Out-of-Band Indicators


In cybersecurity, "out-of-band indicators" refer to security-relevant information or signals obtained or communicated through channels separate from a system or network's standard communication channels or data streams. These indicators exist outside the primary path of data exchange.

Here's a more detailed explanation:

  • Separate Channels: Out-of-band indicators are distinct from the main communication flow. This separation can provide advantages in terms of security and reliability.

  • Examples:

    • Human Intelligence (HUMINT): Information obtained from individuals, such as suspicious activity reports or insider knowledge, is a classic example of out-of-band intelligence.

    • Open Source Intelligence (OSINT): Data gathered from publicly available sources, such as news articles, social media, or online forums, can provide out-of-band context for security events.

    • Threat Intelligence Feeds: Commercial or community-driven feeds that provide information about known threats, attacker tactics, and indicators of compromise (IOCs) are out-of-band security information sources.

    • Physical Security: Observations from security cameras, access control logs, or on-site personnel are out-of-band indicators of physical security breaches.

  • Benefits:

    • Circumventing Compromise: Because out-of-band indicators come from separate channels, they can remain reliable even if an attacker compromises the primary communication channel.

    • Adding Context: Out-of-band information often provides valuable context that can help security professionals better understand and respond to security events.

  • Use Cases:

    • Validating Alerts: Out-of-band information can be used to confirm or refute alerts generated by security systems.

    • Threat Hunting: Security analysts proactively use out-of-band intelligence to search for signs of malicious activity.

    • Incident Response: Out-of-band data can provide crucial information for investigating and responding to security incidents.

In simpler terms, out-of-band indicators are the security "clues" you gather from sources outside the system you're trying to protect.

ThreatNG effectively uses out-of-band indicators to enrich its understanding of an organization's security posture. While its core function is external assessment, it incorporates various out-of-band data sources to provide more comprehensive and accurate results.

External Discovery and Assessment: The Foundation

ThreatNG's external discovery and assessment capabilities lay the groundwork for using out-of-band indicators. They identify the organization's external-facing assets, which serve as the context for out-of-band analysis. For example, discovering a web server is the first step before using out-of-band threat intelligence to assess its risk.

Out-of-Band Indicators in ThreatNG

Here are the key ways ThreatNG incorporates out-of-band indicators:

  • Intelligence Repositories: ThreatNG's intelligence repositories are a primary source of out-of-band information. They include:

    • Dark Web Presence: Information about compromised credentials or ransomware events related to the organization, gathered from dark web sources, provides out-of-band context about potential threats.

    • Known Vulnerabilities: Data on known vulnerabilities, separate from the organization's specific configuration, is an out-of-band indicator of potential weaknesses.

    • ESG Violations: Information on environmental, social, and governance (ESG) violations provides out-of-band context for assessing an organization's overall risk profile.

    • SEC Filings: SEC filings (especially 8-K forms) are out-of-band indicators of security incidents or risk disclosures for publicly traded companies.

  • Sentiment and Financials: This module uses out-of-band data, such as lawsuits, layoff chatter, and news, to assess potential risks to the organization's brand and financial stability.

  • Mobile App Discovery: Information about an organization's mobile apps' presence in various app stores is an out-of-band source of information for assessing mobile app security.

How ThreatNG Uses Out-of-Band Indicators

ThreatNG uses out-of-band indicators to:

  • Enrich Assessments: Out-of-band data adds context to ThreatNG's external assessments. For example, knowing that an organization's credentials have been compromised on the dark web increases the severity of any externally facing vulnerabilities.

  • Validate Findings: Out-of-band information can validate or refute findings from external scans. For instance, if ThreatNG detects a potential vulnerability, threat intelligence feeds can confirm whether attackers are actively exploiting it.

  • Identify Broader Risks: Out-of-band indicators, such as ESG violations or financial instability, can reveal risks that might not be apparent from technical scans alone.
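The enrichment and validation steps just listed, together with the "Validating Alerts" and "Threat Hunting" use cases earlier on the page, come down to one routine: take a finding from the in-band scan and adjust its severity using evidence that arrived on a separate channel. The following is an added example written for this page, not ThreatNG's code or API; the finding fields, the four-level severity scale, the shape of the indicator sets, the vulnerability identifiers and the sample hosts are all constructed assumptions.

```python
from dataclasses import dataclass, field, replace

# Ordered severity scale, lowest first (assumed for the example).
SEVERITY = ["low", "medium", "high", "critical"]


@dataclass
class Finding:
    """One result from an external (in-band) scan of a discovered asset."""
    asset: str          # externally discovered host that gives the finding its context
    vuln_id: str        # weakness identifier reported by the scanner (constructed ids below)
    severity: str       # scanner's own rating before enrichment
    reasons: list = field(default_factory=list)  # out-of-band evidence applied, for the analyst


@dataclass
class OutOfBandIntel:
    """Indicators that arrive outside the scan path: feeds and dark-web monitoring."""
    exploited_vulns: set              # vuln ids a threat feed reports as actively exploited
    leaked_credential_assets: set     # assets whose credentials were seen on the dark web
    ransomware_activity: bool = False  # dark-web chatter naming the organization


def bump(severity: str, steps: int = 1) -> str:
    """Raise a severity by `steps` levels, capped at the top of the scale."""
    idx = min(SEVERITY.index(severity) + steps, len(SEVERITY) - 1)
    return SEVERITY[idx]


def enrich(finding: Finding, intel: OutOfBandIntel) -> Finding:
    """Return a copy of the finding whose severity reflects out-of-band context."""
    out = replace(finding, reasons=list(finding.reasons))
    # Validate: a feed confirming active exploitation means the scan result stands and escalates.
    if out.vuln_id in intel.exploited_vulns:
        out.severity = bump(out.severity)
        out.reasons.append("threat feed: actively exploited")
    # Enrich: exposed credentials for this asset make any weakness on it more dangerous.
    if out.asset in intel.leaked_credential_assets:
        out.severity = bump(out.severity)
        out.reasons.append("dark web: credentials for this asset exposed")
    # Broader risk: ransomware chatter about the organization raises every finding one level.
    if intel.ransomware_activity:
        out.severity = bump(out.severity)
        out.reasons.append("dark web: ransomware activity naming the organization")
    return out


def prioritize(findings, intel):
    """Enrich every finding and return them ordered from most to least severe."""
    enriched = [enrich(f, intel) for f in findings]
    # sorted() is stable, so findings of equal severity keep their scan order.
    return sorted(enriched, key=lambda f: SEVERITY.index(f.severity), reverse=True)


def sample_run():
    """Constructed sample data; returns the prioritized list for inspection."""
    findings = [
        Finding("www.example.com", "VULN-A", "medium"),
        Finding("vpn.example.com", "VULN-B", "high"),
        Finding("mail.example.com", "VULN-C", "low"),
    ]
    intel = OutOfBandIntel(
        exploited_vulns={"VULN-B"},
        leaked_credential_assets={"www.example.com", "vpn.example.com"},
        ransomware_activity=False,
    )
    return prioritize(findings, intel)


if __name__ == "__main__":
    for f in sample_run():
        evidence = "; ".join(f.reasons) or "no out-of-band evidence"
        print(f"{f.severity.upper():9} {f.asset:18} {f.vuln_id}  [{evidence}]")
```

Each severity change is recorded in `reasons`, so an analyst reviewing the enriched finding can see which out-of-band source moved it and check that source independently; the original scan result is never modified, which keeps the in-band evidence and the out-of-band context separable if a feed later turns out to be wrong.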

Examples of ThreatNG Using Out-of-Band Indicators

  • ThreatNG's "Breach & Ransomware Susceptibility" assessment uses out-of-band information from the dark web about ransomware events and gang activity to assess the likelihood of an attack.

  • The "Sentiment and Financials" module uses SEC filings as an out-of-band indicator to assess the organization's risk disclosure practices and the potential financial impacts of security incidents.

Working with Complementary Solutions

ThreatNG's use of out-of-band indicators enhances its ability to work with other security solutions:

  • SIEM: ThreatNG can feed its findings, including those enriched with out-of-band data, into a SIEM to provide a more comprehensive view of security threats.

  • Threat Intelligence Platforms: ThreatNG's intelligence repositories can be integrated with external threat intelligence platforms to share and correlate out-of-band threat data.

ThreatNG effectively incorporates out-of-band indicators to provide a more comprehensive, contextualized, and accurate assessment of an organization's external security posture.
