External Risk Management


In cybersecurity, External Risk Management refers to an organization's processes and strategies to identify, assess, and mitigate cyber threats that originate outside of its direct control. This involves looking beyond the internal network and infrastructure to understand and address risks from the broader digital ecosystem.

Here's a breakdown of what that entails:

  • Focus on External Threats:

    • It shifts the focus from internal vulnerabilities alone to threats in the external environment, such as:

      • Third-party vendor risks.

      • Supply chain vulnerabilities.

      • Threats on the open web, deep web, and dark web.

      • Risks associated with cloud services.

      • Impersonation attacks and brand reputation threats.

  • Key Activities:

    • Attack Surface Management: Monitoring and managing all internet-facing assets to identify potential entry points for attackers.

    • Third-Party Risk Management: Assessing the security posture of vendors and partners to minimize risks introduced through those relationships.

    • Threat Intelligence: Gathering and analyzing information about emerging threats and threat actors to defend against attacks proactively.

    • Brand Protection: Monitoring for and mitigating threats like phishing attacks and brand impersonation that can damage an organization's reputation.

    • Compliance: Ensuring external security practices align with relevant regulations and industry standards.

  • Importance:

    • In today's interconnected digital world, organizations increasingly rely on external services and partners, which creates a broader attack surface that needs to be managed.

    • Effective external risk management helps to prevent data breaches, protect sensitive information, and maintain business continuity.

External Risk Management extends cybersecurity defenses beyond an organization's traditional boundaries to address the complex and evolving threats in the broader digital landscape.

Here's how ThreatNG addresses external risk management:

  • External Discovery: ThreatNG excels in external discovery by performing purely external unauthenticated discovery without needing connectors. This means it can identify potential risks from an attacker's perspective, which is crucial for understanding your external attack surface.

  • External Assessment: ThreatNG provides comprehensive external assessment capabilities, offering various risk ratings:

    • Web Application Hijack Susceptibility: ThreatNG assesses this by analyzing externally accessible parts of a web application to find potential entry points for attackers. It uses external attack surface and digital risk intelligence, including Domain Intelligence, to substantiate this score.

    • Subdomain Takeover Susceptibility: ThreatNG evaluates a website's susceptibility using external attack surface and digital risk intelligence, including Domain Intelligence. This involves analyzing subdomains, DNS records, SSL certificate statuses, and other relevant factors.

    • BEC & Phishing Susceptibility: ThreatNG derives this from Sentiment and Financials Findings, Domain Intelligence (DNS Intelligence and Email Intelligence), and Dark Web Presence (Compromised Credentials).

    • Brand Damage Susceptibility: This is derived from attack surface intelligence, digital risk intelligence, ESG Violations, Sentiment and Financials (Lawsuits, SEC filings, SEC Form 8-Ks, and Negative News), and Domain Intelligence (Domain Name Permutations and Web3 Domains).

    • Data Leak Susceptibility: ThreatNG derives this from external attack surface and digital risk intelligence based on Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), Domain Intelligence, and Sentiment and Financials (Lawsuits and SEC Form 8-Ks).

    • Cyber Risk Exposure: ThreatNG considers parameters from its Domain Intelligence module, such as certificates, subdomain headers, vulnerabilities, and sensitive ports, to determine cyber risk exposure. It also factors in code secret exposure by discovering code repositories, determining their exposure level, and checking them for sensitive data. It evaluates cloud services and SaaS solutions and considers compromised credentials on the dark web.

    • ESG Exposure: ThreatNG evaluates an organization's vulnerability to ESG risks using external attack surface and digital risk intelligence, along with Sentiment and Financials findings. It analyzes Competition, Consumer, Employment, Environment, Financial, Government Contracting, Healthcare, and Safety-related offenses.

    • Supply Chain & Third-Party Exposure: ThreatNG derives this from Domain Intelligence (Enumeration of Vendor Technologies from DNS and Subdomains), Technology Stack, and Cloud and SaaS Exposure.

    • Breach & Ransomware Susceptibility: This is derived from external attack surface and digital risk intelligence, including Domain Intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), Dark Web Presence (compromised credentials, ransomware events, and gang activity), and Sentiment and Financials (SEC Form 8-Ks).

    • Mobile App Exposure: ThreatNG evaluates an organization’s mobile apps by discovering them in marketplaces and analyzing their contents for access credentials, security credentials, and platform-specific identifiers.

  • Reporting: ThreatNG provides various reports, including Executive, Technical, Prioritized, Security Ratings, Inventory, Ransomware Susceptibility, and U.S. SEC Filings.

  • Continuous Monitoring: ThreatNG monitors organizations' external attack surfaces, digital risks, and security ratings.

  • Investigation Modules: ThreatNG includes investigation modules, such as:

    • Domain Intelligence: This module provides a domain overview (Digital Presence Word Cloud, Microsoft Entra Identification and Domain Enumeration, Bug Bounty Programs), DNS Intelligence (Domain Record Analysis, Domain Name Permutations, and Web3 Domains), Email Intelligence (Security Presence, Format Predictions, and Harvested Emails), WHOIS Intelligence (WHOIS Analysis and Other Domains Owned), and Subdomain Intelligence. Subdomain Intelligence includes HTTP Responses, Header Analysis, Server Headers, Cloud Hosting, Website Builders, E-commerce Platforms, Content Management Systems, and more. It also covers Subdomain Takeover Susceptibility, Content Identification, Ports (IoT/OT, Industrial Control Systems, Databases, Remote Access Services), Known Vulnerabilities, Web Application Firewall Discovery, and Vendor Types.

    • IP Intelligence: This module provides information on IPs, Shared IPs, ASNs, Country Locations, and Private IPs.

    • Certificate Intelligence: This module provides information on TLS Certificates (Status, Issuers, Active, Certs without Subdomains, Subdomains without Certificates) and Associated Organizations (Domains, Certificates, and Emails).

    • Social Media: This module provides posts from the organization under investigation, including content copy, hashtags, links, and tags.

    • Sensitive Code Exposure: This module discovers public code repositories and uncovers digital risks, including access credentials, access tokens, cloud credentials, security credentials, other secrets, configuration files, system configurations, and network configurations. It also covers database exposures, application data exposures, activity records, communication platform configurations, development environment configurations, security testing tools, cloud service configurations, remote access credentials, system utilities, personal data, and user activity.

    • Mobile Application Discovery: This module discovers mobile apps related to the organization in marketplaces and analyzes their contents for access credentials, security credentials, and platform-specific identifiers.

    • Search Engine Exploitation: This module helps users investigate an organization’s susceptibility to exposing information via search engines. It discovers website control files like robots.txt and security.txt and analyzes search engine attack surfaces.

    • Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services, impersonations, and open exposed cloud buckets. It also covers SaaS implementations associated with the organization, including various business intelligence, collaboration, CRM, communication, and other platforms.

    • Online Sharing Exposure: This module identifies organizational entities within online code-sharing platforms.

    • Sentiment and Financials: This module covers organization-related lawsuits, layoff chatter, SEC filings, SEC Form 8-Ks, and ESG violations.

    • Archived Web Pages: This module provides access to archived web pages, including file types, directories, subdomains, user names, and admin pages.

    • Dark Web Presence: This module covers organizational mentions of related people, places, or things, associated ransomware events, and compromised credentials.

    • Technology Stack: This module identifies the technologies used by the organization, including accounting tools, analytics, API management, and various other categories.

  • Intelligence Repositories: ThreatNG uses intelligence repositories, including data on the dark web, compromised credentials, ransomware events and groups, known vulnerabilities, ESG violations, bug bounty programs, SEC Form 8-Ks, Bank Identification Numbers, and Mobile Apps.

  • Work with Complementary Solutions: The document does not explicitly detail ThreatNG working with complementary solutions. However, its comprehensive external risk management capabilities suggest it can integrate with various security tools like SIEMs, SOAR platforms, and vulnerability management systems to enhance overall security posture.
