Tradecraft
In the context of cybersecurity, "tradecraft" refers to the techniques, tactics, and procedures (TTPs) used by both cyber attackers (adversaries) and cyber defenders. It encompasses the skills and methods employed to achieve specific objectives in the digital realm. Here's a breakdown:
For Cyber Adversaries:
Offensive Tradecraft:
This involves the methods used by threat actors to compromise systems, steal data, and disrupt operations.
Examples include:
Malware development and deployment.
Social engineering and phishing.
Exploiting software vulnerabilities.
Credential theft and lateral movement.
Evasion techniques to bypass security controls.
Data exfiltration.
Offensive tradecraft is the ongoing development and adaptation of these techniques to bypass whatever security controls are in place.
For Cyber Defenders:
Defensive Tradecraft:
This involves the methods used by cybersecurity professionals to protect systems and data from attacks.
Examples include:
Threat intelligence gathering and analysis.
Vulnerability management and patching.
Incident response and forensics.
Security monitoring and intrusion detection.
Developing and implementing security policies.
Using tools to detect and stop malicious activity.
Defensive tradecraft likewise demands continual learning and refinement of techniques, because adversaries change theirs in response to whatever controls are working.
Cybersecurity tradecraft is about the "how" of cyber operations, whether offensive or defensive. It's the practical application of knowledge and skills in the ever-evolving landscape of cyber threats.
Here's how ThreatNG helps with cybersecurity tradecraft:
ThreatNG excels at external discovery. It can perform purely external unauthenticated discovery, meaning it doesn't need internal connectors to find information about an organization's attack surface. This is crucial for understanding an organization's security posture from an attacker's perspective.
ThreatNG provides a wide range of external assessment capabilities, offering various security ratings:
Web Application Hijack Susceptibility: ThreatNG analyzes externally accessible parts of web applications to find potential entry points for attackers. It uses domain intelligence to support this assessment.
Subdomain Takeover Susceptibility: ThreatNG assesses the risk of subdomain takeovers by analyzing subdomains, DNS records, SSL certificate statuses, and other domain intelligence factors.
BEC & Phishing Susceptibility: ThreatNG derives this from sentiment and financial findings, domain intelligence (domain name permutations, available Web3 domains, and email intelligence), and dark web presence (compromised credentials).
Brand Damage Susceptibility: This is derived from attack surface intelligence, digital risk intelligence, ESG violations, sentiment and financials (lawsuits, SEC filings, SEC Form 8-Ks, and negative news), and domain intelligence (domain name permutations and available Web3 domains).
Data Leak Susceptibility: ThreatNG derives this from external attack surface and digital risk intelligence based on cloud and SaaS exposure, dark web presence (compromised credentials), domain intelligence, and sentiment and financials (lawsuits and SEC Form 8-Ks). For example, it discovers code repositories, determines their exposure level, and checks them for sensitive data; it also evaluates cloud services and SaaS solutions.
Cyber Risk Exposure: ThreatNG considers parameters from its Domain Intelligence module, such as certificates, subdomain headers, vulnerabilities, and sensitive ports.
ESG Exposure: ThreatNG evaluates an organization's vulnerability to ESG risks using external attack surface and digital risk intelligence, sentiment, and financial findings. It analyzes media coverage, economic data, and public information to highlight competition, consumer issues, employment, environmental concerns, and more.
Supply Chain & Third-Party Exposure: This is derived from domain intelligence (enumeration of vendor technologies), technology stack analysis, and cloud and SaaS exposure.
Breach & Ransomware Susceptibility: ThreatNG calculates this based on external attack surface and digital risk intelligence, including domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events and gang activity), and sentiment and financials (SEC Form 8-Ks).
Mobile App Exposure: ThreatNG discovers an organization’s mobile apps in marketplaces and analyzes them for access credentials, security credentials, and platform-specific identifiers. For example, it checks for the presence of API keys, passwords in URLs, and private keys within the apps.
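The Subdomain Takeover Susceptibility rating above rests on a simple triage: for every subdomain whose DNS answer is a CNAME, check whether the target still resolves and, if it points at a third-party platform, whether the platform answers with its "unclaimed resource" page. The script below is an added example written for this page, not ThreatNG's code. The subdomain inventory, resolver results and HTTP bodies are constructed inline so it runs offline, and the provider fingerprints are illustrative assumptions rather than a maintained list.

```python
"""Dangling-CNAME triage for subdomain takeover susceptibility.

Added example, not ThreatNG code. The subdomain inventory, resolver results
and HTTP bodies are constructed inline so it runs offline; in an assessment
they come from DNS enumeration plus a GET against each CNAME'd subdomain.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Illustrative "unclaimed resource" fingerprints for services that let anyone
# register a name under their domain. Assumed here for the example; a real list
# is maintained from observed responses and changes as providers change pages.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "s3.amazonaws.com": "NoSuchBucket",
    "herokuapp.com": "No such app",
}


@dataclass(frozen=True)
class Finding:
    subdomain: str
    target: str
    severity: str  # "high" or "info"
    reason: str


def service_for(target: str) -> Optional[str]:
    """Return the fingerprinted provider suffix the CNAME target falls under, if any."""
    for suffix in FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def classify(subdomain: str, cname: str, resolves: bool, body: str) -> Optional[Finding]:
    """One record -> Finding or None. `resolves` is whether the CNAME target has an A/AAAA answer."""
    provider = service_for(cname)
    if not resolves:
        # The target name no longer exists. If its registrable domain has lapsed, or the
        # provider lets the name be (re)created, the subdomain is claimable by anyone.
        return Finding(subdomain, cname, "high", "dangling CNAME: target does not resolve")
    if provider and FINGERPRINTS[provider] in body:
        return Finding(subdomain, cname, "high", f"unclaimed resource on {provider} (fingerprint matched)")
    if provider:
        return Finding(subdomain, cname, "info", f"delegated to {provider}; claimed now, re-check on each scan")
    return None  # first-party or unrecognised target serving live content: nothing to report


def triage(records: Iterable[tuple]) -> List[Finding]:
    """records: (subdomain, cname, resolves, body). Returns findings, highest severity first."""
    rank = {"high": 0, "info": 1}
    findings = [f for f in (classify(*r) for r in records) if f is not None]
    return sorted(findings, key=lambda f: (rank[f.severity], f.subdomain))


# Constructed inventory for example.com (not real records).
SAMPLE_RECORDS = [
    ("docs.example.com", "example-org.github.io", True, "<h1>404</h1> There isn't a GitHub Pages site here."),
    ("assets.example.com", "assets-example.s3.amazonaws.com", True, "<Error><Code>NoSuchBucket</Code></Error>"),
    ("app.example.com", "example-prod.herokuapp.com", True, "<html>Welcome</html>"),
    ("old.example.com", "cdn.retired-vendor.example", False, ""),
    ("www.example.com", "lb.example.com", True, "<html>Example</html>"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.subdomain} -> {f.target}: {f.reason}")
```

Two points matter in practice: a CNAME to a provider that currently serves real content is still worth recording at "info" severity, because the resource can be deleted later while the DNS record stays behind, and a target that does not resolve at all needs a human to check whether the registrable domain is actually available before it is reported as a takeover.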
ThreatNG provides various reports, including executive, technical, prioritized, security ratings, inventory, ransomware susceptibility, and U.S. SEC filings.
ThreatNG continuously monitors external attack surface, digital risk, and security ratings.
ThreatNG includes investigation modules, such as Domain Intelligence, to provide in-depth information:
Domain Overview: Provides a digital presence word cloud, Microsoft Entra Identification and Domain Enumeration, and Bug Bounty Programs.
DNS Intelligence: Includes domain record analysis (IP identification, vendors, and technology identification), domain name permutations (taken and available), and Web3 domains (taken and available).
Email Intelligence: Provides security presence (DMARC, SPF, and DKIM records), format predictions, and harvested emails.
WHOIS Intelligence: Includes WHOIS analysis and identification of other domains owned.
Subdomain Intelligence: Offers HTTP responses, header analysis (security and deprecated headers), server headers (technologies), cloud hosting information, website builders, e-commerce platforms, content management systems, and more. It also assesses subdomain takeover susceptibility, content identification (admin pages, APIs, development environments, etc.), ports (IoT/OT, industrial control systems, databases, remote access services), known vulnerabilities, and web application firewall discovery. For example, it can identify exposed webcams, database servers, and remote access services.
IP Intelligence: Provides IPs, shared IPs, ASNs, country locations, and private IPs.
Certificate Intelligence: Includes TLS certificates (status, issuers, active, certs without subdomains, subdomains without certificates) and associated organizations (domains, certificates, and emails).
Social Media: Shows posts from the organization, including content copy, hashtags, links, and tags.
Sensitive Code Exposure: ThreatNG discovers public code repositories and uncovers digital risks, including exposed credentials, tokens, keys, and configuration files. For example, it can find AWS credentials, private SSH keys, database configuration files, and API keys within code repositories.
Mobile Application Discovery: ThreatNG discovers mobile apps in marketplaces and analyzes their contents for access credentials, security credentials, and platform-specific identifiers.
Search Engine Exploitation: ThreatNG helps investigate an organization’s susceptibility to exposing sensitive information via search engines. It discovers website control files like robots.txt and security.txt, and it assesses the search engine attack surface for potential vulnerabilities. For example, it can identify exposed admin directories, potentially sensitive information, and susceptible files.
Cloud and SaaS Exposure: ThreatNG identifies sanctioned and unsanctioned cloud services, cloud service impersonations, and open exposed cloud buckets. It also identifies SaaS implementations associated with the organization, such as business intelligence tools, collaboration platforms, CRM systems, and more. For example, it can find exposed AWS S3 buckets and identify the use of Salesforce and Slack.
Online Sharing Exposure: ThreatNG identifies an organization's presence within online code-sharing platforms like Pastebin and GitHub Gist.
Sentiment and Financials: ThreatNG provides information on organizational lawsuits, layoff chatter, SEC filings, and ESG violations.
Archived Web Pages: ThreatNG retrieves archived web pages, including various file types, directories, subdomains, and usernames.
Dark Web Presence: ThreatNG monitors for organizational mentions, associated ransomware events, and compromised credentials on the dark web.
Technology Stack: ThreatNG identifies an organization's technologies, such as accounting tools, analytics platforms, CMS, CRM systems, databases, etc.
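The Email Intelligence module above reports the "security presence" of a domain, i.e. whether SPF and DMARC are published and how strictly they are set, which is also an input to the BEC & Phishing Susceptibility rating. The following is an added example written for this page, not ThreatNG's code, showing what such a check evaluates: it parses the SPF record for its terminal "all" qualifier and its DNS-lookup count, and the DMARC record for policy, subdomain policy, percentage and reporting address. The zone data is a constructed dictionary so the script runs offline; the domains and records in it are assumptions. DKIM is deliberately not checked here, because DKIM keys live under a selector name that an external party has to know or guess.

```python
"""SPF and DMARC posture check of the kind an email-intelligence module performs.

Added example, not ThreatNG code. DNS answers come from a constructed dict so it
runs offline; for live use replace lookup() with a resolver call, e.g.
dns.resolver.resolve(name, "TXT") from dnspython.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data (assumed, not real): name -> TXT strings
SAMPLE_DNS: Dict[str, List[str]] = {
    "good.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example -all",
                     "site-verification=abc123"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:_spf.mail-provider.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "none.example": ["site-verification=xyz789"],
}


def lookup(name: str, dns: Dict[str, List[str]]) -> List[str]:
    return dns.get(name.lower(), [])


def parse_spf(txt: List[str]) -> Tuple[Optional[str], List[str]]:
    """Return (spf_record, issues). Lookup counting follows the RFC 7208 limit of 10."""
    records = [r for r in txt if r.lower().startswith("v=spf1")]
    if not records:
        return None, ["no SPF record: any host may send mail claiming this domain"]
    issues: List[str] = []
    if len(records) > 1:
        issues.append("multiple SPF records: receivers treat this as a permanent error")
    record = records[0]
    lookups, all_qualifier = 0, None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        t = term.lower().lstrip("+-~?")
        if t == "all":
            all_qualifier = qualifier
        elif t.startswith(("include:", "exists:", "redirect=")) or t.split(":")[0].split("/")[0] in ("a", "mx", "ptr"):
            lookups += 1  # mechanisms that cost a DNS query (ip4/ip6 do not)
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10 (permerror)")
    weak = {None: "no 'all' mechanism: unlisted senders get a neutral result",
            "+": "'+all' authorises every host on the internet",
            "?": "'?all' is neutral: SPF provides no protection",
            "~": "'~all' softfail: relies on DMARC to act on spoofed mail"}
    if all_qualifier in weak:
        issues.append(weak[all_qualifier])
    return record, issues


def parse_dmarc(txt: List[str]) -> Tuple[Optional[dict], List[str]]:
    """Return (tag dict, issues) for the DMARC record published at _dmarc.<domain>."""
    records = [r for r in txt if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not records:
        return None, ["no DMARC record: mail failing SPF/DKIM alignment is still delivered"]
    tags: Dict[str, str] = {}
    for part in records[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    issues: List[str] = []
    p = tags.get("p", "none").lower()
    if p == "none":
        issues.append("p=none: monitoring only, spoofed mail is not quarantined or rejected")
    elif tags.get("sp", p).lower() == "none":
        issues.append("sp=none: subdomains are exempt from the enforced policy")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")
    return tags, issues


def assess(domain: str, dns: Dict[str, List[str]]) -> dict:
    """Combine both checks; 'enforcing' means spoofed mail is actually acted on."""
    spf, spf_issues = parse_spf(lookup(domain, dns))
    dmarc, dmarc_issues = parse_dmarc(lookup("_dmarc." + domain, dns))
    enforcing = spf is not None and dmarc is not None and dmarc.get("p", "none").lower() in ("quarantine", "reject")
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "issues": spf_issues + dmarc_issues, "enforcing": enforcing}


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "none.example"):
        result = assess(d, SAMPLE_DNS)
        print(d, "enforcing" if result["enforcing"] else "NOT enforcing", result["issues"])
```

The "enforcing" flag is the figure that matters for phishing susceptibility: SPF with "~all" and DMARC "p=none" is the most common real-world combination, and it provides no protection against a spoofed From address, only visibility if aggregate reports are collected.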
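Both the Mobile App Exposure rating and the Sensitive Code Exposure module above come down to scanning file contents for credential shapes: AWS access key IDs, PEM private-key blocks, passwords embedded in connection URLs, and quoted values assigned to names like api_key or token. The script below is an added example written for this page, not ThreatNG's scanner. It applies those pattern checks, falls back to a Shannon-entropy test for bare KEY=VALUE lines that have no recognisable shape, suppresses documentation placeholders (including AWS's published sample keys) to keep noise down, and redacts matched values so the report itself does not leak them. The repository contents are constructed inline; the file names and values are assumptions, not findings from any real repository.

```python
"""Secret scanning over repository contents, of the kind a sensitive-code or
mobile-app exposure check performs.

Added example, not ThreatNG code. The file contents below are constructed
inline so the script runs offline; feed scan_repository() real contents from a
cloned repository or an unpacked APK/IPA for actual use.
"""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str  # value with most characters masked, safe to put in a report


# Checked in order; the first pattern that matches a line wins. AWS access key IDs
# and PEM headers are public formats; the URL and assignment patterns are heuristics.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("password_in_url", re.compile(r"[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s@/]+)@", re.I)),
    ("secret_assignment", re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]")),
]
# Fallback for bare KEY=VALUE lines: long, high-entropy values with no recognisable shape.
ASSIGNMENT = re.compile(r"^\s*[A-Za-z_][A-Za-z0-9_.-]*\s*[:=]\s*['\"]?([^'\"\s]+)['\"]?\s*$")
ENTROPY_MIN_LEN, ENTROPY_THRESHOLD = 20, 4.0
# Values containing these are treated as documentation placeholders, not live secrets.
PLACEHOLDER_MARKERS = ("example", "changeme", "your", "placeholder", "dummy", "xxxx", "<")


def shannon_entropy(s: str) -> float:
    """Bits per character: random key material scores above ~4, prose and identifiers well below."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return any(marker in v for marker in PLACEHOLDER_MARKERS)


def redact(value: str) -> str:
    """Keep a short prefix so a reviewer can locate the value without the report leaking it."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 8 else "*" * len(value)


def scan_text(path: str, text: str) -> List[Hit]:
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind, value = None, None
        for name, pat in PATTERNS:
            m = pat.search(line)
            if m:
                kind, value = name, (m.group(1) if m.groups() else m.group(0))
                break
        if kind is None:
            m = ASSIGNMENT.match(line)
            if not m or len(m.group(1)) < ENTROPY_MIN_LEN or shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                continue
            kind, value = "high_entropy_value", m.group(1)
        if is_placeholder(value):
            continue  # documented sample credential, not a finding
        hits.append(Hit(path, lineno, kind, redact(value)))
    return hits


def scan_repository(files: Dict[str, str]) -> List[Hit]:
    return [h for path, text in files.items() for h in scan_text(path, text)]


# Constructed repository contents (assumed, not from any real project).
SAMPLE_FILES = {
    "config/database.yml": "production:\n  adapter: postgresql\n  url: postgres://app:Sup3rS3cretPw@db.internal:5432/app\n",
    "deploy/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"  # AWS's documented sample key: filtered as a placeholder
        "AWS_ACCESS_KEY_ID_PROD=AKIAQ3M7X2LP9Z4T8C1B\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"  # AWS's documented sample secret
        "DB_TOKEN=9f3kQ2xL7mZp4Vb8nR1tW6yC0hJ5dG\n"
    ),
    "scripts/upload.py": 'API_KEY = "q2Tz8v0Kp3LmN7rX4wB1"\nTIMEOUT = 30\n',
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": 'Set API_KEY="<your-api-key>" before running.\n',
}

if __name__ == "__main__":
    for h in scan_repository(SAMPLE_FILES):
        print(f"{h.path}:{h.line} {h.kind} {h.redacted}")
```

The entropy fallback is what catches the DB_TOKEN line, which no name-based pattern recognises; the placeholder filter is what keeps the two AWS documentation values and the README snippet out of the report. Both are tuning knobs: lowering the entropy threshold or shortening the marker list trades more findings for more triage work.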
ThreatNG uses various intelligence repositories, including:
Working with Complementary Solutions
The document does not explicitly detail ThreatNG's direct integrations with specific complementary solutions. However, its capabilities suggest it can work alongside various security tools:
SIEM Systems: ThreatNG's reporting and continuous monitoring can feed data into SIEM systems for centralized security management and analysis.
Vulnerability Management Tools: ThreatNG's vulnerability findings can complement vulnerability management tools by providing context for external attack surfaces.
Incident Response Platforms: ThreatNG's intelligence on dark web activity, compromised credentials, and ransomware events can aid incident response teams in investigations.
By providing comprehensive external attack surface management, digital risk protection, and security ratings, ThreatNG significantly enhances an organization's cybersecurity tradecraft.