Key Risk Indicators

Key Risk Indicators (KRIs) are crucial metrics that organizations use to monitor and measure their exposure to cyber threats. They provide early warning signals, helping to identify potential problems before they escalate into serious security incidents. Here's a detailed breakdown:  

Core Definition:

• KRIs are quantifiable metrics that indicate the level of cybersecurity risk an organization faces.  

• They are designed to provide forward-looking insights, helping to predict potential security issues.  

• Unlike Key Performance Indicators (KPIs), which measure past performance, KRIs focus on potential future risks.  

Key Functions:

• Risk Monitoring: KRIs enable continuous monitoring of an organization's security posture, allowing timely identification of vulnerabilities and threats.  

• Early Warning: They act as early warning systems, alerting security teams to potential risks before they materialize into incidents.  

• Decision Support: KRIs provide valuable data that supports informed decision-making regarding security investments and risk mitigation strategies.  

• Improved Security Posture: Organizations can proactively enhance their cybersecurity posture by tracking and addressing KRIs.

Examples of Cybersecurity KRIs:

KRIs can be categorized into various areas, including:

• Technical KRIs:

  • Number of unpatched systems.

  • Frequency of vulnerability scans and identified vulnerabilities.  

  • Rate of malware infections.  

  • Number of failed login attempts.  

  • Network intrusion attempts.  

  • Percentage of devices with out-of-date software.  

• Operational KRIs:

  • Time to detect and respond to security incidents (MTTD, MTTR).  

  • Employee security awareness training completion rates.  

  • Number of security policy violations.  

  • Backup and disaster recovery testing frequency and success rates.

• Strategic KRIs:

  • Compliance with industry regulations (e.g., GDPR, HIPAA, PCI-DSS).  

  • Third-party vendor security risks.  

  • Changes in threat intelligence.  

  • The scope of the organization’s attack surface.

Importance:

• KRIs are essential for effective cybersecurity risk management.  

• They enable organizations to prioritize security efforts and allocate resources efficiently.  

• By proactively addressing potential risks, organizations can minimize the impact of cyberattacks.  

In essence, KRIs are vital for organizations seeking to strengthen their cybersecurity defenses and mitigate potential threats.  

Here's how ThreatNG can help with Key Risk Indicators (KRIs):

1. External Discovery

ThreatNG performs external unauthenticated discovery without needing connectors. This is crucial for KRIs because it provides a baseline understanding of an organization's attack surface as seen from an attacker's perspective. For example, discovering exposed subdomains or open ports can be a KRI for potential vulnerabilities.

2. External Assessment

ThreatNG offers various assessment ratings that directly relate to KRIs:

• Web Application Hijack Susceptibility: By analyzing externally accessible parts of a web application, ThreatNG helps identify potential entry points for attackers. A high susceptibility score is a KRI for web application compromise.

• Subdomain Takeover Susceptibility: ThreatNG analyzes subdomains, DNS records, and SSL certificate statuses to evaluate the risk of subdomain takeovers. High susceptibility here is a KRI indicating potential for attackers to control subdomains.

• BEC & Phishing Susceptibility: ThreatNG assesses this risk using sentiment, financials, domain intelligence, and dark web presence. For example, many domain name permutations available for registration are a KRI for potential phishing attacks.

• Brand Damage Susceptibility: This assessment uses attack surface intelligence, digital risk intelligence, ESG violations, sentiment, financials, and domain intelligence. Mentions in negative news or the availability of brand-related domain permutations are KRIs for potential brand damage.

• Data Leak Susceptibility: ThreatNG derives this from cloud and SaaS exposure, dark web presence, domain intelligence, and sentiment and financials. The presence of compromised credentials on the dark web is a KRI for potential data leaks.

• Cyber Risk Exposure: ThreatNG considers domain intelligence parameters like certificates, subdomain headers, vulnerabilities, and sensitive ports. Exposed sensitive ports are a KRI for increased cyber risk.

• Code Secret Exposure: ThreatNG discovers code repositories and their exposure level and checks for sensitive data. Exposed API keys in code repositories are a critical KRI.

• Cloud and SaaS Exposure: ThreatNG evaluates cloud services and SaaS solutions. Unsanctioned cloud services are KRIs.

• ESG Exposure: ThreatNG assesses ESG risks using sentiment analysis, financial analysis, and public information. Negative sentiment in media coverage related to environmental offenses is a KRI for ESG risk.

• Supply Chain & Third-Party Exposure: ThreatNG uses domain intelligence, technology stack, and cloud and SaaS exposure. The discovery of a vendor using vulnerable technology is a KRI for supply chain risk.

• Breach & Ransomware Susceptibility: This is derived from attack surface intelligence, digital risk intelligence, domain intelligence, dark web presence, and sentiment and financials. Ransomware gang activity is mentioned as a KRI for potential ransomware attacks.

• Mobile App Exposure: ThreatNG discovers mobile apps and analyzes their contents for sensitive information. Exposed API keys within mobile apps are a KRI.

3. Reporting

ThreatNG provides various reports, including executive, technical, prioritized, and security ratings reports. These reports help visualize and understand KRIs, enabling better communication and decision-making. For example, a prioritized report can highlight the most critical KRIs that need immediate attention.

4. Continuous Monitoring

ThreatNG continuously monitors external attack surfaces, digital risks, and security ratings. This is essential for KRIs as it allows for tracking changes over time. An increase in a KRI, such as the number of exposed vulnerabilities, can trigger alerts and prompt action.

5. Investigation Modules

ThreatNG's investigation modules provide detailed insights:

• Domain Intelligence: This module offers a domain overview, DNS intelligence, email intelligence, WHOIS intelligence, and subdomain intelligence. For instance, the Subdomain Intelligence feature identifies potential vulnerabilities, exposed IoT/OT ports, and databases, all valuable KRIs.

• Sensitive Code Exposure: This module discovers exposed code repositories and uncovers digital risks like exposed credentials and cryptographic keys. The discovery of credentials in code repositories is a high-risk KRI.

• Mobile Application Discovery: This module discovers mobile apps’ contents, highlighting potential risks like exposed credentials. Exposed AWS Access Key IDs in mobile apps are a KRI.

• Search Engine Exploitation: ThreatNG helps investigate an organization’s susceptibility to information exposure via search engines. The discovery of sensitive information through search engines is a KRI.

• Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services and SaaS implementations. Exposed cloud buckets are a KRI for potential data breaches.

• Online Sharing Exposure: ThreatNG identifies organizational presence within online code-sharing platforms. Code shared on public platforms is a KRI for potential intellectual property exposure.

• Sentiment and Financials: This module provides insights into lawsuits, layoff chatter, SEC filings, and ESG violations. SEC filings indicating increased risk disclosures are a KRI.

• Archived Web Pages: ThreatNG analyzes archived web pages for sensitive information. Archived pages containing admin credentials would be a KRI.

• Dark Web Presence: This module tracks mentions of related people, places, or things, associated ransomware events, and compromised credentials on the dark web. Mentions of compromised credentials on the dark web are a critical KRI.

• Technology Stack: This module identifies an organization's technologies. Using outdated or vulnerable technologies is a KRI.

6. Intelligence Repositories

ThreatNG uses intelligence repositories, including:

• Dark web data.

• Compromised credentials.

• Ransomware events and groups.

• Known vulnerabilities.

• ESG violations.

• Bug bounty programs.

• SEC Form 8-Ks.

• Bank Identification Numbers.

• Mobile Apps.

These repositories provide valuable context for assessing KRIs. For example, knowing that compromised credentials have appeared in a dark web repository increases the severity of that KRI.

7. Working with Complementary Solutions

The document does not explicitly detail ThreatNG working with complementary solutions. However, its comprehensive data and reporting capabilities suggest it can enhance other security tools:

• SIEM: ThreatNG's KRIs can be fed into a SIEM to correlate external risks with internal events for a more holistic view.

• Vulnerability Management Tools: ThreatNG's external vulnerability data can complement internal vulnerability scans to prioritize remediation efforts.

• Incident Response Platforms: KRIs related to breach susceptibility can help incident response teams prepare for potential incidents.