Evidence-Based Risk Prioritization


Evidence-based risk prioritization in cybersecurity is a systematic approach to managing cyber risks by ranking them based on concrete data and analysis rather than relying solely on intuition or subjective judgment. It involves several key components:

  • Data Collection: Gathering comprehensive data about potential threats, vulnerabilities, and the assets they could impact. This data can include vulnerability scan results, threat intelligence feeds, security audit findings, and logs from security devices.

  • Analysis: Examining the collected data to determine the likelihood and potential impact of each threat. This analysis may involve statistical modeling, trend analysis, and correlation of different data points.

  • Contextualization: This step considers the organization's specific context, including its industry, size, regulatory requirements, and business objectives. It ensures that risk prioritization aligns with the organization's unique risk tolerance and priorities.

  • Prioritization: Ranking risks based on their assessed likelihood and impact. This ranking helps security teams focus on addressing the most critical risks first.

  • Communication: Communicating the prioritized risks to stakeholders, including management, IT staff, and business units. This communication ensures that everyone understands the organization's risk posture and the rationale behind security decisions.

Using evidence-based risk prioritization, organizations can make more informed decisions about their cybersecurity investments, improve their security posture, and reduce the likelihood and impact of cyberattacks.
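The steps above, carried through on constructed data as an added example (this is not ThreatNG's code): each finding carries the observations that support it, likelihood and impact are weighted by evidence strength and by the organization's context, and the result is ranked into the High, Medium, Low and Informational tiers. Asset names, criticality weights, thresholds and findings are all assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    category: str        # kind of observation, e.g. "compromised_credentials"
    evidence: list       # concrete observations backing the finding
    likelihood: float    # 0..1, estimated from the evidence
    impact: float        # 0..1, technical impact before business context

# Constructed organisational context: asset criticality weights and the assets
# that handle regulated data. Unlisted assets get a mid weight (0.6).
CONTEXT = {
    "criticality": {"portal.example.com": 1.0, "dev.example.com": 0.4},
    "regulated": {"portal.example.com"},
}

def score(f, ctx=CONTEXT):
    """Likelihood x impact, weighted by evidence strength and asset context."""
    crit = ctx["criticality"].get(f.asset, 0.6)
    impact = min(1.0, f.impact * (1.2 if f.asset in ctx["regulated"] else 1.0))
    # Each independent observation raises confidence in the likelihood estimate,
    # so a finding backed by a single data point is discounted in the ranking.
    confidence = min(1.0, 0.5 + 0.25 * len(f.evidence))
    return round(f.likelihood * confidence * impact * crit * 100, 1)

def band(s):
    # Map a score to the High/Medium/Low/Informational tiers used in reporting.
    if s >= 60:
        return "High"
    if s >= 20:
        return "Medium"
    return "Low" if s >= 10 else "Informational"

def prioritize(findings, ctx=CONTEXT):
    # Highest score first; evidence travels with each row so the rationale can be communicated.
    ranked = sorted(findings, key=lambda f: score(f, ctx), reverse=True)
    return [(f.asset, f.category, score(f, ctx), band(score(f, ctx)), f.evidence)
            for f in ranked]

# Constructed sample findings of the kind an external assessment produces.
SAMPLE_FINDINGS = [
    Finding("portal.example.com", "compromised_credentials",
            ["credentials in dark web dump", "no MFA observed on login"], 0.8, 0.9),
    Finding("dev.example.com", "exposed_sensitive_port", ["tcp/3389 reachable"], 0.6, 0.7),
    Finding("legacy.example.com", "subdomain_takeover",
            ["CNAME to unclaimed service", "NXDOMAIN on CNAME target"], 0.7, 0.5),
    Finding("portal.example.com", "missing_security_header",
            ["X-Content-Type-Options absent"], 0.2, 0.2),
]
```

Calling `prioritize(SAMPLE_FINDINGS)` ranks the credential exposure on the regulated portal first and the lone missing header last, even though both sit on the same asset, because the ranking is driven by the evidence behind each finding rather than by the asset alone.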

Here's how ThreatNG facilitates evidence-based risk prioritization in cybersecurity:

1. External Discovery

ThreatNG excels in external discovery by performing "purely external unauthenticated discovery" without needing connectors. This is crucial for evidence-based risk prioritization because it provides a comprehensive view of an organization's attack surface from an attacker's perspective. By discovering all external-facing assets, including those that might be unknown or forgotten, ThreatNG ensures that risk assessments are based on a complete picture of potential threat entry points.

2. External Assessment

ThreatNG's external assessment capabilities are fundamental to evidence-based risk prioritization. It delivers various assessment ratings:

  • Web Application Hijack Susceptibility: ThreatNG analyzes web applications accessible from the outside world to pinpoint potential entry points for attackers. This assessment uses external attack surface, digital risk intelligence, and Domain Intelligence to provide evidence-backed insights into the likelihood of web application hijack attacks.

  • Subdomain Takeover Susceptibility: ThreatNG evaluates a website's susceptibility to subdomain takeovers by analyzing subdomains, DNS records, SSL certificate statuses, and other relevant factors. This detailed external attack surface and digital risk intelligence, incorporating Domain Intelligence, offers concrete evidence for prioritizing risks associated with subdomain takeovers.

  • BEC & Phishing Susceptibility: This assessment is derived from Sentiment and Financial Findings, Domain Intelligence (including Domain Name Permutations, Web3 Domains, and Email Intelligence), and Dark Web Presence (Compromised Credentials). By combining these diverse external data points, ThreatNG provides a strong evidentiary basis for prioritizing risks related to business email compromise (BEC) and phishing attacks.

  • Brand Damage Susceptibility: This is derived from attack surface intelligence, digital risk intelligence, ESG Violations, Sentiment and Financials (Lawsuits, SEC filings, SEC Form 8-Ks, and Negative News), and Domain Intelligence (Domain Name Permutations and Web3 Domains). ThreatNG's analysis uses concrete external data to assess and prioritize risks to an organization's brand reputation.

  • Data Leak Susceptibility: This assessment is derived from external attack surface and digital risk intelligence based on Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), Domain Intelligence, and Sentiment and Financials (Lawsuits and SEC Form 8-Ks). ThreatNG's approach provides evidence for prioritizing risks related to data leaks.

  • Cyber Risk Exposure: This considers parameters from the Domain Intelligence module, including certificates, subdomain headers, vulnerabilities, and sensitive ports, to determine cyber risk exposure. Code Secret Exposure, Cloud and SaaS Exposure, and compromised credentials on the dark web are also factored into the score. This multi-faceted assessment provides a data-driven foundation for prioritizing cyber risks.

  • ESG Exposure: This rates an organization based on discovered environmental, social, and governance (ESG) violations through external attack surface and digital risk intelligence findings. It analyzes Competition, Consumer, Employment, Environment, Financial, Government Contracting, Healthcare, and Safety-related offenses. ThreatNG uses external evidence to prioritize risks related to ESG compliance and reputation.

  • Supply Chain & Third-Party Exposure: This is derived from Domain Intelligence (Enumeration of Vendor Technologies from DNS and Subdomains), Technology Stack, and Cloud and SaaS Exposure. ThreatNG's assessment provides evidence for prioritizing risks associated with an organization's supply chain and third parties.

  • Breach & Ransomware Susceptibility: This is derived from external attack surface and digital risk intelligence, including domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events and gang activity), and sentiment and financials (SEC Form 8-Ks). ThreatNG's analysis delivers evidence-based insights for prioritizing risks related to breaches and ransomware attacks.

  • Mobile App Exposure: This evaluates an organization’s mobile app exposure by discovering its apps in marketplaces and analyzing their contents for access credentials, security credentials, and platform-specific identifiers. ThreatNG provides evidence for prioritizing risks related to mobile app security.

  • Positive Security Indicators: ThreatNG identifies and highlights an organization's security strengths, detecting beneficial security controls and configurations, such as Web Application Firewalls or multi-factor authentication. It validates these measures from an external attacker's perspective, providing objective evidence of their effectiveness. This capability offers a balanced view of an organization's security posture.

3. Reporting

ThreatNG offers various reporting options, including Executive, Technical, Prioritized (High, Medium, Low, and Informational), Security Ratings, Inventory, Ransomware Susceptibility, and U.S. SEC Filings reports. These reports present the findings of ThreatNG's assessments in a clear and actionable format, enabling stakeholders to understand and prioritize risks based on evidence.

4. Continuous Monitoring

ThreatNG continuously monitors the external attack surface, digital risk, and security ratings. This ongoing monitoring ensures that risk assessments are always up to date and that organizations can react quickly to new and emerging threats. Continuous monitoring provides the ongoing evidence needed to maintain accurate risk prioritization.

5. Investigation Modules

ThreatNG includes several investigation modules that provide in-depth information for risk assessment and prioritization:

  • Domain Intelligence: This module offers a comprehensive view of an organization's digital presence, including:

    • Domain Overview: Digital Presence Word Cloud, Microsoft Entra Identification and Domain Enumeration, and Bug Bounty Programs.

    • DNS Intelligence: Domain Record Analysis (IP Identification, Vendors and Technology Identification), Domain Name Permutations (Taken and Available), and Web3 Domains (Taken and Available).

    • Email Intelligence: Security Presence (DMARC, SPF, and DKIM records), Format Predictions, and Harvested Emails.

    • WHOIS Intelligence: WHOIS Analysis and Other Domains Owned.

    • Subdomain Intelligence: HTTP Responses, Header Analysis (Security Headers and Deprecated Headers), Server Headers (Technologies), Cloud Hosting, E-commerce Platforms, Content Management Systems, and more. It also assesses Subdomain Takeover Susceptibility, Content Identification, Ports, Known Vulnerabilities, Web Application Firewall Discovery, and Vendor Types.

  • IP Intelligence: This module provides information on IPs, Shared IPs, ASNs, Country Locations, and Private IPs.

  • Certificate Intelligence: This module analyzes TLS Certificates (Status, Issuers, Active, Certs without Subdomains, Subdomains without Certificates) and Associated Organizations.

  • Social Media: This module analyzes organization-wide posts, including content, hashtags, links, and tags.

  • Sensitive Code Exposure: This module discovers public code repositories and uncovers digital risks, including Access Credentials, Access Tokens, Cloud Credentials, Security Credentials, and other secrets. It also identifies Database Exposures, Application Data Exposures, Activity Records, Communication Platform Configurations, Development Environment Configurations, Security Testing Tools, Cloud Service Configurations, Remote Access Credentials, System Utilities, Personal Data, and User Activity.

  • Mobile Application Discovery: This module discovers mobile apps in marketplaces and analyzes their contents for Access Credentials, Security Credentials, and platform-specific identifiers.

  • Search Engine Exploitation: This module discovers Website Control Files like Robots.txt and Security.txt and assesses the Search Engine Attack Surface, helping users investigate an organization’s susceptibility to exposing information via search engines.

  • Cloud and SaaS Exposure: This module identifies Sanctioned and Unsanctioned Cloud Services, Cloud Service Impersonations, and Open Exposed Cloud Buckets. It also identifies SaaS implementations.

  • Online Sharing Exposure: This module identifies organizational presence within online Code-Sharing Platforms.

  • Sentiment and Financials: This module provides information on Organizational Related Lawsuits, Layoff Chatter, SEC Filings, SEC Form 8-Ks, and ESG Violations.

  • Archived Web Pages: This module identifies various archived files and data from the organization’s online presence.

  • Dark Web Presence: This module identifies organizational mentions, Associated Ransomware Events, and Associated Compromised Credentials.

  • Technology Stack: This module identifies the technologies used by the organization.

These modules provide detailed evidence for understanding and prioritizing different types of cyber risks.

6. ThreatNG Working with Complementary Solutions

The document does not explicitly detail how ThreatNG works with complementary solutions. However, its comprehensive external view and detailed findings would make it a valuable source of information for integration with other security tools:

  • SIEM (Security Information and Event Management): ThreatNG's findings on external threats and vulnerabilities can enrich SIEM data, providing context for security events and improving threat detection and response.

  • Vulnerability Management: ThreatNG's external vulnerability assessments can complement internal vulnerability scans, providing a more complete picture of an organization's vulnerability posture.

  • SOAR (Security Orchestration, Automation and Response): ThreatNG's intelligence can be used to automate security workflows and response actions in SOAR platforms.

  • GRC (Governance, Risk, and Compliance): ThreatNG's risk assessments and reporting capabilities can support GRC programs by providing evidence for risk management and compliance activities.

Examples of ThreatNG Helping

  • Identifying Shadow IT: ThreatNG's discovery of unsanctioned cloud services can help organizations identify and address shadow IT risks.

  • Preventing Brand Impersonation: ThreatNG's monitoring for brand impersonation and phishing susceptibility can help organizations avoid brand damage and protect customers.

  • Prioritizing Vulnerability Remediation: ThreatNG's risk-based vulnerability assessments enable security teams to prioritize remediation efforts based on the likelihood and potential impact of vulnerabilities.

  • Improving Third-Party Risk Management: ThreatNG's supply chain and third-party exposure assessments help organizations identify and mitigate risks associated with their vendors and partners.

ThreatNG empowers organizations to make informed decisions and prioritize their cybersecurity efforts by providing comprehensive external visibility and evidence-based risk assessments.
