Observable Security Characteristics
Observable Security Characteristics are the attributes and behaviors of a system, network, or organization that can be perceived or measured and provide insights into its security posture. These characteristics can be used to assess the presence and effectiveness of security controls.
Here's a detailed explanation:
Attributes of Systems and Networks: This includes configurations, protocols, software versions, open ports, encryption methods, and access control settings. For example, whether a server uses HTTPS, or if a network has open ports that should be closed.
Behaviors: This refers to actions and responses, such as how a system responds to an unauthorized access attempt, patterns of network traffic, user authentication processes, and the speed of patching vulnerabilities. For instance, if a system locks out an account after several failed login attempts or if network traffic shows unusual data transfers.
Organizational Practices: This involves policies, procedures, and actions an organization takes, like how often they conduct security audits, employee security awareness training programs, and incident response plans, and how quickly they address reported vulnerabilities. For example, if a company has a policy that requires multi-factor authentication for remote access,
Detection and Assessment: Security professionals detect and assess observable security characteristics to understand the security level of a system, network, or organization.
Indicators: These characteristics indicate either strong security practices or potential weaknesses.
External vs. Internal: These characteristics can be observed externally (from the internet) and internally (within the organization's network), providing different perspectives on security.
ThreatNG excels at identifying and presenting an organization's Observable Security Characteristics, providing valuable insights into its security posture.
External Discovery: Revealing the Basics
ThreatNG's external discovery process is the first step in observing security characteristics. By performing unauthenticated discovery, it reveals fundamental attributes of the organization's external presence:
Websites and Applications: ThreatNG identifies which websites and applications are present and the technologies they use; both are observable characteristics.
Network Services: It detects open ports and exposed services (e.g., FTP, SSH), which are crucial observable security characteristics.
DNS Records: ThreatNG analyzes DNS records, revealing information about mail servers, subdomains, and other infrastructure.
External Assessment: Deep Dive into Observable Characteristics
ThreatNG's external assessment capabilities provide a much deeper look at observable security characteristics:
Web Application Characteristics: Assessments like "Web Application Hijack Susceptibility" analyze characteristics such as:
Presence of security headers (e.g., Content Security Policy, HTTP Strict Transport Security), which indicates that security controls are in place.
Presence of outdated software or vulnerable configurations.
Domain and Email Characteristics:
"Subdomain Takeover Susceptibility" reveals characteristics of subdomain configuration and DNS management.
"BEC & Phishing Susceptibility" assesses email security characteristics like SPF, DMARC, and DKIM records.
Network Characteristics:
ThreatNG observes which ports are open (e.g., only 80 and 443, or others), indicating network security practices.
It detects the presence of Web Application Firewalls (WAFs), a key security characteristic.
Code and Data Security Characteristics:
"Code Secret Exposure" reveals if code repositories contain exposed credentials or sensitive data.
"Cloud and SaaS Exposure" shows how cloud services and SaaS solutions are configured (e.g., exposed storage buckets).
Mobile App Characteristics:
The "Mobile App Exposure" assessment identifies sensitive data (e.g., API keys) within mobile apps.
Positive Security Indicators: ThreatNG identifies and highlights positive observable security characteristics, such as MFA or strong encryption.
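As an added illustration (example code, not ThreatNG's own logic, which this page does not describe), the following Python takes constructed external observations of the kinds listed above (security headers, SPF/DMARC records, open ports) and sorts them into positive indicators and weaknesses. The domain example.test, the header values and the port list are constructed sample input.

```python
# Constructed sample observations standing in for an external scan (not real data).
SAMPLE_HTTP_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Server": "Apache/2.4.49",  # a disclosed version string is itself observable
}
SAMPLE_DNS_TXT = {"example.test": ["v=spf1 include:_spf.example.test -all"],
                  "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"]}
SAMPLE_OPEN_PORTS = [22, 80, 443, 21]

def assess_headers(headers):
    """Web application characteristics: security headers present, version disclosure."""
    h = {k.lower(): v for k, v in headers.items()}
    pos, weak = [], []
    for name, label in [("strict-transport-security", "HSTS"), ("content-security-policy", "CSP")]:
        (pos if name in h else weak).append(f"{label} {'present' if name in h else 'missing'}")
    if any(ch.isdigit() for ch in h.get("server", "")):
        weak.append("Server header discloses a version")
    return pos, weak

def assess_email(txt, domain):
    """Email characteristics: SPF and DMARC records as published in DNS."""
    pos, weak = [], []
    spf = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if spf:
        pos.append("SPF published")
        if not spf[0].rstrip().endswith("-all"):
            weak.append("SPF does not end in -all (soft or no fail)")
    else:
        weak.append("SPF missing")
    if dmarc:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        policy = tags.get("p", "none")  # p=none only monitors; quarantine/reject enforce
        (pos if policy in ("quarantine", "reject") else weak).append(f"DMARC policy p={policy}")
    else:
        weak.append("DMARC missing")
    return pos, weak

def assess_ports(open_ports, expected=(80, 443)):
    """Network characteristics: anything beyond the expected web ports is flagged."""
    unexpected = sorted(p for p in open_ports if p not in expected)
    return ([], [f"Unexpected open ports: {unexpected}"]) if unexpected else (["Only expected web ports open"], [])

def assess_all(headers, txt, domain, open_ports):
    """Merge the per-area results into one posture summary."""
    areas = [assess_headers(headers), assess_email(txt, domain), assess_ports(open_ports)]
    return {"positive": [p for pos, _ in areas for p in pos],
            "weakness": [w for _, weak in areas for w in weak]}
```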
Reporting: Communicating the Observations
ThreatNG's reporting capabilities are crucial for presenting the observed security characteristics in a clear and actionable format. Reports use these observations to assess risk and prioritize remediation.
Continuous Monitoring: Tracking Changes
ThreatNG's continuous monitoring ensures that changes in observable security characteristics are detected promptly. This is vital because an organization's security posture can change rapidly.
Investigation Modules: Detailed Analysis
ThreatNG's investigation modules allow for in-depth analysis of observed security characteristics:
Domain Intelligence: This module provides detailed information about domain-related characteristics, such as DNS records, subdomains, and email configuration.
Code Intelligence: The "Sensitive Code Exposure" module allows for deep dives into the characteristics of code repositories.
Cloud and SaaS Intelligence: The "Cloud and SaaS Exposure" module provides detailed information about the organization's use of cloud services.
Intelligence Repositories: Contextualizing Observations
ThreatNG's intelligence repositories provide context for the observed security characteristics. For example, vulnerability data helps assess the risk associated with outdated software.
Working with Complementary Solutions
ThreatNG's observations can be integrated with other security tools to enhance their effectiveness:
SIEM: ThreatNG's data can enrich SIEM alerts with external context.
Vulnerability Management: ThreatNG's external view complements internal vulnerability scanning.
ThreatNG is a powerful tool for identifying, analyzing, and using observable security characteristics to improve an organization's security posture.