External Exposure Management


External Exposure Management (EEM) is the practice of identifying, assessing, monitoring, and mitigating security risks that arise from an organization's assets and presence that are accessible from the internet or otherwise outside its direct control.

Here's a breakdown of what that involves:

  • Identifying External Assets: This is the first step and involves discovering an organization's digital assets that are visible or accessible from the outside. This can include:

    • Websites and web applications

    • Domains and subdomains

    • IP addresses and network ranges

    • Cloud services and storage

    • APIs (Application Programming Interfaces)

    • Email servers and related infrastructure

    • DNS records

    • IoT devices

    • Code repositories

    • Social media presence

  • Assessing External Risks: Once the external assets are identified, the next step is to evaluate the security risks associated with them. This involves:

    • Vulnerability Scanning: Checking for known weaknesses in web applications, servers, and other external-facing systems.

    • Configuration Review: Assessing if systems are configured securely (e.g., proper security headers, secure protocols).

    • Data Leak Detection: Identifying if sensitive data is exposed through external assets (e.g., credentials in code repositories, data in cloud storage).

    • Attack Surface Analysis: Evaluating potential entry points that attackers could use to compromise the organization.

    • Compliance Assessment: Checking if external assets comply with relevant security standards and regulations.

  • Monitoring External Assets: EEM is not a one-time activity; it requires continuous monitoring to detect changes and new risks. This involves:

    • Change Detection: Tracking changes to external assets (e.g., new subdomains, software updates) that could introduce new security risks.

    • Threat Intelligence: Staying informed about emerging threats and attack trends that could target the organization's external assets.

    • Security Alerts: Receiving notifications about critical security issues or suspicious activity.

  • Mitigating External Risks: The final step is to take action to reduce or eliminate the identified external risks. This can involve:

    • Patching vulnerabilities: Applying security updates to software and systems.

    • Improving configurations: Implementing secure configurations for servers, applications, and network devices.

    • Removing exposed data: Securing or removing any sensitive data that is publicly accessible.

    • Strengthening access controls: Implementing strong authentication and authorization mechanisms.

    • Incident response: Having a plan in place to respond to security incidents that involve external assets.
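The four steps above are easiest to see as one pipeline: an asset inventory is captured, a later capture is compared against it (change detection), new exposures are ranked so that mitigation is prioritised, and individual assets get a configuration review. The following script is an added example written for this page, not code from ThreatNG or from any tool the page describes. Everything in it is constructed: the two inventory snapshots, the `example.com` hostnames and documentation-range IPs, the `SENSITIVE_PORTS` baseline and the header samples are sample data standing in for what a discovery run would return, and `EXPECTED_HEADERS` is one assumed baseline of security headers rather than a standard the page cites.

```python
# Added example (not ThreatNG's or the page's code): EEM change detection,
# prioritisation and configuration review over a constructed asset inventory.

# Constructed snapshots: host -> {"ips": set of addresses, "ports": set of open ports}
SNAPSHOT_MONDAY = {
    "www.example.com": {"ips": {"203.0.113.10"}, "ports": {80, 443}},
    "api.example.com": {"ips": {"203.0.113.11"}, "ports": {443}},
    "old-staging.example.com": {"ips": {"203.0.113.12"}, "ports": {443}},
}
SNAPSHOT_TUESDAY = {
    "www.example.com": {"ips": {"203.0.113.10"}, "ports": {80, 443}},
    "api.example.com": {"ips": {"203.0.113.11"}, "ports": {443, 27017}},
    "dev-db.example.com": {"ips": {"198.51.100.7"}, "ports": {22, 3389}},
}

# Constructed baseline: services that should not face the internet without review
SENSITIVE_PORTS = {21, 23, 3389, 5900, 27017}


def diff_inventory(old, new):
    """Change detection: compare two inventory snapshots and return a list of
    (kind, host, detail) findings for new assets, removed assets and newly
    opened ports on assets present in both snapshots."""
    findings = []
    for host in sorted(set(new) - set(old)):
        findings.append(("new_asset", host, sorted(new[host]["ports"])))
    for host in sorted(set(old) - set(new)):
        findings.append(("removed_asset", host, None))
    for host in sorted(set(old) & set(new)):
        opened = sorted(new[host]["ports"] - old[host]["ports"])
        if opened:
            findings.append(("new_ports", host, opened))
    return findings


def prioritize(findings):
    """Rank findings so mitigation starts with the riskiest change: anything
    exposing a sensitive port is high, other new exposure is medium, and a
    disappeared asset is informational (worth confirming it was intentional)."""
    ranked = []
    for kind, host, detail in findings:
        if kind == "removed_asset":
            severity = "info"
        elif detail and SENSITIVE_PORTS.intersection(detail):
            severity = "high"
        else:
            severity = "medium"
        ranked.append((severity, kind, host, detail))
    order = ("high", "medium", "info")
    return sorted(ranked, key=lambda f: order.index(f[0]))  # stable sort keeps input order within a level


# Assumed baseline for the configuration review; adjust to local policy.
EXPECTED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
}
ONE_YEAR = 31536000  # seconds; minimum HSTS max-age this review accepts


def review_headers(headers):
    """Configuration review of one asset's HTTP response headers: report which
    expected security headers are missing and which present ones are weak."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = sorted(EXPECTED_HEADERS - set(lower))
    weak = []
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        max_age = 0
        for directive in hsts.split(";"):
            directive = directive.strip().lower()
            if directive.startswith("max-age="):
                try:
                    max_age = int(directive.split("=", 1)[1])
                except ValueError:
                    max_age = 0
        if max_age < ONE_YEAR:
            weak.append("strict-transport-security: max-age below one year")
    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        weak.append("x-content-type-options: should be 'nosniff'")
    if "server" in lower and any(ch.isdigit() for ch in lower["server"]):
        weak.append("server: version string disclosed")
    return {"missing": missing, "weak": weak}


# Constructed header samples for two assets
HEADERS_OK = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
HEADERS_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "DENY",
    "Server": "Apache/2.4.1",
}

if __name__ == "__main__":
    for finding in prioritize(diff_inventory(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY)):
        print(finding)
    print(review_headers(HEADERS_OK))
    print(review_headers(HEADERS_WEAK))
```

Run as-is, it flags the new `dev-db` host (RDP exposed) and the MongoDB port newly open on `api` as high, and the vanished staging host as informational; the header review of the weak sample reports two missing headers, a short HSTS lifetime and a version-disclosing `Server` header. In practice the snapshots would be produced by an external discovery run on a schedule, and the ranked findings would be what feeds a ticketing or SOAR workflow for the mitigation step.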

Effective External Exposure Management helps organizations reduce their attack surface, prevent data breaches, and improve their overall security posture.

Here’s how ThreatNG addresses External Exposure Management (EEM):

ThreatNG's Capabilities and How They Support EEM

  • External Discovery:

    • ThreatNG excels at external discovery. It can perform purely external unauthenticated discovery without needing any connectors. This is the foundation of EEM, as it allows organizations to identify all their internet-facing assets.

    • This capability is crucial for discovering often-overlooked assets that increase external exposure, such as:

      • Shadow IT resources

      • Forgotten subdomains

      • Exposed cloud storage

  • External Assessment: ThreatNG provides a wide range of assessment capabilities that directly address EEM concerns:

    • Web Application Hijack Susceptibility: Assesses the risk of attackers hijacking web applications, a key component of an organization's external presence.

    • Subdomain Takeover Susceptibility: Evaluates the risk of attackers taking control of subdomains, a common external exposure vulnerability.

    • Data Leak Susceptibility: Identifies potential sources of data leaks, including cloud and SaaS exposure and dark web presence, which contribute to external exposure.

      • For example, ThreatNG can discover exposed cloud storage buckets or code repositories containing sensitive data.

    • Cyber Risk Exposure: This measure considers various factors, such as domain intelligence, certificates, and vulnerabilities, to determine the overall cyber risk exposure of an organization's external assets.

      • For example, ThreatNG assesses exposed sensitive ports and known vulnerabilities in external systems.

    • Code Secret Exposure: Specifically focuses on discovering exposed code repositories and sensitive data within them, a critical aspect of EEM.

      • For example, ThreatNG can identify repositories containing API keys, passwords, or cryptographic keys.

    • Cloud and SaaS Exposure: Evaluates the security of cloud services and SaaS solutions, which are increasingly part of an organization's external footprint.

      • For example, ThreatNG can identify misconfigurations or vulnerabilities in cloud storage or SaaS applications.

    • Mobile App Exposure: Assesses the security of mobile apps, which can be an entry point for attackers or a source of data leaks.

      • For example, ThreatNG can discover exposed credentials within mobile apps.

  • Reporting: ThreatNG provides various reports (executive, technical, etc.) that help organizations understand their external exposure and prioritize remediation efforts.

  • Continuous Monitoring: ThreatNG continuously monitors the external attack surface, digital risk, and security ratings, enabling organizations to stay on top of changes in their external exposure.

  • Investigation Modules: ThreatNG offers modules to investigate specific aspects of external exposure.

  • Intelligence Repositories: ThreatNG maintains repositories of information relevant to EEM:

    • Dark web presence (for compromised credentials).

    • Known vulnerabilities.

    • Mobile app data (for exposed secrets).

  • Working with Complementary Solutions: The document doesn't explicitly detail integrations, but ThreatNG's capabilities suggest it can enhance other security tools:

    • SIEM: ThreatNG can feed external exposure data into a SIEM to provide context for security events.

    • Vulnerability Management: ThreatNG's external vulnerability assessments can complement internal vulnerability scans.

    • SOAR: ThreatNG can trigger automated responses in a SOAR platform to mitigate identified external exposures.

ThreatNG provides a comprehensive platform for External Exposure Management by combining external discovery, assessment, reporting, continuous monitoring, and investigation capabilities.
