Digital Risk Intelligence (DRI)
In the context of cybersecurity, Digital Risk Intelligence (DRI) refers to the process of gathering, analyzing, and interpreting data from various digital sources to identify, assess, and mitigate potential cyber threats. Here's a breakdown:
Core Focus:
DRI centers on understanding and managing risks that exist outside of an organization's traditional network perimeter. This includes monitoring the open web, deep web, and dark web.
It involves looking for potential threats that could impact an organization's digital assets, reputation, and overall security.
Key Activities:
Threat Intelligence Gathering:
Monitoring for emerging threats, cybercriminal activity, and new attack techniques.
Tracking threat actors and their tactics.
Data Leak Detection:
Searching for exposed sensitive data, such as credentials, intellectual property, and customer information.
Brand Protection:
Monitoring for brand impersonation, phishing campaigns, and other fraudulent activities.
Fraud Prevention:
Identifying fraudulent domains and malicious online activity.
Digital Footprint Monitoring:
Analyzing online exposures, potential attack vectors, and targeted risks to key personnel.
Purpose:
To provide organizations with proactive insights into potential cyber risks.
To enable them to take timely action to prevent or mitigate attacks.
To protect brand reputation.
DRI helps organizations understand their external threat landscape and take proactive steps to safeguard their digital assets.
Here's how ThreatNG addresses Digital Risk Intelligence:
ThreatNG excels at external discovery. It can perform purely external unauthenticated discovery without needing connectors. This means it can identify an organization's digital footprint from an attacker's perspective, which is crucial for understanding potential vulnerabilities.
ThreatNG provides various external assessment capabilities, offering in-depth insights into an organization's risk posture. Examples include:
Web Application Hijack Susceptibility: ThreatNG analyzes externally accessible parts of web applications to find potential entry points for attackers. This helps organizations understand how susceptible their web applications are to being hijacked.
Subdomain Takeover Susceptibility: ThreatNG assesses the risk of subdomain takeovers by analyzing subdomains, DNS records, and SSL certificate statuses. For instance, if a subdomain's DNS record points to a service no longer in use, an attacker could take control of that subdomain.
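The dangling-record condition described above, as an added illustration that is not ThreatNG's own logic: a CNAME is flagged when its target no longer resolves, or when it resolves to a third-party host that reports the referenced resource as unclaimed. The DNS snapshot, resolver results and claimed-status table are all constructed and hypothetical.

```python
"""Subdomain takeover susceptibility check over a constructed DNS snapshot.

Added example (not ThreatNG code). Only CNAME delegation is in scope:
A records pointing at an organisation's own addresses are skipped.
"""
from dataclasses import dataclass

# Constructed DNS snapshot: subdomain -> (record type, target).
DNS_RECORDS = {
    "www.example.com": ("A", "203.0.113.10"),
    "shop.example.com": ("CNAME", "shop-prod.saas-host.example.net"),
    "old-blog.example.com": ("CNAME", "legacy.pages-host.example.net"),
    "docs.example.com": ("CNAME", "docs.example.com.cdn-host.example.net"),
}

# Constructed resolver view: does the CNAME target still resolve?
RESOLVES = {
    "shop-prod.saas-host.example.net": True,
    "legacy.pages-host.example.net": False,   # NXDOMAIN: dangling record
    "docs.example.com.cdn-host.example.net": True,
}

# Constructed result of fingerprinting the provider's "no such site" page.
CLAIMED = {
    "shop-prod.saas-host.example.net": True,
    "docs.example.com.cdn-host.example.net": False,  # resource unclaimed
}


@dataclass(frozen=True)
class Finding:
    subdomain: str
    target: str
    reason: str


def assess_takeover(records, resolves, claimed):
    """Return one Finding per CNAME whose target is dangling or unclaimed."""
    findings = []
    for name, (rtype, target) in sorted(records.items()):
        if rtype != "CNAME":
            continue
        if not resolves.get(target, False):
            findings.append(Finding(name, target, "dangling CNAME: target does not resolve"))
        elif not claimed.get(target, True):
            findings.append(Finding(name, target, "target resolves but resource is unclaimed"))
    return findings
```

Remediation for either finding is the same: remove the stale CNAME or re-claim the resource at the provider before anyone else can.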
BEC & Phishing Susceptibility: ThreatNG derives this from various intelligence sources, including domain (domain name permutations and email intelligence) and dark web presence (compromised credentials). For example, ThreatNG can identify lookalike domains that could be used for phishing attacks and detect compromised credentials that could be used to facilitate Business Email Compromise (BEC).
Brand Damage Susceptibility: ThreatNG uses attack surface intelligence, digital risk intelligence, ESG violations, sentiment and financials (like lawsuits and negative news), and domain intelligence to assess brand damage susceptibility. For instance, it can detect the availability of domain name permutations that could be used to impersonate a brand or negative sentiment in the news that could damage a brand's reputation.
Data Leak Susceptibility: ThreatNG assesses data leak susceptibility based on cloud and SaaS exposure, dark web presence (compromised credentials), domain intelligence, and sentiment and financials (lawsuits and SEC Form 8-Ks). An example would be the discovery of compromised credentials on the dark web, which indicates a higher risk of data leaks.
Cyber Risk Exposure: ThreatNG considers domain intelligence parameters like certificates, subdomain headers, vulnerabilities, and sensitive ports to determine cyber risk exposure. For example, exposed sensitive ports can increase an organization's cyber risk.
Code Secret Exposure: ThreatNG discovers code repositories and their exposure level and investigates the contents for sensitive data. This helps organizations identify and remediate potential leaks of sensitive information, such as API keys or passwords, found in code repositories.
Cloud and SaaS Exposure: ThreatNG evaluates cloud services and Software-as-a-Service (SaaS) solutions. This provides visibility into an organization's cloud footprint and potential risks associated with cloud services.
Compromised Credentials: ThreatNG factors in compromised credentials on the dark web, which increases the risk of successful attacks.
ESG Exposure: ThreatNG evaluates an organization's vulnerability to environmental, social, and governance (ESG) risks using external attack surface and digital risk intelligence, as well as sentiment and financials findings. It examines factors like sentiment analysis of media coverage, financial analysis, and publicly available information to highlight competition, consumer, employment, and safety-related offenses.
Supply Chain & Third-Party Exposure: ThreatNG derives this from domain intelligence (enumeration of vendor technologies), technology stack, and cloud and SaaS exposure. For example, it can identify the technologies used by an organization's vendors, which can help assess supply chain risks.
Breach & Ransomware Susceptibility: ThreatNG calculates this based on external attack surface and digital risk intelligence, including domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events and gang activity), and sentiment and financials (SEC Form 8-Ks). For instance, the presence of compromised credentials and exposed sensitive ports would increase an organization's susceptibility.
Mobile App Exposure: ThreatNG discovers an organization’s mobile apps in marketplaces and analyzes them for access credentials, security credentials, and platform-specific identifiers. For example, it can detect whether mobile apps contain hardcoded API keys or other sensitive information.
ThreatNG offers various reporting options, including executive, technical, prioritized, security ratings, inventory, ransomware susceptibility, and U.S. SEC filings. These reports provide valuable insights into an organization's security posture and risks.
ThreatNG continuously monitors external attack surface, digital risk, and security ratings. This enables organizations to stay informed about their evolving risk landscape and detect emerging threats.
ThreatNG includes investigation modules that provide detailed information for deeper analysis. Examples include:
Domain Intelligence: This module offers a domain overview (digital presence word cloud, Microsoft Entra Identification and Domain Enumeration, bug bounty programs), DNS intelligence (domain record analysis, domain name permutations, and Web3 domains), email intelligence (security presence, format predictions, and harvested emails), WHOIS intelligence (WHOIS analysis and other domains owned), and subdomain intelligence.
Subdomain Intelligence provides HTTP responses, header analysis (security and deprecated headers), server headers (technologies), cloud hosting, website builders, e-commerce platforms, content management systems, and more. It also includes subdomain takeover susceptibility, content identification (admin pages, APIs, development environments, VPNs, errors, applications, etc.), ports (IoT/OT, industrial control systems, databases, remote access services), known vulnerabilities, web application firewall discovery and vendor types. For example, identifying exposed admin pages or databases can be critical for security investigations.
IP Intelligence: This module provides information on IPs, shared IPs, ASNs, country locations, and private IPs.
Certificate Intelligence: This module offers TLS certificates (status, issuers, active, certs without subdomains, subdomains without certificates) and associated organizations (domains, certificates, and emails).
Social Media: This module provides posts from the organization under investigation, including content copy, hashtags, links, and tags.
Sensitive Code Exposure: This module discovers public code repositories and uncovers digital risks, including access credentials, access tokens, generic credentials, cloud credentials, security credentials, other secrets, configuration files, system configuration, and network configuration.
For example, it can identify exposed API keys, passwords, or cryptographic keys in code repositories. It also detects database exposures (database files and database credentials), application data exposures (remote access, encryption keys, encrypted data, Java keystores, and code repository data), activity records (command history, logs, and network traffic), communication platform configurations (chat clients and email clients), development environment configurations, security testing tools, cloud service configurations, remote access credentials, system utilities (authentication and database management), personal data (journaling), and user activity (social media).
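The kind of check the Code Secret Exposure description above (and the Code Secret Exposure assessment earlier on this page) implies, as an added example rather than ThreatNG's detection logic: fixed-format patterns catch well-known key shapes, and a Shannon-entropy test catches generic credential assignments, with values redacted in the report. The sample configuration file is constructed; the AWS key id is Amazon's published documentation example.

```python
"""Scan file contents for exposed secrets. Added example, not ThreatNG code."""
import math
import re
from collections import Counter

# Fixed-format patterns for secrets with a recognisable shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic assignment such as  password = "..."  or  api_key: '...'
GENERIC = re.compile(
    r"""(?i)\b(password|passwd|token|secret|api[_-]?key)\b\s*[=:]\s*['"]([^'"]{8,})['"]"""
)


def shannon_entropy(s):
    """Bits per character; random-looking strings score well above 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Keep just enough of the value to locate it in the file."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path, text, entropy_threshold=3.5):
    """Return (path, line number, finding kind, redacted value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append((path, lineno, kind, redact(m.group(0))))
        for m in GENERIC.finditer(line):
            value = m.group(2)
            # Low-entropy placeholders like "changeme" are not reported.
            if shannon_entropy(value) >= entropy_threshold:
                kind = "high_entropy_" + m.group(1).lower()
                findings.append((path, lineno, kind, redact(value)))
    return findings


# Constructed sample file; every value here is a fake placeholder.
SAMPLE_CONFIG = """\
db_host = "db.internal.example"
password = "changeme"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
api_key = "q8Zk3mP1vX9rT2wL5nB7yH4jF6dS0aG2"
"""
```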
Mobile Application Discovery: This module discovers mobile apps related to the organization under investigation in marketplaces and analyzes their contents for access credentials, security credentials, and platform-specific identifiers.
Search Engine Exploitation: This module helps users investigate an organization’s susceptibility to exposing information via search engines.
It discovers website control files like robots.txt and security.txt, and it helps identify an organization’s susceptibility to exposing various data via search engines, such as errors, potential sensitive information, user data, and web servers.
Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services, cloud service impersonations, open exposed cloud buckets, and SaaS implementations associated with the organization.
For example, it can identify exposed cloud buckets in AWS, Microsoft Azure, and Google Cloud Platform, and it can detect the use of various SaaS applications like Salesforce, Slack, and Zoom.
Online Sharing Exposure: This module identifies organizational entities within online code-sharing platforms.
Sentiment and Financials: This module provides organizational-related lawsuits, layoff chatter, SEC filings, SEC Form 8-Ks, and ESG violations.
Archived Web Pages: This module discovers various archived web pages, including API, BAK, CSS, and other files.
Dark Web Presence: This module identifies organizational mentions, associated ransomware events, and compromised credentials.
Technology Stack: This module identifies the technologies used by the organization, such as accounting tools, analytics, CMS, and databases.
ThreatNG uses intelligence repositories, including data on the dark web, compromised credentials, ransomware events and groups, known vulnerabilities, ESG violations, bug bounty programs, SEC Form 8-Ks, Bank Identification Numbers, and mobile apps. These repositories provide valuable context and enhance ThreatNG's ability to identify and assess risks.
Work with Complementary Solutions
ThreatNG's integrations with specific complementary solutions are not detailed here. However, its external attack surface management, digital risk protection, and security ratings capabilities suggest that it can complement various security tools, such as:
SIEM (Security Information and Event Management) systems: ThreatNG's external threat intelligence can be fed into a SIEM to provide a more complete view of an organization's security posture.
Vulnerability management tools: ThreatNG's external vulnerability data can be combined with internal vulnerability scans to prioritize remediation efforts.
Incident response platforms: ThreatNG's insights into external threats can help incident response teams understand the context of an attack and respond more effectively.