Cyber Risk Intelligence (CRI)


In the context of cybersecurity, Cyber Risk Intelligence (CRI) is a comprehensive process that goes beyond simply identifying cyber threats. It involves systematically gathering, analyzing, and interpreting information related to potential cyber threats, vulnerabilities, and the broader risk landscape that could impact an organization's assets, operations, and reputation. The ultimate goal of CRI is to provide actionable insights that enable organizations to make informed decisions and adopt a proactive, rather than reactive, cybersecurity posture.

Here's a breakdown of CRI in detail:

Key Concepts and Distinctions

  • Beyond Cyber Threat Intelligence (CTI): While closely related, CRI expands upon CTI. CTI focuses primarily on the "who, what, and how" of cyberattacks—identifying threat actors, their tactics, techniques, and procedures (TTPs), and indicators of compromise (IoCs). CRI takes this threat information and contextualizes it within an organization's specific environment, assessing the likelihood of a threat exploiting a vulnerability and the potential impact of such an event on the organization's business objectives.

  • Focus on Risk, Not Just Threats: CRI shifts the emphasis from recognizing threats to understanding the risk they pose. This means considering the organization's unique assets, vulnerabilities, and business functions to determine the most relevant and impactful threats.

  • Proactive Security: CRI aims to help organizations anticipate future threats and vulnerabilities, allowing them to implement preventative measures and develop robust mitigation strategies before an attack occurs.

Components of Cyber Risk Intelligence

CRI draws from various sources and involves several key activities:

  1. Data Collection:

    • External Sources: This includes open-source intelligence (OSINT) from public forums, news, blogs, cybersecurity reports, and dark web monitoring. It also encompasses closed-source threat intelligence feeds from vendors and industry-specific information sharing and analysis centers (ISACs).

    • Internal Sources: Data from an organization's own network logs, security devices (firewalls, intrusion detection systems), vulnerability scans, incident response data, and asset inventories.

    • Human Intelligence (HUMINT): Information from experts, interviews, and internal security teams.

  2. Data Processing and Analysis:

    • Contextualization: Raw data is analyzed for patterns, trends, and anomalies, then placed in the context of the specific organization: its industry, geographic location, digital infrastructure, compliance requirements, and third-party vendor relationships.

    • Threat Identification and Profiling: Understanding who might target the organization (threat actors), their motivations (financial gain, espionage, activism), capabilities, and TTPs.

    • Vulnerability Analysis: Identifying weaknesses in the organization's systems, applications, and networks that attackers could exploit. This involves vulnerability assessments, penetration testing, and continuous monitoring.

    • Risk Scoring and Prioritization: Risk scores are assigned to identified threats and vulnerabilities based on their potential impact and likelihood of exploitation. This helps organizations prioritize resources to address the most critical risks first.

  3. Actionable Insights and Dissemination:

    • Predictive Analysis: Using historical data and emerging trends to anticipate future threats and attack vectors.

    • Mitigation Strategies: Developing and recommending specific security controls, policies, procedures, and training programs to reduce identified risks.

    • Reporting and Communication: Presenting intelligence in a clear, concise, and actionable manner to various stakeholders, from security teams to executive leadership and board members. The information must be tailored to the audience's understanding and focus on business impact.

Benefits of Cyber Risk Intelligence

Implementing a robust CRI program offers numerous advantages for organizations:

  • Proactive Defense: Shifts security from a reactive posture to a proactive one, allowing organizations to anticipate and prevent attacks.

  • Informed Decision-Making: Provides leaders with the necessary insights to make strategic decisions about cybersecurity investments, resource allocation, and risk mitigation efforts.

  • Enhanced Threat Detection and Response: Understanding the nature, intent, and likely impact of threats improves the ability of security teams to detect malicious activity faster and respond more effectively to incidents.

  • Optimized Resource Allocation: Helps organizations focus their limited security resources on the most critical risks, maximizing their return on investment in cybersecurity.

  • Reduced Business Impact: By anticipating and mitigating threats, CRI helps minimize the financial, reputational, and operational damage that could result from a cyberattack.

  • Improved Compliance and Governance: Supports adherence to regulatory requirements and industry standards by clearly understanding the organization's risk posture.

  • Better Vendor Risk Management: Provides visibility into the cybersecurity risks posed by third-party vendors, a common attack vector.

  • Continuous Improvement: Fosters a culture of constant learning and adaptation within the security team, enabling them to evolve their defenses as the threat landscape changes.

Cyber Risk Intelligence empowers organizations to move beyond simply reacting to threats and instead build a resilient cybersecurity posture by deeply understanding and proactively managing their unique cyber risks.

ThreatNG, an all-in-one external attack surface management, digital risk protection, and security ratings solution, provides comprehensive capabilities that directly contribute to an organization's Cyber Risk Intelligence (CRI) efforts. It focuses on purely external, unauthenticated discovery, meaning it assesses an organization's digital footprint from an attacker's perspective without needing internal connectors.

Here's how ThreatNG helps with Cyber Risk Intelligence:

External Discovery

ThreatNG performs external unauthenticated discovery, which is foundational for CRI. Exploring an organization's digital presence from the outside identifies assets that an attacker could target, providing a realistic view of the external attack surface. This includes uncovering web applications, subdomains, mobile apps, and code repositories that might be publicly exposed.

External Assessment

ThreatNG's external assessment capabilities are extensive. These assessments provide detailed ratings that highlight specific areas of susceptibility and exposure, providing crucial insights into potential risks.

Here are some examples of ThreatNG's external assessment ratings and how they contribute to CRI:

  • Web Application Hijack Susceptibility: This rating analyzes external web application components to identify potential entry points for attackers. For CRI, this means understanding if an organization's public-facing web applications are vulnerable to hijacking, allowing for proactive measures like hardening configurations or implementing Web Application Firewalls (WAFs).

  • Subdomain Takeover Susceptibility: ThreatNG assesses a website's subdomains, DNS records, and SSL certificate statuses to determine susceptibility to subdomain takeovers. For example, if ThreatNG identifies a subdomain pointing to an expired cloud service, it signals a high risk of takeover, which an attacker could use for phishing or brand impersonation. This intelligence allows an organization to reclaim or reconfigure the subdomain.

  • BEC & Phishing Susceptibility: This is derived from analyzing domain intelligence (including domain name permutations and Web3 domains), email security presence, and compromised credentials found on the dark web. If ThreatNG uncovers multiple look-alike domain names that are still available for registration, or employee credentials circulating on the dark web, it rates the organization's susceptibility to Business Email Compromise (BEC) and phishing higher. The organization can then register those look-alike domains and strengthen its email security.

  • Brand Damage Susceptibility: ThreatNG assesses this by looking at attack surface intelligence, digital risk intelligence, ESG violations, sentiment and financials (like lawsuits and negative news), and domain intelligence. For instance, if negative news articles or public SEC filings about a lawsuit are detected, coupled with numerous domain name permutations that could be used for brand impersonation, ThreatNG would indicate a high brand damage susceptibility. This helps the organization address potential PR issues and protect its brand.

  • Data Leak Susceptibility: This rating is based on cloud and SaaS exposure, compromised credentials on the dark web, and domain intelligence. If ThreatNG discovers an exposed AWS S3 bucket or compromised user credentials linked to the organization on the dark web, it points to a significant data leak susceptibility and prompts immediate action to secure the exposed data.

  • Cyber Risk Exposure: This considers certificates, subdomain headers, vulnerabilities, and sensitive ports. ThreatNG might identify an organization with numerous unpatched vulnerabilities on its public-facing servers and exposed sensitive ports, leading to a high cyber risk exposure rating. This directs the organization to prioritize vulnerability patching and port security.

  • Code Secret Exposure: ThreatNG discovers code repositories and their exposure level, investigating their contents for sensitive data. If it finds an API key or an AWS access key ID within a public GitHub repository, it directly impacts the organization's cyber risk exposure score. This actionable insight allows developers to remove sensitive information from public repositories.

  • Cloud and SaaS Exposure: This evaluates an organization's cloud services and solutions. ThreatNG could identify an organization using several unsanctioned cloud services or an open, exposed cloud bucket, indicating a shadow IT risk and potential data exfiltration pathways. This helps the organization bring these services under control and secure exposed data.

  • ESG Exposure: ThreatNG rates an organization based on discovered environmental, social, and governance (ESG) violations through its external attack surface and digital risk intelligence findings. For example, if it identifies public records of environmental violations or significant negative news related to labor practices, it would highlight ESG exposure, which can impact reputation and investor relations.

  • Supply Chain & Third Party Exposure: This is derived from domain intelligence (enumeration of vendor technologies), technology stack, and cloud and SaaS exposure. If ThreatNG discovers that a critical third-party vendor used by the organization has several exposed cloud services or outdated technologies, that signals a supply chain risk the organization must address with the vendor.

  • Breach & Ransomware Susceptibility: This is calculated based on external attack surface and digital risk intelligence, including exposed sensitive ports, known vulnerabilities, compromised credentials, and ransomware events/gang activity on the dark web. If ThreatNG detects an organization's compromised credentials on the dark web alongside active ransomware gang discussions targeting similar industries, it would indicate a high susceptibility to breaches and ransomware, urging immediate protective measures.

  • Mobile App Exposure: ThreatNG discovers an organization’s mobile apps in marketplaces and examines their content for exposed access credentials (like API keys), security credentials (like private keys), and platform-specific identifiers. For instance, if a mobile app is found to contain an embedded AWS Access Key ID, ThreatNG will flag this as a critical exposure, requiring the developer to remove the hardcoded credential.
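The Subdomain Takeover Susceptibility rating above comes down to one concrete check: does a subdomain's CNAME alias a third-party hosting name that nobody currently claims? The script below is an added example, not ThreatNG code, that implements that check over a constructed DNS snapshot. The service table and the unclaimed-resource fingerprints are an illustrative subset (an assumption of this example), and DNS resolution and HTTP fetches are simulated so it runs offline.

```python
"""Dangling-CNAME check: does a subdomain alias a third-party hosting name
that nobody currently claims?

Added example, not ThreatNG code. The DNS snapshot, resolver and HTTP bodies
are constructed so the check runs offline; the service table is an
illustrative subset (assumption), not a complete catalogue.
"""
from dataclasses import dataclass

# Hosting targets an attacker can register under their own account, mapped to
# the text the provider serves for an unclaimed name (None when the provider
# answers NXDOMAIN instead of a placeholder page).
TAKEOVER_PRONE = {
    ".s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    ".herokuapp.com": ("Heroku", "No such app"),
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    ".azurewebsites.net": ("Azure App Service", None),
}


@dataclass(frozen=True)
class Finding:
    subdomain: str
    cname: str
    service: str
    reason: str


def classify_target(target):
    """Return (service, unclaimed_fingerprint) for a CNAME target, else None."""
    name = target.rstrip(".").lower()
    for suffix, info in TAKEOVER_PRONE.items():
        if name.endswith(suffix):
            return info
    return None


def find_dangling_cnames(cname_records, resolves, fetch_body):
    """Flag CNAMEs that alias a takeover-prone service and look unclaimed.

    cname_records: {subdomain: cname_target}
    resolves(name) -> bool        True when the target still has an address record
    fetch_body(subdomain) -> str  HTTP response body when the subdomain is requested
    """
    findings = []
    for sub, target in cname_records.items():
        info = classify_target(target)
        if info is None:
            continue  # aliases a service this check does not cover
        service, fingerprint = info
        if not resolves(target.rstrip(".").lower()):
            findings.append(Finding(sub, target, service,
                                    "CNAME target does not resolve (NXDOMAIN)"))
        elif fingerprint and fingerprint in fetch_body(sub):
            findings.append(Finding(sub, target, service,
                                    f"provider serves its unclaimed-resource page ({fingerprint!r})"))
    return findings


# --- constructed snapshot for example.com (not real DNS data) ---------------
CNAMES = {
    "www.example.com": "d111111abcdef8.cloudfront.net.",
    "old-blog.example.com": "example-old-blog.herokuapp.com.",
    "assets.example.com": "example-assets-2019.s3.amazonaws.com.",
    "legacy.example.com": "legacy-example.azurewebsites.net.",
    "mail.example.com": "example-com.mail.protection.outlook.com.",
}
RESOLVABLE = {  # names that still answer with an A record in the snapshot
    "d111111abcdef8.cloudfront.net",
    "example-old-blog.herokuapp.com",        # Heroku keeps serving a placeholder
    "example-assets-2019.s3.amazonaws.com",  # S3 endpoints resolve even after the bucket is deleted
    "example-com.mail.protection.outlook.com",
}
BODIES = {
    "www.example.com": "<html>Welcome</html>",
    "old-blog.example.com": "<h1>No such app</h1>",
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
}


def run_example():
    return find_dangling_cnames(
        CNAMES,
        resolves=lambda name: name in RESOLVABLE,
        fetch_body=lambda sub: BODIES.get(sub, ""),
    )


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.subdomain} -> {f.cname} [{f.service}]: {f.reason}")
```

Against a live domain the two inputs are what `dig +short CNAME old-blog.example.com` returns and the body of a plain HTTP request to the subdomain. The two branches matter: an S3 endpoint keeps resolving after the bucket is deleted, so only the fingerprint catches it, while an unclaimed Azure name answers NXDOMAIN and only the resolution check catches it. Treat a hit as a candidate until you have confirmed the provider lets anyone claim that exact name.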

Reporting

ThreatNG offers various reporting capabilities, including Executive, Technical, Prioritized (High, Medium, Low, Informational), Security Ratings, Inventory, Ransomware Susceptibility, and U.S. SEC Filings. These reports are vital for CRI as they translate complex security data into understandable formats for stakeholders. For example, a prioritized report can highlight the most critical risks, enabling security teams to focus their remediation efforts effectively. Executive reports provide a high-level overview of the organization's security posture and its implications for business, aiding strategic decision-making.

Continuous Monitoring

ThreatNG monitors an organization's external attack surface, digital risk, and security ratings. This continuous feedback loop is crucial for CRI because the threat landscape constantly evolves. As new vulnerabilities emerge or an organization's digital footprint changes, ThreatNG will automatically detect and report these shifts, allowing for real-time risk adjustments and maintaining an up-to-date understanding of the risk posture.

Investigation Modules

ThreatNG's investigation modules enable deep dives into discovered assets and risks, providing detailed intelligence for effective risk mitigation.

Here are some examples of ThreatNG's investigation modules:

  • Domain Intelligence: This module provides a comprehensive overview of an organization's digital presence.

    • DNS Intelligence: Analyzes domain records, identifies vendors and technologies, and uncovers domain name permutations (taken and available) and Web3 domains. For instance, if an attacker registers a typo-squatted domain name (e.g., "threat-ng.com" instead of "threatng.com"), ThreatNG's domain name permutation analysis would identify this, allowing the organization to secure the look-alike domain and prevent phishing.

    • Email Intelligence: Provides insights into email security presence (DMARC, SPF, DKIM records) and predicts email formats. This helps identify vulnerabilities in email configurations that could be exploited for spoofing or phishing.

    • Subdomain Intelligence: Explores HTTP responses, header analysis, server headers, cloud hosting, website builders, e-commerce platforms, content management systems, and sensitive content like admin pages, APIs, and development environments. It also identifies known vulnerabilities and exposed ports. For example, if ThreatNG identifies a subdomain with an exposed API endpoint that lacks proper authentication, it would be highlighted for immediate remediation.

  • Sensitive Code Exposure: This module discovers public code repositories and uncovers sensitive data like API keys, access tokens, cloud credentials, security credentials, and configuration files. If a developer accidentally pushes a hardcoded database password to a public GitHub repository, ThreatNG would detect this "database credential" exposure, enabling the organization to revoke and secure the database.

  • Mobile Application Discovery: ThreatNG finds an organization's mobile apps in marketplaces and identifies embedded access credentials, security credentials, and platform-specific identifiers within them. If a mobile app contains an unencrypted API key, ThreatNG would flag it, allowing the organization to update the app and remove the vulnerable credential.

  • Search Engine Exploitation: This helps users investigate an organization’s susceptibility to exposing information via search engines, including errors, sensitive information, public passwords, and user data. If an organization's internal admin page is inadvertently indexed by a search engine and discovered by ThreatNG, it highlights a critical misconfiguration.

  • Cloud and SaaS Exposure: Identifies sanctioned and unsanctioned cloud services, impersonations, and open exposed cloud buckets across AWS, Azure, and Google Cloud Platform. It also identifies various SaaS implementations. For example, if ThreatNG identifies an open AWS S3 bucket belonging to the organization, it flags a data leak risk, allowing it to secure the bucket.

  • Online Sharing Exposure: ThreatNG detects an organization's presence on online code-sharing platforms like Pastebin and GitHub Gist. If an employee pastes sensitive company information or code snippets on Pastebin, ThreatNG detects this exposure, prompting the organization to investigate and mitigate the leak.

  • Dark Web Presence: Identifies organizational mentions of related people, places, or things, associated ransomware events, and compromised credentials. If ThreatNG finds compromised employee credentials being sold on dark web forums, it provides immediate intelligence for account resets and strengthens phishing defenses.
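The Code Secret Exposure and Mobile App Exposure ratings and the Sensitive Code Exposure, Mobile Application Discovery and Online Sharing Exposure modules all rest on the same primitive: matching known credential formats in text that was never meant to be public. The scanner below is an added example, not ThreatNG's engine. The artifacts are constructed (the AWS values are the placeholder keys AWS uses in its own documentation, and the paste contains no real key material), and the rule set is a small illustrative subset.

```python
"""Secret-pattern scan over exposed artifacts: repository files, strings
recovered from a decompiled mobile app, and a public paste.

Added example, not ThreatNG's scanner. Artifacts are constructed; the AWS
values are the placeholder keys from AWS's own documentation, and the rule
set is an illustrative subset (assumption).
"""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    min_entropy: float = 0.0   # only the generic rule is entropy-gated


RULES = [
    Rule("aws_access_key_id",
         re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")),
    Rule("aws_secret_access_key",
         re.compile(r"(?i)aws.{0,25}?secret.{0,25}?['\"]([A-Za-z0-9/+=]{40})['\"]")),
    Rule("private_key",
         re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    Rule("url_credential",
         re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s/:@]+:([^\s@]+)@")),
    # Keyword + assignment + long value, gated on entropy so that obvious
    # placeholders ("password = aaaaaaaaaaaaaaaaaaaa") do not fire.
    Rule("generic_high_entropy",
         re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*[\"']?([^\s\"'<>]{16,})"),
         min_entropy=3.0),
]


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    rule: str
    redacted: str   # never log the full secret; a prefix is enough for triage


def shannon_entropy(s):
    """Bits per character: random 32-char hex scores about 3.9, repeated or dictionary text far less."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    return value[:4] + "*" * max(len(value) - 4, 4)


def scan_artifacts(artifacts):
    """artifacts: {source_path: text}. Returns one Finding per (line, rule) hit."""
    findings = []
    for source, text in artifacts.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule in RULES:
                m = rule.pattern.search(line)
                if not m:
                    continue
                value = m.group(m.lastindex or 0)  # captured secret, or the whole match
                if shannon_entropy(value) < rule.min_entropy:
                    continue
                findings.append(Finding(source, lineno, rule.name, redact(value)))
    return findings


# --- constructed artifacts (not real leaks) ---------------------------------
ARTIFACTS = {
    "repo/config/settings.py": (
        "DEBUG = False\n"
        "DATABASE_URL = 'postgres://app:Tr0ub4dor&3xample@db.internal:5432/app'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "mobile/decompiled/com/example/app/Config.kt": (
        "object Config {\n"
        '    const val BASE_URL = "https://api.example.com"\n'
        '    const val BACKEND_TOKEN = "9f2c7e1a4b8d3065ce7a1f9b2d4c6e80"\n'
        "}\n"
    ),
    "paste/pastebin-abc123.txt": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA(remainder omitted)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


if __name__ == "__main__":
    for f in scan_artifacts(ARTIFACTS):
        print(f"{f.source}:{f.line} [{f.rule}] {f.redacted}")
```

Two design points carry over to any real deployment. Findings are stored redacted, because a scanner that copies every secret it finds into a ticketing system creates a second leak. And the generic keyword rule is gated on entropy and length rather than trusted on its own; without that gate, every `password = changeme` in a test fixture becomes a finding and the real ones get lost in the noise. Any hit is a revoke-and-rotate event, not just a delete-from-repo event, since git history and third-party mirrors keep the value.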
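The BEC & Phishing Susceptibility rating and the Email Intelligence module both read a domain's SPF and DMARC TXT records. The checker below is an added example (not ThreatNG code) that parses those records and grades how easily mail can be forged from the domain. The records are constructed inline so it runs offline, and the severity levels are an assumption of this example.

```python
"""SPF/DMARC posture check: how easily can mail be forged from this domain?

Added example, not ThreatNG code. The TXT records are constructed inline so
the check runs offline; the severity levels are an assumption of this example.
"""
import re

LEVELS = ["low", "medium", "high", "critical"]
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}
# SPF terms that each cost a DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return [(severity, message)] for an SPF TXT record (None if absent)."""
    if record is None:
        return [("high", "no SPF record: receivers cannot reject forged envelope senders")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "record does not start with v=spf1 and will be ignored")]
    issues, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        term = term.lower()
        qualifier, mechanism = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:/=]", mechanism, maxsplit=1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1  # nested includes are not expanded offline; live counts run higher
    if all_qualifier == "+":
        issues.append(("critical", "'+all' lets any host on the internet pass SPF"))
    elif all_qualifier in (None, "?"):
        issues.append(("high", "no '-all'/'~all' terminator: unlisted senders are treated as neutral"))
    elif all_qualifier == "~":
        issues.append(("medium", "'~all' softfail: many receivers only tag forged mail instead of rejecting it"))
    if lookups > 10:
        issues.append(("medium", f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)"))
    return issues


def assess_dmarc(record):
    """Return [(severity, message)] for a _dmarc TXT record (None if absent)."""
    if record is None:
        return [("critical", "no DMARC record: the From: header domain is not policed at all")]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [("critical", "malformed DMARC record (missing v=DMARC1)")]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append(("high", "p=none: failures are reported but still delivered"))
    elif policy not in POLICY_STRENGTH:
        issues.append(("critical", "missing or unknown p= tag: record is invalid"))
    if int(tags.get("pct", "100")) < 100:
        issues.append(("medium", f"pct={tags['pct']}: policy applied to only part of failing mail"))
    if "rua" not in tags:
        issues.append(("low", "no rua= address: no aggregate reports, so abuse goes unseen"))
    return issues


def assess_domain(spf, dmarc):
    """Combine SPF and DMARC findings into a spoofing-susceptibility rating."""
    issues = assess_spf(spf) + assess_dmarc(dmarc)
    worst = max((LEVELS.index(sev) for sev, _ in issues), default=0)
    return LEVELS[worst], issues


# --- constructed TXT records (not real lookups) -----------------------------
RECORDS = {
    "example.com": {"spf": "v=spf1 include:_spf.google.com include:sendgrid.net -all",
                    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"},
    "acme-example.net": {"spf": "v=spf1 ip4:203.0.113.0/24 ~all",
                         "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@acme-example.net"},
    "old-brand.example": {"spf": "v=spf1 +all", "dmarc": None},
    "partner.example.org": {"spf": None, "dmarc": None},
    "events.example.com": {"spf": "v=spf1 mx -all", "dmarc": "v=DMARC1; p=quarantine; pct=20"},
}


def run_example():
    return {domain: assess_domain(**recs)[0] for domain, recs in RECORDS.items()}


if __name__ == "__main__":
    for domain, rating in run_example().items():
        print(f"{domain}: {rating}")
```

On a live domain the inputs are the output of `dig +short TXT example.com` (the record starting `v=spf1`) and `dig +short TXT _dmarc.example.com`. The ratings show why SPF alone is not enough: `acme-example.net` has a valid SPF record yet rates high, because `p=none` means a receiver that sees a failure still delivers the message, and `old-brand.example` shows the worst case a brand's dormant domains tend to be in, which is exactly the kind of domain a BEC actor picks to send from.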

Intelligence Repositories (DarCache)

ThreatNG maintains continuously updated intelligence repositories, branded as DarCache, which are crucial for enriching CRI:

  • Dark Web (DarCache Dark Web): Provides intelligence on compromised credentials (DarCache Rupture) and ransomware groups and activities (DarCache Ransomware), tracking over 70 ransomware gangs. This feeds directly into understanding BEC & phishing susceptibility and breach & ransomware susceptibility.

  • Vulnerabilities (DarCache Vulnerability): Offers a holistic and proactive approach to managing external risks and vulnerabilities. It includes:

    • NVD (DarCache NVD): Provides detailed technical characteristics and potential impact of vulnerabilities.

    • EPSS (DarCache EPSS): Estimates the probability that a vulnerability will be exploited in the near term (EPSS scores express the likelihood of exploitation within the next 30 days), allowing for forward-looking prioritization.

    • KEV (DarCache KEV): Identifies vulnerabilities actively exploited in the wild, enabling prioritization of immediate threats.

    • Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): Provides direct links to PoC exploits, accelerating understanding of how a vulnerability can be exploited and aiding reproduction and mitigation strategy development. This means if ThreatNG identifies a vulnerability on an organization's server with a verified PoC exploit in DarCache eXploit, it immediately highlights the urgency for remediation.

  • SEC Form 8-Ks (DarCache 8-K): Provides access to publicly filed SEC Form 8-Ks, which can contain crucial risk and oversight disclosures relevant to an organization's financial and reputational risk. This contributes to understanding brand damage and data leak susceptibility.
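DarCache NVD, EPSS, KEV and eXploit each answer a different question (how bad, how likely, already being exploited, how easy), and the Risk Scoring and Prioritization step of CRI combines them with the organization's own asset context. The scorer below is an added example of that combination. It is not ThreatNG's scoring model; the weights are assumptions of this example, and the CVE identifiers and scores are constructed placeholders.

```python
"""Risk-based vulnerability prioritisation: CVSS (NVD) for severity, EPSS and
KEV for likelihood, public PoC availability, plus the organisation's own
exposure and asset context.

Added example; not ThreatNG's scoring model. The weights, the CVE identifiers
and the scores are constructed placeholders (assumptions of this example).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    asset: str
    cvss: float             # NVD base score 0-10: how bad if exploited
    epss: float             # EPSS 0-1: probability of exploitation in the next 30 days
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities catalog
    public_poc: bool        # a verified proof-of-concept exploit is public
    internet_exposed: bool  # reachable from the internet (on the external attack surface)
    asset_criticality: int  # organisation's own rating, 1 (low) .. 3 (crown jewel)


@dataclass(frozen=True)
class Scored:
    cve: str
    asset: str
    risk: int       # 0-100
    tier: str       # P1 patch now, P2 this cycle, P3 backlog
    rationale: str


def likelihood(v):
    """Estimate of the chance this particular instance gets exploited."""
    p = v.epss
    if v.in_kev:
        p = max(p, 0.95)   # exploited in the wild already: treat as near-certain
    elif v.public_poc:
        p = max(p, 0.50)   # a public PoC makes weaponisation cheap
    if not v.internet_exposed:
        p *= 0.30          # attacker needs a foothold first (assumed 70% discount)
    return p


def impact(v):
    """Severity scaled by how much the organisation cares about the asset."""
    return (v.cvss / 10) * (v.asset_criticality / 3)


def score(v):
    p, i = likelihood(v), impact(v)
    risk = p * i * 100
    kev_exposed = v.in_kev and v.internet_exposed
    if kev_exposed or risk >= 40:
        tier = "P1"   # KEV on an exposed asset is P1 regardless of the computed score
    elif risk >= 15:
        tier = "P2"
    else:
        tier = "P3"
    rationale = f"likelihood={p:.2f} impact={i:.2f}" + (" KEV on exposed asset" if kev_exposed else "")
    return Scored(v.cve, v.asset, round(risk), tier, rationale)


def prioritize(vulns):
    """Rank by tier first, then by risk score within a tier."""
    return sorted((score(v) for v in vulns), key=lambda s: (s.tier, -s.risk))


# --- constructed findings (placeholder CVE IDs, not real advisories) --------
FINDINGS = [
    #    cve             asset                    cvss  epss  kev    poc    exposed crit
    Vuln("CVE-2099-0001", "vpn.example.com",        9.8, 0.97, True,  True,  True,   3),
    Vuln("CVE-2099-0002", "build-runner-07",        9.1, 0.02, False, False, False,  3),
    Vuln("CVE-2099-0003", "blog.example.com",       7.5, 0.40, False, True,  True,   2),
    Vuln("CVE-2099-0004", "api.example.com",        5.3, 0.89, False, False, True,   3),
    Vuln("CVE-2099-0005", "marketing.example.com",  8.8, 0.01, True,  False, True,   1),
]


if __name__ == "__main__":
    for s in prioritize(FINDINGS):
        print(f"{s.tier} risk={s.risk:3d} {s.cve} on {s.asset}  ({s.rationale})")
```

The point the ranking makes is that CVSS alone orders the list wrong. CVE-2099-0002 carries a 9.1 base score but lands last: nothing reaches the build runner from the internet and EPSS puts exploitation at 2%. CVE-2099-0004 is a 5.3 that most CVSS-driven queues would defer, yet it sits on an exposed crown-jewel API with an 89% EPSS and goes to P1. The KEV override mirrors the practice the catalog is built around: entries already being exploited go first, on the assets that are reachable, whatever the computed number says.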

Complementary Solutions

While ThreatNG is a comprehensive solution, it can synergize with other cybersecurity tools to further enhance an organization's CRI.

  • Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's external discovery and assessment data, including identified vulnerabilities, exposed assets, and security ratings, can be fed into a SIEM for correlation with internal logs and events. For example, if ThreatNG reports a newly discovered critical vulnerability on a public-facing server, the SIEM can watch for exploitation attempts against that specific vulnerability, while a SOAR platform automates the creation of a patching ticket for the security team and blocks suspicious source IP addresses.

  • Vulnerability Management Solutions: ThreatNG's vulnerability intelligence from DarCache NVD, EPSS, and KEV can enrich a dedicated vulnerability management solution. A vulnerability scanner may report hundreds of findings; ThreatNG's EPSS and KEV data help prioritize the ones most likely to be exploited in the wild, allowing for more efficient patching cycles.

  • Endpoint Detection and Response (EDR) Solutions: ThreatNG's intelligence on compromised credentials from the dark web can inform EDR solutions. If ThreatNG identifies a set of compromised user credentials, the EDR can proactively monitor the endpoints associated with those users for suspicious activity, such as unusual login attempts or data exfiltration.

  • Incident Response Platforms: When ThreatNG identifies a ransomware event or a significant data leak susceptibility, this information can directly trigger or inform an incident response playbook within an incident response platform. For example, if ThreatNG detects compromised credentials for a specific executive and ransomware activity targeting similar organizations, the incident response platform can immediately initiate a targeted investigation and containment strategy.

Organizations can build a more robust, holistic, and proactive Cyber Risk Intelligence program by combining ThreatNG's external perspective and rich intelligence with the internal visibility and response capabilities of complementary solutions.
