Digital Identity Portfolio
A Digital Identity Portfolio in the context of cybersecurity refers to the complete collection, or catalog, of all digital representations and credentials associated with an individual or an organization across the entire digital ecosystem.
It is a comprehensive view of every digital asset that establishes and verifies who or what an entity is in the online world, and critically, how those identities are managed and secured.
Components of an Organizational Digital Identity Portfolio
For an enterprise, this portfolio extends far beyond simple employee usernames and includes every form of identity used to interact with the digital world:
Human Identities:
Employee Accounts: Usernames, passwords, multi-factor authentication (MFA) tokens, and role-based access controls (RBAC) across corporate networks, SaaS applications, cloud portals, and collaboration platforms.
External Partner Accounts: Identities granted to contractors, vendors, and business partners for temporary or limited access to specific systems.
Machine and Service Identities:
API Keys and Tokens: Non-human credentials that applications present when they call each other over Application Programming Interfaces (APIs). Each key or token represents an application's identity and carries that application's permissions, so it is only as safe as the place it is stored.
Service Accounts: Automated accounts used by background services, scripts, and IT systems (e.g., backup systems, monitoring tools) to operate without direct human oversight.
Cloud Credentials: Access keys, secret keys, and roles used to provision, manage, and access resources within cloud environments (e.g., AWS, Azure, GCP).
External Digital Presence Identities:
Domain Names and Certificates: The official domain names, subdomains, and the SSL/TLS certificates that vouch for the authenticity of the organization’s websites. These establish the brand's verified identity to the public.
Social Media Accounts: Official accounts on public platforms that represent the brand and are used for communication and marketing.
Mobile App Identities: The registration and publishing credentials associated with applications in marketplaces like the Apple App Store or Google Play.
Security Context
The management of the Digital Identity Portfolio is central to modern cybersecurity because every identity, human or machine, is a potential entry point. A compromise of any single component (e.g., a hardcoded API key or a phished employee password) gives an attacker whatever that identity is trusted to do, and from there a path to every other identity that trusts it. Effective security therefore requires continuous monitoring and policy enforcement across all of these identities to prevent fraud, data breaches, and Account Takeovers (ATO).
ThreatNG provides a comprehensive system for managing and securing the external aspects of an organization's Digital Identity Portfolio by continuously monitoring for exposed credentials, misconfigured assets, and brand impersonation.
How ThreatNG Secures the Digital Identity Portfolio
ThreatNG’s capabilities focus on the external risks that compromise digital identities, whether they are human (employees) or machine (API keys).
External Discovery and Continuous Monitoring
ThreatNG performs purely external, unauthenticated discovery using no connectors, which is essential for identifying the digital identity portfolio as an attacker sees it rather than as the internal inventory describes it. The continuous monitoring capability ensures that every external digital identity, from domains to cloud environments, is checked for exposures on an ongoing basis, so that the exposure of one identity is found before it can be used to compromise the rest of the portfolio.
External Assessment for Identity Risks
Several security ratings directly address compromises within the Digital Identity Portfolio:
Data Leak Susceptibility Security Rating: This rating is derived from uncovering external digital risks including Compromised Credentials.
Identity Portfolio Example: Compromised Credentials found externally confirm that human identities in the organization's portfolio (e.g., employee usernames and passwords) are now available to anyone holding the leak, which is exactly what an attacker needs to attempt Account Takeover (ATO) fraud against those accounts.
Cyber Risk Exposure Security Rating: This rating addresses the security posture of machine identities.
Identity Portfolio Example: The rating includes Sensitive Code Discovery and Exposure (code secret exposure). A code secret exposure often involves a leaked API key or token—a machine identity—which an adversary can use to access resources without needing a human password.
BEC & Phishing Susceptibility Security Rating: This identifies how easily an attacker can target human identities.
Identity Portfolio Example: This rating is based on factors like Email Format Guessability and Compromised Credentials. Easy-to-guess email formats make the enumeration and targeting of employee identities simple for a phisher, allowing them to steal credentials and hijack the employee's digital identity.
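The reason Email Format Guessability matters is that a handful of public addresses is usually enough to recover the organization's naming convention, and from there any employee name found on a professional network becomes a valid target address. The following is an added example, not ThreatNG's code or method: it infers the address format from a few constructed (name, email) samples and then generates candidate addresses for other names. The format table, the sample names and the domain are assumptions for illustration.

```python
import re
from collections import Counter

# Candidate local-part conventions, each a function of (first, last).
# This table is an assumption; real organisations use others as well.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first.l":    lambda f, l: f"{f}.{l[0]}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def _normalize(name):
    """Lower-case and strip anything that is not a letter, so "O'Brien" -> "obrien"."""
    return re.sub(r"[^a-z]", "", name.lower())


def infer_format(observed):
    """observed: list of (full_name, email) pairs harvested from public sources.

    Returns (format_name, confidence), where confidence is the fraction of
    samples that matched the winning format, or (None, 0.0) if nothing fits.
    Middle names are ignored: the first and last whitespace-separated tokens
    are taken as first and last name."""
    votes = Counter()
    for full_name, email in observed:
        parts = full_name.split()
        if len(parts) < 2:
            continue  # cannot derive a first/last pair from a single token
        first, last = _normalize(parts[0]), _normalize(parts[-1])
        local = email.split("@")[0].lower()
        for fmt_name, fmt in FORMATS.items():
            if fmt(first, last) == local:
                votes[fmt_name] += 1
    if not votes:
        return None, 0.0
    fmt_name, count = votes.most_common(1)[0]
    return fmt_name, count / len(observed)


def generate_candidates(names, domain, fmt_name):
    """Addresses each listed person would have if the inferred format holds."""
    fmt = FORMATS[fmt_name]
    candidates = []
    for full_name in names:
        parts = full_name.split()
        if len(parts) < 2:
            continue
        local = fmt(_normalize(parts[0]), _normalize(parts[-1]))
        candidates.append(f"{local}@{domain}")
    return candidates


# Constructed samples: a few "public" addresses an attacker might collect.
OBSERVED = [
    ("Jane Doe", "jane.doe@example.com"),
    ("Tom O'Brien", "tom.obrien@example.com"),
    ("Ana Maria Silva", "ana.silva@example.com"),
    ("Sam Park", "spark@example.com"),  # one legacy-format account
]

if __name__ == "__main__":
    fmt_name, confidence = infer_format(OBSERVED)
    print(f"inferred format: {fmt_name} (confidence {confidence:.0%})")
    for addr in generate_candidates(["Bob Lee", "Priya Raman"], "example.com", fmt_name):
        print("candidate target:", addr)
```

Three samples are enough here to reach 75% confidence on first.last, which is the point: a predictable format turns a public staff list into a phishing target list. The defensive reading is the same calculation run against your own organization to see how many of your accounts an outsider can derive.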
Investigation Modules
ThreatNG's investigation modules actively map and expose various components of the digital identity portfolio:
Sensitive Code Exposure - Code Repository Exposure: This module is critical for identifying leaked machine identities.
Module Example: It discovers public code repositories that expose Access Credentials (like an AWS Access Key ID, Stripe API Key, or Slack Token) and Security Credentials (like a Private SSH key). These exposed credentials are high-value machine identities that an attacker can immediately use to gain privileged access.
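To make the code secret exposure described under the Cyber Risk Exposure rating and in the module above concrete, here is an added example of the pattern-matching core of such a scan. It is not ThreatNG's code; it uses prefix patterns that are publicly documented for the credential types the module names (AWS Access Key IDs, Stripe secret keys, Slack tokens, PEM private key headers) and adds two things a practitioner needs: placeholder detection, so documentation samples such as AWS's AKIAIOSFODNN7EXAMPLE are not paged out as live keys, and redaction, so the finding can be tracked without copying the secret into a ticket. The sample file content is constructed and every value in it is fake.

```python
import re

# Publicly documented prefixes for the credential kinds discussed on the page.
# Word boundaries keep ordinary prose and long base64 blobs from matching.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "stripe_secret_key": re.compile(r"\b(sk_(?:live|test)_[0-9A-Za-z]{24,})\b"),
    "slack_token":       re.compile(r"\b(xox[abprs]-[0-9A-Za-z-]{10,})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)"),
}

# Substrings that mark a value as a documentation sample rather than a live secret.
PLACEHOLDER_MARKERS = ("example", "xxxx", "<your", "redacted", "changeme")


def redact(secret, keep=4):
    """Keep only the trailing characters so a finding is trackable but not reusable."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def scan_text(text, source="<memory>"):
    """Scan text line by line and return findings as dicts.

    A finding never carries the full secret: only its kind, location, a redacted
    form, and whether it looks like a placeholder. The private-key pattern only
    matches the PEM header, so that header is reported as-is."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                lowered = secret.lower()
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "redacted": secret if kind == "private_key_block" else redact(secret),
                    "placeholder": any(marker in lowered for marker in PLACEHOLDER_MARKERS),
                })
    return findings


def live_findings(findings):
    """Findings that are not recognisable placeholders: the ones to act on first."""
    return [f for f in findings if not f["placeholder"]]


# Constructed sample of a committed config file. Every value is fake.
SAMPLE_REPO_FILE = """\
# config.py - constructed sample; every value below is fake
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
OLD_KEY = "AKIAABCDEFGHIJKLMNOP"
STRIPE_KEY = "sk_live_0000000000000000000000FAKE"
SLACK_BOT = "xoxb-123456789012-ABCDEFGHIJKLMNOPQRST"
-----BEGIN OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_REPO_FILE, source="config.py"):
        flag = "placeholder" if finding["placeholder"] else "LIVE"
        print(f"{finding['source']}:{finding['line']} {finding['kind']} {finding['redacted']} [{flag}]")
```

Two caveats the code makes visible. A prefix match proves exposure, not validity: an `AKIA` key may already be disabled, so the finding should drive a check of the key's status and recent use, not just a ticket. And the PEM header is reported on its own because the key material on the following lines is the secret; the scanner deliberately never echoes it.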
Username Exposure: This module directly addresses the external visibility of human identities.
Module Example: It conducts a Passive Reconnaissance scan to determine if an individual's username is taken across a wide range of social media and high-risk forums. Flagging a taken username allows the security team to preemptively secure the individual’s identity or monitor it for social engineering attempts that aim to compromise their corporate identity.
Domain Intelligence - Certificate Intelligence: This module validates the authenticity of the brand's digital identity.
Module Example: It analyzes TLS Certificates and links them to Associated Organizations. Certificates serve as the public identity verification for the organization's domains and subdomains, so an expired, mismatched, or otherwise invalid certificate is a flag that the identity of that host can no longer be verified by the people connecting to it and that the asset's ownership and management should be investigated.
Intelligence Repositories (DarCache)
ThreatNG’s intelligence repositories are rich sources of compromised digital identity elements:
DarCache Rupture (Compromised Credentials): This repository is a constant feed of compromised human identities (usernames and passwords) that have been leaked outside the organization. This allows security teams to proactively force password resets for accounts whose identities have been compromised.
DarCache Mobile: This tracks the presence of Access Credentials and Security Credentials within mobile app binaries. These hardcoded items are machine identities that, if exposed, offer an attacker a direct path into the corporate network or cloud infrastructure.
Cooperation with Complementary Solutions
ThreatNG's contextualized intelligence on compromised identities is crucial for triggering automated defense in other tools.
Complementary Solutions Example 1 (Identity and Access Management - IAM): When ThreatNG identifies an exposed AWS Access Key ID (a machine identity) through its Sensitive Code Exposure module, this critical finding can be sent immediately to a complementary IAM solution. The IAM system can then use the intelligence to revoke the exposed key automatically and force re-issuance, neutralizing the compromised identity before an attacker can exploit it. Revocation is only half the response: the key's recent activity should also be reviewed for signs that it was already used, and the workloads that depended on it need the replacement credential delivered through a secrets store rather than a new commit.
Complementary Solutions Example 2 (Security Information and Event Management - SIEM): If ThreatNG flags a high volume of Compromised Credentials in its DarCache Rupture repository, this intelligence can be fed to a SIEM solution. The SIEM can then place the compromised usernames on high-priority watch lists, alert on or block login attempts for those accounts that originate from unfamiliar IP addresses, and trigger a credential reset, preventing a high-risk ATO attempt on a human identity.
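The DarCache Rupture and SIEM passages above describe one detection pipeline: take a compromised-credential feed, keep the entries that belong to your domain, and treat logins for those accounts from unfamiliar sources as high priority. The following added example (not ThreatNG's or any SIEM vendor's code) runs that logic over constructed inputs. The feed record layout, the `user=... src=... result=...` log line format, and the corporate egress ranges are all assumptions; the IP ranges are from the RFC 5737 documentation space.

```python
import ipaddress
import re

CORP_DOMAIN = "example.com"

# Assumed corporate egress and VPN ranges; logins from elsewhere are "unfamiliar".
KNOWN_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed feed records as (email, exposed_secret, leak_name). Secrets are fake.
BREACH_FEED = [
    ("alice@example.com", "hunter2", "forum-dump-2023"),
    ("Bob@Example.com", "P@ssw0rd!", "sample-leak"),
    ("someone@other.example", "letmein", "forum-dump-2023"),
]

# Assumed log line format for the authentication source.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def build_watchlist(feed, domain):
    """Map each corporate username in the feed to the set of leaks it appeared in.

    Domain matching is case-insensitive; entries for other domains are dropped."""
    watch = {}
    for email, _secret, leak in feed:
        local, _, dom = email.lower().partition("@")
        if dom == domain:
            watch.setdefault(local, set()).add(leak)
    return watch


def is_known_source(ip):
    """True when the address sits inside one of the assumed corporate ranges.

    Anything unparseable is treated as unfamiliar rather than raising."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_NETWORKS)


def evaluate_logins(lines, watch):
    """Return alerts for watch-listed accounts seen from unfamiliar sources.

    A successful login is high severity (the leaked credential worked).
    Failures are aggregated per (user, source) as medium severity, since
    repeated failures from one host look like credential testing."""
    alerts = []
    failures = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole batch
        user, src, result = m["user"].lower(), m["src"], m["result"]
        if user not in watch or is_known_source(src):
            continue
        if result == "success":
            alerts.append({"severity": "high", "user": user, "src": src, "count": 1,
                           "leaks": sorted(watch[user]),
                           "action": "terminate session, force reset, require MFA"})
        else:
            failures[(user, src)] = failures.get((user, src), 0) + 1
    for (user, src), count in failures.items():
        alerts.append({"severity": "medium", "user": user, "src": src, "count": count,
                       "leaks": sorted(watch[user]),
                       "action": "force reset, watch source for further attempts"})
    return alerts


# Constructed authentication log lines.
LOG_LINES = """\
2024-05-01T08:02:11Z user=alice src=203.0.113.7 result=success
2024-05-01T08:05:43Z user=alice src=192.0.2.44 result=success
2024-05-01T08:06:01Z user=bob src=192.0.2.44 result=failure
2024-05-01T08:06:05Z user=bob src=192.0.2.44 result=failure
2024-05-01T08:07:30Z user=carol src=192.0.2.44 result=success
""".splitlines()

if __name__ == "__main__":
    watch = build_watchlist(BREACH_FEED, CORP_DOMAIN)
    print("reset required for:", ", ".join(sorted(watch)))
    for alert in evaluate_logins(LOG_LINES, watch):
        print(alert)
```

Note what the example does not do: alice's login from the corporate range produces no alert, but her account is still on the reset list, because a leaked password is a problem regardless of where the next login comes from. The watch list drives both the detection rule and the reset campaign.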