Contextual Intelligence

Contextual intelligence in cybersecurity is the ability to analyze and interpret raw data within its specific environment to provide meaningful, actionable insights. Unlike traditional security measures that might only flag a threat based on a single indicator (like a known malicious IP address), contextual intelligence adds layers of information to determine the genuine risk and urgency of the threat. This approach enables security teams to prioritize and effectively respond to the most critical threats.

Key Components of Contextual Intelligence

The power of contextual intelligence comes from combining and analyzing various data points to create a comprehensive picture. Here are the main components:

  • User and Entity Behavior: This involves understanding the typical actions of users, devices, and applications on a network. For example, a user who suddenly tries to access sensitive files from an unusual location or at an odd hour would be flagged as a potential threat because it deviates from their normal behavior.

  • Threat Intelligence Feeds: Contextual intelligence enriches data from external threat intelligence feeds (like known malware signatures, IP addresses, and attacker tactics) by correlating it with internal network data. This helps security teams understand if a general threat is specifically relevant to their organization.

  • Network and System Data: By analyzing network traffic patterns, system logs, and communication protocols, contextual intelligence can identify anomalies that might indicate a breach. This involves examining the relationships and interactions between various systems and devices to identify any unusual activity.

  • Business and Environmental Factors: A key aspect of contextual intelligence is understanding the broader context within which an organization operates. This includes factors like the industry, geographic location, and specific business assets. For instance, a threat actor group known for targeting the financial sector would be a higher priority for a bank than a threat group that primarily targets the healthcare industry.

How It Works and Why It's Important

Contextual intelligence operates by transforming raw data into a narrative. Instead of simply seeing a list of alerts, a security team can see a story: "A known threat group is discussing a new vulnerability in a system we use, and one of our employees just had their credentials exposed on the dark web. The same employee is now trying to access sensitive data from an unfamiliar country." This level of detail allows teams to move from a reactive to a proactive defense posture.

The main benefits include:

  • Reduced Alert Fatigue: By filtering out false positives and prioritizing genuine threats, it prevents security teams from being overwhelmed by a flood of alerts.

  • Faster and More Informed Responses: With a clear understanding of the threat's origin, motive, and potential impact, security teams can respond more quickly and effectively.

  • Proactive Defense: It helps organizations anticipate and mitigate threats before they can cause significant damage, rather than just cleaning up after an attack.
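The behavioral-baseline idea from the components list and the "story" above (exposed credentials plus access from an unfamiliar country) can be combined into a single contextual score. The block below is an added example, not code from the page or from ThreatNG; the log lines, users, sensitive resources, credential-exposure feed and weights are all constructed assumptions.

```python
"""Added example (not from the page or ThreatNG): contextual scoring of an
access event against a per-user behavioral baseline plus external context.
All log entries, users, resource sets and weights are constructed assumptions."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed historical access log: (user, hour_of_day, country, resource)
HISTORY: List[Tuple[str, int, str, str]] = [
    ("alice", 9, "DE", "wiki"), ("alice", 10, "DE", "wiki"), ("alice", 14, "DE", "crm"),
    ("alice", 16, "DE", "wiki"), ("alice", 11, "DE", "crm"), ("alice", 15, "DE", "wiki"),
]
SENSITIVE = {"payroll", "crm"}   # assumed sensitive resources
EXPOSED_CREDS = {"alice"}        # assumed external credential-exposure feed


def build_baseline(history) -> Dict[str, Dict[str, set]]:
    """Learn each user's usual working hours and countries from past events."""
    base = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, hour, country, _ in history:
        base[user]["hours"].add(hour)
        base[user]["countries"].add(country)
    return base


def score_event(event: dict, baseline, sensitive=SENSITIVE, exposed=EXPOSED_CREDS) -> dict:
    """Layer contextual signals onto one event; each signal adds weight and a reason."""
    prof = baseline.get(event["user"], {"hours": set(), "countries": set()})
    reasons, score = [], 0
    if event["country"] not in prof["countries"]:
        reasons.append("unfamiliar country"); score += 2
    # "odd hour": more than two hours away from any hour seen in the baseline
    if prof["hours"] and min(abs(event["hour"] - h) for h in prof["hours"]) > 2:
        reasons.append("unusual hour"); score += 1
    if event["resource"] in sensitive:
        reasons.append("sensitive resource"); score += 2
    if event["user"] in exposed:
        reasons.append("credentials exposed externally"); score += 3
    priority = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"priority": priority, "score": score, "reasons": reasons}
```

A single indicator (the exposed credential) only lifts a routine event to medium; the same user hitting payroll at 03:00 from a country never seen before becomes high, which is the prioritization the narrative describes.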

ThreatNG enhances contextual intelligence by transforming raw, external data into actionable insights tailored to a specific organization's digital footprint. It goes beyond simply identifying vulnerabilities; it provides a comprehensive view of an organization's external attack surface and digital risk posture as an attacker would see it. This is achieved through its all-in-one approach, which includes discovery, assessment, monitoring, and robust intelligence repositories.

External Discovery

ThreatNG's external discovery is the foundational element that establishes the context for all subsequent assessments. It performs unauthenticated, purely external discovery, meaning it operates without needing any internal connectors or credentials. This process identifies all of an organization's public-facing assets, including domains, subdomains, cloud services, and mobile apps.

For example, ThreatNG can identify a subdomain like dev.yourcompany.com that was forgotten but is still publicly accessible. It can also identify unsanctioned cloud services or code repositories used by employees that are inadvertently exposed to the internet, providing a comprehensive view of the external attack surface.

External Assessment

The external assessment capabilities of ThreatNG use the discovered assets and intelligence to generate a variety of susceptibility scores and risk ratings. This is where raw data is contextualized into a meaningful security posture.

Examples of these detailed assessments include:

  • Subdomain Takeover Susceptibility: This score is derived from analyzing a website's subdomains, DNS records, and SSL certificate statuses. For instance, if an organization has a subdomain with a DNS CNAME record pointing to a non-existent third-party service, ThreatNG would flag it as susceptible to takeover by an attacker who could then claim the service and host a malicious page.

  • Breach & Ransomware Susceptibility: This score is calculated based on exposed sensitive ports, private IPs, known vulnerabilities, compromised credentials on the dark web, and ransomware gang activity. For example, if ThreatNG identifies an open Remote Desktop Protocol (RDP) port on a publicly facing server, and its intelligence repositories indicate a specific ransomware group actively targets RDP for initial access, the system would rate the organization's susceptibility to a ransomware attack as high.

  • BEC & Phishing Susceptibility: This assessment considers factors like domain name permutations, email security presence (DMARC, SPF, and DKIM records), and compromised credentials. ThreatNG can identify look-alike domains such as mycomany-pay.com or mycompany-login.net that could be used in phishing campaigns, directly informing the organization of a specific threat to its brand.

  • Mobile App Exposure: This score evaluates an organization’s mobile apps by discovering them in various app marketplaces and analyzing their contents for exposed credentials and security keys. ThreatNG could identify a publicly available mobile app that contains hardcoded AWS or Google API keys, which would be a critical vulnerability that an attacker could exploit to access backend systems.
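Two of the assessments above can be computed directly from DNS data: a CNAME whose target no longer resolves (subdomain takeover) and a domain without SPF or with a non-enforcing DMARC policy (BEC and phishing). The block below is an added example, not ThreatNG's code; the DNS snapshot, the reserved .test names and the rating thresholds are constructed assumptions.

```python
"""Added example (not ThreatNG's code): rating subdomain-takeover and
phishing susceptibility from a constructed DNS snapshot. Record data, names
and thresholds are assumptions; a real tool would query live DNS."""
from typing import Dict, List, Tuple

# Constructed DNS snapshot; ".test" names are reserved and never resolve live.
DNS: Dict[str, Dict[str, List[str]]] = {
    "www.example-corp.test":       {"A": ["203.0.113.10"]},
    "dev.example-corp.test":       {"CNAME": ["old-app.hosting-provider.test"]},
    "shop.example-corp.test":      {"CNAME": ["store.hosting-provider.test"]},
    "example-corp.test":           {"TXT": ["v=spf1 include:_spf.mail.test -all"]},
    "_dmarc.example-corp.test":    {"TXT": ["v=DMARC1; p=none; rua=mailto:d@example-corp.test"]},
    "store.hosting-provider.test": {"A": ["198.51.100.5"]},  # the only CNAME target still alive
}


def resolves(name: str) -> bool:
    """True if the snapshot has an address or alias record for the name."""
    return any(DNS.get(name, {}).get(t) for t in ("A", "AAAA", "CNAME"))


def dangling_cnames(names: List[str]) -> List[Tuple[str, str]]:
    """Takeover indicator: CNAME whose target no longer resolves."""
    return [(n, t) for n in names for t in DNS.get(n, {}).get("CNAME", []) if not resolves(t)]


def email_posture(domain: str) -> Dict[str, str]:
    """Report SPF presence and the DMARC enforcement policy (p= tag)."""
    spf = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    dmarc = [t for t in DNS.get("_dmarc." + domain, {}).get("TXT", []) if t.startswith("v=DMARC1")]
    policy = "missing"
    if dmarc:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
        policy = tags.get("p", "missing")
    return {"spf": "present" if spf else "missing", "dmarc_policy": policy}


def assess(domain: str, subdomains: List[str]) -> Dict[str, object]:
    """Combine the indicators into the two susceptibility ratings."""
    dangling = dangling_cnames(subdomains)
    posture = email_posture(domain)
    weak_mail = posture["spf"] == "missing" or posture["dmarc_policy"] in ("missing", "none")
    phishing = "high" if weak_mail else "medium" if posture["dmarc_policy"] == "quarantine" else "low"
    return {"subdomain_takeover": "high" if dangling else "low", "dangling": dangling,
            "bec_phishing": phishing, "email": posture}
```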

Reporting

ThreatNG offers diverse reporting to make contextualized intelligence accessible to various audiences.

  • Executive Reports offer a high-level summary for decision-makers.

  • Technical Reports provide in-depth details, including risk levels, reasoning, and recommendations, helping security teams understand and mitigate threats.

  • Prioritized Reports categorize findings into high, medium, low, and informational risk levels, allowing teams to focus on the most critical issues first. For example, a report might prioritize an exposed admin page found in an archived web page as a high-risk finding that needs immediate attention.

Continuous Monitoring

ThreatNG provides continuous monitoring of an organization's external attack surface, digital risk, and security ratings. This ensures that as the external environment changes, the contextual intelligence remains current. If a new vulnerability affecting a specific technology used by the organization is added to the DarCache Vulnerability repository, ThreatNG will automatically update the relevant risk scores and alerts. This provides real-time awareness, enabling proactive defense.

Investigation Modules

The investigation modules are a core component of contextual intelligence, enabling security teams to delve deeper into findings.

  • Domain Intelligence: This module provides a comprehensive view of an organization's domain presence. It includes DNS Intelligence, which analyzes domain records and identifies available or taken domain permutations that could be used for phishing attacks. For example, it could reveal that a malicious actor has registered your-company-support.com and has associated it with a mail record, indicating a potential phishing attempt.

  • Sensitive Code Exposure: This module discovers public code repositories and scans their content for exposed sensitive data. For example, it can find a public GitHub repository maintained by an employee that inadvertently contains hardcoded API keys, providing an attacker with a direct path to a critical internal service.

  • Dark Web Presence: This module monitors for organizational mentions, compromised credentials, and associated ransomware events on the dark web. If ThreatNG discovers that an employee's credentials have been compromised and are for sale, this information provides critical context to a potential breach or targeted attack.

Intelligence Repositories

ThreatNG's continuously updated intelligence repositories, known as DarCache, provide the raw data that is then contextualized by the platform.

Complementary Solutions

ThreatNG's contextual intelligence can be enhanced by working with other cybersecurity solutions to provide a more holistic defense.

  • Security Information and Event Management (SIEM) systems: ThreatNG's contextualized findings can be fed into a SIEM system, which aggregates and analyzes logs from various internal and external sources. For example, if ThreatNG flags an exposed port and a compromised credential, the SIEM system can correlate these findings with internal network logs to check whether there have been any unauthorized login attempts on that port or with those credentials.

  • Endpoint Detection and Response (EDR) solutions: If ThreatNG identifies a user's compromised credentials on the dark web, the EDR solution can be used to monitor that user's endpoint for any suspicious activity, such as unusual file access or connections to malicious domains. This allows for a targeted response based on the external intelligence provided by ThreatNG.

  • Firewalls and Intrusion Prevention Systems (IPS): The findings from ThreatNG's assessments, such as exposed sensitive ports or vulnerable applications, can be used to configure firewall rules or IPS signatures. For example, if ThreatNG identifies an open port that should be closed, the firewall can be updated to block all traffic to that port.
