Context-Driven Attack Surface Management
Context-Driven Attack Surface Management (CDASM) is a sophisticated, proactive approach to cybersecurity that goes beyond simply inventorying an organization's digital assets. It focuses on continuously discovering, classifying, prioritizing, and mitigating risks across the entire attack surface by integrating contextual information about assets and the threat landscape.
Core Components of Context-Driven Attack Surface Management
CDASM is defined by the depth of information it gathers and uses to inform risk decisions:
1. Continuous Discovery and Inventory
This foundational step involves constantly mapping all assets accessible to an attacker, including known, unknown (shadow IT), and third-party assets. The attack surface extends beyond public-facing servers; it includes cloud services, code repositories, internet-facing IoT devices, and digital supply chain components.
2. Context Integration
This is the "context-driven" element. Raw vulnerability data is enriched with critical information to build an accurate risk profile. Key contextual factors include:
Business Impact/Criticality: How vital is the asset to core business operations? A vulnerability on a customer database server is more critical than the same vulnerability on an internal HR portal.
Asset Type and Configuration: Details about the operating system, installed software, patch level, network placement, and security controls in place.
Exposure: Is the asset directly exposed to the internet, or do multiple layers of security protect it?
Threat Intelligence: Information about current, real-world threats. Is a specific vulnerability being actively exploited by threat actors (known as "in the wild" exploitation)? This moves a risk from theoretical to imminent.
User Access and Permissions: Who can access the asset, and with what level of privilege? Misconfigured access controls are a significant source of risk.
3. Risk Prioritization and Quantification
Traditional vulnerability management often yields massive lists of vulnerabilities that security teams cannot practically address in full. CDASM uses the integrated context to quantify and prioritize risk mathematically.
Instead of prioritizing a vulnerability solely by its Common Vulnerability Scoring System (CVSS) score, CDASM focuses on the effective risk. For example, a high-CVSS-score vulnerability that is not actively exploited and resides on a non-critical internal test server would be deprioritized in favor of a moderate-CVSS-score vulnerability that is currently being exploited and sits on a highly critical, internet-facing production server. This approach allows security teams to use their limited resources on the threats that pose the greatest danger to the business.
4. Proactive Remediation and Mitigation
CDASM supports the entire risk lifecycle, from discovery to resolution. It provides security teams with actionable insights for remediation, such as:
Patching: Directing immediate attention to high-priority assets.
Misconfiguration Correction: Identifying and fixing security gaps in cloud settings, access controls, or application settings.
Policy Enforcement: Ensuring security policies are consistently applied across the entire expanding attack surface.
The Value Proposition
CDASM offers a significant improvement over legacy security models by shifting from a periodic, reactive assessment to a continuous, proactive security posture. It provides a unified view of risk across an organization's entire digital footprint, including owned assets and third-party dependencies. This enables security decisions aligned with business objectives and current threat realities, thereby reducing the likelihood and potential impact of a successful cyberattack.
ThreatNG, an all-in-one external attack surface management (EASM), digital risk protection, and security ratings solution, is designed to provide a comprehensive, context-driven approach to attack surface management. It achieves this by continuously operating across discovery, assessment, prioritization, reporting, and intelligence gathering, all from the perspective of an unauthenticated external adversary.
External Discovery and Continuous Monitoring
ThreatNG begins by performing purely external, unauthenticated discovery with no connectors, continuously mapping all assets accessible to an attacker. This foundation is critical for maintaining an accurate inventory of the ever-changing digital footprint.
Example of Discovery: ThreatNG identifies all associated subdomains for an organization and continuously monitors them for changes. This process is foundational to other assessments, such as Subdomain Takeover Susceptibility.
External Assessment Capabilities
ThreatNG’s external assessment capabilities provide granular, actionable insight into various risk vectors.
Subdomain Takeover Susceptibility: This assessment involves identifying all subdomains via external discovery, enumerating CNAME records pointing to third-party services, and cross-referencing these services against a comprehensive Vendor List.
Example: ThreatNG finds a CNAME record pointing to a specific service like mycorp.heroku.com. It then performs a specific validation check to determine whether this resource is inactive or unclaimed on the Heroku platform, thereby confirming a "dangling DNS" state and prioritizing the risk.
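The check described above, as an added example that is not ThreatNG's code: it cross-references each subdomain's CNAME target against a vendor list by DNS suffix, then validates whether the third-party resource still resolves and is claimed. The vendor suffixes, "unclaimed" fingerprints, DNS records and HTTP responses are all constructed for the example; real provider responses differ and change over time.

```python
# Added example: dangling-CNAME assessment over a constructed subdomain inventory.
# Vendor suffixes and "unclaimed" fingerprints are illustrative assumptions.
VENDOR_LIST = {
    "heroku.com": ("Heroku", "No such app"),
    "github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    "s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
}

DNS_RECORDS = {  # constructed: subdomain -> CNAME target
    "app.mycorp.example": "mycorp.heroku.com",
    "docs.mycorp.example": "mycorp-docs.github.io",
    "assets.mycorp.example": "mycorp-assets.s3.amazonaws.com",
    "mail.mycorp.example": "mx.mailprovider.example",
}

FAKE_RESPONSES = {  # constructed stand-in for fetching each subdomain over HTTP
    "app.mycorp.example": "<h1>No such app</h1>",
    "docs.mycorp.example": "<html>Welcome to the MyCorp docs</html>",
    "assets.mycorp.example": None,  # the CNAME target no longer resolves at all
}

def fake_probe(host):
    return FAKE_RESPONSES.get(host)  # None means the host did not resolve

def vendor_for(cname):
    """Cross-reference a CNAME target against the vendor list by DNS suffix."""
    for suffix, (vendor, fingerprint) in VENDOR_LIST.items():
        if cname == suffix or cname.endswith("." + suffix):
            return vendor, fingerprint
    return None

def assess_takeover(records, probe):
    """Flag subdomains whose third-party CNAME target is unresolvable or unclaimed."""
    findings = []
    for host, cname in records.items():
        match = vendor_for(cname)
        if match is None:
            continue  # not a known third-party service; outside this check
        vendor, fingerprint = match
        body = probe(host)
        if body is None:
            status = "dangling: target does not resolve"
        elif fingerprint in body:
            status = "dangling: resource unclaimed on vendor"
        else:
            status = "claimed"
        findings.append({"subdomain": host, "cname": cname, "vendor": vendor, "status": status})
    return findings
```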
BEC & Phishing Susceptibility: This security rating (A-F) is derived from findings across Compromised Credentials (Dark Web Presence), various Domain Name Permutations (available and taken, with mail records), and Domain Name Record Analysis (e.g., missing DMARC and SPF records).
Example: Suppose ThreatNG detects a domain permutation such as mycornpany.com (a subtle transposition), finds that it is available for registration, and finds that proper DMARC records are missing. In that case, the BEC & Phishing Susceptibility rating will reflect a higher risk, advising the organization to register the domain and implement security measures.
Cyber Risk Exposure: This rating is based on findings such as invalid certificates, exposed cloud buckets (Cloud Exposure), and Sensitive Code Discovery (code secret exposure).
Example: ThreatNG discovers an exposed S3 bucket (Cloud Exposure) belonging to the organization, or identifies an invalid SSL certificate on a critical subdomain. The rating is lowered, and the finding is flagged for immediate remediation.
Mobile App Exposure: This evaluates an organization’s mobile apps discovered in marketplaces for the presence of highly sensitive content.
Example: ThreatNG scans a mobile app and finds a hardcoded AWS Access Key ID or a Stripe API Key within its contents, indicating a severe leak of Access Credentials.
Investigation Modules
The Investigation Modules, such as the Reconnaissance Hub and Advanced Search, transform raw data into decisive security insight, enabling detailed threat validation and prioritization.
Domain Intelligence: This module is crucial for understanding an organization's digital presence. Its Domain Name Permutations feature detects and groups domain manipulations (e.g., bit squatting, hyphenation, TLD swaps) to uncover potential typosquatting and phishing risks.
Example: An attacker registers myc0mpany.com (using a homoglyph for 'o'). Domain Intelligence detects this permutation and notes its registration status, allowing the security team to take legal or protective action against this brand threat.
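The permutation classes named in the Domain Intelligence passage and in the BEC & Phishing example above (homoglyphs, transpositions, hyphenation, bit squatting, TLD swaps), as an added example rather than ThreatNG's own feature: it generates look-alike candidates for a domain the defender owns and marks each as taken or available. REGISTERED is a constructed stand-in for a WHOIS or DNS registration lookup, and the homoglyph table is a small illustrative subset.

```python
# Added example: generate look-alike domains for a domain you own and classify
# them by registration status. REGISTERED and the homoglyph table are assumptions.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "m": "rn"}
COMMON_TLDS = ["com", "net", "org", "co", "io"]
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")

def permutations(domain):
    """Sorted candidate look-alikes for a single-label domain such as mycompany.com."""
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i, ch in enumerate(name):
        # homoglyph substitution, including the 'rn' for 'm' trick
        if ch in HOMOGLYPHS:
            out.add(f"{name[:i]}{HOMOGLYPHS[ch]}{name[i + 1:]}.{tld}")
        # bit squatting: one flipped bit that still yields a valid label character
        for bit in range(7):
            c = chr(ord(ch) ^ (1 << bit))
            if c in LABEL_CHARS and not (c == "-" and i in (0, len(name) - 1)):
                out.add(f"{name[:i]}{c}{name[i + 1:]}.{tld}")
    for i in range(len(name) - 1):
        # transposition of adjacent characters
        out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
        # hyphenation between characters
        out.add(f"{name[:i + 1]}-{name[i + 1:]}.{tld}")
    for t in COMMON_TLDS:
        # TLD swap
        if t != tld:
            out.add(f"{name}.{t}")
    out.discard(domain)  # a no-op transposition of repeated letters yields the original
    return sorted(out)

def classify(domain, registered):
    """Map each permutation to 'taken' or 'available' using the supplied registration set."""
    return {p: ("taken" if p in registered else "available") for p in permutations(domain)}

REGISTERED = {"myc0mpany.com", "mycompany.net"}  # constructed lookup result

if __name__ == "__main__":
    for dom, status in classify("mycompany.com", REGISTERED).items():
        if status == "taken":
            print(f"{dom}: {status}  <- monitor; consider takedown")
```

Taken permutations are the ones to watch for mail records and phishing content; available ones are candidates for defensive registration.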
Sensitive Code Exposure: This involves Code Repository Exposure and Mobile Application Discovery to find leaked secrets.
Example: This module scans a public GitHub repository and flags a PostgreSQL password file or a private SSH key, which are classified as Database Credentials and Security Credentials, respectively, within the code.
Social Media: This module addresses "Narrative Risk" and "Human Attack Surface" by monitoring platforms such as Reddit and LinkedIn.
Example: LinkedIn Discovery identifies employees most susceptible to social engineering attacks. Concurrently, Username Exposure conducts a passive reconnaissance scan to determine if an employee's username is taken across high-risk forums, providing insight into potential compromised accounts for targeted attacks.
Intelligence Repositories (DarCache)
ThreatNG maintains continuously updated intelligence repositories (DarCache) that provide the context needed for risk prioritization.
Vulnerabilities (DarCache Vulnerability): This repository is a central source for risk-based vulnerability management. It integrates:
NVD (DarCache NVD): Provides foundational technical characteristics, CVSS score, and severity.
EPSS (DarCache EPSS): Provides a probabilistic estimate of the likelihood that a vulnerability will be exploited in the near future, enabling forward-looking prioritization.
KEV (DarCache KEV): Flags vulnerabilities that are actively being exploited in the wild, providing critical context for immediate remediation.
Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): Direct links to PoC exploits accelerate understanding of exploitability and help security teams reproduce the vulnerability.
Example: A moderate CVSS-score vulnerability (from NVD) is found on a production asset. ThreatNG checks DarCache KEV and finds the vulnerability is being actively exploited, instantly elevating the finding to critical risk for the security team, a context a traditional scanner would miss.
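The effective-risk idea from the Risk Prioritization section (CVSS adjusted by exploitation status, exposure and asset criticality) and the DarCache KEV example above, worked through as an added example that is not ThreatNG's scoring formula: the weights, the two findings and the CVE ids are constructed placeholders.

```python
# Added example: effective-risk scoring that combines NVD CVSS with EPSS, KEV,
# exposure and asset criticality. Weights are illustrative assumptions, not
# ThreatNG's formula; findings and CVE ids are constructed placeholders.
from dataclasses import dataclass

EXPOSURE = {"internet": 1.0, "dmz": 0.6, "internal": 0.3}
CRITICALITY = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float       # NVD base score (0-10)
    epss: float       # EPSS probability of exploitation (0-1)
    in_kev: bool      # listed as actively exploited in the wild
    exposure: str     # key into EXPOSURE
    criticality: str  # key into CRITICALITY

def exploit_factor(f):
    """KEV counts as confirmed exploitation and gets an uplift; otherwise scale by EPSS."""
    return 1.5 if f.in_kev else 0.5 + f.epss  # range 0.5 .. 1.5

def effective_risk(f):
    """Context-adjusted score on the same 0-10 scale as CVSS."""
    score = f.cvss * exploit_factor(f) * EXPOSURE[f.exposure] * CRITICALITY[f.criticality]
    return round(min(score, 10.0), 2)

def tier(score):
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def prioritize(findings):
    """Order findings by effective risk rather than by raw CVSS."""
    return sorted(findings, key=effective_risk, reverse=True)

FINDINGS = [  # constructed: the two cases contrasted in the text
    Finding("test-db-01 (internal test server)", "CVE-0000-0001", 9.8, 0.02, False, "internal", "low"),
    Finding("www-prod-01 (internet-facing prod)", "CVE-0000-0002", 6.5, 0.70, True, "internet", "critical"),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        r = effective_risk(f)
        print(f"{f.asset:36} CVSS {f.cvss:4}  KEV {str(f.in_kev):5}  effective {r:5}  {tier(r)}")
```

Sorted by raw CVSS the 9.8 on the test server would come first; sorted by effective risk the KEV-listed 6.5 on the internet-facing production server leads.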
Reporting and Prioritization
ThreatNG provides diverse reporting, including Executive, Technical, and Prioritized (High, Medium, Low) reports, as well as External GRC Assessment Mappings to frameworks such as PCI DSS and NIST CSF. The risk level, reasoning, and practical recommendations are embedded in the reports via the Knowledgebase. Furthermore, the Overwatch system performs instant impact assessments across an entire portfolio, prioritizing the organization's exposure to critical CVEs by integrating vendor and technology use intelligence. The External Adversary View and MITRE ATT&CK Mapping automatically translate raw findings into a strategic narrative of adversary behavior, correlating exposed assets and vulnerabilities (like leaked credentials or open ports) with specific ATT&CK techniques.
Complementary Solutions
ThreatNG's unauthenticated, external EASM data is highly valuable for other security solutions, acting as a crucial context provider to enrich internal data.
Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR): ThreatNG's Compromised Credentials findings (from Dark Web Presence) or KEV-confirmed actively exploited vulnerabilities can be automatically ingested by a SIEM/SOAR platform.
Example of Cooperation: If ThreatNG identifies a critical vulnerability with active exploitation (KEV) on a public web server, the SOAR platform can automatically generate a high-priority ticket and notify the appropriate asset owner, accelerating the response beyond simply waiting for an internal scan.
Vulnerability Management (VM) Solutions: While ThreatNG is an EASM solution, its Technology Stack module and Vulnerability intelligence repositories (NVD, EPSS, KEV, PoC Exploits) provide a powerful external context that can significantly refine internal VM processes.
Example of Cooperation: ThreatNG discovers an unpatched application version on a public subdomain via the Technology Stack module. This external finding, prioritized with an EPSS likelihood score, is fed into the internal VM tool, instructing it to immediately perform an authenticated scan only for that specific technology on that asset, saving time and focusing effort.
Brand Protection Services: The Domain Name Permutations feature and Brand Damage Susceptibility findings (including negative news and lawsuits) can be used to augment dedicated brand protection efforts.
Example of Cooperation: ThreatNG's continuous monitoring of Domain Name Permutations alerts a complementary Brand Protection service to the registration of a new, malicious-looking domain permutation (myc0mpany-login.com), allowing the service to initiate a faster takedown process.