Identity Intelligence (I2)
In the context of cybersecurity, Identity Intelligence (I2) is a proactive, data-driven approach that collects, analyzes, and responds to information related to digital identities to prevent and mitigate cyber threats. It goes beyond traditional identity and access management (IAM) by focusing on external threats and behaviors, rather than just internal policies.
Identity Intelligence works by gathering a wide range of data from various sources to build a comprehensive risk profile for each user identity.
Key Components of Identity Intelligence
1. Data Collection and Monitoring
I2 systems constantly monitor for compromised credentials and other identity-related data on the dark web, underground forums, and various data breach repositories. This is a critical step because stolen credentials are a primary entry point for cyberattacks. The data collected can include:
Compromised credentials: Stolen usernames, passwords, and security questions.
Malware logs: Information harvested from infected devices, such as session cookies and other login data.
Personal information (PII): Data that can be used for phishing or social engineering attacks.
2. Behavioral and Anomaly Analysis
This component focuses on analyzing user behavior to detect deviations from the norm. By learning a user's typical login times, locations, and resource access patterns, I2 can flag suspicious activities. For instance, a login attempt from an unusual geographic area or a sudden download of an excessive amount of data would be flagged as a potential threat.
3. Risk Scoring and Prioritization
I2 assigns a risk score to each identity based on the analyzed data. Factors that increase a user's risk score include:
Their credentials appearing in a new data breach.
Unusual login attempts.
A specific threat actor targeting their identity.
This scoring helps security teams prioritize which threats to address first, focusing on the highest-risk accounts and activities.
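The two components above (behavioral baselining in section 2 and risk scoring in section 3) are easier to reason about as one small pipeline. The following is an added example written for this page, not ThreatNG code: it learns a per-user login baseline, flags deviations in the most recent login, and folds in external signals such as a credential-breach hit or known targeting. The events, breach dates, targeting set and weights are all constructed for illustration.

```python
"""Added example (not ThreatNG's code): learn a per-user login baseline, flag
deviations in the latest login, then fold in external identity signals to rank
accounts. All events and feeds below are constructed sample data."""
from collections import Counter
from datetime import datetime, timezone
import math

# Constructed login events: (user, UTC timestamp, country, bytes downloaded)
EVENTS = [
    ("alice", "2024-05-01T09:05:00Z", "DE", 12_000),
    ("alice", "2024-05-02T08:50:00Z", "DE", 9_500),
    ("alice", "2024-05-03T09:10:00Z", "DE", 15_000),
    ("alice", "2024-05-06T09:00:00Z", "DE", 11_000),
    ("alice", "2024-05-07T03:30:00Z", "RU", 2_400_000),  # odd hour, new country, bulk download
    ("bob",   "2024-05-01T13:00:00Z", "US", 40_000),
    ("bob",   "2024-05-02T14:20:00Z", "US", 38_000),
    ("bob",   "2024-05-03T12:45:00Z", "US", 42_000),
]
# Constructed external signals of the kind an I2 feed supplies
BREACHED = {"alice": "2024-05-06"}   # user -> date credentials appeared in a dump
TARGETED = {"bob"}                   # users named in observed phishing kits / actor tasking
WEIGHTS = {"new_country": 25, "unusual_hour": 10, "excessive_download": 30}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baselines(events):
    """Per user: countries seen, login-hour histogram, download mean/stdev,
    computed from all but the most recent event so that event can be judged."""
    by_user = {}
    for e in events:
        by_user.setdefault(e[0], []).append(e)
    baselines = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[1])          # ISO-8601 strings sort chronologically
        hist = evs[:-1] or evs
        vols = [e[3] for e in hist]
        mean = sum(vols) / len(vols)
        stdev = math.sqrt(sum((v - mean) ** 2 for v in vols) / len(vols))
        baselines[user] = {
            "countries": {e[2] for e in hist},
            "hours": Counter(_ts(e[1]).hour for e in hist),
            "mean": mean, "stdev": stdev, "latest": evs[-1],
        }
    return baselines


def anomalies(event, baseline):
    """Deviations of one login from the baseline, in a fixed order."""
    _, ts, country, nbytes = event
    hour = _ts(ts).hour
    flags = []
    if country not in baseline["countries"]:
        flags.append("new_country")
    if all(abs(hour - h) > 1 for h in baseline["hours"]):   # not within an hour of any seen slot
        flags.append("unusual_hour")
    if (nbytes - baseline["mean"]) / (baseline["stdev"] or 1.0) > 3:  # > 3 sigma above normal
        flags.append("excessive_download")
    return flags


def risk_score(user, flags, as_of, breached=BREACHED, targeted=TARGETED):
    """0-100 score: behavioural flags plus external signals. A breach hit is worth
    most when fresh and decays 5 points per week, never below 10."""
    score = sum(WEIGHTS[f] for f in flags)
    if user in breached:
        age_days = (as_of - _ts(breached[user] + "T00:00:00Z")).days
        score += max(10, 40 - 5 * (age_days // 7))
    if user in targeted:
        score += 20
    return min(score, 100)


def prioritize(events=EVENTS, as_of=None):
    """Score each user's latest login; highest risk first."""
    baselines = build_baselines(events)
    as_of = as_of or max(_ts(e[1]) for e in events)
    ranked = []
    for user, b in baselines.items():
        flags = anomalies(b["latest"], b)
        ranked.append((risk_score(user, flags, as_of), user, flags))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for score, user, flags in prioritize():
        print(f"{score:3d} {user:8s} {flags}")
```

With this data alice ranks first at 100 (three behavioral flags plus a day-old breach hit), bob at 20 (no deviations, but named in targeting). The baseline deliberately excludes the event being judged; a real deployment would also need a minimum history length before trusting the hour and volume statistics, since a handful of logins makes the standard deviation unreliable.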
Identity Intelligence vs. Identity and Access Management (IAM)
While closely related, I2 and IAM serve different purposes.
Identity and Access Management (IAM) is a framework of policies and technologies that manage internal identities and their associated access rights within an organization. It focuses on processes like user authentication, authorization, and provisioning. It answers the question, "Who has access to what?"
Identity Intelligence (I2) extends beyond this by providing an external, threat-centric view. It answers the question, "Are any of my organization's identities at risk from external threats, and how can I proactively defend against them?"
I2 enhances and informs IAM. For example, if I2 detects that an employee's password has been leaked on the dark web, it can automatically trigger a password reset and multi-factor authentication (MFA) enforcement within the IAM system, closing the window for an account takeover.
ThreatNG is an all-in-one solution for external attack surface management, digital risk protection, and security ratings that helps with Identity Intelligence by proactively discovering and assessing risks related to digital identities from an attacker's perspective. It focuses on external, unauthenticated discovery, meaning it doesn't need internal network access or connectors to find and evaluate an organization's exposed assets and data.
External Discovery
ThreatNG performs external discovery by acting like a threat actor to map an organization's digital footprint. It identifies publicly exposed subdomains, cloud services, mobile apps, and code repositories. This unauthenticated approach enables organizations to see what a potential attacker sees, including "shadow IT" or previously overlooked assets that fall outside the scope of traditional internal security scans. An example of this is its ability to identify publicly exposed APIs and development environments that are not adequately documented internally.
External Assessment
ThreatNG provides detailed assessments and assigns scores to evaluate an organization's susceptibility to various cyberattacks, with many of these assessments directly related to identity and credential theft.
Subdomain Takeover Susceptibility: This assessment uses Domain Intelligence to analyze a website's subdomains, DNS records, and SSL certificate statuses to identify if an attacker could take over a subdomain. This is critical for Identity Intelligence because a compromised subdomain can be used for phishing attacks to steal user credentials.
BEC & Phishing Susceptibility: This score is based on several factors, including Domain Intelligence, which looks for domain name permutations (typosquatting) and checks for email security presence and format predictions. It also takes into account compromised credentials from the dark web. For example, if ThreatNG finds a domain like mycompany-pay.com that is similar to mycompany.com, it flags it as a potential phishing risk.
Data Leak Susceptibility: This is derived from external attack surface and digital risk intelligence, including Cloud and SaaS Exposure, Domain Intelligence (such as DNS and email intelligence), and Dark Web Presence, particularly compromised credentials. An example is ThreatNG finding a company's sensitive data, like emails and credentials, exposed in a public cloud bucket or on the dark web.
Cyber Risk Exposure: This score assesses factors such as certificates, subdomain headers, vulnerabilities, and sensitive ports. It also considers Code Secret Exposure, which finds sensitive data like API keys and credentials in public code repositories, and Cloud and SaaS Exposure, which evaluates cloud services and their compromised credentials on the dark web. For instance, ThreatNG might find an AWS Access Key ID exposed in a public GitHub repository, which significantly increases the Cyber Risk Exposure score.
Non-Human Identity (NHI) Exposure: This score is unique and directly addresses the risks associated with non-human identities, such as API keys and service accounts, which often outnumber human identities and serve as a significant attack vector. ThreatNG assesses this by identifying DNS vendors and the technology stack, looking for compromised NHI credentials and secrets in sensitive code and mobile apps, and discovering exposed APIs and non-human email addresses. For example, ThreatNG can identify an exposed API key hardcoded in a mobile app, which poses a significant NHI risk.
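The Subdomain Takeover Susceptibility assessment above rests on a specific DNS condition: a subdomain whose CNAME points at a hostname nobody currently controls. The following added example (written for this page, not ThreatNG's assessment logic) walks a constructed DNS snapshot, follows CNAME chains, and reports targets that no longer resolve, rating those on third-party services highest because anyone who registers the unclaimed name then serves content under the organization's subdomain. The provider suffix list is illustrative.

```python
"""Added example (not ThreatNG's assessment): detect dangling CNAMEs, the usual
precondition for a subdomain takeover. DNS data below is a constructed snapshot;
in practice resolve() would query a resolver."""

# Illustrative suffixes of services where an unclaimed hostname can be registered
# by any customer. Hypothetical list; takeover-prone providers change over time.
TAKEOVER_PRONE = (".github.io", ".herokuapp.com", ".azurewebsites.net", ".s3.amazonaws.com")

# Constructed DNS snapshot: name -> (type, target); None means NXDOMAIN.
DNS = {
    "www.mycompany.com":        ("A", "203.0.113.10"),
    "docs.mycompany.com":       ("CNAME", "mycompany-docs.github.io"),
    "mycompany-docs.github.io": None,                   # Pages site deleted: dangling
    "shop.mycompany.com":       ("CNAME", "shop-prod.herokuapp.com"),
    "shop-prod.herokuapp.com":  ("A", "198.51.100.7"),  # still claimed
    "old.mycompany.com":        ("CNAME", "legacy.mycompany.com"),
    "legacy.mycompany.com":     None,                   # dangling, but under our own zone
}


def resolve(name, table=DNS, depth=0):
    """Follow a CNAME chain; return the terminal record or None for NXDOMAIN."""
    if depth > 8:          # guard against CNAME loops
        return None
    rec = table.get(name)
    if rec and rec[0] == "CNAME":
        return resolve(rec[1], table, depth + 1)
    return rec


def takeover_candidates(table=DNS):
    """Subdomains whose CNAME target does not resolve. A target on a third-party
    service is high severity: whoever claims that name now serves the subdomain."""
    findings = []
    for name, rec in table.items():
        if not rec or rec[0] != "CNAME":
            continue
        target = rec[1]
        if resolve(target, table) is not None:
            continue   # target resolves; nothing for an attacker to claim
        prone = any(target.endswith(s) for s in TAKEOVER_PRONE)
        findings.append({
            "subdomain": name,
            "target": target,
            "severity": "high" if prone else "medium",
            "note": "unclaimed third-party hostname" if prone else "dangling CNAME, target unresolvable",
        })
    return findings


if __name__ == "__main__":
    for f in takeover_candidates():
        print(f["severity"], f["subdomain"], "->", f["target"], f["note"])
```

NXDOMAIN is only one signal. Several hosting services keep resolving a deleted customer hostname and answer with a generic "no such site" page, so a production check also fetches the target over HTTP and matches provider-specific fingerprints; and whether the name can actually be re-registered depends on the provider's current claim policy, which is why a hit here is a candidate to verify rather than a confirmed takeover.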
Reporting
ThreatNG provides various reports to help organizations understand and act on their findings. The Prioritized Report categorizes risks as High, Medium, Low, and Informational, giving context, reasoning, and practical recommendations for mitigation. For example, a report might flag a specific vulnerability with a high priority because it has an associated Proof-of-Concept exploit in the DarCache eXploit repository, making it an immediate and proven threat.
Continuous Monitoring
ThreatNG continuously monitors the external attack surface, digital risk, and security ratings of the organizations it covers. This ensures that as new threats emerge or as an organization's digital footprint changes, the platform provides updated assessments and alerts in real time. This is crucial for Identity Intelligence because it enables the immediate detection of new credential leaks or exposed non-human identities, allowing for a rapid response before an attacker can exploit them.
Investigation Modules
ThreatNG has several investigation modules that allow for a deeper dive into discovered risks.
Domain Intelligence: This module provides a comprehensive view of domain-related assets. It includes DNS Intelligence to analyze domain records and identify Domain Name Permutations (typosquatting) that could be used for phishing. An example is detecting a fake website such as mycompany-login.com, which pairs the brand name with a plausible suffix to trick users; variants that swap the top-level domain or substitute look-alike characters are caught the same way.
Sensitive Code Exposure: This module discovers public code repositories and investigates them for sensitive data. For example, it can find exposed API keys, cloud credentials like an AWS Access Key ID, or even user names and passwords left in a public Git configuration file.
Dark Web Presence: This module monitors for mentions of the organization, associated ransomware events, and compromised credentials. It provides critical intelligence on whether an organization's identities are for sale or have been breached.
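The Sensitive Code Exposure module above, and the Code Secret Exposure and NHI Exposure factors in the assessment section, all come down to finding credential-shaped strings in files. The following added example (written for this page, not ThreatNG's scanner) shows the two techniques a practitioner combines: fixed-format patterns for identifiers with a known shape, such as AWS access key IDs, and a keyword-plus-entropy rule for generic tokens that filters out placeholders. The sample files are constructed; the AWS values are the example key pair from AWS documentation, not live credentials.

```python
"""Added example (not ThreatNG's scanner): pattern plus entropy checks for leaked
credentials in repository and mobile-app source. Sample files are constructed;
the AWS values are the documented example key pair, not live credentials."""
import math
import re

PATTERNS = {
    # AWS access key IDs have a fixed prefix and length, so a plain regex is reliable.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # user:password embedded in a remote URL, typical of a committed .git/config
    "url_basic_auth": re.compile(r"https?://[^/\s:@]+:[^/\s:@]+@[^\s/]+"),
    # key-like identifier assigned a long token; the entropy filter weeds out placeholders
    "generic_assignment": re.compile(
        r"(?i)\b[a-z_]*(api[_-]?key|secret|token|password)[a-z_]*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
}

SAMPLES = {   # constructed: path -> file contents
    ".git/config": '[remote "origin"]\n\turl = https://deploy:Sup3rS3cretPw@github.com/mycompany/app.git\n',
    "settings.py": ('AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
                    'api_key = "changeme_changeme_1"\n'),
    "app/src/main/java/Config.java": 'static final String API_TOKEN = "t0k3nV4lu3Xy7Qw9Zp2Lm5Nb8";\n',
}


def shannon_entropy(s):
    """Bits per character; random tokens score well above readable placeholders."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(path, text, entropy_threshold=3.5):
    """Findings for one file; the secret itself is redacted before it is recorded."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(2) if kind == "generic_assignment" else m.group(0)
                if kind == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue   # low entropy: likely a placeholder, not a real secret
                findings.append({"file": path, "line": lineno, "type": kind,
                                 "redacted": value[:4] + "..."})   # never log the full secret
    return findings


def scan_all(samples=SAMPLES):
    return [f for path, text in samples.items() for f in scan(path, text)]


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['file']}:{f['line']} {f['type']} {f['redacted']}")
```

Against the samples this reports the basic-auth URL in the Git config, the AWS key ID and secret in settings.py, and the token in the Android source, and skips `changeme_changeme_1` because its entropy is below the threshold. Pattern matches are leads, not confirmations: the next step is to check whether the credential is still valid (for AWS keys, a call such as `sts get-caller-identity` with the found pair, done from an approved account and with the key rotated immediately afterwards), because a revoked key is a hygiene issue while a live one is an incident.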
Intelligence Repositories
ThreatNG uses proprietary intelligence repositories, collectively branded as DarCache, to enrich its assessments.
DarCache Rupture (Compromised Credentials): This continuously updated repository contains compromised credentials, which directly supports the Dark Web Presence and other related assessments. If a new data breach occurs and ThreatNG identifies credentials from a monitored organization, it can immediately raise a risk flag.
DarCache Ransomware: This tracks over 70 ransomware gangs and their activities, which directly informs the Breach & Ransomware Susceptibility score.
DarCache Vulnerability: This repository supports risk-based prioritization by pairing vulnerability data with evidence of real-world exploitability. It includes data from the National Vulnerability Database (NVD), the Exploit Prediction Scoring System (EPSS), and the Known Exploited Vulnerabilities (KEV) catalog, plus direct links to verified Proof-of-Concept (PoC) exploits, which helps security teams judge a vulnerability's practical impact rather than its severity score alone.
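The Prioritized Report and the DarCache Vulnerability description both rely on the same ordering idea: evidence that a flaw is being exploited, or can be with a public PoC, outranks severity alone. The following added example (written for this page, not ThreatNG's DarCache logic) makes that ordering explicit over constructed findings; the ids are placeholders, not real CVE identifiers, and the `kev`, `epss`, `cvss` and `poc` fields stand in for the KEV catalog, EPSS probability, NVD CVSS base score and a verified PoC link.

```python
"""Added example (not ThreatNG's DarCache logic): tier findings by exploitation
evidence, then order within each tier. All inputs are constructed placeholders."""

# Constructed findings; ids are placeholders, not real CVE identifiers.
FINDINGS = [
    {"id": "finding-1", "asset": "vpn.mycompany.com",  "cvss": 9.8, "epss": 0.94, "kev": True,  "poc": True},
    {"id": "finding-2", "asset": "www.mycompany.com",  "cvss": 7.5, "epss": 0.12, "kev": False, "poc": True},
    {"id": "finding-3", "asset": "mail.mycompany.com", "cvss": 5.3, "epss": 0.61, "kev": False, "poc": False},
    {"id": "finding-4", "asset": "dev.mycompany.com",  "cvss": 8.1, "epss": 0.02, "kev": False, "poc": False},
    {"id": "finding-5", "asset": "cdn.mycompany.com",  "cvss": 3.1, "epss": 0.01, "kev": False, "poc": False},
]

ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def tier(f):
    """Return (tier, reason). Evidence of exploitation outranks severity alone."""
    if f["kev"]:
        return "High", "listed in KEV: known to be exploited in the wild"
    if f["poc"] and f["cvss"] >= 7.0:
        return "High", "public proof-of-concept exploit for a high-severity flaw"
    if f["poc"] or f["epss"] >= 0.5:
        return "Medium", "exploit available or high predicted exploitation probability"
    if f["cvss"] >= 7.0:
        return "Low", "high severity but no exploitation evidence yet"
    return "Informational", "low severity, no exploitation evidence"


def prioritize(findings=FINDINGS):
    """Attach tier and reason, then sort: tier, KEV first, then EPSS, then CVSS."""
    rows = [{**f, "tier": tier(f)[0], "reason": tier(f)[1]} for f in findings]
    rows.sort(key=lambda r: (ORDER[r["tier"]], not r["kev"], -r["epss"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize():
        print(f"{r['tier']:13s} {r['id']} {r['asset']}: {r['reason']}")
```

Note that finding-3 outranks finding-4 even though its CVSS score is lower: a 61% predicted probability of exploitation is a better reason to act than an 8.1 that nobody is attacking. Thresholds such as the 0.5 EPSS cut-off are policy choices and should be tuned to the organization's patch capacity.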
Examples of ThreatNG Helping with Identity Intelligence
A security team uses ThreatNG and discovers that an employee's corporate email and password have been found on a dark web forum and ingested into the DarCache Rupture repository. ThreatNG's continuous monitoring detects this new risk and automatically raises the employee's risk score. The team is alerted immediately and can force a password reset and enable MFA for that account before it is taken over.
ThreatNG's Domain Intelligence module identifies several look-alike domains, such as mycompany-login.io and mycompany-support.com. The BEC & Phishing Susceptibility assessment flags these as high-risk, and a report is generated with recommendations. This allows the security team to block these domains proactively and prevent a future phishing attack that could steal credentials.
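The look-alike domains in this example, the BEC & Phishing Susceptibility assessment, and the Domain Intelligence module all depend on the same two operations: generating the permutations of a brand domain an attacker would register, and matching observed domain names against them. The following added example (written for this page, not ThreatNG's Domain Intelligence) implements both, with an edit-distance fallback for variants the generator did not enumerate. The brand, affix list, homoglyph table and observed-domain feed are constructed for illustration.

```python
"""Added example (not ThreatNG's Domain Intelligence): generate look-alike
permutations of a brand domain and match observed names against them.
Brand, affixes, homoglyph table and the observed feed are constructed."""

BRAND = "mycompany.com"
AFFIXES = ("login", "pay", "support", "secure", "mail")
TLDS = ("com", "net", "io", "co", "org")
HOMOGLYPHS = {"o": ("0",), "l": ("1", "i"), "i": ("1", "l"), "m": ("rn",), "a": ("4",), "e": ("3",)}


def lookalikes(domain=BRAND):
    """Affix, TLD-swap, omission, transposition and homoglyph variants of the brand."""
    label, tld = domain.rsplit(".", 1)
    out = set()
    for t in TLDS:
        if t != tld:
            out.add(f"{label}.{t}")                        # mycompany.io
        for a in AFFIXES:
            out.add(f"{label}-{a}.{t}")                    # mycompany-login.io
            out.add(f"{a}-{label}.{t}")                    # login-mycompany.com
    for i, ch in enumerate(label):
        out.add(f"{label[:i]}{label[i+1:]}.{tld}")        # omission: mycmpany.com
        if i + 1 < len(label):                            # transposition: mycopmany.com
            out.add(f"{label[:i]}{label[i+1]}{ch}{label[i+2:]}.{tld}")
        for sub in HOMOGLYPHS.get(ch, ()):                # homoglyph: rnycompany.com
            out.add(f"{label[:i]}{sub}{label[i+1:]}.{tld}")
    out.discard(domain)
    return out


def levenshtein(a, b):
    """Classic edit distance with a rolling row; fine for short labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidates, domain=BRAND, max_distance=2):
    """Label each candidate that resembles the brand; the brand itself is skipped."""
    known = lookalikes(domain)
    label = domain.rsplit(".", 1)[0]
    hits = []
    for c in candidates:
        c = c.lower().rstrip(".")
        if c == domain:
            continue
        c_label = c.rsplit(".", 1)[0]
        if c in known:
            hits.append((c, "permutation"))
        elif label in c_label:
            hits.append((c, "brand_embedded"))             # mycompany-hr-portal.com
        else:
            d = levenshtein(label, c_label)
            if d <= max_distance:
                hits.append((c, f"edit_distance_{d}"))
    return hits


# Constructed feed of newly observed domains (e.g. from CT logs or zone files)
OBSERVED = [
    "mycompany-login.io", "mycompany-support.com", "mycompany-pay.com",
    "rnycompany.com", "myc0mpany.com", "mycompny.co",
    "mycompany-hr-portal.com", "unrelated-example.net", "mycompany.com",
]

if __name__ == "__main__":
    for name, why in classify(OBSERVED):
        print(f"{why:16s} {name}")
```

A hit is a reason to investigate, not to block: legitimately owned brand domains belong in an allowlist, and the useful follow-up checks are whether the name has MX records, a live web server, or a certificate, which separate an attacker's staged phishing domain from an idle defensive registration.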
Complementary Solutions
ThreatNG's capabilities can be used with other cybersecurity solutions to create a more robust defense.
Security Information and Event Management (SIEM) Solutions: ThreatNG can feed its external threat intelligence, such as compromised credentials and newly discovered risky assets, into a SIEM. This enables the SIEM to correlate external risks with internal events, providing a more comprehensive view of potential attacks. For example, if ThreatNG detects an employee's credentials on the dark web, the SIEM can be configured to alert on any subsequent login to that account, even one from a seemingly legitimate source.
Identity and Access Management (IAM) Platforms: ThreatNG's findings can inform and automate actions within an IAM platform. For instance, if ThreatNG identifies a user account with a compromised password, it can automatically trigger a password reset and require step-up authentication within the IAM system, strengthening the organization's overall identity security posture. ThreatNG's NHI Exposure score can also help IAM teams manage non-human identities more effectively, since it surfaces API keys left in public code repositories that the IAM platform is likely not tracking.
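The I2-to-IAM hand-off described here and in the "Identity Intelligence vs. IAM" section above has one step the prose glosses over: deciding whether a leaked password is actually the user's current one, since a match calls for session revocation and a forced reset while a stale password mainly calls for a reuse warning. The following added example (written for this page, not ThreatNG's or any IAM vendor's code) turns a leak feed into an idempotent action plan. The directory, its PBKDF2 hashes and salts, the leak records, and the action names are all constructed; the action names are placeholders for whatever the IAM platform's API exposes.

```python
"""Added example (not ThreatNG's or an IAM vendor's code): match a leak feed
against a directory and produce an idempotent remediation plan. Directory,
salts, leak rows and action names are constructed placeholders."""
import hashlib
import hmac


def hash_password(pw, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256, standing in for whatever the directory really stores."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


# Constructed directory: fixed salts so the sample is reproducible.
_SALT_A = b"salt-alice-0001"
_SALT_B = b"salt-bob---0002"
DIRECTORY = {
    "alice@mycompany.com": {"salt": _SALT_A, "hash": hash_password("Winter2024!", _SALT_A), "mfa": False},
    "bob@mycompany.com":   {"salt": _SALT_B, "hash": hash_password("correct-horse-battery", _SALT_B), "mfa": True},
}

# Constructed leak feed (a combo-list style dump): (email, password, source, seen_on)
LEAK_FEED = [
    ("Alice@MyCompany.com", "Winter2024!",    "forum-dump-2024-05", "2024-05-06"),
    ("bob@mycompany.com",   "oldpassword123", "forum-dump-2024-05", "2024-05-06"),
    ("carol@mycompany.com", "whatever",       "forum-dump-2024-05", "2024-05-06"),
    ("alice@mycompany.com", "Winter2024!",    "forum-dump-2024-05", "2024-05-06"),  # duplicate row
]


def plan_actions(feed=LEAK_FEED, directory=DIRECTORY):
    """One action set per (user, leak); a current-password match gets the hard response."""
    actions = []
    seen = set()
    for email, pw, source, date in feed:
        email = email.strip().lower()               # feeds are inconsistent about case
        user = directory.get(email)
        if user is None:
            continue                                # not one of ours, or already deprovisioned
        key = hashlib.sha256(f"{email}|{source}|{date}".encode()).hexdigest()[:16]
        if key in seen:
            continue                                # same leak already handled: stay idempotent
        seen.add(key)
        current = hmac.compare_digest(hash_password(pw, user["salt"]), user["hash"])
        steps = ["revoke_sessions", "force_password_reset"] if current else []
        if not user["mfa"]:
            steps.append("require_mfa")             # enforce MFA regardless of match
        if not current:
            steps.append("notify_user_of_reuse_risk")
        actions.append({"user": email, "leaked_password_is_current": current,
                        "steps": steps, "idempotency_key": key})
    return actions


if __name__ == "__main__":
    for a in plan_actions():
        print(a["user"], a["leaked_password_is_current"], a["steps"])
```

The idempotency key matters because the same dump is typically re-indexed by several feeds over weeks; without it, users get reset every time the finding resurfaces. The comparison only works when the feed carries plaintext (or a hash type you can recompute); many dumps carry the breached site's own hash format, which cannot be checked against your directory, and in that case the safe default is to treat the account as if the password matched.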