Attack Surface Triage
In the context of cybersecurity, Attack Surface Triage is the process of sorting and prioritizing an organization's digital assets based on their level of risk and the urgency of the security threat they pose. The term "triage" is borrowed from medicine, where it refers to prioritizing patients based on the severity of their condition. In cybersecurity, this principle is applied to the digital environment.
An organization's attack surface includes all of its internet-facing assets—from web servers and applications to exposed APIs, cloud services, and employee credentials on the dark web. It is often too large and complex to secure all at once. Attack surface triage provides a structured way to address this challenge by focusing resources where they will have the most significant impact.
The process of attack surface triage typically involves:
Discovery: Identifying and mapping all external-facing assets. This includes subdomains, IP addresses, open ports, and cloud storage buckets.
Assessment: Evaluating the security posture of each discovered asset. This could involve checking for known vulnerabilities, misconfigurations, or exposed sensitive data.
Prioritization: Ranking the assets based on a combination of factors, such as:
Risk Level: The severity of any vulnerabilities found.
Urgency: The likelihood that a vulnerability will be exploited soon.
Business Impact: The potential damage to the organization if the asset is compromised.
By performing attack surface triage, a security team can move beyond simply reacting to threats and instead take a proactive, strategic approach. It allows them to quickly identify the most critical weaknesses, allocate limited resources effectively, and reduce the overall cyber risk to the organization.
ThreatNG helps with attack surface triage by providing a structured and data-driven approach to discover, assess, and prioritize external risks. It finds and ranks vulnerabilities and exposures from the perspective of an unauthenticated attacker, allowing organizations to concentrate their security efforts on the most critical threats.
External Discovery and Assessment
ThreatNG performs purely external, unauthenticated discovery to identify an organization's publicly visible assets. This includes everything from active subdomains to cloud services and mobile apps. Once an asset is found, ThreatNG's external assessment capabilities analyze it to determine its risk level. This is where the triage process begins, as each assessment helps to sort and prioritize assets.
Here are examples of how ThreatNG's assessments help with triage:
Subdomain Takeover Susceptibility: ThreatNG analyzes a website's subdomains, DNS records, and SSL certificate statuses to determine whether a subdomain can be taken over. A subdomain that is vulnerable to takeover would be considered a high-priority risk and move to the top of the triage list.
Cyber Risk Exposure: This score considers various factors from the Domain Intelligence module, such as certificates, subdomain headers, and vulnerabilities, to assess cyber risk. A subdomain with a known vulnerability or an exposed sensitive port would be flagged as a critical issue, requiring immediate attention.
Breach & Ransomware Susceptibility: This score is derived from exposed sensitive ports, exposed private IPs, known vulnerabilities, and dark web presence. If a discovered subdomain has exposed sensitive ports, it would be a top priority for remediation to reduce the risk of a breach or ransomware attack.
Data Leak Susceptibility: This assessment, based on Cloud and SaaS Exposure and compromised credentials from the dark web, helps identify assets that might be leaking sensitive data. An exposed cloud bucket with customer data, for example, would be a critical triage item.
Investigation Modules and Intelligence Repositories
ThreatNG's Investigation Modules and Intelligence Repositories provide the context needed to make triage decisions. They move beyond a simple discovery of assets to a deeper understanding of their risk.
Subdomain Intelligence: This module gives a detailed breakdown of each discovered subdomain's HTTP responses, headers, and the technologies it uses. This information helps you prioritize which subdomains to investigate first. For instance, a subdomain with a server header indicating an outdated or vulnerable technology would be a higher priority than one with a healthy, up-to-date configuration.
Sensitive Code Exposure: This module uncovers public code repositories and their exposure levels, checking for sensitive data like API keys, credentials, and configuration files. Finding a public GitHub repository with a hard-coded API key would be a top-priority triage item.
DarCache (Intelligence Repositories): These repositories provide the data needed for intelligent triage decisions.
DarCache Vulnerability: This repository provides a holistic view of external risks by characterizing their exploitability and potential impact. It draws on data from NVD (the National Vulnerability Database), EPSS (the Exploit Prediction Scoring System), and KEV (the Known Exploited Vulnerabilities catalog), which tells you whether a vulnerability is actively being exploited in the wild. When a discovered asset is found to have a vulnerability listed in the KEV catalog, it is immediately a high-priority item for remediation.
DarCache Compromised Credentials: If a newly discovered subdomain is associated with compromised credentials, it is a high-priority risk.
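The prioritization step described at the start of this page (ranking by risk level, urgency, and business impact) and the KEV/EPSS point made under DarCache Vulnerability can be shown together as a small scoring routine. The code below is an added example written for this page; it is not ThreatNG's scoring logic or API. The weights, the exposure table, the band thresholds, the Finding schema and the sample findings are all constructed assumptions that a real program would tune to its own environment.

```python
"""Added example of attack-surface triage scoring (illustrative, not ThreatNG's code).

Each external finding carries the three triage factors from the article:
risk level (CVSS or an exposure weight), urgency (EPSS, with a KEV override)
and analyst-assigned business impact. Findings are scored 0..100, placed in
high/medium/low/informational bands, and sorted into a remediation list.
All weights, thresholds and sample data below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed severity weights (0..1) for exposures that have no CVE of their own.
EXPOSURE_SEVERITY: Dict[str, float] = {
    "subdomain_takeover": 0.9,
    "public_bucket": 0.9,
    "compromised_creds": 0.8,
    "sensitive_port": 0.6,
    "outdated_server": 0.5,
}

BAND_ORDER = {"high": 0, "medium": 1, "low": 2, "informational": 3}


@dataclass
class Finding:
    """One assessed external asset (constructed schema)."""
    asset: str                       # subdomain, IP address, bucket name, ...
    issue: str                       # short description of what was found
    cvss: float = 0.0                # CVSS base score, 0..10 (risk level)
    epss: float = 0.0                # EPSS probability, 0..1 (urgency)
    in_kev: bool = False             # listed in a known-exploited-vulnerabilities catalog
    business_impact: int = 1         # analyst-assigned, 1 (low) .. 5 (critical)
    exposures: List[str] = field(default_factory=list)


def triage_score(f: Finding) -> float:
    """Combine risk level, urgency and business impact into a 0..100 score."""
    exposure_sev = max((EXPOSURE_SEVERITY.get(e, 0.3) for e in f.exposures), default=0.0)
    severity = max(min(f.cvss, 10.0) / 10.0, exposure_sev)
    urgency = min(max(f.epss, 0.0), 1.0)
    if f.in_kev:
        urgency = max(urgency, 0.9)  # actively exploited: urgent regardless of EPSS
    if f.exposures:
        urgency = max(urgency, 0.6)  # misconfigurations need no exploit development
    impact = min(max(f.business_impact, 1), 5) / 5.0
    return round(100 * (0.40 * severity + 0.35 * urgency + 0.25 * impact), 1)


def priority(f: Finding) -> str:
    """Map a finding to the high/medium/low/informational bands."""
    if f.in_kev:
        return "high"  # a KEV listing is always a top-priority item
    s = triage_score(f)
    if s >= 70:
        return "high"
    if s >= 45:
        return "medium"
    if s >= 20:
        return "low"
    return "informational"


def triage(findings: List[Finding]) -> List[Tuple[str, float, str]]:
    """Return (asset, score, band) sorted by band, then score, then name."""
    rows = [(f.asset, triage_score(f), priority(f)) for f in findings]
    return sorted(rows, key=lambda r: (BAND_ORDER[r[2]], -r[1], r[0]))


# Constructed sample findings (not real hosts or vulnerabilities).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("legacy.example.test", "outdated server header, CVSS 7.5 issue",
            cvss=7.5, epss=0.02, business_impact=3, exposures=["outdated_server"]),
    Finding("www.example.test", "low-severity finding, minimal exposure",
            cvss=3.1, epss=0.001, business_impact=1),
    Finding("api.example.test", "critical CVE in KEV plus exposed sensitive port",
            cvss=9.8, epss=0.96, in_kev=True, business_impact=5,
            exposures=["sensitive_port"]),
    Finding("vpn.example.test", "medium CVSS but listed in KEV",
            cvss=5.3, epss=0.1, in_kev=True, business_impact=2),
    Finding("backup.example.test", "public bucket with leaked credentials, no CVE",
            business_impact=5, exposures=["public_bucket", "compromised_creds"]),
]


if __name__ == "__main__":
    for asset, score, band in triage(SAMPLE_FINDINGS):
        print(f"{band:<14} {score:>6.1f}  {asset}")
```

Two design points matter here. The KEV override in `priority()` reproduces the rule on this page that a KEV-listed vulnerability is high priority even when its score alone would place it lower (the `vpn.example.test` sample scores below the outdated server, yet lands in the high band). The exposure table lets a misconfiguration with no CVE at all, such as the public bucket, compete with CVE-backed findings instead of scoring zero on severity.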
Reporting and Continuous Monitoring
ThreatNG provides various reports, including a Prioritized report that categorizes findings as high, medium, low, and informational. This report is essentially the output of the triage process, giving security teams a clear, actionable list of what to fix first.
Continuous monitoring ensures that as new assets are discovered or existing ones change, the triage process is ongoing and the prioritized list remains current.
Complementary Solutions
ThreatNG's data can be used with other cybersecurity solutions to enhance attack surface triage.
Vulnerability Scanners: ThreatNG's findings, such as an active subdomain with an exposed sensitive port, can be sent to a vulnerability scanner. This allows the scanner to run a targeted, in-depth scan on only the most critical assets, rather than wasting resources scanning the entire network.
Security Information and Event Management (SIEM) Platforms: The high-priority risks identified by ThreatNG can be ingested into a SIEM system as security events. This allows security analysts to correlate the external risk data with internal network logs and alerts, providing a more complete picture of a potential threat.
GRC Platforms: ThreatNG’s ability to map findings to GRC frameworks like PCI DSS helps with compliance triage. A critical finding on a public-facing server that is non-compliant with a framework can be automatically flagged for immediate action to avoid regulatory penalties.