IVRE


IVRE (Instrument de veille sur les réseaux extérieurs) is an open-source network reconnaissance framework used in cybersecurity for analyzing data collected from various network scanning tools like Nmap, Masscan, ZGrab2, and Zeek/Bro.

Here's a breakdown of what it does and why it's important:

Key Features and Functionalities:

  • Data Consolidation and Analysis: IVRE collects and stores data from different network scanners, providing a centralized platform for analysis. This gives security professionals a comprehensive view of their network and its potential vulnerabilities.

  • Web Interface: IVRE offers a user-friendly web interface that allows easy interaction with the collected data. This allows analysts to search, filter, and visualize the information efficiently.

  • Correlation and Contextualization: IVRE can correlate data from multiple sources, providing context and insights into potential threats. This helps identify patterns and anomalies that might be missed when analyzing data from individual tools.

  • Reporting and Exporting: IVRE allows for the generation of reports and export of data in various formats, facilitating sharing and collaboration among security teams.

  • Automation: IVRE supports automation through its command-line interface and Python API, enabling efficient integration with other security tools and workflows.

Benefits in Cybersecurity:

  • Improved Network Visibility: IVRE provides a comprehensive network view, including active devices, services, and potential vulnerabilities.

  • Enhanced Threat Detection: By correlating data from various sources, IVRE helps identify potential threats and anomalies that might otherwise go unnoticed.

  • Efficient Incident Response: IVRE facilitates faster incident response by providing quick access to relevant data and context.

  • Proactive Security Posture: IVRE enables proactive security measures by identifying vulnerabilities and weaknesses in the network before they can be exploited.

IVRE is a valuable tool for security professionals involved in network reconnaissance, vulnerability assessment, and threat intelligence. It helps organizations strengthen cybersecurity by providing the necessary insights and tools to identify and mitigate potential risks.

ThreatNG and IVRE can work together synergistically to enhance an organization's cybersecurity posture significantly. Here's how they complement each other, with specific examples related to ThreatNG's modules and capabilities:

ThreatNG's Strengths:

  • External Attack Surface Management (EASM): ThreatNG excels at discovering and assessing an organization's external-facing assets, including those that may be unknown or overlooked. This comprehensive view provides a strong foundation for understanding the attack surface and prioritizing vulnerabilities.

  • Digital Risk Protection (DRP): ThreatNG provides Digital Risk Protection by monitoring the open, deep, and dark web for threats relevant to the organization. This includes brand impersonation, data leaks, and phishing campaigns.

  • Security Ratings: ThreatNG offers quantitative security ratings based on various factors. These ratings enable organizations to benchmark their security posture against industry standards and track improvements.

IVRE's Strengths:

  • Network Reconnaissance: IVRE collects and analyzes network data from various sources, providing detailed insights into active devices, services, and vulnerabilities.

  • Data Correlation: IVRE is designed to correlate data from multiple tools. This helps identify patterns and anomalies that might be missed when analyzing data in isolation.

  • Open Source and Customizable: IVRE's open-source nature allows for customization and integration with other security tools, providing a flexible solution for diverse security environments.

How They Work Together:

  • Domain Intelligence:

    • ThreatNG: Identifies all domains and subdomains associated with an organization. This is achieved through capabilities like "DNS Intelligence (Domain Record Analysis (IP Identification, Vendors and Technology Identification), Domain Name Permutations (Taken and Available), and Web3 Domains (Taken and Available))." ThreatNG also analyzes DNS records, certificates, and exposed services to pinpoint weaknesses.

    • IVRE: Can perform deeper network scans on the domains and subdomains identified by ThreatNG. For example, IVRE can conduct Nmap scripting engine scans to detect specific vulnerabilities in web applications hosted on those domains, complementing ThreatNG's initial findings.

  • Sensitive Code Exposure:

    • ThreatNG: Discovers exposed code repositories and analyzes them for sensitive data. This includes "Access Credentials (API Keys: Stripe API key, Google OAuth Key...), Access Tokens (Facebook access token); Generic Credentials (Username and password in URI...)" and "Security Credentials (Cryptographic Keys...)".

    • IVRE: Can further investigate the code repositories identified by ThreatNG. For example, if ThreatNG finds an exposed GitHub repository, IVRE can clone it and use tools like TruffleHog to scan for secrets within the codebase, providing a more granular analysis.

  • Cloud and SaaS Exposure:

    • ThreatNG: Identifies sanctioned and unsanctioned cloud services, cloud service impersonations, and open exposed cloud buckets. Specifically, it discovers "Sanctioned Cloud Services, Unsanctioned Cloud Services, Cloud Service Impersonations, and Open Exposed Cloud Buckets of AWS, Microsoft Azure, and Google Cloud Platform."

    • IVRE: Can perform targeted scans against the cloud assets identified by ThreatNG. For example, if ThreatNG discovers an open AWS S3 bucket, IVRE can enumerate the bucket's contents and identify potentially sensitive data.

  • Dark Web Presence:

    • ThreatNG: Monitors the dark web for mentions of an organization, associated ransomware events, and compromised credentials. This includes "Organizational mentions of Related or Defined People, Places, or Things, Associated Ransomware Events, Associated Compromised Credentials."

    • IVRE: Can enrich the dark web intelligence gathered by ThreatNG. For example, if ThreatNG identifies a leaked credential associated with an organization's domain, IVRE can attempt to authenticate to exposed services and assess the potential impact of the leak, providing a more active validation of the threat.

  • Continuous Monitoring and Reporting:

    • ThreatNG: Provides continuous monitoring of the external attack surface and generates various reports. These reports include "Executive, Technical, Prioritized, Security Ratings, Inventory, Ransomware Susceptibility, and U.S. SEC Filings."

    • IVRE: Can be integrated into security workflows to provide real-time network insights based on ThreatNG's continuous monitoring. For example, IVRE can automatically scan newly discovered assets identified by ThreatNG and alert security teams to any critical vulnerabilities detected.

Example Scenario:

ThreatNG discovers an unknown subdomain that hosts a web application associated with an organization. Due to outdated server software and missing security headers, ThreatNG flags this subdomain as having a high "Web Application Hijack Susceptibility" score.

Security teams can then use IVRE to perform a more in-depth scan of this subdomain using Nmap and its scripting engine. IVRE may identify a vulnerability in the web application code that allows for remote code execution.
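As an added example (not code from IVRE or ThreatNG), this is the kind of triage step that would sit between the scan and the alert in the automation workflow above: it parses the Nmap XML that IVRE's scan2db imports and flags the two conditions from the scenario, an outdated server version and a missing security header. The sample XML, the version floors in MIN_VERSIONS and the required-header list are all constructed for illustration, not real scan data or policy.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not real scan data): outdated Apache on HTTPS without HSTS, current OpenSSH.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script http-security-headers legacy.example.com">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="legacy.example.com" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="Apache httpd" version="2.2.15"/>
        <script id="http-security-headers" output="X-Frame-Options: DENY; Content-Security-Policy: default-src 'self'"/>
      </port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    </ports>
  </host>
</nmaprun>"""

# Hypothetical policy: minimum acceptable (major, minor) per product, and the
# response headers every HTTPS service is expected to send.
MIN_VERSIONS = {"Apache httpd": (2, 4), "OpenSSH": (8, 0)}
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options")


def major_minor(version):
    """Reduce a version string such as '8.9p1' or '2.2.15' to (major, minor)."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:2])


def triage_nmap_xml(xml_text):
    """Return (address, port, severity, message) for every policy violation found."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service to assess
            portid, svc = int(port.get("portid")), port.find("service")
            product, version = svc.get("product", ""), svc.get("version", "")
            floor = MIN_VERSIONS.get(product)
            if floor and version and major_minor(version) < floor:
                findings.append((addr, portid, "critical",
                                 f"outdated {product} {version} (< {'.'.join(map(str, floor))})"))
            for script in port.iter("script"):  # NSE results are attached to the port
                if script.get("id") != "http-security-headers":
                    continue
                for header in REQUIRED_HEADERS:
                    if header not in script.get("output", ""):
                        findings.append((addr, portid, "high", f"missing security header {header}"))
    return sorted(findings)
```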

This combination of ThreatNG's broad visibility and risk assessment with IVRE's detailed network reconnaissance and analysis enables a robust security program. This program proactively identifies and mitigates threats across the entire external attack surface.
