Digital Identity Unification


Digital Identity Unification in cybersecurity collects, links, and consolidates all disparate digital attributes and identifiers that refer to the same real-world entity into a single, cohesive, and accurate profile. In essence, it's about solving the "who is who" and "what is what" problem in a complex digital landscape to gain a complete and consistent view of users, devices, applications, and other assets that operate within or interact with an organization's systems.

The Challenge it Addresses:

Modern organizations operate with a vast and fragmented digital footprint. Information about a single user, device, or application can be spread across numerous systems, each using different identifiers or formats:

  • User Identities: A single employee might have a corporate email address, a network username, a VPN account, a Salesforce login, an HR system ID, a physical access badge number, and potentially personal accounts found in data breaches. Without unification, these appear as separate entities, making tracking their overall activity or risk difficult.

  • Device Identities: A laptop might have a hostname, an IP address (which changes), a MAC address, a device ID from an endpoint detection and response (EDR) solution, and a serial number from an asset management system.

  • Application Identities: A web application might be identified by multiple domain names, IP addresses, internal hostnames, and specific service IDs.

  • Threat Actors: A malicious actor might use various aliases, IP addresses, toolsets, and compromised credentials across attack campaigns.

This fragmentation leads to:

  • Siloed Data: Security teams have data spread across SIEMs, EDRs, identity management systems, threat intelligence platforms, and vulnerability scanners, making comprehensive analysis difficult.

  • Incomplete Context: Alerts or events related to a single entity are often viewed in isolation, lacking the full context of that entity's other activities or associated risks.

  • False Positives/Negatives: Inability to accurately link data can lead to missed threats (false negatives) or overwhelming noise (false positives).

  • Inefficient Incident Response: Security analysts waste critical time manually correlating information from various sources during an incident.

How Digital Identity Unification Works:

Digital Identity Unification typically involves several key steps and underlying techniques:

  1. Data Ingestion and Normalization: Data is collected from all relevant sources (e.g., directory services, HR databases, security logs, asset inventories, cloud provider APIs, threat intelligence feeds). This data is then normalized into a standard format, handling variations, aliases, and inconsistencies.

  2. Feature Extraction: Key attributes and identifiers are extracted from each data record. These serve as potential matching points (e.g., email addresses, phone numbers, IP addresses, unique device IDs, physical addresses, timestamps, login patterns).

  3. Matching and Linking Algorithms: This is the core of unification, where algorithms determine if different records refer to the same entity. This goes beyond simple exact matches and often involves:

    • Deterministic Matching: This is rule-based matching in which exact matches on critical, unique identifiers (e.g., a specific employee ID, a unique MAC address for a device) definitively link records.

    • Probabilistic Matching (Fuzzy Matching): Statistical algorithms that calculate the probability that two records refer to the same entity even if some attributes differ slightly (e.g., "John Doe" vs. "J. Doe," or slightly different spellings, or near-matching IP addresses over time). Machine learning is often employed here to learn matching patterns.

    • Graph-based Analysis: This is a powerful technique where all collected attributes and relationships are modeled as a graph (nodes for identifiers/attributes, edges for relationships). Algorithms then traverse the graph to identify clusters of interconnected nodes that likely represent the same real-world entity. For example, if multiple accounts consistently log in from the same unique device ID and IP address range, a graph can infer they all belong to the same user or group of users.

  4. Consolidation and Golden Records: Once records are identified as belonging to the same entity, they are linked or merged to create a "golden record" or a unified entity profile. This profile aggregates each entity's known attributes, activities, and risks.

  5. Continuous Enrichment: The unified identities are continuously updated as new data streams in. This ensures that the profiles remain accurate and reflect an entity's current state.
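The five steps above, carried through end to end as an added Python example (this is illustrative code written for this page, not ThreatNG's or any vendor's implementation). The records come from four hypothetical sources, HR, Active Directory, a VPN log and a breach dump, and are constructed sample data; the field names, weights and the 0.75 match threshold are assumptions chosen for the illustration. Deterministic matching uses an inverted index on exact keys, probabilistic matching scores e-mail and name similarity, and graph clustering is done with union-find, where every match is an edge and each connected component becomes one golden record.

```python
"""Toy identity unification pipeline: ingest/normalize -> extract features ->
match (deterministic + probabilistic + graph clustering) -> golden records -> enrich.
Constructed sample data; not the page's or any vendor's code."""
from collections import defaultdict
from difflib import SequenceMatcher
import re

# Constructed records from four hypothetical sources; field names differ per source on purpose.
RAW_RECORDS = [
    {"source": "hr", "emp_id": "E1001", "name": "John Doe", "mail": "John.Doe@Example.com"},
    {"source": "ad", "sAMAccountName": "jdoe", "employeeID": "e1001", "mail": "john.doe@example.com"},
    {"source": "vpn", "user": "jdoe", "src_ip": "203.0.113.7"},
    {"source": "breach", "email": "j.doe@example.com", "name": "J. Doe"},
    {"source": "hr", "emp_id": "E1002", "name": "Jane Roe", "mail": "jane.roe@example.com"},
    {"source": "ad", "sAMAccountName": "jroe", "employeeID": "E1002", "mail": "jane.roe@example.com"},
]

# Step 1: normalization. Source-specific field names are mapped onto one schema and
# values are lower-cased and stripped, so "E1001" and "e1001" compare equal.
FIELD_ALIASES = {
    "employee_id": ("emp_id", "employeeID"),
    "username": ("sAMAccountName", "user"),
    "email": ("mail", "email"),
    "name": ("name",),
    "ip": ("src_ip",),
}

def normalize(rec):
    out = {"source": rec["source"]}
    for canon, keys in FIELD_ALIASES.items():
        for k in keys:
            if rec.get(k):
                out[canon] = rec[k].strip().lower()
                break
    return out

# Step 2: feature extraction. Exact-match keys feed deterministic matching; derived
# features (surname + first initial, e-mail local part / domain) feed probabilistic matching.
DETERMINISTIC_KEYS = ("employee_id", "username", "email")

def name_key(name):
    # "john doe" and "j. doe" both become ("doe", "j").
    parts = re.sub(r"[^a-z ]", "", name).split()
    return (parts[-1], parts[0][0]) if len(parts) >= 2 else None

def features(rec):
    f = {k: rec[k] for k in DETERMINISTIC_KEYS if k in rec}
    if "name" in rec:
        f["name_key"] = name_key(rec["name"])
    if "email" in rec and "@" in rec["email"]:
        f["email_local"], f["email_domain"] = rec["email"].split("@", 1)
    return f

# Step 3b: probabilistic score in [0, 1] for two records that share no exact key.
# Weights are assumptions: same mail domain 0.2, local-part similarity up to 0.4, name key 0.4.
def match_probability(fa, fb):
    score = 0.0
    if fa.get("email_domain") and fa.get("email_domain") == fb.get("email_domain"):
        score += 0.2
        score += 0.4 * SequenceMatcher(None, fa["email_local"], fb["email_local"]).ratio()
    if fa.get("name_key") and fa.get("name_key") == fb.get("name_key"):
        score += 0.4
    return score

# Step 3: union-find over record indices; deterministic and probabilistic matches are the
# graph's edges, and each connected component is one real-world entity.
def unify(raw_records, threshold=0.75):
    recs = [normalize(r) for r in raw_records]
    feats = [features(r) for r in recs]
    parent = list(range(len(recs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    # Step 3a: deterministic edges from an inverted index on each exact key.
    index = defaultdict(list)
    for i, f in enumerate(feats):
        for k in DETERMINISTIC_KEYS:
            if k in f:
                index[(k, f[k])].append(i)
    for members in index.values():
        for j in members[1:]:
            union(members[0], j)
    # Probabilistic edges only between records still in different components.
    for i in range(len(recs)):
        for j in range(i + 1, len(recs)):
            if find(i) != find(j) and match_probability(feats[i], feats[j]) >= threshold:
                union(i, j)

    # Step 4: consolidate each component into a golden record of attribute sets.
    golden = defaultdict(lambda: defaultdict(set))
    for i, r in enumerate(recs):
        for k, v in r.items():
            golden[find(i)][k].add(v)
    return [dict(g) for g in golden.values()]

# Step 5: continuous enrichment re-runs unification with the new stream appended,
# so a fresh VPN login joins the existing profile instead of creating a duplicate.
def enrich(raw_records, new_records):
    return unify(raw_records + list(new_records))

def entity_for(golden_records, identifier):
    # Resolve any known identifier (e-mail, username, IP, ...) to its unified profile.
    for g in golden_records:
        if any(identifier in vals for vals in g.values()):
            return g
    return None

if __name__ == "__main__":
    profiles = enrich(RAW_RECORDS, [{"source": "vpn", "user": "jdoe", "src_ip": "198.51.100.23"}])
    for p in profiles:
        print({k: sorted(v) for k, v in p.items()})
```

Running the block prints two golden records: one for John Doe that unites the HR, AD, VPN and breach records (the breach row joins only through the probabilistic edge, since its e-mail differs from the corporate one), and one for Jane Roe. The `threshold` parameter is where a deployment trades false merges against missed links; in production the weights would be learned or tuned against labelled pairs rather than hard-coded.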

Benefits in Cybersecurity:

  • Comprehensive Situational Awareness: Provides a 360-degree view of users, devices, and other assets, enabling security teams to understand their overall behavior and risk profile.

  • Enhanced Threat Detection: By linking all activity to a single identity, subtle patterns of malicious behavior (e.g., an attacker using multiple temporary accounts or IP addresses) become visible, improving the detection of advanced persistent threats (APTs) and insider threats.

  • Faster Incident Response: Security analysts can quickly access all relevant information about a compromised entity (user, device, application), accelerating investigation, containment, and remediation efforts.

  • Accurate Risk Assessment: This enables a more precise calculation of risk by aggregating all known vulnerabilities, exposures, and threat intelligence associated with a unified identity.

  • Improved Compliance and Auditing: Provides a clear, auditable trail of an entity's actions and access across various systems.

  • Better Asset Management: Ensures an accurate inventory of all digital assets by resolving duplicates and linking related components.

  • Reduced Alert Fatigue: Richer context helps differentiate between legitimate activity and actual threats, leading to fewer false positives.

ThreatNG, through its extensive external data collection and analysis, implicitly performs Digital Identity Unification by resolving disparate external digital attributes into coherent entities. ThreatNG's capabilities—from discovering various digital footprints to correlating them with vulnerabilities and threat intelligence—demonstrate a robust process of building unified profiles for organizations, their assets, and even associated individuals, all from an outside-in perspective.

ThreatNG’s External Discovery: Gathering Fragmented Digital Identities

ThreatNG's purely external, unauthenticated discovery without connectors is the initial phase for collecting fragmented digital identities. It identifies numerous public-facing attributes that, in isolation, might seem unrelated but collectively belong to a single entity.

  • Domains and Subdomains: ThreatNG discovers example.com and then enumerates subdomains like mail.example.com, vpn.example.com, and dev.example.com. These are initially separate findings, but ThreatNG unifies them under the umbrella of the example.com organizational identity.

  • IP Addresses and ASNs: ThreatNG identifies various public IP addresses and their associated Autonomous System Numbers (ASNs). It links these IP addresses to the domains they host and the organizations they belong to, unifying them as part of a network infrastructure identity.

  • Mobile Apps and Marketplaces: ThreatNG discovers an organization's mobile applications across numerous marketplaces (e.g., Google Play, Apple App Store). Even if found on different platforms, these are unified to represent the same mobile app entity owned by the organization.

  • Code Repositories: ThreatNG discovers public code repositories. Different repositories (e.g., on GitHub, GitLab) related to the same organization are unified under that organization's development identity.

  • Email and WHOIS Information: It collects domain email addresses and WHOIS data. These disparate pieces of contact and registration information are unified to form a more complete digital identity of the domain owner.

External Assessment: Unifying Identities through Risk Correlation

ThreatNG's external assessment capabilities heavily rely on unifying these discovered identities to build a comprehensive risk profile. They connect vulnerabilities and risks to specific, resolved entities.

  • BEC & Phishing Susceptibility: This score is derived from Domain Intelligence (including Domain Name Permutations and Web3 Domains available/taken, and Email Intelligence providing email security presence and format prediction) and Dark Web Presence (Compromised Credentials). ThreatNG effectively unifies domain identities with email security configurations and compromised credentials. For example, if ThreatNG identifies that example.com has weak SPF records (an attribute of the domain identity) and finds john.doe@example.com (a user identity derived from email intelligence) in a dark web compromise (a compromised credential identity), it unifies these findings. This creates a more robust understanding of the example.com organization's susceptibility to BEC and phishing attacks, showing that its email defenses are weak and specific employee credentials are at risk.

  • Data Leak Susceptibility: This involves Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), Domain Intelligence, and Sentiment and Financials. ThreatNG unifies exposed cloud buckets or SaaS instances (asset identities) with compromised credentials (user identities) linked to the same organization. For example, suppose an exposed AWS S3 bucket for example.com is discovered, and an associated AWS Access Key ID is found in a code repository (both are asset identities). In that case, ThreatNG unifies these to highlight a high-risk data leak potential for the example.com organization, showing how multiple exposed assets converge to a single critical vulnerability.

  • Mobile App Exposure: ThreatNG discovers mobile apps and their contents, including access and security credentials. It unifies the mobile app identity with any sensitive credentials found within it. For instance, if the "Example Bank" mobile app is found in a marketplace, and ThreatNG discovers a hardcoded "Stripe API Key" within its code, it unifies the "Example Bank Mobile App" identity with the exposed "Stripe API Key" identity, linking a direct attack vector to the application itself and, by extension, to the bank.

Reporting and Continuous Monitoring: Leveraging Unified Identities for Insight

The unified digital identities form the basis of ThreatNG's actionable reporting and continuous monitoring.

  • Reporting: Reports like "Ransomware Susceptibility" and "Inventory" leverage these unified identities. Instead of simply listing compromised credentials, ThreatNG links them to the organizational entity, providing a consolidated view of how many unique employees or systems are affected. The "Inventory" report likely unifies all discovered assets, presenting a precise, de-duplicated count and status of an organization's digital footprint.

  • Continuous Monitoring: ThreatNG continuously updates these unified identities as new information emerges. If a new subdomain is registered under example.com or a new IP address is assigned to a known server, ThreatNG automatically integrates this into the existing, unified organizational identity. This ensures that the organization's understanding of its digital footprint and associated risks is always current and accurate.

Investigation Modules: Deep Diving into Unified Identities

ThreatNG's investigation modules allow users to explore these unified digital identities in granular detail.

  • Domain Intelligence: This module provides a comprehensive view of a domain's digital identity. It unifies DNS records, email security presence (DMARC, SPF, DKIM), WHOIS information, and subdomain details (including HTTP responses, headers, technologies, and exposed ports). An analyst investigating example.com can see its unified identity, including all associated subdomains, the IP addresses hosting them, the specific technologies running on those IPs, and any vulnerabilities found on exposed ports, all linked together. For example, suppose dev.example.com (a subdomain identity) is found to be hosted on an IP with an exposed MySQL database port (a service identity) and outdated software (a vulnerability identity). In that case, ThreatNG unifies these to show the holistic risk associated with the dev.example.com environment within the overall example.com entity.

  • Sensitive Code Exposure: This module discovers public code repositories and their contents. It unifies the identity of a code repository with any discovered sensitive credentials (e.g., API keys, private keys, cloud credentials) or configuration files found within it. If ThreatNG finds a public GitHub repository linked to "Example Company" and discovers an "AWS Secret Access Key" within it, it unifies these two identities. The system now understands that the "Example Company GitHub Repository" identity contains a "Sensitive AWS Credential" identity, flagging a critical direct exposure.

Intelligence Repositories: Enriching Unified Identities with Global Context

ThreatNG's DarCache intelligence repositories provide global threat context, further enriching and validating the unified digital identities it builds.

  • DarCache Rupture (Compromised Credentials): This repository contains many compromised credentials. When ThreatNG discovers and identifies email addresses or usernames associated with an organization, it cross-references them with DarCache Rupture. Suppose jdoe@example.com is discovered as an employee email (part of the organization's user identity), and it matches a credential in DarCache Rupture. In that case, ThreatNG unifies this "jdoe@example.com" identity with the "compromised credential" identity, instantly highlighting a direct personal and organizational risk.

  • DarCache Ransomware: This tracks over 70 ransomware gangs and their activities. Suppose ThreatNG unifies an organization's exposed servers (device identities) with specific vulnerabilities or exposed ports known to be exploited by a particular ransomware gang. In that case, it enhances the organization's "Breach & Ransomware Susceptibility" identity, providing a more precise risk profile.

  • DarCache Vulnerability (NVD, EPSS, KEV): This repository contains comprehensive vulnerability information (NVD entries, EPSS scores, and the KEV catalog). When ThreatNG identifies a specific software version (an asset attribute) on a server (a device identity) within an organization's attack surface, it unifies this information with relevant CVEs from DarCache NVD. Suppose that CVE is also in DarCache KEV (actively exploited) or has a high EPSS score (likelihood of exploitation). In that case, ThreatNG further unifies these pieces of intelligence, creating a richer, context-aware identity for that vulnerable asset.

Synergies with Complementary Solutions

ThreatNG's robust digital identity unification capabilities enable seamless integration and enhanced security outcomes when paired with other cybersecurity solutions.

  • Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's unified entity profiles can provide invaluable context to SIEM/SOAR platforms. Suppose ThreatNG unifies a set of observed behaviors to a specific "attacker infrastructure" identity (e.g., multiple C2 domains linked to a known threat actor). In that case, this enriched context can be fed into a SIEM. A SOAR playbook can then use this unified identity to trigger automated blocking rules for all associated indicators or to enhance internal alerts. For example, if a SIEM detects unusual login attempts from an IP address, ThreatNG, having unified that IP to a "compromised user identity" found on the dark web, can provide immediate context, allowing the SIEM to prioritize and the SOAR to initiate a password reset and MFA challenge for that unified user identity.

  • Identity and Access Management (IAM) Solutions: ThreatNG's ability to unify employee or user identities with compromised credentials found on the dark web or exposed via public code repositories directly informs IAM systems. Suppose ThreatNG's unification process reveals that user@example.com (a unified user identity) has their password exposed in a public code repository. In that case, this information can be transmitted to the IAM system, which can then automatically force a password reset for that specific user identity, thereby preventing account compromise.

  • Vulnerability Management Platforms: ThreatNG's unified asset identities, enriched with external attack surface context and vulnerability intelligence, significantly enhance vulnerability management. Suppose ThreatNG unifies a server's identity with multiple high-risk CVEs (from DarCache NVD) and identifies that this server is publicly exposed (an attribute of its unified asset identity). In that case, this comprehensive context can be fed into a vulnerability management platform. The platform can then prioritize remediation efforts for this unified server identity over others, focusing on vulnerabilities that pose an immediate and external threat.

  • Endpoint Detection and Response (EDR) Tools: ThreatNG can provide external context for EDR tools by unifying external digital identities with potential internal counterparts. Suppose ThreatNG identifies a new, externally exposed subdomain (a unified asset identity) used for phishing attempts and discovers it's communicating with an internal device (an endpoint identity detected by EDR). In that case, the EDR tool can use ThreatNG's external unification to understand that this internal communication is part of a broader external attack campaign targeting that specific, unified subdomain identity.
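The SIEM/SOAR item above describes the consuming side: an alert arrives carrying raw indicators, each indicator is resolved to a unified identity, and the linked findings drive prioritization and a playbook. The following added Python example shows that flow (it is illustrative code written for this page, not ThreatNG's, and no SIEM or SOAR API is used). The unified profiles, their schema (`identifiers` plus a `risk` dictionary), the scoring weights and the alert itself are all constructed assumptions; the CVE identifier is an obvious placeholder.

```python
"""Enrich a SIEM alert with unified identity profiles and derive a SOAR priority
and playbook actions. Constructed data; not the page's or any vendor's code."""
import ipaddress

# Constructed unified profiles as an upstream unification step might produce them.
# "identifiers" holds every attribute linked to the entity; "risk" holds attached findings.
UNIFIED_PROFILES = [
    {
        "entity_id": "user:jdoe",
        "kind": "user",
        "identifiers": {"jdoe", "john.doe@example.com", "j.doe@example.com"},
        "risk": {"compromised_credential": True, "evidence": "dark web dump (constructed)"},
    },
    {
        "entity_id": "asset:vpn.example.com",
        "kind": "asset",
        "identifiers": {"vpn.example.com", "203.0.113.7"},
        "risk": {"publicly_exposed": True, "kev_cves": ["CVE-0000-PLACEHOLDER"]},
    },
    {
        "entity_id": "infra:campaign-42",
        "kind": "attacker_infrastructure",
        "identifiers": {"198.51.100.0/24", "login-example.test"},
        "risk": {"c2": True},
    },
]

# Constructed SIEM alerts: one that touches all three entities, one that touches none.
ALERT_SUSPICIOUS = {"rule": "unusual_login", "user": "jdoe",
                    "src_ip": "198.51.100.77", "dst_host": "vpn.example.com"}
ALERT_BENIGN = {"rule": "login", "user": "jroe", "src_ip": "192.0.2.5"}

def resolve(profiles, indicator):
    """Return the unified profile owning an indicator, by exact match or CIDR membership."""
    for p in profiles:
        if indicator in p["identifiers"]:
            return p
        try:
            ip = ipaddress.ip_address(indicator)
        except ValueError:
            continue  # not an IP, so only exact matches can apply
        for ident in p["identifiers"]:
            if "/" in ident and ip in ipaddress.ip_network(ident, strict=False):
                return p
    return None

def priority_from_score(score):
    # Assumed bands; a real deployment would tune these against analyst feedback.
    if score >= 6:
        return "critical"
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"

def enrich_alert(alert, profiles):
    """Attach every entity the alert's fields resolve to, score the combination,
    and select playbook actions that target the unified entity rather than one indicator."""
    enriched = {**alert, "entities": [], "actions": [], "score": 0}
    for field in ("user", "src_ip", "dst_host"):
        value = alert.get(field)
        p = resolve(profiles, value) if value else None
        if p is None or p["entity_id"] in enriched["entities"]:
            continue
        enriched["entities"].append(p["entity_id"])
        risk = p["risk"]
        if p["kind"] == "user" and risk.get("compromised_credential"):
            enriched["score"] += 3
            enriched["actions"] += [
                {"action": "force_password_reset", "target": p["entity_id"]},
                {"action": "mfa_challenge", "target": p["entity_id"]},
            ]
        elif p["kind"] == "attacker_infrastructure":
            enriched["score"] += 3
            # Block every indicator linked to the entity, not just the one seen in the alert.
            enriched["actions"].append({"action": "block_indicators",
                                        "target": sorted(p["identifiers"])})
        elif p["kind"] == "asset" and risk.get("publicly_exposed") and risk.get("kev_cves"):
            enriched["score"] += 2
            enriched["actions"].append({"action": "prioritize_patch",
                                        "target": p["entity_id"], "cves": risk["kev_cves"]})
    enriched["priority"] = priority_from_score(enriched["score"])
    return enriched

if __name__ == "__main__":
    for alert in (ALERT_SUSPICIOUS, ALERT_BENIGN):
        out = enrich_alert(alert, UNIFIED_PROFILES)
        print(out["rule"], out["priority"], out["entities"], [a["action"] for a in out["actions"]])
```

The point of resolving through the profile rather than matching the alert's literal values is visible in the block action: the alert contains a single source IP, but the playbook blocks every identifier linked to that attacker-infrastructure entity, including the domain the alert never mentioned.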

By performing Digital Identity Unification, ThreatNG moves beyond mere data collection to provide a consolidated, contextualized, and actionable understanding of an organization's complex external digital footprint and associated risks.
