to provide this rating.
Subdomain Takeover Susceptibility: ThreatNG evaluates a website's susceptibility to subdomain takeovers using external attack surface and digital risk intelligence, including Domain Intelligence. This involves comprehensively analyzing subdomains, DNS records, SSL certificate statuses, and other relevant factors.
BEC & Phishing Susceptibility: ThreatNG derives this rating from various intelligence sources, including Sentiment and Financials Findings, Domain Intelligence (DNS and Email Intelligence), and Dark Web Presence (Compromised Credentials).
Brand Damage Susceptibility: This assessment is derived from attack surface intelligence, digital risk intelligence, ESG Violations, Sentiment and Financials (Lawsuits, SEC filings, SEC Form 8-Ks, and Negative News), and Domain Intelligence.
Data Leak Susceptibility: ThreatNG derives this from external attack surface and digital risk intelligence based on Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), Domain Intelligence, and Sentiment and Financials (Lawsuits and SEC Form 8-Ks).
Cyber Risk Exposure: ThreatNG considers parameters from its Domain Intelligence module, such as certificates, subdomain headers, vulnerabilities, and sensitive ports, to determine cyber risk exposure. It also factors in Code Secret Exposure by discovering code repositories and their exposure level and investigating their contents for sensitive data. Cloud and SaaS Exposure is also evaluated. Additionally, compromised credentials on the dark web are considered.
ESG Exposure: ThreatNG evaluates an organization's vulnerability to environmental, social, and governance (ESG) risks using external attack surface and digital risk intelligence, including Sentiment and Financials findings. This involves examining factors like sentiment analysis of media coverage, financial analysis, and publicly available information, highlighting areas such as Competition, Consumer, Employment, Environment, Financial, Government Contracting, Healthcare, and Safety-related offenses.
Supply Chain & Third-Party Exposure: ThreatNG derives this from Domain Intelligence (Enumeration of Vendor Technologies from DNS and Subdomains), Technology Stack, and Cloud and SaaS Exposure.
Breach & Ransomware Susceptibility: This is calculated based on external attack surface and digital risk intelligence, including Domain Intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), Dark Web Presence (compromised credentials, ransomware events, and gang activity), and Sentiment and Financials (SEC Form 8-Ks).
Mobile App Exposure: ThreatNG evaluates an organization's mobile app exposure by discovering its apps in marketplaces and analyzing their contents for access credentials, security credentials, and platform-specific identifiers. Examples of access credentials it looks for include Amazon AWS Access Key ID, APIs, and Facebook Access Token. Security credentials include PGP private key blocks, RSA Private Keys, and SSH Private Keys. Platform-specific identifiers include Admin Directories, Amazon AWS S3 Bucket, and GitHub.
3. Reporting
ThreatNG provides various reporting options, including Executive, Technical, Prioritized, Security Ratings, Inventory, Ransomware Susceptibility, and U.S. SEC Filings reports.
4. Continuous Monitoring
ThreatNG continuously monitors the external attack surface, digital risk, and security ratings of all organizations.
5. Investigation Modules
ThreatNG includes investigation modules with detailed intelligence capabilities:
Domain Overview: Provides a Word Cloud of the organization's digital presence, Microsoft Entra Identification and Domain Enumeration, and Bug Bounty Programs.
DNS Intelligence: Includes Domain Record Analysis (IP and Vendor/Technology Identification), Domain Name Permutations (Taken and Available), and Web3 Domains (Taken and Available).
Email Intelligence: Provides Security Presence (DMARC, SPF, and DKIM records), Format Predictions, and Harvested Emails.
WHOIS Intelligence: Includes WHOIS Analysis and Other Domains Owned.
Subdomain Intelligence: Analyzes HTTP Responses, Header Analysis (Security and Deprecated Headers), Server Headers (Technologies), Cloud Hosting (AWS, Azure, GCP), Website Builders, E-commerce Platforms, Content Management Systems (CMS), CRM, Email Marketing, Communication and Marketing tools, Landing Page Builders, Sales Enablement tools, Online Course Platforms, Help Desk Software, Knowledge Base Software, Customer Feedback Platforms, Code Repositories (Bitbucket, GitHub), Cloud Hosting (Heroku, Pantheon, Vercel), API Management, Developer Tools, Documentation Platforms, Product Management tools, Video Hosting, Blogging Platforms, Podcast Hosting, Digital Publishing, Photo Sharing, Content Experience platforms, Translation Management tools, Brand Management platforms, Website Monitoring tools, Status Communication platforms, Survey Platforms, Project Management tools, and Shipment Tracking.
It also assesses Subdomain Takeover Susceptibility, Content Identification (Admin Pages, APIs, Development Environments, VPNs, Errors, Applications, Google Tag Managers, JavaScript, Emails, Phone Numbers), Ports (IoT/OT, Industrial Control Systems, Databases, Remote Access Services), Known Vulnerabilities, and Web Application Firewall Discovery and Vendor Types.
IP Intelligence: Provides IPs, Shared IPs, ASNs, Country Locations, and Private IPs.
Certificate Intelligence: Analyzes TLS Certificates (Status, Issuers, Active, Certs without Subdomains, Subdomains without Certificates) and Associated Organizations (Domains, Certificates, and Emails).
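The Email Intelligence security-presence check (SPF, DMARC, and DKIM records) is the kind of evaluation that feeds the BEC & Phishing Susceptibility rating. The following is an added illustration in Python, not ThreatNG code; the domain names, TXT records, and the selector1 DKIM selector are constructed assumptions, standing in for live DNS lookups.

```python
"""Rate a domain's email security presence (SPF, DMARC, DKIM) from DNS TXT data.
Added example, not ThreatNG code; the records below are constructed so it runs
offline, where a real check would fetch them with DNS TXT lookups."""
import re

# Constructed sample records keyed by the DNS name they would be published at.
SAMPLE_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "selector1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBg..."],
}

def parse_spf(txt):
    """Return the SPF 'all' qualifier ('-', '~', '?', '+'), or None if not SPF."""
    if not txt.strip().lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt, re.IGNORECASE)
    if not match:
        return "?"  # no 'all' term: SPF evaluates to neutral
    return match.group(1) or "+"  # bare 'all' means '+all'

def parse_dmarc(txt):
    """Return DMARC tags as a dict (e.g. {'v': 'DMARC1', 'p': 'none'}), or None."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_security(domain, records, dkim_selectors=("selector1",)):
    """Return findings that raise BEC/phishing exposure; an empty list means none."""
    findings = []
    spf = [q for q in map(parse_spf, records.get(domain, [])) if q is not None]
    if not spf:
        findings.append("SPF: no record, so spoofed mail from this domain passes SPF")
    elif spf[0] != "-":
        findings.append(f"SPF: '{spf[0]}all' is soft or neutral; only '-all' hard-fails")
    dmarc = [d for d in map(parse_dmarc, records.get(f"_dmarc.{domain}", [])) if d]
    if not dmarc:
        findings.append("DMARC: no record, so SPF/DKIM failures carry no policy")
    elif dmarc[0].get("p", "none").lower() == "none":
        findings.append("DMARC: p=none only monitors; quarantine or reject enforces")
    if not any(f"{s}._domainkey.{domain}" in records for s in dkim_selectors):
        findings.append("DKIM: no public key found for the checked selectors")
    return findings
```

Calling assess_email_security("example.test", SAMPLE_RECORDS) reports the soft SPF policy and the monitor-only DMARC policy, which is exactly the posture an attacker-sent lookalike message exploits and the one a domain owner should tighten.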
Social Media: Provides posts from the organization under investigation, including content copy, hashtags, links, and tags.
Code Repository Exposure: Discovers public code repositories, uncovering digital risks like Access Credentials (API Keys, Access Tokens, Generic Credentials, Cloud Credentials, Security Credentials, and Other Secrets), Configuration Files, System Configuration, and Network Configuration. Examples of API keys include Stripe API key, Google OAuth Key, and AWS API Key.
Database Exposures: Discovers Database Files (Microsoft SQL database file, SQLite database file, etc.) and Database Credentials (e.g., Potential Jenkins credentials file, PostgreSQL password file).
Application Data Exposures: Discovers Remote Access (e.g., Remote Desktop connection file), Encryption Keys (e.g., Microsoft BitLocker recovery key file), Encrypted Data, Java Keystores, and Code Repository Data (e.g., git-credential-store helper credentials file).
Activity Records: Discovers Command History (e.g., Shell command history file, MySQL client command history file), Logs (e.g., Log file), and Network Traffic (e.g., Network traffic capture file).
Communication Platform Configurations: Discovers Chat Clients (e.g., Pidgin chat client account configuration file) and Email Clients (e.g., Mutt e-mail client configuration file).
Development Environment Configurations: Discovers Configuration files (e.g., Chef Knife configuration file, RubyGems credentials file).
Security Testing Tools: Discovers Pentesting tools (e.g., Recon-ng web reconnaissance framework API key database).
Cloud Service Configurations: Discovers Cloud CLIs (e.g., S3cmd configuration file, AWS CLI credentials file).
Remote Access Credentials: Discovers remote access (e.g., SFTP connection configuration file and FileZilla FTP configuration file).
System Utilities: Discovers Authentication files (e.g., Apache htpasswd file) and Database Management files (e.g., DBeaver SQL database manager configuration file).
Personal Data: Discovers Journaling files (e.g., Day One journal file).
User Activity: Discovers Social Media files (e.g., T command-line Twitter client configuration file).
Mobile Apps: Discovers mobile apps related to the organization under investigation within marketplaces (e.g., Amazon Appstore, Google Play) and analyzes their contents, identifying Access Credentials (e.g., Amazon AWS Access Key ID, APIs), Security Credentials (e.g., PGP private key block, RSA Private Key), and Platform-Specific Identifiers (e.g., Admin Directories, Amazon AWS S3 Bucket).
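The Code Repository Exposure and mobile app content checks above both come down to matching known secret formats in file contents and reporting each hit without re-publishing the secret. Added example in Python, not ThreatNG code: the category names follow the page, the regular expressions are simplified public signatures, and the sample configuration file is constructed (its access key is the example value from AWS's own documentation).

```python
"""Flag exposed secrets in file contents, the check behind code and mobile app exposure.
Added example, not ThreatNG code. The signatures are simplified public patterns and
the sample file is constructed; the AWS key is AWS's documented example value."""
import re

# Category names follow the page's exposure categories; patterns are simplified.
SECRET_PATTERNS = {
    "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Stripe API key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"),
    "RSA Private Key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
    "PGP private key block": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "SSH Private Key": re.compile(r"-----BEGIN OPENSSH PRIVATE KEY-----"),
    "Amazon AWS S3 Bucket": re.compile(
        r"\b[a-z0-9.-]{3,63}\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b"),
}

# Constructed sample: a config file as it might sit in a public repo or an app bundle.
SAMPLE_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
stripe_key = sk_live_0123456789abcdefghijklmn
bucket_url = https://acme-backups.s3.amazonaws.com/dump.sql
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""

def redact(value):
    """Keep enough of a hit to identify it without re-publishing the secret."""
    if value.startswith("-----") or len(value) <= 8:
        return value  # key-block headers and short hits are not secrets themselves
    return value[:4] + "..." + value[-4:]

def scan_text(text, source="<memory>"):
    """Return one (source, line number, category, redacted value) tuple per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((source, lineno, category, redact(match.group(0))))
    return findings

if __name__ == "__main__":
    for source, lineno, category, value in scan_text(SAMPLE_FILE, "credentials.ini"):
        print(f"{source}:{lineno}: {category}: {value}")
```

A hit on a key-block header is a finding in itself: the key material that follows never needs to be extracted or stored to justify revoking it.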
Website Control Files: Discovers the presence of files like Robots.txt (to find secure directories, user directories, emails, admin directories, etc.) and Security.txt (to find emails, contact information, hiring information, etc.).
Search Engine Attack Surface: Helps users investigate an organization's susceptibility to exposing various data via search engines, including errors, sensitive information, public passwords, and user data.
Cloud and SaaS Exposure: Discovers Sanctioned and Unsanctioned Cloud Services, Cloud Service Impersonations, and Open Exposed Cloud Buckets (AWS, Azure, GCP).
It also discovers SaaS implementations associated with the organization, across various categories: Business Intelligence and Data Analytics (e.g., Looker), Collaboration and Productivity (e.g., Atlassian), Content Management and Collaboration (e.g., Box, SharePoint), CRM (e.g., Salesforce), Customer Service and Support (e.g., Kustomer), Communication and Collaboration (e.g., Slack), Data Analytics and Observability (e.g., Splunk), Endpoint Management (e.g., JAMF), ERP (e.g., Workday), Human Resources (e.g., BambooHR), Identity and Access Management (e.g., Azure AD, Okta), Incident Management (e.g., PagerDuty), IT Service Management (e.g., ServiceNow), Project Management (e.g., Asana), Video Conferencing (e.g., Zoom), and Work Operating System (e.g., Monday.com).
Discovers Organizational Entity Presence within online Code-Sharing Platforms like Pastebin, GitHub Gist, Scribd, Slideshare, Prezi, and GitHub Code.
Sentiment and Financials: Provides information on Organizational-Related Lawsuits, Layoff Chatter, SEC Filings of Publicly Traded US Companies (especially Risk and Oversight Disclosures), SEC Form 8-Ks, and ESG Violations.
Archived Web Pages: Discovers various archived web pages, including API, BAK, CSS, Demo Pages, Document Files, Emails, Excel Files, HTML Files, Image Files, JavaScript Files, JSON Files, JSP Files, Login Pages, PDF Files, PHP Files, Potential Redirects, Python Files, Txt Files, XML Files, Directories, Subdomains, User Names, and Admin Pages.
Dark Web Presence: Discovers organizational mentions of related people, places, or things, associated ransomware events, and associated compromised credentials.
Technology Stack: Identifies technologies used by the organization, such as Accounting Tools, Analytics, API Management, Blogging platforms, CDNs, CMS, CRM, Databases, Developer Platforms, E-commerce platforms, Email tools, Helpdesk Software, Incident Management tools, JavaScript libraries, Marketing Automation tools, Media tools, Operating Systems, POS systems, Security tools, and Web Servers.
6. Work with Complementary Solutions
The document does not provide explicit details on how ThreatNG "works with" complementary solutions in a deeply integrated way. However, its capabilities suggest strong potential for integration and complementarity:
Security Information and Event Management (SIEM) systems: ThreatNG's reporting and continuous monitoring data, especially around vulnerabilities, threats, and suspicious activity, could be fed into a SIEM for correlation, alerting, and incident management.
Vulnerability Management Tools: While ThreatNG performs vulnerability assessments, it could complement traditional vulnerability scanners by providing external attack surface context, helping prioritize vulnerabilities that are most exposed and exploitable from the outside.
Incident Response Platforms: ThreatNG's intelligence on dark web activity, compromised credentials, and potential attack vectors could enrich incident response workflows, providing valuable context for investigations and remediation.
Governance, Risk, and Compliance (GRC) tools: ThreatNG's assessments of ESG exposure, cyber risk exposure, and other risk factors can be valuable inputs for GRC platforms to track and manage organizational risk and compliance posture.
Examples of ThreatNG Helping
Proactive Risk Mitigation: By continuously discovering and assessing external attack surfaces, ThreatNG enables organizations to proactively identify and address vulnerabilities before attackers can exploit them. For example, the "Code Repository Exposure" feature can help an organization discover leaked credentials in public repositories, allowing it to remediate the issue before a breach occurs.
Prioritized Remediation: ThreatNG's assessment ratings and reporting capabilities help security teams prioritize remediation efforts based on the severity and potential impact of identified risks. For instance, the "Web Application Hijack Susceptibility" rating allows teams to focus on addressing the most critical web application vulnerabilities first.
Enhanced Visibility: ThreatNG provides comprehensive external visibility into an organization's digital footprint, including cloud assets, SaaS applications, and potential shadow IT. The "Cloud and SaaS Exposure" feature helps organizations gain control over their cloud and SaaS usage, reducing the risk of data leaks and security breaches.
Threat Intelligence Enrichment: ThreatNG's intelligence repositories, including dark web monitoring and ransomware tracking, provide valuable context for understanding the threat landscape and potential attacks targeting the organization. This information can be used to improve threat detection and response.
Examples of ThreatNG Working with Complementary Solutions
While the document doesn't detail specific integrations, here are some likely scenarios:
ThreatNG + SIEM: ThreatNG detects a potential phishing campaign targeting an organization (using "BEC & Phishing Susceptibility" assessment). It sends an alert with relevant details (e.g., malicious domains, suspicious email patterns) to the SIEM. The SIEM correlates this information with internal network logs to identify potentially affected users and trigger automated response actions.
ThreatNG + Vulnerability Scanner: A vulnerability scanner identifies a critical vulnerability in a web server. ThreatNG's "Cyber Risk Exposure" assessment reveals that this server is exposed to the Internet and has a high risk of exploitation. Based on ThreatNG's external exposure context, the vulnerability scanner prioritizes this vulnerability for immediate patching.
ThreatNG + Incident Response Platform: ThreatNG's "Dark Web Presence" monitoring detects compromised credentials for a company's employees being sold on a dark web forum. It sends an alert to the incident response platform, automatically initiating a password reset workflow for the affected accounts and investigating potential unauthorized access.
ThreatNG offers robust capabilities that align well with Continuous Threat Exposure Management principles. Its external discovery, assessment, reporting, continuous monitoring, and investigation modules provide valuable tools for organizations to proactively manage their external attack surface and reduce their exposure to cyber threats.