External Discovery
In cybersecurity, external discovery refers to the process of identifying and mapping an organization's digital assets accessible from the Internet. This process is conducted from an outsider's perspective, meaning the discovery is performed without any inside access or credentials to the target systems.
Here's a breakdown of what that entails:
Identifying Assets: This involves finding all internet-facing assets such as websites, web applications, servers, domains, subdomains, cloud storage, and any other systems an organization exposes to the public network.
Gathering Information: Once assets are identified, external discovery involves gathering information about them. This might include details about the technologies used, open ports, server configurations, SSL certificates, DNS records, and more.
Unauthenticated Approach: A key characteristic of external discovery is that it's typically unauthenticated. This means the discovery process does not involve logging into systems or using credentials. It simulates the perspective of a potential attacker probing the organization's defenses from the outside.
Purpose: External discovery's purpose is to understand the organization's "external attack surface," which is the set of all points where an unauthorized user could try to enter information into or extract information from an environment. By understanding what assets are exposed and how they might be vulnerable, organizations can better manage and secure their systems.
ThreatNG's Approach to External Security
ThreatNG is designed as an all-in-one platform for external attack surface management, digital risk protection, and security ratings. A core strength of ThreatNG lies in its ability to conduct purely external, unauthenticated discovery. This means it can identify and assess an organization's security posture from the same perspective as an external attacker without needing any internal access or credentials.
ThreatNG excels at external discovery by identifying an organization's internet-facing assets. This process involves finding assets like:
Websites and web applications
Domains and subdomains
Servers and network infrastructure
Cloud services and SaaS solutions
Mobile applications
This comprehensive discovery provides the foundation for ThreatNG's subsequent assessment and risk analysis.
ThreatNG performs various external assessments to evaluate an organization's security risks. These assessments provide detailed insights into multiple attack vectors and vulnerabilities:
Web Application Hijack Susceptibility: ThreatNG analyzes web applications to identify potential entry points for attackers, using external attack surface and digital risk intelligence, including domain intelligence. For example, it assesses input fields, authentication mechanisms, and application logic to determine how easily an attacker could compromise the application.
Subdomain Takeover Susceptibility: ThreatNG evaluates the risk of subdomain takeovers by analyzing subdomains, DNS records, and SSL certificate statuses. For instance, it checks for orphaned DNS records pointing to inactive services that attackers could claim and exploit.
BEC & Phishing Susceptibility: ThreatNG assesses the organization's susceptibility to business email compromise (BEC) and phishing attacks by analyzing domain intelligence (like email security presence) and dark web presence (compromised credentials). An example would be ThreatNG's ability to detect weak email security configurations (e.g., lack of SPF, DMARC records) that make the organization's domain easier to spoof.
Brand Damage Susceptibility: This assessment uses attack surface intelligence, digital risk intelligence, ESG violations, sentiment, financials, and domain intelligence to determine the potential for brand damage. For example, ThreatNG monitors negative news, social media sentiment, and the registration of lookalike domains that could be used for phishing.
Data Leak Susceptibility: ThreatNG identifies potential data leaks by analyzing cloud and SaaS exposure, dark web presence (compromised credentials), and domain intelligence. ThreatNG's detection of exposed cloud storage buckets containing sensitive information is an example.
Cyber Risk Exposure: This assessment considers factors like certificates, subdomain headers, vulnerabilities, and sensitive ports to determine cyber risk. For instance, ThreatNG identifies outdated software versions or exposed databases that increase the risk of a cyberattack.
Code Secret Exposure: ThreatNG discovers code repositories and checks for exposed secrets like API keys and credentials. For example, it can find a public GitHub repository containing an exposed AWS secret access key.
Cloud and SaaS Exposure: ThreatNG evaluates the security of the organization's cloud services and SaaS solutions. For example, it can identify misconfigured cloud storage or SaaS applications with weak access controls.
ESG Exposure: ThreatNG rates the organization based on discovered environmental, social, and governance (ESG) violations. For instance, it analyzes information related to competition, consumer, employment, and environmental offenses.
Supply Chain & Third-Party Exposure: ThreatNG assesses risks associated with the organization's supply chain and third parties by analyzing vendor technologies and cloud and SaaS exposure. An example is identifying third-party vendors with known security vulnerabilities.
Breach & Ransomware Susceptibility: This assessment uses external attack surface and digital risk intelligence, including domain intelligence and dark web presence, to determine the likelihood of breaches and ransomware attacks. For example, ThreatNG can detect compromised credentials on the dark web, which increase the risk of a breach.
Mobile App Exposure: ThreatNG evaluates an organization's mobile app exposure by discovering its apps in marketplaces and analyzing their contents for sensitive information, such as access and security credentials. ThreatNG's detection of hard-coded API keys within a mobile app is an example.
Positive Security Indicators: ThreatNG also identifies and highlights an organization's security strengths, such as Web Application Firewalls and multi-factor authentication.
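The email security and subdomain takeover assessments above both reduce to checks over public DNS records. The following is an added illustration (not ThreatNG's code) of those two checks run over constructed sample records; the domain names, record values and the set of "still answering" CNAME targets are all invented for the example, standing in for what a resolver and a liveness probe would return.

```python
"""Two defensive checks over constructed DNS data, modelled on the email
security and subdomain takeover assessments described above (not ThreatNG code)."""
import re

# Constructed sample TXT records, keyed by the name an external resolver would query.
TXT_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net ~all", "site-verification=abc123"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
# Constructed sample CNAME records, and the set of targets a liveness probe still found answering.
CNAME_RECORDS = {
    "shop.example.com": "shop-prod.example-saas.net",
    "old-blog.example.com": "retired-blog.example-hosting.net",
}
LIVE_TARGETS = {"shop-prod.example-saas.net"}


def assess_email_security(domain, txt_records):
    """Report whether SPF and DMARC exist and whether they are configured to enforce."""
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", [])
             if r.upper().startswith("V=DMARC1")]
    findings = {"spf_present": bool(spf), "dmarc_present": bool(dmarc),
                "spf_all": None, "dmarc_policy": None, "issues": []}
    if spf:
        # The qualifier on 'all' decides what happens to unlisted senders: -/~ restrict, +/? do not.
        m = re.search(r"([-~+?])all\b", spf[0])
        findings["spf_all"] = m.group(1) if m else None
        if findings["spf_all"] not in ("-", "~"):
            findings["issues"].append("SPF has no restrictive all mechanism")
    else:
        findings["issues"].append("no SPF record")
    if dmarc:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        findings["dmarc_policy"] = tags.get("p")
        if tags.get("p") not in ("quarantine", "reject"):
            findings["issues"].append("DMARC policy is not enforcing (p=none or missing)")
    else:
        findings["issues"].append("no DMARC record")
    return findings


def find_dangling_cnames(cname_records, live_targets):
    """Subdomains whose CNAME target no longer answers: orphaned records to remove or reclaim."""
    return sorted(name for name, target in cname_records.items() if target not in live_targets)
```

On the sample data the email check flags only the non-enforcing DMARC policy, and the CNAME check returns the retired blog hostname as the orphaned record to clean up.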
Reporting
ThreatNG provides various reporting options to communicate its findings effectively. These reports can be tailored for different audiences, including:
Executive summaries for high-level decision-makers
Technical reports for security teams
Prioritized reports based on risk level (high, medium, low)
Security ratings reports
Inventory reports of discovered assets
Ransomware susceptibility reports
U.S. SEC Filings
ThreatNG monitors organizations' external attack surfaces, digital risks, and security ratings. This ongoing monitoring helps organizations stay informed about their evolving risk posture and promptly detect new threats and vulnerabilities.
ThreatNG includes investigation modules that provide in-depth information and tools for analyzing specific security areas. These modules offer valuable insights for security professionals:
Domain Intelligence: This module provides a comprehensive analysis of domains, including:
Domain Overview (Digital Presence Word Cloud, Microsoft Entra Identification and Domain Enumeration, Bug Bounty Programs)
DNS Intelligence (Domain Record Analysis, Domain Name Permutations, and Web3 Domains)
Email Intelligence (Security Presence, Format Predictions, and Harvested Emails)
WHOIS Intelligence (WHOIS Analysis and Other Domains Owned)
Subdomain Intelligence (HTTP Responses, Header Analysis, Server Headers, Cloud Hosting, E-commerce Platforms)
IP Intelligence (IPs, Shared IPs, ASNs, Country Locations, Private IPs)
Certificate Intelligence (TLS Certificates, Associated Organizations)
Social Media: This module monitors social media posts for mentions of the organization.
Sensitive Code Exposure: This module discovers public code repositories and uncovers digital risks, such as exposed credentials and API keys.
Mobile Application Discovery: This module discovers mobile apps in marketplaces and analyzes them for sensitive information.
Search Engine Exploitation: This module helps users investigate an organization’s susceptibility to exposing information via search engines.
Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services and SaaS implementations.
Online Sharing Exposure: This module identifies the organizational entity's presence within online Code-Sharing Platforms like Pastebin, GitHub Gist, Scribd, Slideshare, Prezi, and GitHub Code.
Sentiment and Financials: This module gathers information on organizational lawsuits, layoff chatter, SEC filings, and ESG violations.
Archived Web Pages: This module identifies information that has been archived on the organization’s online presence.
Dark Web Presence: This module monitors the dark web for mentions of the organization, ransomware events, and compromised credentials.
Technology Stack: This module identifies the technologies used by the organization.
ThreatNG gathers and maintains a wealth of intelligence data to enhance its analysis. These repositories include:
How ThreatNG Works with Complementary Solutions
While ThreatNG is a comprehensive platform, it can also complement and enhance the effectiveness of other security solutions. Here are some examples:
SIEM (Security Information and Event Management): ThreatNG's external attack surface data can be fed into a SIEM to provide a broader context for security events. For instance, if a SIEM detects an intrusion attempt, ThreatNG data can reveal the attacker's potential entry points and the organization's external vulnerabilities.
Vulnerability Management Tools: ThreatNG's external vulnerability assessments can complement internal vulnerability scans. While internal scans provide detailed information about vulnerabilities within the network, ThreatNG focuses on externally exposed vulnerabilities that are visible to attackers.
SOAR (Security Orchestration, Automation and Response): ThreatNG can trigger automated responses in SOAR platforms. For example, if ThreatNG detects a high-risk vulnerability on a critical web application, it could automatically trigger a patching workflow in the SOAR platform.
Threat Intelligence Platforms: ThreatNG's threat intelligence, such as dark web monitoring and ransomware tracking, can be integrated with other threat intelligence platforms to provide a more comprehensive threat landscape.