Extended Threat Intelligence (XTI)
In cybersecurity, Extended Threat Intelligence (XTI) is a comprehensive and proactive approach that significantly broadens the scope of traditional cyber threat intelligence (CTI). While traditional CTI primarily focuses on internal network data and known threats, XTI expands its reach to provide a more holistic view of an organization's overall risk posture by incorporating a wider range of external data sources and analytical capabilities.
Here's a detailed breakdown of XTI:
Core Concept and Evolution from Traditional CTI
Traditional CTI centers on collecting, analyzing, and disseminating information about cyber threats to help organizations understand and defend against attacks. This often includes:
Strategic CTI: High-level information about threat actors, motivations, and overall attack trends (e.g., a report on a new ransomware group's activities).
Tactical CTI: Details about the tactics, techniques, and procedures (TTPs) used by attackers (e.g., how a specific phishing campaign works).
Operational CTI: Information about specific ongoing attacks or campaigns, including indicators of compromise (IOCs) like malicious IP addresses or phishing domains.
Technical CTI: Specific, often machine-readable, data points like file hashes, URLs, or IP addresses associated with threats.
XTI extends these foundational elements by integrating additional crucial components to provide a more complete and actionable picture of the threat landscape. The key distinction is XTI's focus on proactively identifying and mitigating risks beyond the traditional perimeter, understanding how an organization appears to attackers, and protecting its digital footprint across the Internet.
Key Components of Extended Threat Intelligence
XTI typically incorporates several key components:
External Attack Surface Management (EASM):
What it is: Continuously discovering, identifying, and assessing an organization's internet-facing assets from an attacker's perspective. This includes known assets (websites, servers, applications) and often unknown or forgotten assets (shadow IT, misconfigured cloud instances, exposed APIs).
Why it's extended: Traditional CTI might inform you about vulnerabilities, but EASM actively maps your specific vulnerabilities that are externally exposed. It helps answer the question: "How do attackers see us?"
Digital Risk Protection (DRP):
What it is: Monitoring various external sources – including the surface web, deep web, and dark web, as well as social media, forums, and code repositories – for mentions of an organization, its employees, brand impersonations, exposed data, intellectual property leaks, and other potential digital risks.
Why it's extended: This goes beyond technical threat data to include brand reputation, fraud prevention, and monitoring illicit marketplaces where organizational data or credentials might be traded.
Enhanced Cyber Threat Intelligence (CTI):
What it is: While foundational, XTI enhances CTI by leveraging advanced analytics, machine learning (ML), and artificial intelligence (AI) to process vast amounts of data from diverse sources. This includes tracking emerging TTPs, identifying new malware families, and profiling threat actors more precisely.
Why it's extended: The use of AI/ML allows for more sophisticated behavioral analysis, anomaly detection, and predictive capabilities, moving beyond just signature-based or IOC-driven threat detection.
Vulnerability Management with Context:
What it is: Identifying and prioritizing vulnerabilities not just based on their severity (e.g., CVSS score), but also on whether they are actively exploited in the wild or relevant to specific threat actors targeting the organization.
Why it's extended: XTI provides the crucial context to determine which vulnerabilities pose the most immediate and significant risk, allowing for more efficient patch prioritization and resource allocation.
Third-Party Risk Management:
What it is: Assessing and monitoring the cybersecurity risks associated with an organization's supply chain partners, vendors, and other third-party entities.
Why it's extended: Recognizing that many breaches originate through third-party connections, XTI extends threat intelligence to cover this often-overlooked attack vector.
Benefits of Extended Threat Intelligence
Proactive Defense: XTI shifts security from a reactive stance to a proactive one, allowing organizations to anticipate attacks, understand adversary motives, and implement countermeasures before threats materialize.
Comprehensive Visibility: It eliminates blind spots by providing a complete view of an organization's digital footprint and external risks.
Improved Decision-Making: Security teams and executives receive actionable intelligence, enabling them to make more informed decisions about security investments, policies, and strategic planning.
Reduced Attack Surface: XTI helps shrink the overall attack surface by continuously identifying and mitigating external vulnerabilities and exposed assets.
Faster Incident Response: With richer context and early warnings, organizations can quickly detect and respond to incidents, minimizing potential damage and downtime.
Enhanced Brand Protection: Monitoring for brand impersonation, data leaks, and other online abuses helps protect an organization's reputation and intellectual property.
Extended Threat Intelligence is about moving beyond simply knowing what threats exist to understanding how those threats specifically apply to an organization, where its vulnerabilities lie externally, and what an attacker's perspective of its digital presence truly is. This holistic approach empowers organizations to build a more resilient and adaptive cybersecurity posture in the face of an ever-evolving threat landscape.
ThreatNG, an all-in-one external attack surface management, digital risk protection, and security ratings solution, significantly aids in Extended Threat Intelligence (XTI) by providing comprehensive external visibility and actionable insights.
ThreatNG's Contribution to Extended Threat Intelligence
1. External Discovery: ThreatNG excels at external discovery by performing unauthenticated discovery without requiring connectors. This means it can map an organization's internet-facing assets from an attacker's perspective, proactively identifying unknown or forgotten assets that could be vulnerable. This capability is crucial for XTI as it broadens the scope of threat intelligence beyond the internal network to encompass the entire digital footprint.
2. External Assessment: ThreatNG provides a detailed external assessment by generating various security ratings, central to understanding an organization's susceptibility to different attack vectors. These assessments leverage external attack surface and digital risk intelligence to provide a holistic view of potential threats.
Web Application Hijack Susceptibility: This score is substantiated by analyzing the external parts of a web application to identify potential entry points for attackers, using external attack surface and digital risk intelligence, including Domain Intelligence. For instance, if ThreatNG identifies an outdated web server banner or an exposed administrative interface on a publicly accessible web application, it contributes to this susceptibility rating, indicating a higher risk of hijacking.
Subdomain Takeover Susceptibility: ThreatNG evaluates this by examining a website's subdomains, DNS records, SSL certificate statuses, and other relevant factors. If ThreatNG discovers a CNAME record pointing to an expired or unprovisioned service, it would flag a high subdomain takeover susceptibility.
BEC & Phishing Susceptibility: This rating is derived from Sentiment and Financials Findings, Domain Intelligence (including DNS Intelligence capabilities like Domain Name Permutations and Web3 Domains, and Email Intelligence for security presence and format prediction), and Dark Web Presence (Compromised Credentials). For example, ThreatNG might find that an organization has numerous look-alike domains available for registration (domain name permutations) or that employee credentials have been compromised and are on the dark web, increasing the likelihood of successful business email compromise (BEC) or phishing attacks.
Brand Damage Susceptibility: This is calculated from attack surface intelligence, digital risk intelligence, ESG Violations, Sentiment and Financials (Lawsuits, SEC filings, SEC Form 8-Ks, and Negative News), and Domain Intelligence (Domain Name Permutations and Web3 Domains). ThreatNG could identify negative news articles or pending lawsuits related to the organization, or discover that its brand name is being impersonated on newly registered web3 domains, all contributing to a higher brand damage susceptibility.
Data Leak Susceptibility: This score uses external attack surface and digital risk intelligence based on Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), Domain Intelligence (DNS Intelligence and Email Intelligence), and Sentiment and Financials (Lawsuits and SEC Form 8-Ks). An example would be ThreatNG detecting exposed cloud storage buckets with sensitive data or finding organizational credentials on the dark web, both of which indicate a high risk of data leaks.
Cyber Risk Exposure: This considers parameters covered by the Domain Intelligence module, such as certificates, subdomain headers, vulnerabilities, and sensitive ports. It also incorporates Code Secret Exposure, which discovers code repositories and their exposure levels, and investigates their contents for sensitive data. ThreatNG might identify an exposed sensitive port like RDP (Remote Desktop Protocol) on an external IP, or discover API keys inadvertently committed to a public code repository, raising the cyber risk exposure.
Cloud and SaaS Exposure: This evaluates cloud services and Software-as-a-Service (SaaS) solutions. The score also factors in an organization's compromised credentials on the dark web, which increases the risk of successful attacks. ThreatNG could detect unsanctioned cloud services employees use or publicly exposed AWS S3 buckets, directly impacting the cloud and SaaS exposure rating.
ESG Exposure: This rates the organization based on discovered environmental, social, and governance (ESG) violations through its external attack surface and digital risk intelligence findings. It analyzes Competition, Consumer, Employment, Environment, Financial, Government Contracting, Healthcare, and Safety-related offenses. ThreatNG might identify a public record of an environmental violation or a lawsuit related to employee practices, impacting the ESG exposure score.
Supply Chain & Third Party Exposure: This is derived from Domain Intelligence (Enumeration of Vendor Technologies from DNS and Subdomains), Technology Stack, and Cloud and SaaS Exposure. ThreatNG could identify a critical third-party vendor with many exposed cloud assets or a known vulnerability in a shared technology stack, highlighting supply chain risk.
Breach & Ransomware Susceptibility: This is calculated based on external attack surface and digital risk intelligence, including domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events and gang activity), and sentiment and financials (SEC Form 8-Ks). If ThreatNG detects an organization's credentials on a ransomware gang's leak site or identifies publicly accessible sensitive ports commonly exploited by ransomware, this susceptibility rating would significantly increase.
Mobile App Exposure: This evaluates how exposed an organization’s mobile apps are through their discovery in marketplaces and for specific contents like Access Credentials, Security Credentials, and Platform Specific Identifiers within them. ThreatNG might discover a mobile app in an unofficial market containing hardcoded API keys or other sensitive access credentials, indicating high mobile app exposure.
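The subdomain takeover check described above (a CNAME pointing at an expired or unprovisioned service) can be illustrated with a small script. This is an added example, not ThreatNG's code: the zone records, the set of targets that still resolve, and the stub resolver are constructed so the check runs offline; in a real deployment the stub would be replaced by an actual DNS lookup.

```python
"""Dangling-CNAME check for subdomain takeover susceptibility.

Added illustration, not ThreatNG's code. All records below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed zone: subdomain -> CNAME target (None means no CNAME record).
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "www.example.test": "lb.example.test",
    "shop.example.test": "oldshop.hosting-provider.test",  # provider account gone
    "docs.example.test": "example-docs.pages.test",
    "old.example.test": "decom.example.test",               # decommissioned host
    "api.example.test": None,
}

# Constructed view of the outside world: targets that still resolve.
LIVE_TARGETS = {"lb.example.test", "example-docs.pages.test"}


def stub_resolve(name: str) -> bool:
    """Stand-in for a DNS lookup: True if the name resolves to an address."""
    return name in LIVE_TARGETS


@dataclass
class Finding:
    subdomain: str
    target: str
    severity: str
    reason: str


def find_dangling_cnames(
    cnames: Dict[str, Optional[str]],
    resolve: Callable[[str], bool],
    apex: str,
) -> List[Finding]:
    """Flag CNAMEs whose target no longer resolves.

    A dangling target under a third-party domain is rated high because
    anyone able to register or re-provision that name at the provider
    can serve content for the subdomain; a dangling target under the
    organisation's own apex is rated medium (hygiene problem, not a
    takeover by outsiders).
    """
    findings: List[Finding] = []
    for sub, target in cnames.items():
        if target is None or resolve(target):
            continue
        external = not target.endswith("." + apex)
        findings.append(
            Finding(
                subdomain=sub,
                target=target,
                severity="high" if external else "medium",
                reason="CNAME target does not resolve"
                + (" (third-party service)" if external else " (internal host)"),
            )
        )
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_CNAMES, stub_resolve, "example.test"):
        print(f"{f.severity:6} {f.subdomain} -> {f.target}: {f.reason}")
```

The same loop works over a live zone export once `stub_resolve` is swapped for a real resolver; the severity split is the part worth keeping, since only the third-party case is claimable by someone outside the organization.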
3. Reporting: ThreatNG provides various reports, including Executive, Technical, Prioritized (High, Medium, Low, and Informational), Security Ratings, Inventory, Ransomware Susceptibility, and U.S. SEC Filings. These reports are essential for XTI, translating complex assessment data into digestible formats for different stakeholders, from technical teams needing detailed vulnerability lists to executives requiring high-level risk overviews. The embedded knowledge base in reports provides risk levels, reasoning, recommendations, and reference links to help organizations prioritize security efforts and make informed decisions.
4. Continuous Monitoring: ThreatNG offers continuous monitoring of an organization's external attack surface, digital risk, and security ratings. This ongoing vigilance is critical for XTI, as the external threat landscape is dynamic. Continuous monitoring ensures that newly exposed assets, vulnerabilities, or digital risks are identified and addressed promptly, maintaining an up-to-date understanding of the organization's real-time risk posture.
5. Investigation Modules: ThreatNG's investigation modules enable detailed exploration of discovery and assessment results, facilitating deeper intelligence extraction and risk identification. These modules are vital for XTI as they provide the granularity to understand specific threats and their context.
Domain Intelligence: This module provides a comprehensive overview of digital presence, including DNS Intelligence (Domain Record Analysis, Domain Name Permutations, Web3 Domains), Email Intelligence (Security Presence, Format Predictions, Harvested Emails), WHOIS Intelligence, and Subdomain Intelligence.
Example: If an organization's brand is "ExampleCorp", ThreatNG's Domain Intelligence might uncover newly registered look-alike domains like "ExampleCorp-support.net" through Domain Name Permutations, which could be used for phishing campaigns. The Email Intelligence might lack DMARC records, making email spoofing easier.
Subdomain Intelligence: This provides granular details such as HTTP Responses, Header Analysis (Security Headers, Deprecated Headers), Server Headers (Technologies), Cloud Hosting, Website Builders, E-commerce Platforms, Content Management Systems, and content identification (Admin Pages, APIs, Development Environments, VPNs). It also identifies exposed ports (IoT/OT, Industrial Control Systems, Databases, Remote Access Services) and known vulnerabilities. An example would be finding an exposed API endpoint on a subdomain or an unsecured database port (e.g., MongoDB on 27017) directly accessible from the internet, which an attacker could use to compromise the organization.
IP Intelligence: This covers IPs, Shared IPs, ASNs, Country Locations, and Private IPs, helping to understand the network infrastructure from an external perspective.
Certificate Intelligence: This provides insights into TLS Certificates (Status, Issuers, Active, Certs without Subdomains, Subdomains without Certificates) and Associated Organizations. An example would be identifying expired SSL certificates, which can lead to trust issues and indicate a lapse in security hygiene.
Sensitive Code Exposure: This module discovers public code repositories and uncovers digital risks within them, such as Access Credentials (API Keys, Access Tokens, Generic Credentials, Cloud Credentials), Security Credentials (Cryptographic Keys), Configuration Files (Application, System, Network), Database Exposures (Files, Credentials), Application Data Exposures (Remote Access, Encryption Keys, Encrypted Data, Java Keystores, Code Repository Data), Activity Records (Command History, Logs, Network Traffic), Communication Platform Configurations, Development Environment Configurations, Security Testing Tools, Cloud Service Configurations, Remote Access Credentials, System Utilities, Personal Data, and User Activity. For instance, ThreatNG might find a GitHub repository belonging to the organization containing a hardcoded AWS Access Key ID, which could lead to unauthorized cloud access.
Mobile Application Discovery: This discovers mobile apps in marketplaces and identifies the presence of Access Credentials, Security Credentials, and Platform-Specific Identifiers within them. It helps in XTI by identifying potential data leaks or misconfigurations in mobile applications that could be exploited.
Search Engine Exploitation: This includes Website Control Files (Robots.txt, Security.txt) and the Search Engine Attack Surface. ThreatNG could identify a misconfigured robots.txt file that inadvertently exposes sensitive directories to search engine indexing, making it easier for attackers to discover critical paths.
Cloud and SaaS Exposure: This identifies Sanctioned/Unsanctioned Cloud Services, Cloud Service Impersonations, and Open Exposed Cloud Buckets across major providers (AWS, Azure, GCP). It also lists SaaS implementations used by the organization (e.g., Salesforce, Slack, Workday, Okta, Zoom). ThreatNG could flag an unsanctioned cloud storage service or an open S3 bucket, indicating potential data exposure.
Online Sharing Exposure: This discovers the presence of organizational entities on code-sharing platforms like Pastebin, GitHub Gist, and Scribd. ThreatNG might find sensitive internal documentation or credentials posted on Pastebin, indicating a data leak.
Sentiment and Financials: This module monitors organizational lawsuits, layoff chatter, SEC Filings (especially Risk and Oversight Disclosures and Form 8-Ks), and ESG Violations. This data helps XTI by providing non-technical context on financial health and potential internal turmoil that could correlate with increased cyber risk.
Archived Web Pages: This feature identifies various types of archived content from the organization's online presence, including APIs, document files, login pages, and directories. This helps XTI by revealing historical information that might contain forgotten sensitive data or outdated configurations.
Dark Web Presence: This module tracks organizational mentions of related people, places, or things, associated ransomware events, and compromised credentials. ThreatNG might detect an organization's domain mentioned in a dark web forum discussing recent ransomware victims, or find a large set of compromised employee credentials being sold, indicating a significant dark web presence and immediate threat.
Technology Stack: This identifies all technologies the organization uses, from web servers and operating systems to CRM, CMS, and security solutions. This provides valuable context for XTI, as knowledge of the technology stack helps understand potential vulnerabilities and attack vectors.
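The Subdomain Intelligence header analysis above (Security Headers, Deprecated Headers, Server Headers) can be reproduced in a few lines. This is an added example, not ThreatNG's code: the two response header sets are constructed, one weak and one hardened, and the thresholds (a six-month minimum HSTS max-age, the list of required and deprecated headers) are the author's assumptions, not ThreatNG's scoring rules.

```python
"""Security header assessment over captured HTTP response headers.

Added illustration, not ThreatNG's code. Sample headers are constructed.
"""
import re
from typing import Dict, List, Tuple

# Headers whose absence is a finding, with the risk each one mitigates.
REQUIRED = {
    "strict-transport-security": "HSTS missing: HTTPS downgrade or stripping possible",
    "content-security-policy": "CSP missing: no browser-side XSS mitigation policy",
    "x-content-type-options": "nosniff missing: MIME-type sniffing possible",
    "x-frame-options": "framing control missing: clickjacking possible",
}

# Headers that signal outdated configuration when present.
DEPRECATED = {
    "public-key-pins": "HPKP is deprecated and can lock users out",
    "x-xss-protection": "X-XSS-Protection is deprecated; rely on CSP instead",
}

MIN_HSTS_AGE = 15552000  # assumed threshold: 180 days, in seconds

Finding = Tuple[str, str, str]  # (kind, header, explanation)


def assess_headers(headers: Dict[str, str]) -> List[Finding]:
    """Return findings for one response's headers (case-insensitive names)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []

    for name, why in REQUIRED.items():
        if name not in h:
            findings.append(("missing", name, why))

    for name, why in DEPRECATED.items():
        if name in h:
            findings.append(("deprecated", name, why))

    # Server banner with a version number discloses the technology stack.
    server = h.get("server", "")
    if re.search(r"/\d", server):
        findings.append(("disclosure", "server", f"version banner exposed: {server}"))

    # HSTS present but too short to be effective.
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if m and int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(("weak", "strict-transport-security",
                             f"max-age={m.group(1)} is below {MIN_HSTS_AGE}"))
    return findings


# Constructed sample: a typical under-configured response.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Content-Type": "text/html",
}

# Constructed sample: the same service after hardening.
HARDENED_RESPONSE = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for kind, header, why in assess_headers(WEAK_RESPONSE):
        print(f"[{kind}] {header}: {why}")
```

Run over the headers of each discovered subdomain, the output is the per-host list that a "Security Headers" or "Deprecated Headers" view would summarize; the hardened sample yields no findings, which is the target state.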
6. Intelligence Repositories (DarCache): ThreatNG maintains continuously updated intelligence repositories (DarCache) that are crucial for XTI by providing rich context and actionable data.
Dark Web (DarCache Dark Web): Provides insights into dark web activities relevant to the organization.
Compromised Credentials (DarCache Rupture): Information on compromised credentials is a critical indicator of potential breaches.
Ransomware Groups and Activities (DarCache Ransomware): Tracks over 70 ransomware gangs, providing insights into their TTPs and recent activities.
Vulnerabilities (DarCache Vulnerability): Offers a holistic approach to managing external risks and vulnerabilities by understanding their real-world exploitability, likelihood of exploitation, and potential impact. It integrates:
NVD (DarCache NVD): Provides a deep understanding of the technical characteristics and potential impact of each vulnerability, including Attack Complexity, Attack Interaction, Attack Vector, Impact scores (Availability, Confidentiality, Integrity), CVSS Score, and Severity.
EPSS (DarCache EPSS): Offers a probabilistic estimate of the likelihood of a vulnerability being exploited in the near future, allowing forward-looking prioritization.
KEV (DarCache KEV): Identifies vulnerabilities actively being exploited in the wild, providing critical context for prioritizing remediation.
Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): Provides direct links to PoC exploits on platforms like GitHub, accelerating the understanding of how a vulnerability can be exploited and aiding in reproduction and mitigation strategies.
ESG Violations (DarCache ESG): Tracks Competition, Consumer, Employment, Environment, Financial, Government Contracting, Healthcare, and Safety-related offenses.
Bug Bounty Programs (DarCache Bug Bounty): Lists in-scope and out-of-scope assets for bug bounty programs.
SEC Form 8-Ks (DarCache 8-K): Provides access to SEC Form 8-Ks, which often contain disclosures about cybersecurity incidents.
Bank Identification Numbers (DarCache BIN)
Mobile Apps (DarCache Mobile): Indicates the presence of sensitive credentials and identifiers within discovered mobile apps.
These repositories are central to XTI as they provide rich, contextualized data that allows organizations to identify vulnerabilities, assess their likelihood of being exploited, and assess the potential impact.
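The "Vulnerability Management with Context" component and the DarCache Vulnerability repositories (NVD, EPSS, KEV, PoC) both describe the same idea: rank by real-world exploitability and exposure rather than by CVSS alone. The script below is an added example of such a ranking, not ThreatNG's scoring model; the weights, the buckets and the three vulnerability records (placeholder CVE identifiers, illustrative CVSS and EPSS values) are all constructed by the author.

```python
"""Context-aware vulnerability prioritization.

Added illustration, not ThreatNG's algorithm. Weights, thresholds and the
sample records are constructed; CVE ids are placeholders, not real entries.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class VulnContext:
    cve: str                 # placeholder identifier
    cvss: float              # NVD-style base score, 0-10
    epss: float              # EPSS probability, 0-1
    in_kev: bool             # listed as known exploited in the wild
    has_poc: bool            # public proof-of-concept available
    exposed_externally: bool # affected asset is internet-facing


# Assumed weights: KEV and public PoC are treated as strong evidence,
# EPSS as a graded signal, and external exposure as a multiplier.
KEV_BONUS = 4.0
POC_BONUS = 2.0
EPSS_WEIGHT = 3.0
EXPOSURE_MULTIPLIER = 1.5


def priority_score(v: VulnContext) -> float:
    """Combine severity with exploitation evidence and exposure."""
    score = v.cvss
    if v.in_kev:
        score += KEV_BONUS
    if v.has_poc:
        score += POC_BONUS
    score += v.epss * EPSS_WEIGHT
    if v.exposed_externally:
        score *= EXPOSURE_MULTIPLIER
    return score


def bucket(score: float) -> str:
    """Map a score to a remediation bucket (assumed thresholds)."""
    if score >= 20:
        return "immediate"
    if score >= 12:
        return "high"
    if score >= 7:
        return "medium"
    return "low"


def rank(vulns: List[VulnContext]) -> List[VulnContext]:
    return sorted(vulns, key=priority_score, reverse=True)


# Constructed sample: a critical-but-unexploited bug, an actively exploited
# high-severity bug with public PoC on an exposed host, and an internal one.
SAMPLE_VULNS = [
    VulnContext("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False, has_poc=False, exposed_externally=True),
    VulnContext("CVE-0000-0002", cvss=7.5, epss=0.90, in_kev=True, has_poc=True, exposed_externally=True),
    VulnContext("CVE-0000-0003", cvss=9.1, epss=0.01, in_kev=False, has_poc=False, exposed_externally=False),
]

if __name__ == "__main__":
    for v in rank(SAMPLE_VULNS):
        s = priority_score(v)
        print(f"{v.cve}  cvss={v.cvss}  score={s:.2f}  {bucket(s)}")
```

The point the sample makes: the CVSS 7.5 entry that is in KEV, has a public PoC and sits on an exposed host outranks both 9+ entries, which is exactly the reordering the Log4Shell example in the text describes.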
Examples of ThreatNG Helping with XTI
Identifying Shadow IT: ThreatNG's external discovery could uncover an unknown cloud instance or a forgotten development server exposed to the internet. This "shadow IT" is a significant blind spot for traditional CTI; XTI, powered by ThreatNG, brings it into view, allowing the organization to assess and secure it before an attacker discovers it.
Proactive Brand Protection: ThreatNG's Digital Risk Protection capabilities might detect an identical brand logo being used on a newly registered domain in a foreign country, along with phishing kit mentions on the dark web, indicating an impending phishing attack targeting the brand's customers. This early warning enables the organization to take legal action or issue warnings before a widespread attack.
Prioritizing Vulnerability Remediation: Instead of patching all identified vulnerabilities, ThreatNG, through its DarCache Vulnerability intelligence (EPSS, KEV, and PoC exploits), could highlight a specific critical vulnerability (e.g., Log4Shell) that is not only severe but also actively being exploited in the wild and has publicly available PoC code. This allows the security team to prioritize patching this specific vulnerability over others, significantly reducing immediate risk.
Understanding Supply Chain Risk: ThreatNG might identify that a critical third-party software vendor has recently had numerous zero-day vulnerabilities in its products, coupled with mentions of the vendor's compromised credentials on the dark web. This information, part of the supply chain exposure assessment, enables the organization to assess its reliance on this vendor and potentially implement mitigating controls or seek alternatives.
Synergies with Complementary Solutions
While ThreatNG is a comprehensive solution, it can work synergistically with other cybersecurity tools to enhance an organization's XTI capabilities.
Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's external assessment findings, especially prioritized vulnerabilities and indicators of compromise (IOCs) from its Dark Web and Ransomware intelligence, could be fed into a SIEM. This allows security analysts to correlate external threat data with internal logs, identifying potential internal exploitation of externally exposed vulnerabilities. A SOAR platform could then use ThreatNG's output to automate responses, such as blocking malicious IPs identified by ThreatNG or automatically initiating vulnerability scans on assets flagged by ThreatNG.
Vulnerability Scanners and Penetration Testing Tools: ThreatNG identifies external attack surface vulnerabilities. This information can then inform and focus internal vulnerability scans and penetration tests. For example, if ThreatNG identifies specific sensitive ports exposed or particular web applications with high hijack susceptibility, internal vulnerability scanners can be configured to specifically target those areas for deeper analysis. Penetration testers can use ThreatNG's external view to plan their attack simulations more effectively, mirroring real-world adversary tactics.
Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP): ThreatNG's Cloud and SaaS Exposure findings, particularly discovering unsanctioned cloud services or exposed cloud buckets, can inform CSPM and CWPP solutions. The CSPM can then enforce policies to prevent future misconfigurations. CWPP can monitor workloads within those cloud environments for malicious activity that might stem from an external exposure identified by ThreatNG.
Identity and Access Management (IAM) Solutions: ThreatNG's compromised credentials intelligence (DarCache Rupture) can directly integrate with IAM solutions. If ThreatNG discovers compromised employee credentials on the dark web, the IAM system can be triggered to force a password reset for those users or apply multi-factor authentication requirements, significantly reducing the risk of account takeover.
Brand Protection and Anti-Fraud Services: While ThreatNG offers digital risk protection, specialized brand protection services can benefit from ThreatNG's initial discovery of brand impersonations or domain permutations. Using the evidence provided by ThreatNG, these services can then more effectively initiate takedowns of fraudulent websites or social media accounts.
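The SIEM/SOAR and IAM integrations above both come down to joining external intelligence (malicious IPs, compromised usernames) against internal logs and emitting an action. The script below is an added example of that correlation step, not ThreatNG's integration or any SIEM's rule language; the IOC sets, the log lines and the recommended-action names are constructed for illustration.

```python
"""Correlate external IOCs with internal firewall and authentication logs.

Added illustration, not ThreatNG's or any SIEM's code. IOC sets, log lines
and action names are constructed.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed external intelligence, as it might arrive from a dark web /
# ransomware feed: source IPs seen in hostile activity and usernames whose
# credentials appeared in a dump.
MALICIOUS_IPS: Set[str] = {"203.0.113.45", "198.51.100.7"}
COMPROMISED_USERS: Set[str] = {"jdoe"}

# Constructed internal log lines in a simple key=value style.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw ACCEPT src=203.0.113.45 dst=10.0.0.5 dport=3389",
    "2024-05-01T10:00:05Z fw ACCEPT src=192.0.2.10 dst=10.0.0.5 dport=443",
    "2024-05-01T10:01:12Z auth LOGIN_OK user=jdoe src=198.51.100.7",
    "2024-05-01T10:02:00Z auth LOGIN_OK user=asmith src=192.0.2.11",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def correlate(lines: Iterable[str], bad_ips: Set[str], bad_users: Set[str]) -> List[Dict]:
    """Return one alert per log line that matches external intelligence.

    Each alert carries a severity and the SOAR/IAM actions a playbook
    would trigger: block the source at the perimeter, force a credential
    reset plus MFA for the user, or both.
    """
    alerts: List[Dict] = []
    for lineno, line in enumerate(lines):
        fw = FW_RE.match(line)
        if fw and fw.group("src") in bad_ips:
            alerts.append({
                "line": lineno,
                "ts": fw.group("ts"),
                "severity": "high",
                "reasons": [f"traffic from known-malicious {fw.group('src')} to "
                            f"{fw.group('dst')}:{fw.group('dport')}"],
                "actions": ["block_ip", "review_host"],
            })
            continue

        au = AUTH_RE.match(line)
        if not au:
            continue
        reasons, actions = [], []
        if au.group("user") in bad_users:
            reasons.append(f"login by user with compromised credentials: {au.group('user')}")
            actions += ["force_password_reset", "require_mfa"]
        if au.group("src") in bad_ips:
            reasons.append(f"login from known-malicious source {au.group('src')}")
            actions.append("block_ip")
        if reasons:
            alerts.append({
                "line": lineno,
                "ts": au.group("ts"),
                "severity": "critical" if len(reasons) > 1 else "high",
                "reasons": reasons,
                "actions": actions,
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS, MALICIOUS_IPS, COMPROMISED_USERS):
        print(a["ts"], a["severity"], "; ".join(a["reasons"]), "->", a["actions"])
```

Two of the four constructed lines fire: the RDP connection from a listed IP (block and review), and the successful login that is both a compromised user and a hostile source, which is escalated to critical and routed to the IAM reset-and-MFA path described above.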
By combining ThreatNG's deep external visibility and intelligence with other security solutions' internal monitoring and enforcement capabilities, organizations can create a truly robust and adaptive XTI program, enhancing their overall security posture and resilience against sophisticated cyber threats.