Attack Surface Graph
An Attack Surface Graph (ASG) in cybersecurity is a dynamic, interconnected visual representation of an organization's digital attack surface. It models all potential entry points and pathways an attacker could use to compromise systems, data, or operations. Unlike a simple inventory list of assets, an ASG focuses on the relationships and dependencies between these assets, their attributes, and associated vulnerabilities, providing a holistic and contextual understanding of an organization's exposure.
Here's a detailed breakdown:
Core Components of an Attack Surface Graph:
Nodes (Entities):
Assets: These are the fundamental building blocks. Examples include:
Domains and Subdomains: example.com, blog.example.com
IP Addresses: Publicly accessible IPs, ranges, and associated autonomous systems (ASNs).
Cloud Resources: Cloud accounts, virtual machines, storage buckets (e.g., AWS S3, Azure Blob storage), serverless functions.
SaaS Applications: Instances of third-party Software-as-a-Service solutions the organization uses (e.g., Salesforce, Slack, Workday).
Code Repositories: Public or exposed private repositories on platforms like GitHub, GitLab, Bitbucket.
Mobile Applications: Apps published in public marketplaces that are linked to the organization.
Network Ports and Services: Open ports, the services running on them (e.g., HTTP, SSH, RDP), and their configurations.
Certificates: SSL/TLS certificates and their metadata.
Employee Digital Identities: Usernames, email addresses, and associated credentials (especially when found exposed).
Third-Party Dependencies: Technologies, vendors, and services used by the organization's external assets.
Attributes: Information directly associated with an asset node, such as:
Operating System versions
Software versions
Geographic locations
Configuration details
Associated organizations
Owner information (e.g., WHOIS data)
Vulnerabilities/Weaknesses: Specific security flaws identified (e.g., CVEs, misconfigurations, exposed sensitive data, weak security headers).
Threat Intelligence: Known malicious IPs, domains, file hashes, ransomware groups, or attack techniques (TTPs).
Edges (Relationships): These are the connections between nodes, representing how different entities interact or relate to each other. Edges are crucial for understanding the attack surface:
"Hosts": An IP address hosting a domain or subdomain.
"Uses": A web application using a specific JavaScript library or a database.
"Exposes": A code repository exposing an API key.
"Is Vulnerable To": A server vulnerable to a specific CVE.
"Belongs To": A subdomain belonging to a primary domain.
"Communicates With": A mobile app that communicates with a cloud service endpoint.
"Has Credential On": A user identity with a compromised credential found on the dark web.
"Is Affected By": A specific vulnerability affecting a software component.
"Associated With": An organization associated with a specific certificate or an ESG violation.
How an Attack Surface Graph is Constructed and Used:
External Discovery: The process begins with passive, unauthenticated scanning and enumeration of an organization's public-facing assets. This involves DNS enumeration, port scanning, web crawling, code repository monitoring, and mobile app store analysis.
Entity Resolution: As data is collected from diverse sources, graph-based entity resolution techniques are employed. This is critical for identifying when different pieces of data refer to the same real-world asset or entity, despite variations or inconsistencies. For example, resolving that www.example.com, example.com, and an IP address 192.0.2.1 all represent the same website entity.
Graph Population: The discovered assets (nodes) and their relationships (edges) are mapped into the graph database.
Continuous Monitoring: The ASG is not static. It is continuously updated as new assets are discovered, configurations change, new vulnerabilities emerge, or threat intelligence is updated. This ensures a near real-time understanding of the evolving attack surface.
Risk Analysis and Prioritization: By traversing the graph, security teams can:
Identify Attack Paths: Trace potential routes an attacker could take, from an initial entry point through connected assets to critical targets. For instance, an exposed admin page on a subdomain could lead to a compromised server with a known vulnerability, which then leads to sensitive data in an exposed cloud bucket.
Contextualize Vulnerabilities: Understand the severity of a vulnerability not just in isolation but in the context of its surrounding connections and the criticality of the affected asset. A low-severity vulnerability in a deeply interconnected, critical asset might be more impactful than a high-severity one in an isolated, non-critical asset.
Pinpoint Hidden Risks: Uncover misconfigurations, shadow IT, or forgotten assets exposed to the internet but not part of the known asset inventory.
Correlate Intelligence: Map external threat intelligence (e.g., actively exploited vulnerabilities, compromised credentials) directly onto the organization's assets, highlighting immediate and relevant threats.
Assess Impact: Determine the potential blast radius of a successful attack by understanding asset interdependencies.
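The construction and traversal steps above (entity resolution, graph population, attack-path tracing), as an added example that is not part of this page: a minimal in-memory graph in Python with typed nodes, labelled edges, alias merging for entity resolution, and a depth-first search for paths from an exposed subdomain to a critical cloud bucket. All asset names, the "vuln:outdated-cms" identifier and the certificate-scanner alias are constructed.

```python
from collections import defaultdict

class AttackSurfaceGraph:
    def __init__(self):
        self.nodes = {}                # canonical name -> {"type": ..., other attributes}
        self.edges = defaultdict(set)  # canonical src -> {(relation, canonical dst)}
        self.alias = {}                # merged name -> canonical name

    def resolve(self, name):           # follow the alias chain to the canonical entity
        while name in self.alias:
            name = self.alias[name]
        return name
    def add_node(self, name, ntype, **attrs):
        self.nodes.setdefault(self.resolve(name), {"type": ntype}).update(attrs)
    def add_edge(self, src, relation, dst):
        self.edges[self.resolve(src)].add((relation, self.resolve(dst)))

    def merge(self, alias, canonical):
        # Entity resolution: fold 'alias' into 'canonical', keeping its attributes and edges.
        alias, canonical = self.resolve(alias), self.resolve(canonical)
        if alias != canonical:
            self.nodes[canonical] = {**self.nodes.pop(alias, {}), **self.nodes.get(canonical, {})}
            self.edges[canonical] |= self.edges.pop(alias, set())
            for src in list(self.edges):  # re-point edges that targeted the alias
                self.edges[src] = {(r, canonical if d == alias else d) for r, d in self.edges[src]}
            self.alias[alias] = canonical

    def attack_paths(self, entry, target):
        # Depth-first enumeration of simple paths entry -> target, relation labels inline.
        entry, target = self.resolve(entry), self.resolve(target)
        found, stack = [], [(entry, [entry])]
        while stack:
            node, path = stack.pop()
            if node == target:
                found.append(path)
            else:
                for rel, nxt in sorted(self.edges[node]):
                    if nxt not in path:
                        stack.append((nxt, path + [rel, nxt]))
        return found

def build_sample_graph():
    # Constructed data for a fictitious organisation; every name and identifier is made up.
    g = AttackSurfaceGraph()
    g.add_node("admin.example.com", "subdomain")
    g.add_node("s3://customer-data-example", "cloud_bucket", critical=True, public=True)
    for src, rel, dst in [("admin.example.com", "exposes", "admin-login-page"),
                          ("admin-login-page", "runs_on", "web-01"),
                          ("web-01", "is_vulnerable_to", "vuln:outdated-cms"),  # placeholder, not a CVE id
                          ("web-01", "stores_data_in", "s3://customer-data-example")]:
        g.add_edge(src, rel, dst)
    # The certificate scanner reported the same host as "ADMIN.EXAMPLE.COM."; resolve it to the DNS node.
    g.add_node("ADMIN.EXAMPLE.COM.", "subdomain", cert_issuer="Example CA")
    g.merge("ADMIN.EXAMPLE.COM.", "admin.example.com")
    return g
```

Calling `build_sample_graph().attack_paths("admin.example.com", "s3://customer-data-example")` returns the single path subdomain -> admin page -> vulnerable server -> exposed bucket, and the same query through the merged alias name resolves to the same result.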
Benefits of an Attack Surface Graph:
Holistic Visibility: Unlike fragmented spreadsheets or siloed tools, it provides a complete and interconnected view of the external attack surface.
Contextual Understanding: Enables security teams to understand how different components relate and why specific vulnerabilities are more critical than others.
Proactive Threat Detection: Identifies complex attack paths and hidden exposures that might be missed by traditional scanning.
Prioritized Remediation: Directs remediation efforts towards the most impactful risks by revealing the critical relationships.
Improved Incident Response: Offers a clear map of affected systems and potential origins during an incident.
Continuous Risk Assessment: Maintains an up-to-date picture of the organization's external security posture.
An Attack Surface Graph transforms raw, disparate external security data into actionable intelligence by revealing the intricate web of relationships and dependencies attackers seek to exploit.
ThreatNG inherently provides an Attack Surface Graph (ASG) through its comprehensive functionalities. Its core purpose, mapping and managing an organization's external attack surface, translates directly into constructing and maintaining such a graph. The various modules and capabilities described in the document contribute to populating this ASG with nodes (assets, vulnerabilities, intelligence) and edges (relationships between them).
ThreatNG’s External Discovery: Populating the ASG's Nodes
ThreatNG's ability to perform purely external unauthenticated discovery without connectors is the foundational step in constructing the ASG. Each piece of information it uncovers becomes a node in the graph. For instance:
Domains and Subdomains: ThreatNG identifies an organization's primary domains and then rigorously enumerates all associated subdomains, including those across different platforms and services. Each unique domain and subdomain becomes a distinct node in the ASG. The link between example.com and its subdomains like blog.example.com or dev.example.com forms an edge, representing a "parent-child" or "belongs to" relationship.
IP Addresses and Network Elements: The discovery process identifies public IP addresses, associated ASNs, and their geographic locations. These are added as nodes, with edges connecting them to the domains they host or the organizations they belong to. Similarly, discovered open sensitive ports (e.g., FTP, Telnet, SMTP, RDP) and services running on them become nodes, linked by edges to the specific IP addresses and devices.
Cloud and SaaS Exposure: ThreatNG's discovery extends to sanctioned and unsanctioned cloud services (AWS, Azure, GCP) and SaaS implementations (Salesforce, Slack, Zoom). Each discovered cloud bucket or SaaS instance becomes a node, linked by an edge to the organization using it.
Code Repositories and Mobile Apps: ThreatNG discovers public code repositories and mobile apps in various marketplaces. Each repository or mobile app is a node, with edges connecting them to the organization and any sensitive data (e.g., API keys, private keys) discovered within their contents.
External Assessment: Enriching the ASG with Risk-Based Edges
ThreatNG's assessment capabilities make the graph come alive with risk-related edges. It analyzes the discovered nodes and their attributes to identify vulnerabilities and derive various susceptibility scores, linking these risks directly to the relevant entities.
Web Application Hijack Susceptibility & Subdomain Takeover Susceptibility: ThreatNG analyzes web application and subdomain entities, examining their DNS records, SSL certificate statuses, and external attack surface for potential entry points. Suppose a dangling DNS record is found for legacy.example.com (a subdomain node). In that case, an edge is created linking this subdomain node to a "subdomain takeover susceptibility" risk node, which then links to the central example.com organization node. This illustrates a direct attack path.
BEC & Phishing Susceptibility: This score is derived from Domain Intelligence (like DNS intelligence, domain name permutations) and Dark Web Presence (Compromised Credentials). If ThreatNG discovers that example.com has poor DMARC/SPF records (attributes of the example.com node) and finds employee credentials for john.doe@example.com (a user identity node) in DarCache Rupture, edges are established. These edges link the example.com domain node to the "poor email security configuration" node and the john.doe@example.com user node to the "compromised credential" node. These all contribute to a "BEC & Phishing Susceptibility" risk node linked to the overall organization node.
Data Leak Susceptibility: This score is based on Cloud and SaaS Exposure, Dark Web Presence, Domain Intelligence, and Sentiment and Financials. If an open AWS S3 bucket named customer-data-example (a cloud asset node) belonging to "Example Corp" is discovered, an edge links this bucket to the "open exposure" vulnerability node, which then links to a "Data Leak Susceptibility" risk node associated with the "Example Corp" organization node.
Mobile App Exposure: ThreatNG discovers mobile apps and analyzes their contents. If a mobile app node linked to "Example Retail" is found to contain a hardcoded "Amazon AWS Access Key ID" (a sensitive credential node), an edge is created between the mobile app node and the "exposed access credential" vulnerability node. This vulnerability node then links to the "Mobile App Exposure" risk node, which ultimately links to the "Example Retail" organization node.
Reporting and Continuous Monitoring: Presenting and Evolving the ASG
The ASG is the backbone of ThreatNG's reporting and continuous monitoring capabilities.
Reporting: Reports like "Prioritized (High, Medium, Low, and Informational)" or "Ransomware Susceptibility" are not just lists; they are interpretations of the ASG. The "Risk levels" and "Reasoning" in the Knowledgebase directly use the relationships mapped in the ASG to explain why a risk is critical (e.g., this exposed port on a critical server is directly linked to a known ransomware gang's TTP).
Continuous Monitoring: ThreatNG continuously monitors organizations' external attack surface, digital risk, and security ratings. This means the ASG is constantly being updated. If a new subdomain appears, a port opens, or a vulnerability status changes, new nodes and edges are added or existing ones are modified in real time, reflecting the evolving attack surface.
Investigation Modules: Traversing and Querying the ASG
ThreatNG's investigation modules allow users to interact with and extract specific insights from the underlying ASG.
Domain Intelligence: This module allows users to explore specific domain nodes in detail. An analyst can select example.com and instantly see all connected subdomains (nodes linked by "has subdomain" edges), their associated IP addresses (nodes linked by "hosts" edges), DNS records (attributes of domain/subdomain nodes), email security presence (attributes of domain nodes), and any known vulnerabilities on specific ports of their hosts (vulnerability nodes linked by "is vulnerable to" edges). If an analyst investigates blog.example.com and ThreatNG shows an exposed SSH port on its hosting IP address, this means the ASG has nodes for blog.example.com, its IP, and the SSH port, with edges linking them, and further connecting the SSH port to a "vulnerability" node if misconfigured.
Sensitive Code Exposure: This module directly identifies "exposed" edges. ThreatNG discovers public code repositories (nodes) and then probes their contents for sensitive data like API keys, cloud credentials, and private keys. Suppose a GitHub repository node (owned by "Example Devs") is found to contain an "AWS Secret Access Key" node. An edge is established, representing an "exposed" relationship between the repository and the sensitive key. This relationship contributes to the "Code Secret Exposure" score.
Mobile Application Discovery: This module reveals mobile app nodes' internal exposures. ThreatNG discovers an organization's mobile apps in marketplaces. Suppose the app contains an "Authorization Bearer" token. In that case, this token becomes a sensitive data node, linked by a "contains" edge to the mobile app node, which is then connected to the organization's overall "Mobile App Exposure" risk node.
Intelligence Repositories (DarCache): Enriching the ASG with Global Threat Context
ThreatNG's DarCache repositories act as pre-built, constantly updated sub-graphs of global threat intelligence. These intelligence graphs are then overlaid and correlated with an organization's specific ASG, adding critical contextual edges.
DarCache Vulnerability (NVD, EPSS, KEV, Verified PoC Exploits): This repository is a vast graph of known vulnerabilities. Each CVE is a node, with attributes like CVSS score, impact, and associated edges to EPSS scores (likelihood of exploitation) and KEV status (actively exploited). When ThreatNG discovers a vulnerability on an organization's asset (e.g., an outdated web server software node), it forms an edge between that asset node and the corresponding CVE node from DarCache Vulnerability. If that CVE node also has an edge to a "KEV" node (meaning it's actively exploited), this critical context is instantly transferred to the organization's ASG, prioritizing remediation efforts.
DarCache Rupture (Compromised Credentials): This is a graph of known compromised credentials. When ThreatNG identifies employee email addresses or usernames (user identity nodes) associated with an organization, it creates edges linking these to any matching compromised credential nodes from DarCache Rupture. This direct link instantly informs the organization's "Dark Web Presence" and associated susceptibility scores.
DarCache Ransomware: This tracks ransomware gangs and their activities. Suppose ThreatNG detects an exposed sensitive port on an organization's network (an asset node) that is a common target for a specific ransomware gang tracked in DarCache Ransomware. In that case, an edge is formed linking the asset node to the ransomware gang node, thereby increasing the organization's "Breach & Ransomware Susceptibility" score.
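An added example, not ThreatNG code or its scoring, of the intelligence overlay described in this section and of the "Contextualize Vulnerabilities" point earlier: "is vulnerable to" edges from asset nodes are joined with CVSS, EPSS and KEV attributes from an intelligence sub-graph, then ranked with asset criticality, exposure and blast radius so that a lower-CVSS but actively exploited flaw on a critical server outranks a higher-CVSS flaw on an isolated test host. CVE ids are placeholders, asset names are constructed, and the weights are this example's own assumptions.

```python
# Added example: overlay a threat-intelligence sub-graph onto asset -> vulnerability edges
# and rank remediation by graph context. Every identifier is constructed; the CVE ids are
# placeholders and the scoring weights are assumptions of this example, not a product formula.

INTEL = {  # vulnerability nodes: CVSS, EPSS (exploitation likelihood) and KEV (actively exploited)
    "CVE-PLACEHOLDER-1": {"cvss": 9.8, "epss": 0.02, "kev": False},
    "CVE-PLACEHOLDER-2": {"cvss": 5.3, "epss": 0.71, "kev": True},
    "CVE-PLACEHOLDER-3": {"cvss": 7.5, "epss": 0.10, "kev": False},
}
UNKNOWN = {"cvss": 5.0, "epss": 0.0, "kev": False}  # neutral attributes when a CVE is missing from INTEL

ASSETS = {  # asset nodes: criticality, internet exposure and how many other nodes depend on them
    "finance-web-01":    {"criticality": 1.0, "internet_exposed": True,  "dependents": 6},
    "marketing-test-02": {"criticality": 0.2, "internet_exposed": True,  "dependents": 0},
    "intranet-wiki":     {"criticality": 0.5, "internet_exposed": False, "dependents": 2},
}

IS_VULNERABLE_TO = [  # edges from the organisation's ASG that point into the intel sub-graph
    ("marketing-test-02", "CVE-PLACEHOLDER-1"),
    ("finance-web-01", "CVE-PLACEHOLDER-2"),
    ("intranet-wiki", "CVE-PLACEHOLDER-3"),
]


def priority(asset, vuln):
    """Contextual score 0-100: exploitation likelihood x impact in the graph, not raw CVSS."""
    likelihood = min(1.0, vuln["epss"] + (0.5 if vuln["kev"] else 0.0))  # KEV lifts likelihood
    exposure = 1.0 if asset["internet_exposed"] else 0.4                   # internal assets weigh less
    blast = 1.0 + min(asset["dependents"], 10) / 10                        # downstream blast radius
    impact = vuln["cvss"] / 10 * asset["criticality"] * blast
    return round(100 * likelihood * exposure * impact, 1)


def reason(asset_name, cve, assets=ASSETS, intel=INTEL):
    """Knowledgebase-style explanation assembled from the attributes on the joined nodes."""
    a, v = assets[asset_name], intel.get(cve, UNKNOWN)
    parts = [f"{asset_name} is_vulnerable_to {cve} (CVSS {v['cvss']}, EPSS {v['epss']:.2f})"]
    if v["kev"]:
        parts.append("listed in KEV: actively exploited")
    if a["internet_exposed"]:
        parts.append("internet exposed")
    if a["dependents"]:
        parts.append(f"{a['dependents']} dependent assets in blast radius")
    return "; ".join(parts)


def rank(edges=IS_VULNERABLE_TO, assets=ASSETS, intel=INTEL):
    """Highest contextual priority first, as (score, asset, cve) tuples."""
    return sorted(((priority(assets[a], intel.get(c, UNKNOWN)), a, c) for a, c in edges), reverse=True)


if __name__ == "__main__":
    for score, asset, cve in rank():
        print(f"{score:5.1f}  {reason(asset, cve)}")
```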
Synergies with Complementary Solutions
ThreatNG's ASG approach enables powerful synergies with other cybersecurity tools, allowing for a more integrated and effective security posture.
Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's resolved entity information and risk scores, derived from its ASG, can be fed into SIEM/SOAR platforms. For example, suppose ThreatNG identifies a public-facing server node with an exposed RDP port and a strong edge to a "critical vulnerability" node from DarCache Vulnerability. In that case, this high-fidelity risk context can trigger an alert in a SIEM. A SOAR playbook could then use this information to automatically initiate actions like blocking the RDP port at the firewall or triggering an internal vulnerability scan on that specific server, leveraging ThreatNG's clear entity resolution.
Vulnerability Management Platforms: ThreatNG's deep vulnerability intelligence, particularly its use of EPSS and KEV data, greatly enhances vulnerability management. Suppose ThreatNG's ASG reveals that a web server node belonging to "Finance Department" (a critical asset node) is exposed to a CVE that is actively exploited (an edge to a KEV node from DarCache Vulnerability). In that case, this critical context can be ingested by a vulnerability management platform. This allows the platform to automatically reprioritize the remediation of this specific vulnerability above others, focusing resources on the most immediate external threats.
Identity and Access Management (IAM) Solutions: ThreatNG's discovery of compromised credentials via DarCache Rupture and Email Intelligence can directly inform IAM systems. If the ASG links a user's email address node to a "compromised credential" node, this information can be pushed to an IAM solution. This can trigger an immediate password reset for that user or prompt for mandatory multi-factor authentication enrollment, strengthening the identity perimeter.
Endpoint Detection and Response (EDR) Tools: ThreatNG's external view can provide crucial context for internal EDR tools. Suppose ThreatNG's ASG identifies an exposed network device (router node) with a known vulnerability (from DarCache Vulnerability) that has a high EPSS score, and an EDR tool subsequently detects suspicious internal network activity originating from that device. In that case, the correlation between the external vulnerability and internal anomalous behavior becomes much clearer. The EDR can then use ThreatNG's external context to prioritize investigating that specific device.
By building and continuously updating its Attack Surface Graph, ThreatNG provides a clear, interconnected, and actionable view of an organization's external digital risk, helping security teams move from reactive firefighting to proactive, intelligence-driven defense.