Custom Threat Intelligence

Custom Threat Intelligence is information that is highly tailored to an organization’s specific needs and risk profile. It is not a generic, one-size-fits-all data feed but a bespoke approach that focuses on the unique context of a particular business. This involves defining and tracking specific entities—including the organization itself, its third-party vendors, and even fourth or “nth” parties in its supply chain—to customize the intelligence gathering process.

This approach offers several key benefits:

  • Strategic Alignment: It ensures that threat reconnaissance is aligned with the organization's specific business priorities. By defining and tracking entities such as brand names and critical third-party vendors, the intelligence gathered is directly relevant to the organization's most important assets and relationships.

  • Actionable Insights: It transforms raw data into a clear, prioritized view of threats. This allows security teams to focus their efforts and allocate resources effectively toward the risks that are most relevant to them.

  • Comprehensive Visibility: It helps organizations close critical visibility gaps by expanding the scope of monitoring beyond their immediate perimeter. By including third, fourth, and nth parties, it provides a more complete view of the threat landscape, enabling a proactive rather than reactive security posture.

Custom Threat Intelligence, in the context of cybersecurity, is a tailored approach that caters to an organization's specific needs, risk profile, and digital footprint. ThreatNG achieves this not by integrating external feeds, but by giving users the ability to define what matters most to them—from the organization itself to its third and fourth parties—and then applying its powerful reconnaissance and intelligence capabilities to that specific context.

ThreatNG's Use of Custom Threat Intelligence

ThreatNG’s platform transforms a generic view of the threat landscape into a customized, actionable, and defensible security posture.

  • External Discovery: ThreatNG's external discovery is the foundational element of its custom threat intelligence. It performs purely external, unauthenticated reconnaissance to map an organization's entire digital footprint, including forgotten subdomains, APIs, exposed development environments, and cloud services. This discovery process, which users can customize, enables the identification of shadow IT and misconfigured public-facing systems that an attacker could leverage for initial access.

  • External Assessment: ThreatNG goes beyond simple discovery by providing granular assessments of an organization's attack surface. For example, the Breach & Ransomware Susceptibility score assesses an organization's likelihood of falling victim to a ransomware attack by analyzing both external factors, such as exposed sensitive ports and known vulnerabilities, and internal factors, including compromised credentials. The Data Leak Susceptibility score determines whether sensitive data, such as compromised credentials or confidential files, has been leaked into publicly accessible areas, including misconfigured cloud storage buckets, public code repositories, or mentions in legal documents. The External GRC Assessment provides a continuous, outside-in evaluation of a company's GRC posture, mapping external findings directly to compliance frameworks. This is crucial for organizations that need a real-time, objective view of their compliance standing.

  • Investigation Modules: These modules offer deep-dive capabilities for granular analysis of custom threat intelligence. For example, Domain Intelligence provides a comprehensive view of an organization's domain-related assets and security posture by analyzing DNS records, certificates, and IP addresses, as well as detecting domain name permutations. The Sensitive Code Exposure module scans public code repositories to identify exposed information, including API keys, cloud credentials, and database passwords. A user can define their brand name as an entity to identify look-alike domains and unsanctioned repositories, providing custom intelligence tailored to their brand protection needs.

  • Continuous Monitoring: ThreatNG provides constant monitoring of an organization's external attack surface and digital risk. This ensures that custom threat intelligence is always up-to-date with emerging threats and changes in the attack surface. The platform's customizable risk scoring and policy management features help prioritize the most critical findings, ensuring that security teams can focus on the areas with the most significant risk.

  • Intelligence Repositories: ThreatNG’s continuously updated intelligence repositories (DarCache) are invaluable for enriching custom threat intelligence efforts. They collect and vet data from numerous sources to deliver a holistic view of the digital risk landscape. This includes intelligence on ransomware groups, vulnerabilities (KEV, EPSS, PoC Exploits), compromised credentials, and ESG violations.

Working with Complementary Solutions

ThreatNG’s custom threat intelligence can work in conjunction with complementary solutions to create an even more robust defense.

  • SIEM/SOAR Solutions: ThreatNG can identify a "toxic combination" of external risks, such as an exposed SSH port, a related compromised credential on the dark web, and a high vulnerability score. This external intelligence can then be fed into a SIEM, which correlates the data with internal log data from firewalls and other tools. A SOAR platform could then automate the response by blocking the attacker's IP and creating a high-priority ticket for the security team to patch the vulnerability and reset the compromised credentials. This synergy allows an organization to correlate external risks with internal activity and automate a rapid response.

  • Extended Detection and Response (XDR) Solutions: ThreatNG's custom threat intelligence can enhance XDR platforms by providing crucial external context. For example, ThreatNG can flag a new, unsanctioned SaaS application that a company is using. This intelligence can be fed into an XDR platform, which can then use behavioral analytics to identify suspicious activity related to that application, such as credential abuse or large data uploads. This allows an organization to detect and respond to threats that are often invisible to traditional security tools.
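The SIEM/SOAR workflow described above (a "toxic combination" of an exposed SSH port, a compromised credential and a high vulnerability score, correlated against internal authentication logs) can be illustrated with a small correlation routine. The following is an added example and is not ThreatNG's code or output format: the finding schema, the external-IP-to-hostname mapping, and the sshd log lines are all constructed for the example.

```python
"""Correlate constructed external attack-surface findings with internal sshd logs.

Added example (not ThreatNG code). The finding dictionaries, the asset-to-host
mapping and the log lines are constructed inputs; the schema is an assumption.
"""
import re
from collections import defaultdict

# Constructed external findings, grouped by the externally visible asset (IP).
EXTERNAL_FINDINGS = [
    {"type": "exposed_port", "asset": "203.0.113.10", "port": 22, "service": "ssh"},
    {"type": "compromised_credential", "asset": "203.0.113.10", "username": "deploy"},
    {"type": "vulnerability", "asset": "203.0.113.10", "score": 9.8},
    {"type": "exposed_port", "asset": "203.0.113.20", "port": 443, "service": "https"},
]

# Constructed mapping from external IP to the hostname that appears in internal logs.
ASSET_HOSTS = {"203.0.113.10": "bastion", "203.0.113.20": "web01"}

# Constructed sshd-style log lines as a SIEM might hold them.
INTERNAL_LOGS = [
    "Mar 10 02:14:07 bastion sshd[1021]: Failed password for deploy from 198.51.100.7 port 51022 ssh2",
    "Mar 10 02:14:09 bastion sshd[1021]: Failed password for deploy from 198.51.100.7 port 51024 ssh2",
    "Mar 10 02:14:12 bastion sshd[1021]: Accepted password for deploy from 198.51.100.7 port 51030 ssh2",
    "Mar 10 02:20:00 bastion sshd[1044]: Accepted publickey for alice from 10.0.0.5 port 40010 ssh2",
]

SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_sshd(line):
    """Return the fields of one sshd auth line, or None if the line is not one."""
    match = SSHD_RE.search(line)
    return match.groupdict() if match else None


def toxic_combinations(findings, min_cvss=7.0):
    """Assets where exposed SSH, a leaked credential and a high CVSS score coincide."""
    by_asset = defaultdict(list)
    for finding in findings:
        by_asset[finding["asset"]].append(finding)
    toxic = {}
    for asset, items in by_asset.items():
        ssh_exposed = any(f["type"] == "exposed_port" and f.get("service") == "ssh" for f in items)
        users = {f["username"] for f in items if f["type"] == "compromised_credential"}
        max_cvss = max((f["score"] for f in items if f["type"] == "vulnerability"), default=0.0)
        if ssh_exposed and users and max_cvss >= min_cvss:
            toxic[asset] = {"users": users, "max_cvss": max_cvss}
    return toxic


def correlate(findings, log_lines, asset_hosts):
    """Match internal auth events against toxic assets; one alert per (asset, user, source)."""
    toxic = toxic_combinations(findings)
    host_to_asset = {host: asset for asset, host in asset_hosts.items()}
    buckets = defaultdict(lambda: {"attempts": 0, "accepted": 0})
    for line in log_lines:
        event = parse_sshd(line)
        if event is None:
            continue
        asset = host_to_asset.get(event["host"])
        if asset not in toxic or event["user"] not in toxic[asset]["users"]:
            continue
        bucket = buckets[(asset, event["user"], event["src"])]
        bucket["attempts"] += 1
        bucket["accepted"] += event["result"] == "Accepted"
    alerts = []
    for (asset, user, src), counts in buckets.items():
        # A successful login with a leaked credential is critical; repeated failures are high.
        severity = "critical" if counts["accepted"] else "high"
        alerts.append({
            "severity": severity,
            "asset": asset,
            "user": user,
            "source_ip": src,
            "attempts": counts["attempts"],
            "max_cvss": toxic[asset]["max_cvss"],
            # Playbook steps a SOAR runbook could take; names are illustrative.
            "actions": [f"block {src}", f"reset credential {user}", f"patch {asset}"],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EXTERNAL_FINDINGS, INTERNAL_LOGS, ASSET_HOSTS):
        print(alert)
```

The correlation key (asset, user, source IP) keeps the two failed attempts and the later successful login in a single alert, so the analyst sees one critical finding with three attempts rather than three separate events; the https-only host never reaches the log stage because it lacks the full combination.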
