Adversarial Empathy
Adversarial Empathy, in the context of cybersecurity, is a strategic mindset and methodology that involves adopting the cognitive and emotional perspective of an adversary (like a threat actor or hacker) to anticipate their actions, motivations, and technical methods.
Strategic Components
Adversarial empathy is not about sympathizing with the attacker; it's a practical, cognitive tool used by security teams to enhance defense and threat hunting. It has two main components:
Understanding Motivation (Why): This involves understanding the driving force behind the attack. Is the adversary motivated by financial gain (e.g., ransomware, data theft for sale), geopolitical objectives (e.g., state-sponsored espionage), ideological reasons (e.g., hacktivism), or simple notoriety? Understanding the why helps security teams predict the likely targets and type of data the attacker will seek.
Understanding Process (How): This involves anticipating the adversary's technical steps and resource constraints. It requires knowing:
Tactics and Techniques: Which specific tools, malware, exploits, and methodologies will the attacker use? This aligns with frameworks like MITRE ATT&CK.
Victim Selection: What criteria do they use to choose targets? (e.g., financial size, political relevance, known system vulnerabilities).
The Path of Least Resistance: Attackers are fundamentally efficient. Empathy helps determine the easiest, quietest, and most cost-effective path an attacker will use to achieve their goal, bypassing the most obvious, heavily defended entry points.
Application in Cybersecurity
Proactive Defense (Red Teaming/Threat Modeling): Security professionals use adversarial empathy when building a threat model or running a red team exercise. By thinking like the adversary, they can identify critical, yet overlooked, security gaps that an internal security view might miss. This shifts the focus from checking compliance boxes to addressing real-world attack chains.
Threat Intelligence and Hunting: It informs the search for indicators of compromise (IOCs). Knowing an attacker's habits—like which systems they target first or the commands they typically run—allows threat hunters to focus on subtle, anomalous behaviors rather than just signature-based alerts.
Incident Response: During an active breach, understanding the attacker's next move—Are they looking to escalate privileges? Are they preparing to exfiltrate data? Are they setting up persistence?—allows the incident response team to stay ahead of the adversary and contain the damage faster.
Adversarial Empathy is a strategic approach, and ThreatNG supports this mindset by providing the external, unauthenticated view an attacker would use, enabling security teams to anticipate and preempt threats.
How ThreatNG Facilitates Adversarial Empathy
ThreatNG's capabilities are specifically designed to perform an External Adversary View of an organization's security posture, aligning findings with attacker techniques. This directly translates the mindset of adversarial empathy into actionable security insights.
External Discovery and Continuous Monitoring
ThreatNG performs purely external unauthenticated discovery and offers continuous monitoring of the external attack surface and digital risk. This is the foundational step for adversarial empathy, as it identifies the same attack surface and exposed assets that an unauthenticated threat actor would see. By continuously tracking these exposures, ThreatNG helps security teams maintain a constantly updated "attacker's map" of their environment, anticipating new points of entry as soon as they emerge.
External Assessment and MITRE ATT&CK Mapping
ThreatNG provides security ratings derived from various assessments that highlight potential attack paths, which can be mapped directly to adversarial tactics.
Cyber Risk Exposure Security Rating: This rating is based on findings like Sensitive Code Discovery and Exposure (code secret exposure) and Subdomains intelligence (exposed ports, private IPs, and vulnerabilities).
Cyber Risk Exposure Example: An attacker uses exposed ports and sensitive code to achieve initial access and establish persistence. By flagging exposed open cloud buckets, ThreatNG forces the organization to empathize with an attacker who could use that exposure for data exfiltration or to compromise the system further.
Mobile App Exposure Security Rating: This identifies sensitive information exposed within mobile apps.
Mobile App Example: ThreatNG highlights the presence of exposed Access Credentials (like AWS API Keys, Facebook Secret Key, or Stripe API Keys) or Security Credentials (like RSA Private Keys) within the mobile app. An attacker would specifically target these secrets to escalate privileges or access cloud resources, enabling the defense team to anticipate and preempt these moves.
MITRE ATT&CK Mapping: ThreatNG automatically translates raw findings into a strategic narrative of adversary behavior by correlating them with specific MITRE ATT&CK techniques.
MITRE ATT&CK Example: The unauthenticated discovery of a leaked credential or an open port on the external attack surface is directly mapped to a MITRE ATT&CK technique, allowing security leaders to prioritize threats based on likely exploitation and justify security investments.
Investigation Modules and Intelligence Repositories
These components provide the detailed data needed to understand the "how" and "what" of an attack, reinforcing the empathetic perspective.
Investigation Modules (Examples in Detail):
Sensitive Code Exposure - Code Repository Exposure: This module discovers public code repositories and highlights the exposure of secrets like AWS Secret Access Key, Private SSH key, or a PostgreSQL password file. An attacker views this as a direct bypass to security controls; ThreatNG shows the security team exactly what the attacker sees, enabling them to preempt a breach by removing the exposure.
Search Engine Attack Surface: This facility helps users investigate the organization’s susceptibility to exposing information via search engines, such as Public Passwords, Susceptible Files, or Privileged Folders. An attacker uses search engine exploitation (often called "dorking") to find this low-hanging fruit, and ThreatNG provides the exact query results the attacker would see.
NHI Email Exposure: This groups easily guessable, high-value non-human-interface emails like admin, support, or security. An attacker often targets these emails for initial access or phishing, assuming they have elevated privileges. ThreatNG identifies the risk of exposure across sources like Compromised Credentials and Archived Web Pages.
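The Code Repository Exposure and Mobile App findings above both come down to recognising credential formats (AWS keys, Stripe keys, private SSH keys, a PostgreSQL password file) in files an attacker can already read. The following is an added illustration, not ThreatNG's code: a small scanner that applies those public formats to a constructed sample repository and reports findings with the secret redacted, so a team can see its own exposure before an attacker does. Pattern names, file names and all sample values are invented.

```python
import re
from typing import Dict, List, Tuple

# Detection patterns for the credential types named above. Formats are public:
# AWS access key IDs are 20 characters beginning with AKIA, Stripe live secret keys
# begin with sk_live_, and PEM private keys carry a BEGIN header.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "stripe_live_secret_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
}
# Files whose presence alone is an exposure (a PostgreSQL .pgpass file holds passwords in clear).
SENSITIVE_FILENAMES = {".pgpass", "id_rsa", ".env"}

def redact(token: str) -> str:
    """Keep a short prefix so a finding can be triaged without re-exposing the secret."""
    return token[:6] + "..." if len(token) > 6 else "***"

def scan_file(path: str, content: str) -> List[Tuple[str, int, str]]:
    """Return (finding_type, line_number, redacted_evidence) for every exposure in one file."""
    hits: List[Tuple[str, int, str]] = []
    name = path.rsplit("/", 1)[-1]
    if name in SENSITIVE_FILENAMES:
        hits.append(("sensitive_filename", 0, name))
    for lineno, line in enumerate(content.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(1) if m.lastindex else m.group(0)
                hits.append((kind, lineno, redact(token)))
    return hits

def scan_repo(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Scan a repository given as {path: content}; only files with findings are returned."""
    report: Dict[str, List[Tuple[str, int, str]]] = {}
    for path, content in files.items():
        hits = scan_file(path, content)
        if hits:
            report[path] = hits
    return report

# Constructed sample repository; every value below is fake.
SAMPLE_REPO = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"\n'
                          'AWS_SECRET_ACCESS_KEY = "' + "A" * 40 + '"\n',
    "app/res/values/strings.xml": '<string name="stripe">sk_live_abcdefghijklmnopqrstuvwx</string>\n',
    "deploy/.pgpass": "db.example.com:5432:*:app:fake-password\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(fake key material)\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "No secrets here.\n",
}
```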
Intelligence Repositories (DarCache):
DarCache Vulnerability: This is a crucial component for adversarial empathy. It integrates NVD (technical characteristics), KEV (vulnerabilities actively exploited in the wild), EPSS (probabilistic estimate of likelihood of future exploitation), and Verified Proof-of-Concept (PoC) Exploits. By combining the severity of a vulnerability with its real-world exploitability and likelihood, ThreatNG allows the security team to think like an attacker who prioritizes flaws that are both easy and effective to use.
DarCache Ransomware: By tracking over 70 ransomware gangs, this repository informs the security team about the specific threats targeting their sector or technologies, allowing them to anticipate the attacker's motive (financial gain) and likely TTPs (Tactics, Techniques, and Procedures).
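The DarCache Vulnerability description above combines NVD severity with KEV status, EPSS probability and verified PoC availability so that findings are ranked the way an efficient attacker would rank them. The block below is an added worked example of that idea, not ThreatNG's scoring algorithm: the weighting is an assumption (KEV treated as certain exploitability, a verified PoC as a floor of 0.5, EPSS as the baseline), and the CVE identifiers and asset names are placeholders.

```python
import dataclasses
from typing import List

@dataclasses.dataclass
class VulnFinding:
    """One CVE observed on an externally discovered asset (constructed sample data)."""
    asset: str
    cve: str
    cvss: float     # NVD base score, 0.0 to 10.0 (technical severity)
    epss: float     # EPSS probability of exploitation, 0.0 to 1.0
    in_kev: bool    # listed in CISA KEV, i.e. exploited in the wild
    has_poc: bool   # a verified public proof-of-concept exploit exists

def attacker_priority(f: VulnFinding) -> float:
    """Rank a finding as impact x ease, the way an efficient attacker would.
    Assumed weighting (not ThreatNG's): KEV means exploitability is certain, a verified
    PoC sets a floor of 0.5, otherwise the EPSS probability is used as-is."""
    severity = f.cvss / 10.0
    if f.in_kev:
        exploitability = 1.0
    elif f.has_poc:
        exploitability = max(f.epss, 0.5)
    else:
        exploitability = f.epss
    return round(severity * exploitability, 3)

def prioritize(findings: List[VulnFinding]) -> List[VulnFinding]:
    """Highest attacker priority first; compare with a plain CVSS sort to see the difference."""
    return sorted(findings, key=attacker_priority, reverse=True)

# Constructed sample findings; CVE numbers are placeholders, not real identifiers.
SAMPLE = [
    VulnFinding("vpn.example.com",  "CVE-PLACEHOLDER-A", 9.8, 0.02, False, False),
    VulnFinding("mail.example.com", "CVE-PLACEHOLDER-B", 7.5, 0.93, True,  True),
    VulnFinding("www.example.com",  "CVE-PLACEHOLDER-C", 6.1, 0.40, False, True),
    VulnFinding("api.example.com",  "CVE-PLACEHOLDER-D", 5.3, 0.01, False, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{attacker_priority(f):.3f}  {f.cve:18}  {f.asset}")
```

Sorting by CVSS alone would put the 9.8 on the VPN first; the attacker's-eye ranking puts the KEV-listed 7.5 on the mail server first, because it is both effective and known to be easy.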
Reporting and Complementary Solutions
ThreatNG's Executive and Prioritized Reports transform the raw adversarial intelligence into business context, allowing security leaders to prioritize threats based on likely exploitation.
Complementary Solutions Example 1 (Vulnerability Management): When ThreatNG uses its intelligence repositories to find a known vulnerability (CVE) on a discovered asset, it provides the NVD score, KEV status, and EPSS score. This highly prioritized data can be seamlessly fed into a dedicated Vulnerability and Risk Management solution. The external context from ThreatNG (the attacker's view) enriches the internal data in the complementary solution, ensuring the internal teams fix the vulnerabilities an attacker is most likely to use.
Complementary Solutions Example 2 (Managed Security): If a threat hunter uses the Reconnaissance Hub to validate a threat—like exposed cloud credentials—the findings can be immediately sent to a Managed Detection and Response (MDR) provider. The MDR team can then use that specific external risk intelligence from ThreatNG to quickly focus their internal logs and network monitoring, performing a more effective, targeted defense against the anticipated attack path.