Adversarial Exposure Validation


Adversarial Exposure Validation (AEV) is a cybersecurity framework that utilizes automated and continuous testing to assess whether an organization's security vulnerabilities are truly exploitable by real-world attackers. It goes beyond traditional, static vulnerability scanning by actively emulating the tactics, techniques, and procedures (TTPs) that cyber adversaries use. The goal is to provide evidence-based, actionable intelligence that helps security teams prioritize and fix the most critical security weaknesses.

Key Aspects of AEV

  • Continuous and Automated: Unlike traditional penetration tests, which are often one-time, manual efforts, AEV is designed to run continuously and at scale. This enables organizations to stay ahead of the ever-evolving threat landscape and their own evolving IT environments.

  • Focus on Exploitation: AEV is not about just finding a long list of potential vulnerabilities. Instead, it tests whether those vulnerabilities can be combined to form a successful attack path, providing concrete evidence of how a breach could occur. This helps filter out "noise" from low-risk issues and directs resources to the most significant threats.

  • Emulates Real Adversaries: AEV uses threat intelligence to mimic the behaviors of known threat actors. By simulating realistic attack scenarios—from initial access to data exfiltration—it helps an organization understand if its security controls and defenses can withstand a genuine cyberattack.

  • Integration with Other Methodologies: AEV brings together and automates several security testing methods, including Breach and Attack Simulation (BAS), automated penetration testing, and red teaming. It acts as a force multiplier, enabling security teams to expand their testing capabilities without a significant increase in staff or costs.

  • Supports Continuous Threat Exposure Management (CTEM): AEV is a critical component of a CTEM program. It provides the essential validation step, proving that identified exposures are legitimate and warrant addressing, which enables a more proactive and efficient security posture.

AEV helps an organization shift from a reactive mindset of "what if we get attacked?" to a proactive one of "let's find out how we can be attacked and fix it before it happens."

ThreatNG facilitates Adversarial Exposure Validation (AEV) by providing a continuous, automated, and external view of an organization's security posture, aligning with how a real attacker would perceive and test it. ThreatNG's capabilities in external discovery, external assessment, continuous monitoring, reporting, investigation modules, and intelligence repositories work together to validate whether vulnerabilities are truly exploitable, which is the core goal of AEV.

External Discovery and Assessment

ThreatNG performs purely external, unauthenticated discovery, meaning it finds assets without needing any internal access or credentials. This provides a genuine "attacker's perspective" by mapping the organization's attack surface from the outside. It then performs a variety of assessments to determine an organization's susceptibility to different types of attacks.

  • Web Application Hijack Susceptibility: This analysis identifies parts of a web application that are accessible from the internet, pinpointing potential entry points for attackers.

  • Subdomain Takeover Susceptibility: The platform analyzes subdomains, DNS records, and SSL certificate statuses to evaluate the risk of a subdomain takeover.

  • Breach & Ransomware Susceptibility: This score is based on external factors, including exposed sensitive ports, private IP addresses, and known vulnerabilities, as well as compromised credentials and ransomware gang activity on the dark web.

  • Data Leak Susceptibility: ThreatNG assesses this by looking at cloud and SaaS exposure, compromised credentials on the dark web, and domain intelligence.

  • Non-Human Identity (NHI) Exposure: This score identifies and assesses risks associated with non-human identities, including API keys, service accounts, and system accounts. It maps out the digital footprint by identifying DNS vendors, the technology stack, and exposed SaaS applications. It also searches for compromised NHIs and secrets in sensitive code repositories and mobile apps, exposed APIs, and NHI-specific email addresses. This is crucial for AEV as NHIs are a significant attack vector.

  • Mobile App Exposure: It evaluates the exposure of an organization's mobile apps by discovering them in marketplaces and checking for sensitive data, such as access credentials, security credentials (e.g., PGP private keys, RSA private keys), and platform-specific identifiers.

  • External GRC Assessment: This provides a continuous, outside-in evaluation of an organization's Governance, Risk, and Compliance (GRC) posture, mapping findings to frameworks like PCI DSS, HIPAA, GDPR, and POPIA.

Continuous Monitoring and Reporting

ThreatNG offers continuous monitoring of an organization's external attack surface, digital risk, and security ratings. This ensures that, as the IT environment changes, new exposures are quickly identified and assessed, a key aspect of AEV's continuous nature.

The platform offers various reports to help security teams take action on the findings.

  • Prioritized reports categorize findings as High, Medium, Low, and Informational to help organizations focus on the most critical risks.

  • The Knowledgebase within the reports provides reasoning, practical recommendations, and reference links to help security teams understand and mitigate risks.

  • External GRC Assessment Mappings directly link external risks to compliance frameworks, simplifying the process of addressing security gaps.

Investigation Modules and Intelligence Repositories

ThreatNG's investigation modules use various data points to create a detailed picture of the organization's external risks.

  • Domain Intelligence: This module analyzes domain records, subdomains, and DNS to find potential threats. For example, it can detect and group domain name permutations (e.g., typosquatting domains) to identify potential phishing sites.

  • Sensitive Code Exposure: It discovers and investigates public code repositories and mobile apps for the presence of sensitive data. Examples include exposed access credentials, such as API keys (e.g., Stripe, Google, AWS), security credentials (e.g., private keys), and configuration files.

  • Search Engine Exploitation: This module helps users investigate susceptibility to information exposure via search engines, including errors, sensitive information, and user data.

  • Dark Web Presence: It finds organizational mentions on the dark web, as well as associated ransomware events and compromised credentials.

ThreatNG's Intelligence Repositories, branded as DarCache, provide the threat intelligence needed to perform AEV.

  • DarCache Vulnerability combines data from multiple sources to provide a holistic approach to managing external risks.

    • NVD (DarCache NVD) provides technical details on vulnerabilities like Attack Complexity and CVSS scores.

    • EPSS (DarCache EPSS) offers a probabilistic estimate of the likelihood a vulnerability will be exploited in the near future, which helps with prioritizing.

    • KEV (DarCache KEV) identifies vulnerabilities that are actively being exploited in the wild, providing critical context for remediation.

    • Verified Proof-of-Concept (PoC) Exploits directly link to known vulnerabilities, which helps security teams reproduce the issue and assess its real-world impact.
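To show how these four intelligence sources change a priority decision compared with a CVSS-only view, here is an added example (my own code, not ThreatNG's; the tier thresholds, the placeholder CVE ids and the sample findings are constructed for illustration):

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    cve: str          # placeholder id, constructed for this example
    cvss: float       # NVD base score (the DarCache NVD input)
    epss: float       # probability of exploitation, 0.0-1.0 (DarCache EPSS)
    in_kev: bool      # listed as actively exploited (DarCache KEV)
    has_poc: bool     # a verified public PoC exists
    external: bool    # asset is reachable from the internet


def priority(f: Finding) -> str:
    """Map a finding to the report tiers High / Medium / Low / Informational.

    Exploitation evidence (KEV, EPSS, PoC) outranks raw severity, which is the
    point of validation: a 9.8 nobody exploits is noise next to a 6.5 in KEV.
    Thresholds are an assumption for this example, not vendor values.
    """
    if not f.external:
        return "Informational"   # no path from the outside; track, do not chase
    if f.in_kev or f.epss >= 0.5:
        return "High"            # exploited in the wild or very likely to be
    if f.has_poc and f.cvss >= 7.0:
        return "High"            # severe and reproducible with public code
    if f.epss >= 0.1 or f.cvss >= 7.0:
        return "Medium"
    return "Low"


def rank(findings: List[Finding]) -> List[Finding]:
    """Order findings by tier, then by EPSS, then by CVSS (highest first)."""
    order = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}
    return sorted(findings, key=lambda f: (order[priority(f)], -f.epss, -f.cvss))


# Constructed sample: a CVSS-only ranking would put CVE-0000-0001 first.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, False, True),
    Finding("CVE-0000-0002", 6.5, 0.70, True, True, True),
    Finding("CVE-0000-0003", 9.8, 0.90, True, True, False),
    Finding("CVE-0000-0004", 4.3, 0.01, False, False, True),
    Finding("CVE-0000-0005", 7.5, 0.05, False, True, True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{priority(f):13s} {f.cve}  cvss={f.cvss} epss={f.epss}")
```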

Examples and Complementary Solutions

ThreatNG's AEV-like approach helps by simulating an attacker's steps. For instance, it can find an organization's public code repository with a hard-coded API key. It then validates this as a real exposure by checking if the API key is active and could lead to data exfiltration or access to a sensitive service. This is a real-world example of how a vulnerability (an exposed secret) can be directly validated as an exploitable exposure.
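The discovery half of that example, finding a hard-coded key in a public repository (the Sensitive Code Exposure module above), as an added illustration that is not ThreatNG's code: the patterns follow the providers' published key formats for the three vendors the page names, but the regexes, the redaction rule and the sample file are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Credential shapes named on the page (AWS, Google, Stripe) plus PEM private keys.
# Prefixes are the providers' documented ones; the exact regexes are my own.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY-----"),
}


def redact(secret: str) -> str:
    """Keep a short prefix so a finding never re-exposes the full secret."""
    return secret[:8] + "..." if len(secret) > 8 else secret


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, credential_kind, redacted_match) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((lineno, kind, redact(m.group(0))))
    return hits


# Constructed sample file; the AWS id is AWS's own documented example value and
# the other strings are made up. A sk_test_ key is included to show it is skipped.
SAMPLE_REPO_FILE = """\
# constructed sample config for this example, not a real repository
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
GOOGLE_MAPS_KEY = "AIzaSyA1234567890abcdefghijklmnopqrstuv"
stripe.api_key = "sk_live_0123456789abcdefghijklmnop"
stripe_test = "sk_test_0123456789abcdefghijklmnop"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA... (truncated constructed key material)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, shown in scan_text(SAMPLE_REPO_FILE):
        print(f"line {lineno}: {kind} {shown}")
```

Each hit is the starting point the text describes; whether the key is still live is a separate validation step against the issuing provider, which this scanner deliberately does not perform.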

ThreatNG can also be used with complementary solutions to enhance an AEV program:

  • Security Orchestration, Automation, and Response (SOAR) platforms can automatically ingest ThreatNG's findings and recommendations. For example, if ThreatNG identifies a critical exposed vulnerability, the SOAR platform could automatically create a remediation ticket in a ticketing system and notify the responsible team, accelerating the mitigation process.

  • Security Information and Event Management (SIEM) systems can use ThreatNG's external intelligence to enrich their internal log data. If ThreatNG flags a suspicious IP address or domain from a phishing campaign, the SIEM can search its logs for any communication with that IP or domain, helping to identify a potential internal compromise.

  • External Penetration Testing can complement ThreatNG by having human experts manually test complex or unique attack paths identified by ThreatNG's continuous automated assessments. ThreatNG's detailed findings, including an exposed VPN port and a related compromised non-human identity from the dark web, can serve as a starting point for a targeted penetration test, making the test more efficient and effective.
