
Cyber Threat Intelligence (CTI) is a critical cybersecurity use case that involves collecting, processing, and analyzing information about potential and current threats to an organization's assets. The goal of CTI is to understand the adversary's motives, capabilities, and plans, enabling organizations to make informed decisions about their security posture and proactively defend against attacks. CTI provides context to security incidents, helps prioritize vulnerabilities, and supports strategic security planning.
ThreatNG, as an all-in-one external attack surface management, digital risk protection, and security ratings solution, can significantly contribute to an organization's CTI efforts through its various capabilities.
ThreatNG's Role in Cyber Threat Intelligence:
1. External Discovery: ThreatNG's ability to perform purely external, unauthenticated discovery is foundational for CTI. It identifies an organization's digital footprint from an attacker's perspective, without requiring any internal connectors. This external view is crucial for understanding what information an adversary can gather about a target, providing valuable intelligence on potential attack vectors. For example, ThreatNG can discover previously unknown or forgotten assets, shadow IT, or misconfigured public-facing systems that an attacker could leverage for initial access.
2. External Assessment:
ThreatNG's comprehensive external assessments provide detailed intelligence on various susceptibility points, directly contributing to CTI by highlighting exploitable weaknesses.
Web Application Hijack Susceptibility: This assessment provides intelligence on parts of a web application accessible from the outside, helping to identify potential entry points for attackers. For instance, ThreatNG might identify an exposed administrative interface or a vulnerable API endpoint on a web application, providing CTI analysts with specific information on how an attacker could gain unauthorized access.
Subdomain Takeover Susceptibility: ThreatNG assesses a website's susceptibility to subdomain takeovers by examining its subdomains, DNS records, and SSL certificate statuses. CTI teams can use this to identify abandoned subdomains that attackers could hijack to host malicious content, conduct phishing campaigns, or further compromise an organization's brand.
BEC & Phishing Susceptibility: ThreatNG derives this susceptibility from sentiment and financials, domain intelligence (including DNS intelligence capabilities such as domain name permutations and Web3 domains), and email intelligence for security presence and format prediction, as well as dark web presence (including compromised credentials). This helps CTI identify an organization's vulnerability to business email compromise (BEC) and phishing attacks by revealing exposed email formats, available domain name permutations for spoofing, or if employee credentials are found on the dark web, all of which are critical indicators of potential social engineering targets.
Brand Damage Susceptibility: This is derived from attack surface intelligence, digital risk intelligence, ESG violations, sentiment and financials (lawsuits, SEC filings, 8-Ks, negative news), and domain intelligence (domain name permutations and Web3 domains). CTI analysts can use this to understand how hostile adversaries might utilize news or exposed domain permutations for brand impersonation or to spread disinformation, potentially leading to reputational damage.
Data Leak Susceptibility: ThreatNG assesses this based on cloud and SaaS exposure, dark web presence (including compromised credentials), domain intelligence (DNS and email intelligence), and sentiment and financials (including lawsuits and SEC Form 8-Ks). For CTI, this means identifying areas where sensitive data might be exposed, such as misconfigured cloud storage buckets, leaked credentials, or mentions in legal documents, and providing intelligence on potential data exfiltration points.
Cyber Risk Exposure: This considers certificates, subdomain headers, vulnerabilities, and sensitive ports. It also factors in code secret exposure (discovering code repositories and sensitive data within them), cloud and SaaS exposure, and compromised credentials on the dark web. CTI professionals can use this to pinpoint specific technical vulnerabilities that attackers are likely to exploit, such as open ports, unpatched software, or hardcoded credentials in public code repositories. For instance, if ThreatNG identifies an exposed SSH port with weak authentication, CTI can flag this as a high-priority risk.
ESG Exposure: ThreatNG rates an organization based on discovered environmental, social, and governance (ESG) violations, analyzing areas like competition, consumer, employment, environment, financial, government contracting, healthcare, and safety-related offenses. While seemingly indirect, this can provide CTI insights into potential motivations for hacktivist groups or politically motivated attacks, or identify areas of public discontent that could be leveraged in social engineering campaigns.
Supply Chain & Third Party Exposure: This is derived from domain intelligence (enumeration of vendor technologies from DNS and subdomains), technology stack, and cloud and SaaS exposure. CTI can use this to understand the risks posed by an organization's supply chain, identifying vulnerable third-party vendors or shared technologies that could serve as an indirect attack vector. For example, if a key supplier uses a known vulnerable version of a standard web server, ThreatNG would flag it, providing intelligence on potential supply chain attacks.
Breach & Ransomware Susceptibility: This is calculated based on external attack surface and digital risk intelligence, including domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials, ransomware events, and gang activity), and sentiment and financials (SEC Form 8-Ks). This directly informs CTI about an organization's susceptibility to breaches and ransomware, providing intelligence on whether their credentials are compromised, if they have exposed critical services, or if there's activity by ransomware gangs mentioning them.
Mobile App Exposure: ThreatNG assesses the exposure of an organization’s mobile apps through market discovery and by verifying their content for access credentials, security credentials, and platform-specific identifiers. CTI can use this to identify mobile applications that might contain hardcoded API keys, exposed private keys, or other sensitive information, which attackers could use to compromise backend systems or user accounts.
Positive Security Indicators: This feature identifies and highlights security strengths, such as Web Application Firewalls or multi-factor authentication, validating their effectiveness from an external attacker's perspective. For CTI, this provides a more comprehensive view of an organization's security posture, helping to understand not only weaknesses but also existing controls that may deter or mitigate specific threats.
3. Reporting:
ThreatNG offers various reports (Executive, Technical, Prioritized, Security Ratings, Inventory, Ransomware Susceptibility, U.S. SEC Filings, and External GRC Assessment Mappings). These reports are crucial for CTI, as they consolidate discovery and assessment findings into actionable intelligence, enabling CTI analysts to quickly identify the most critical risks and communicate them effectively to stakeholders. For instance, a Prioritized report would highlight high-risk vulnerabilities, enabling the CTI team to focus on the most impactful threats first.
4. Continuous Monitoring:
The continuous monitoring of an organization's external attack surface, digital risk, and security ratings provided by ThreatNG ensures that CTI is always up-to-date with emerging threats and changes in the attack surface. This continuous stream of information enables CTI teams to detect new exposures or vulnerabilities as soon as they appear, allowing for a proactive defense strategy. For example, if a new subdomain is deployed without proper security configurations, continuous monitoring would alert the CTI team, enabling them to address the issue before an attacker exploits it.
5. Investigation Modules: ThreatNG's investigation modules offer deep-dive capabilities essential for granular CTI analysis.
Domain Intelligence: This module provides a comprehensive view of an organization's digital presence.
Domain Overview: This includes a digital presence word cloud, Microsoft Entra identification, domain enumeration, bug bounty programs, and related SwaggerHub instances. CTI can use this to understand the breadth of an organization's online presence, identify potential misconfigurations in Entra ID, or find exposed API documentation that could reveal attack paths.
DNS Intelligence: Offers domain record analysis (IP identification, vendors, and technology), domain name permutations (taken and available), and Web3 domains (taken and available). This helps CTI identify potential spoofing domains, understand the underlying infrastructure, and uncover instances of shadow IT. For example, if a lookalike domain is registered that could be used for phishing, DNS intelligence would reveal it.
Email Intelligence: Provides security presence (DMARC, SPF, DKIM records), format predictions, and harvested emails. CTI can leverage this to assess an organization's susceptibility to email-based attacks by checking the strength of its email security protocols and identifying any exposed employee email addresses.
WHOIS Intelligence: Includes WHOIS analysis and other domains owned by the same entity. This allows CTI to uncover potentially related infrastructure that might not be directly linked to the primary organization but could be part of a broader attack surface.
Subdomain Intelligence: Covers HTTP responses, header analysis, server headers (technologies), cloud hosting, website builders, e-commerce platforms, CMS, CRM, email marketing, communication and marketing, landing page builders, sales enablement, online course platforms, help desk software, knowledge base software, customer feedback platforms, code repositories, API management, developer tools, documentation platforms, product management, video hosting, blogging platforms, podcast hosting, digital publishing, photo sharing, content experience, translation management, brand management, website monitoring, status communication, survey platforms, project management, shipment tracking. It also covers subdomain takeover susceptibility, content identification (admin pages, APIs, development environments, VPNs, errors, applications, JavaScript, emails, and phone numbers), ports (IoT/OT, industrial control systems, databases, and remote access services), known vulnerabilities, and WAF discovery. This is a treasure trove for CTI, enabling them to map out the entire subdomain landscape, identify technologies in use (which can indicate known vulnerabilities), pinpoint exposed sensitive pages (like admin logins), and discover open ports that attackers might target. For example, if a subdomain hosts an outdated version of WordPress, ThreatNG would highlight it, and CTI could then research known vulnerabilities for that specific version.
IP Intelligence: Provides information on IPs, shared IPs, ASNs, country locations, and private IPs. This helps CTI map an organization's network infrastructure, identify shared hosting environments that might pose a risk, or discover unintentionally exposed private IP addresses.
Certificate Intelligence: Focuses on TLS certificates (status, issuers, active, and certificates without subdomains) and associated organizations (domains, certificates, and emails). CTI can use this to identify expired or misconfigured certificates, which could lead to man-in-the-middle attacks or a breakdown of trust.
Social Media: This module provides posts from the organization under investigation, breaking out content copy, hashtags, links, and tags. While not strictly technical, social media intelligence helps CTI understand public sentiment, identify potential disinformation campaigns, or detect exposed information through an organization's social presence.
Sensitive Code Exposure:
Code Repository Exposure: Discovers public code repositories and uncovers digital risks like access credentials (API keys, access tokens, generic credentials, cloud credentials), security credentials (cryptographic keys), other secrets, configuration files (application, system, network), database exposures (files, credentials), application data exposures (remote access, encryption keys, encrypted data, Java keystores, code repository data), activity records (command history, logs, network traffic), communication platform configurations (chat clients, email clients), development environment configurations, security testing tools, cloud service configurations, remote access credentials, system utilities, personal data, and user activity. This is highly valuable for CTI to identify unintentionally exposed sensitive data, such as API keys in public GitHub repositories, which could grant attackers direct access to critical systems.
Mobile Application Discovery: Discovers mobile apps in marketplaces and identifies access credentials, security credentials, and platform-specific identifiers within them. This helps CTI pinpoint mobile applications that could be compromised due to exposed sensitive information within their code.
Search Engine Exploitation:
Website Control Files: Discovers robots.txt (secure directories, user directories, shopping cart directories, email directories, ticket systems, emails, admin directories, development resources directories, API directories) and security.txt (emails, policy, contact info, hiring info, acknowledgements, PGP key, bug bounty program). CTI can use this to understand what information is intentionally or unintentionally exposed to search engines, potentially revealing sensitive areas or contact points that security researchers could exploit.
Search Engine Attack Surface: Helps investigate an organization’s susceptibility to exposing errors, general advisories, IoT entities, persistent exploitation, potential sensitive information, privileged folders, public passwords, susceptible files, susceptible servers, user data, and web servers via search engines. This is a direct CTI feed, showing what an attacker can find about an organization using standard search engine techniques, highlighting easily discoverable vulnerabilities or sensitive data.
Cloud and SaaS Exposure: Covers sanctioned and unsanctioned cloud services, cloud service impersonations, open exposed cloud buckets (AWS, Azure, GCP), and various SaaS implementations (BI, collaboration, content management, CRM, customer service, communication, data analytics, endpoint management, ERP, HR, IAM, incident management, IT service management, project management, video conferencing, work operating system). This provides CTI with a clear picture of an organization's cloud and SaaS footprint, enabling them to identify misconfigurations, unapproved services, or exposed data in cloud storage.
Online Sharing Exposure: Identifies the presence of an organizational entity on online code-sharing platforms, including Pastebin, GitHub Gist, Scribd, Slideshare, Prezi, and GitHub Code. CTI can use this to discover if sensitive internal information or code snippets have been inadvertently shared publicly.
Sentiment and Financials: Includes organizational-related lawsuits, layoff chatter, SEC filings (especially risk and oversight disclosures), SEC Form 8-Ks, and ESG violations. This provides CTI with insights into an organization's financial health, legal issues, and internal turmoil, which could indicate motivations for insider threats or make them a more attractive target for certain attackers.
Archived Web Pages: Provides archived online presence of APIs, BAK files, CSS, demo pages, document files, emails, Excel files, HTML files, image files, JavaScript files, JSON files, JSP files, login pages, PDF files, PHP files, potential redirects, Python files, TXT files, XML files, directories, subdomains, usernames, and admin pages. CTI can use this to uncover historical exposures, forgotten sensitive pages, or outdated credentials that might still be valid.
Dark Web Presence: Mentions organizational references to related or defined individuals, locations, or entities, as well as associated ransomware incidents and compromised credentials. This is direct CTI on the dark web, informing analysts if their organization or employees are being discussed in illicit forums, if they are victims of ransomware, or if their credentials have been compromised.
Technology Stack: Identifies technologies used by the organization, including accounting tools, analytics, API management, blogging, booking, CDNs, CMS, CRM, databases, developer platforms, digital content publishing, ecommerce, email, helpdesk, incident management, JavaScript libraries/frameworks/graphics, marketing automation, media, operating systems, POS, privacy, project management, security, shipping, utilities, web servers, and website development. This helps CTI understand the target's technology landscape, allowing them to cross-reference known vulnerabilities with the identified technologies.
6. Intelligence Repositories (DarCache): ThreatNG's continuously updated intelligence repositories (DarCache) are invaluable for enriching CTI efforts.
Dark Web (DarCache Dark Web): Provides direct access to dark web intelligence.
Compromised Credentials (DarCache Rupture): Contains information on compromised credentials. CTI can use this to proactively identify if employee credentials have been leaked, enabling immediate password resets and preventing account takeovers.
Ransomware Groups and Activities (DarCache Ransomware): Tracks over 70 ransomware gangs. This allows CTI to stay informed about the latest tactics, techniques, and procedures (TTPs) of ransomware groups, enabling them to better prepare for and respond to potential ransomware attacks.
Vulnerabilities (DarCache Vulnerability): Provides a holistic and proactive approach to managing external risks and vulnerabilities.
NVD (DarCache NVD): Includes Attack Complexity, Attack Interaction, Attack Vector, Impact scores (Availability, Confidentiality, Integrity), CVSS Score, and Severity. This provides CTI analysts with the technical details of vulnerabilities, enabling them to understand their potential impact.
EPSS (DarCache EPSS): Provides a probabilistic estimate of the likelihood of a vulnerability being exploited in the near future. Combining EPSS with other vulnerability data enables a more forward-looking approach to prioritization, addressing not only severe vulnerabilities but also those that are likely to be weaponized. This helps CTI prioritize patching efforts based on the real-world exploitability of vulnerabilities.
KEV (DarCache KEV): Lists vulnerabilities actively being exploited in the wild, providing critical context for prioritizing remediation efforts. This is crucial for CTI to focus on immediate and proven threats.
Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): Directly links to PoC exploits on platforms like GitHub, referenced by CVE, accelerating the understanding of how a vulnerability can be exploited. This information is invaluable for security teams to reproduce vulnerabilities, assess real-world impact, and develop effective mitigation strategies. CTI can use this to understand how an attacker might weaponize a vulnerability.
ESG Violations (DarCache ESG): Covers competition, consumer, employment, environment, financial, government contracting, healthcare, and safety-related offenses.
Bug Bounty Programs (DarCache Bug Bounty): Provides details on in-scope and out-of-scope issues. This helps CTI understand what an organization is actively seeking to secure and what areas might be less mature.
SEC Form 8-Ks (DarCache 8-K): Contains relevant SEC filings. CTI can monitor these for public disclosures of security incidents or other risk factors.
Bank Identification Numbers (DarCache BIN): This could be used for financial fraud intelligence.
Mobile Apps (DarCache Mobile): Indicates the presence of access credentials, security credentials, and platform-specific identifiers within mobile apps. This directly feeds into CTI for mobile threat analysis.
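As an added example (not ThreatNG code), the following Python sketch shows how the NVD, EPSS, KEV and PoC signals described under DarCache Vulnerability can be combined with external exposure into a remediation order, so that a moderately scored but likely-to-be-weaponized flaw outranks a critical-CVSS flaw nobody is exploiting. The record fields, tier thresholds and the CVE identifiers (placeholders) are assumptions.

```python
"""Risk-based vulnerability prioritization combining NVD (CVSS), EPSS, KEV and PoC data.

Added example, not ThreatNG code. Record fields, thresholds and the placeholder
CVE identifiers are assumptions chosen to illustrate the ordering logic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    cve: str            # CVE identifier (placeholder values in SAMPLE below)
    cvss: float         # NVD CVSS base score, 0.0-10.0
    epss: float         # EPSS probability of exploitation in the near future, 0.0-1.0
    kev: bool           # listed in CISA KEV (actively exploited in the wild)
    poc_public: bool    # a verified public PoC exploit exists
    exposed: bool       # reachable on the external attack surface


# Tier thresholds (assumptions). Lower tier number = more urgent.
EPSS_HIGH = 0.5
EPSS_MEDIUM = 0.1
CVSS_CRITICAL = 9.0
CVSS_HIGH = 7.0


def tier(v: VulnRecord) -> int:
    """Assign a remediation tier: 1 = fix now, 2 = this cycle, 3 = schedule, 4 = track."""
    if not v.exposed:
        # Not externally reachable: still tracked, but never above tier 3.
        return 3 if (v.kev or v.epss >= EPSS_HIGH) else 4
    if v.kev:
        return 1                      # proven exploitation in the wild
    if v.epss >= EPSS_HIGH or (v.poc_public and v.cvss >= CVSS_HIGH):
        return 1                      # likely to be weaponized soon
    if v.epss >= EPSS_MEDIUM or v.cvss >= CVSS_CRITICAL:
        return 2
    if v.cvss >= CVSS_HIGH:
        return 3
    return 4


def prioritize(records):
    """Sort by tier, then by EPSS and CVSS descending within a tier."""
    return sorted(records, key=lambda v: (tier(v), -v.epss, -v.cvss))


# Constructed sample records; identifiers and scores are made up for illustration.
SAMPLE = [
    VulnRecord("CVE-0000-0001", cvss=9.8, epss=0.02, kev=False, poc_public=False, exposed=True),
    VulnRecord("CVE-0000-0002", cvss=7.5, epss=0.91, kev=True,  poc_public=True,  exposed=True),
    VulnRecord("CVE-0000-0003", cvss=6.1, epss=0.63, kev=False, poc_public=True,  exposed=True),
    VulnRecord("CVE-0000-0004", cvss=9.1, epss=0.85, kev=True,  poc_public=True,  exposed=False),
    VulnRecord("CVE-0000-0005", cvss=5.3, epss=0.01, kev=False, poc_public=False, exposed=True),
]


def ordered_cves(records=SAMPLE):
    """Return the CVE identifiers in remediation order."""
    return [v.cve for v in prioritize(records)]


if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"tier {tier(v)}  {v.cve}  cvss={v.cvss}  epss={v.epss:.2f}  kev={v.kev}")
```

Note that CVE-0000-0001 (CVSS 9.8, negligible EPSS) lands in tier 2 behind CVE-0000-0003 (CVSS 6.1, EPSS 0.63), which is the page's point about prioritizing by real-world exploitability rather than severity alone.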
Complementary Solutions and Synergies:
ThreatNG's comprehensive CTI capabilities can be further enhanced when used in conjunction with other cybersecurity solutions, creating powerful synergies for a holistic security posture.
Security Information and Event Management (SIEM) Systems: ThreatNG's external assessment and continuous monitoring data can be fed into a SIEM. For example, if ThreatNG identifies a newly exposed sensitive port or a critical vulnerability with a high EPSS score, this information can trigger alerts in the SIEM. The SIEM can then correlate this external intelligence with internal log data, such as firewall logs showing connection attempts to that port or vulnerability scanner results, to gain a complete picture of the threat and its potential impact.
Security Orchestration, Automation, and Response (SOAR) Platforms: When ThreatNG identifies a high-severity vulnerability (e.g., a KEV vulnerability) or a compromised credential on the dark web (DarCache Rupture), a SOAR platform can automate the response. For instance, the SOAR platform could automatically initiate a patching process for the identified vulnerability, trigger a password reset for the compromised account, or block suspicious IP addresses identified by ThreatNG's IP intelligence.
Vulnerability Management (VM) Solutions: While ThreatNG identifies external vulnerabilities, a dedicated VM solution can perform deeper, authenticated scans of internal systems. The intelligence from ThreatNG, particularly the EPSS and KEV data, can help the VM solution prioritize its internal scanning efforts, focusing on the most exploitable and actively exploited vulnerabilities. For example, if ThreatNG reveals an actively exploited vulnerability in a public-facing web server, the VM solution can immediately prioritize an authenticated scan of that server.
Endpoint Detection and Response (EDR) Solutions: If ThreatNG detects a data leak susceptibility derived from compromised credentials or specific ransomware gang activity, such as DarCache Ransomware, this intelligence can inform an EDR solution. The EDR can then heighten its monitoring for specific TTPs associated with that ransomware gang or for any unusual activity from accounts with compromised credentials.
Threat Intelligence Platforms (TIPs): ThreatNG's DarCache intelligence repositories (Dark Web, Compromised Credentials, Ransomware Groups, Vulnerabilities, ESG Violations, Bug Bounty Programs, SEC Form 8-Ks, Bank Identification Numbers, Mobile Apps) can feed into a broader TIP. A TIP can then aggregate ThreatNG's external threat intelligence with other sources (e.g., industry-specific threat feeds, government advisories) to provide a more holistic view of the threat landscape, allowing for richer correlation and analysis. For example, ThreatNG's identification of a specific mobile app vulnerability could be enriched by a TIP with information about active exploits targeting that vulnerability from other intelligence sources.
Governance, Risk, and Compliance (GRC) Platforms: ThreatNG's External GRC Assessment and its detailed reporting, including External GRC Assessment Mappings (e.g., PCI DSS), directly provide inputs to GRC platforms. This allows organizations to continuously monitor their external compliance posture and automatically map identified risks to relevant regulatory frameworks. For instance, if ThreatNG identifies exposed sensitive data that violates GDPR, this information can be directly ingested by a GRC platform, facilitating faster remediation and compliance reporting.
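As an added example (not ThreatNG or any SIEM vendor's code), the following Python correlation rule illustrates the SIEM synergy described above: an exported "exposed sensitive port" finding is matched against firewall logs to confirm that allowed connections to that service actually occurred after the exposure was first seen. The finding format, the key=value log format, the addresses (documentation ranges) and the alert threshold are all assumptions.

```python
"""SIEM-style correlation of an external exposure finding with firewall logs.

Added example, not ThreatNG or vendor code. The finding layout, the log format
and the alert threshold are assumptions; all log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed external finding, as an EASM tool might export it (format assumed).
FINDING = {"asset": "203.0.113.10", "port": 3389, "kind": "exposed_sensitive_port",
           "first_seen": "2024-05-01T00:00:00"}

# Constructed firewall log lines in a simple key=value format (not a real vendor format).
FW_LOGS = """\
2024-05-01T08:01:12 action=allow src=198.51.100.7 dst=203.0.113.10 dport=3389 proto=tcp
2024-05-01T08:01:15 action=allow src=198.51.100.7 dst=203.0.113.10 dport=3389 proto=tcp
2024-05-01T08:02:40 action=allow src=198.51.100.23 dst=203.0.113.10 dport=3389 proto=tcp
2024-05-01T08:03:01 action=allow src=198.51.100.7 dst=203.0.113.10 dport=443 proto=tcp
2024-04-30T23:59:59 action=allow src=198.51.100.9 dst=203.0.113.10 dport=3389 proto=tcp
2024-05-01T08:05:09 action=deny src=198.51.100.44 dst=203.0.113.10 dport=3389 proto=tcp
2024-05-01T08:06:30 action=allow src=198.51.100.7 dst=203.0.113.11 dport=3389 proto=tcp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_logs(text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def correlate(finding, events, min_sources=2):
    """Return an alert when allowed connections to the exposed service came from at
    least `min_sources` distinct sources after the finding's first_seen, else None."""
    since = datetime.fromisoformat(finding["first_seen"])
    relevant = [e for e in events
                if e["dst"] == finding["asset"] and e["dport"] == finding["port"]
                and e["ts"] >= since]
    allowed = [e for e in relevant if e["action"] == "allow"]
    denied = [e for e in relevant if e["action"] == "deny"]
    by_src = defaultdict(int)
    for e in allowed:
        by_src[e["src"]] += 1
    if len(by_src) < min_sources:
        return None
    return {"asset": finding["asset"], "port": finding["port"], "kind": finding["kind"],
            "allowed_connections": len(allowed), "denied_attempts": len(denied),
            "sources": dict(by_src)}


if __name__ == "__main__":
    print(correlate(FINDING, parse_logs(FW_LOGS)))
```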
By combining ThreatNG's deep external visibility and rich intelligence with the capabilities of complementary security solutions, organizations can build a robust CTI program that is proactive, comprehensive, and highly effective in defending against modern cyber threats.
