External Attack Surface Analysis

External Attack Surface Analysis involves identifying, assessing, and monitoring an organization's IT assets and infrastructure that are visible and accessible from the outside world (e.g., the Internet or other external networks). It evaluates potential entry points attackers could exploit to gain unauthorized access to systems or data.

Here's a breakdown of what this analysis entails:

  • Discovery: The first step involves discovering all external-facing assets. This includes:

    • Websites and web applications

    • Email servers

    • DNS servers

    • Cloud services and storage

    • APIs (Application Programming Interfaces)

    • Firewalls and routers

    • Any other systems that communicate with the internet

  • Assessment: Once the external-facing assets are identified, they are assessed for vulnerabilities and weaknesses. This assessment may involve:

    • Vulnerability scanning to detect known software flaws

    • Configuration reviews to identify security misconfigurations

    • Analysis of open ports and services to find potential entry points

    • Evaluation of SSL/TLS certificates for weaknesses

    • Examination of web application security (e.g., susceptibility to injection attacks, cross-site scripting)

  • Risk Evaluation: The identified vulnerabilities and weaknesses are then evaluated to determine the potential risk they pose to the organization. This involves considering factors such as:

    • The criticality of the affected systems and data

    • The likelihood of exploitation

    • The potential impact of a successful attack

  • Monitoring: External attack surface analysis is not a one-time activity. Continuous monitoring is essential to:

    • Detect new external-facing assets as they are deployed

    • Identify changes in existing assets that could introduce new vulnerabilities

    • Stay informed about emerging threats that could target the organization's external attack surface

External attack surface analysis aims to provide organizations with a comprehensive understanding of their external-facing risks, enabling them to prioritize remediation efforts and improve their overall security posture.
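The monitoring step described above can be illustrated by diffing two snapshots of an external footprint. This is an added example, not code from this page or from ThreatNG; the snapshot format, the example.com hostnames and addresses, and the RISKY_PORTS policy are all constructed assumptions.

```python
"""Diff two external-footprint snapshots and flag attack-surface changes."""
from datetime import date

# Constructed sample snapshots (not real data): what an unauthenticated
# observer could record about each host on two consecutive days.
BASELINE = {
    "www.example.com":  {"a": ["203.0.113.10"], "ports": [443], "cert_expires": "2026-01-15"},
    "mail.example.com": {"a": ["203.0.113.20"], "ports": [25, 443], "cert_expires": "2025-05-01"},
    "old.example.com":  {"a": ["203.0.113.30"], "ports": [443], "cert_expires": "2025-02-01"},
}
CURRENT = {
    "www.example.com":  {"a": ["203.0.113.10"], "ports": [443, 8080], "cert_expires": "2026-01-15"},
    "mail.example.com": {"a": ["198.51.100.5"], "ports": [25, 443], "cert_expires": "2025-05-01"},
    "dev.example.com":  {"a": ["203.0.113.40"], "ports": [22, 443], "cert_expires": "2025-03-10"},
}
TODAY = date(2025, 2, 20)  # fixed so the sample run is reproducible

# Assumed policy: remote-management services should never face the internet.
RISKY_PORTS = {21, 22, 23, 3389, 5900}
SEVERITY_RANK = {"high": 0, "medium": 1}


def diff_footprint(baseline, current, today, cert_warn_days=30):
    """Return (severity, host, description) findings, highest severity first."""
    findings = []
    for host in set(current) - set(baseline):
        findings.append(("high", host, "new external-facing host"))
    for host in set(baseline) - set(current):
        # A name that vanished from discovery may still exist in DNS elsewhere,
        # which is the classic precondition for subdomain takeover: verify it.
        findings.append(("medium", host, "host no longer discovered; check for dangling DNS"))
    for host in set(baseline) & set(current):
        before, after = baseline[host], current[host]
        if set(before["a"]) != set(after["a"]):
            findings.append(("high", host, f"A record changed {before['a']} -> {after['a']}"))
        opened = set(after["ports"]) - set(before["ports"])
        if opened:
            sev = "high" if opened & RISKY_PORTS else "medium"
            findings.append((sev, host, f"newly exposed ports {sorted(opened)}"))
    for host, rec in current.items():
        days_left = (date.fromisoformat(rec["cert_expires"]) - today).days
        if days_left < cert_warn_days:
            findings.append(("medium", host, f"TLS certificate expires in {days_left} days"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for sev, host, desc in diff_footprint(BASELINE, CURRENT, TODAY):
        print(f"[{sev:6}] {host}: {desc}")
```

In practice the snapshots would come from a scheduled discovery run, and the findings would feed a ticketing or SOAR workflow rather than stdout.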

Here’s how ThreatNG addresses External Attack Surface Analysis:

1. External Discovery

ThreatNG starts with a strong emphasis on external discovery, a fundamental aspect of External Attack Surface Analysis.

  • ThreatNG performs "purely external unauthenticated discovery" without needing connectors. This is crucial because it allows ThreatNG to identify the assets that are visible to an attacker, even those that are not well documented or managed internally.

  • Example: ThreatNG can discover all subdomains associated with an organization, including those that might be forgotten, abandoned, or set up by shadow IT. This complete view of subdomains is essential for a thorough External Attack Surface Analysis.

  • Complementary Solutions:

    • Shodan: While ThreatNG discovers an organization's attack surface, Shodan can provide additional insights into internet-connected devices and services that might be associated with the organization. Combining these tools can offer a more comprehensive view of externally exposed assets.

    • Asset Discovery Tools: Some network-focused asset discovery tools can complement ThreatNG by providing more detailed information about the underlying infrastructure of the discovered assets.

2. External Assessment

ThreatNG provides a range of external assessment capabilities to identify vulnerabilities and weaknesses in the external attack surface.

  • It delivers various assessment ratings, each focusing on a different aspect of external risk:

    • Web Application Hijack Susceptibility: Analyzes web applications for potential hijack entry points.

    • Subdomain Takeover Susceptibility: Evaluates the risk of subdomain takeovers.

    • BEC & Phishing Susceptibility: Assesses vulnerability to Business Email Compromise and phishing.

    • Brand Damage Susceptibility: Assesses risks to brand reputation.

    • Data Leak Susceptibility: Identifies potential for data leaks.

    • Cyber Risk Exposure: Determines overall cyber risk.

    • Code Secret Exposure: Discovers exposed code repositories and secrets.

    • Cloud and SaaS Exposure: Evaluates risks from cloud and SaaS services.

    • ESG Exposure: Rates the organization based on ESG violations.

    • Supply Chain & Third Party Exposure: Assesses third-party risks.

    • Breach & Ransomware Susceptibility: Determines susceptibility to breaches and ransomware.

    • Mobile App Exposure: Assesses mobile app vulnerabilities.

    • Positive Security Indicators: Identifies security strengths.

  • Examples:

    • ThreatNG's "Code Secret Exposure" assessment is a critical component of External Attack Surface Analysis, as it can discover exposed code repositories containing sensitive information like API keys, credentials, and configuration files.

    • The "Mobile App Exposure" assessment helps analyze the security of an organization's mobile apps, identifying potential vulnerabilities like exposed credentials or identifiers, which are part of the external attack surface.

  • Complementary Solutions:

    • Web Application Scanners: These scanners can provide more in-depth vulnerability assessments of web applications identified by ThreatNG.

    • API Security Testing Tools: As APIs are a significant part of the external attack surface, dedicated API testing tools can complement ThreatNG's analysis.

3. Reporting

ThreatNG provides reporting capabilities to communicate findings from the External Attack Surface Analysis.

  • It offers various reporting formats, including executive, technical, and prioritized reports.

  • Example: Prioritized reports help security teams focus on the most critical vulnerabilities and weaknesses in the external attack surface, enabling efficient remediation efforts.

  • Complementary Solutions:

    • GRC Tools: ThreatNG's reports can be integrated into Governance, Risk, and Compliance tools to view external risks and compliance status comprehensively.

    • Dashboards: Security dashboards can use ThreatNG's data to provide a real-time view of the organization's external attack surface and security posture.

4. Continuous Monitoring

ThreatNG emphasizes continuous monitoring, essential for managing the dynamic nature of the external attack surface.

  • It continuously monitors the external attack surface, digital risk, and security ratings, ensuring that organizations are aware of any changes or additions to their external footprint.

  • Example: ThreatNG's continuous monitoring can detect new subdomains, changes in DNS records, or newly exposed cloud services, all representing changes in the external attack surface.

  • Complementary Solutions:

    • Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's monitoring can trigger automated SOAR platform workflows to respond to external attack surface changes, such as automatically investigating new subdomains.

    • Change Management Systems: Integrating with change management systems can help correlate changes in the external attack surface with planned IT changes, improving risk management.

5. Investigation Modules

ThreatNG includes investigation modules that enable security teams to delve deeper into specific aspects of the external attack surface.

  • These modules provide detailed information and analysis capabilities:

    • Domain Intelligence: Provides insights into domains, subdomains, DNS, and email.

    • IP Intelligence: Analyzes IP addresses.

    • Certificate Intelligence: Examines TLS certificates.

    • Social Media: Monitors social media presence.

    • Sensitive Code Exposure: Discovers exposed code repositories.

    • Mobile Application Discovery: Investigates mobile apps.

    • Search Engine Exploitation: Analyzes search engine exposure.

    • Cloud and SaaS Exposure: Provides visibility into cloud and SaaS usage.

    • Online Sharing Exposure: Monitors online sharing platforms.

    • Sentiment and Financials: Analyzes sentiment and financial data.

    • Archived Web Pages: Examines archived web pages.

    • Dark Web Presence: Monitors dark web activity.

    • Technology Stack: Identifies technologies used.

  • Examples:

    • The "Domain Intelligence" module is valuable for investigating the domain-based external attack surface, providing details on subdomains, DNS records, and potential vulnerabilities. For instance, it provides a Domain Overview (Digital Presence Word Cloud; Microsoft Entra Identification and Domain Enumeration; Bug Bounty Programs; and related SwaggerHub instances, which include API documentation and specifications that let users understand and potentially test the API's functionality and structure) and DNS Intelligence (Domain Record Analysis, covering IP Identification and Vendor and Technology Identification; Domain Name Permutations, both taken and available; and Web3 Domains, both taken and available).

    • The "Search Engine Exploitation" module helps identify how search engines can expose sensitive information, a critical aspect of understanding the external attack surface.

  • Complementary Solutions:

    • Threat Hunting Platforms: These platforms can proactively use ThreatNG's investigation data to hunt for threats within the external attack surface.

    • Digital Forensics Tools: In the event of a security incident, these tools can work with ThreatNG to provide detailed forensic analysis of the compromised parts of the external attack surface.

6. Intelligence Repositories

ThreatNG's intelligence repositories provide valuable context and threat intelligence to enhance the analysis of the external attack surface.

  • These repositories ("DarCache") include information on:

    • Dark Web

    • Compromised Credentials

    • Ransomware Groups

    • Vulnerabilities

    • ESG Violations

    • Mobile Apps

  • Example: The "DarCache Vulnerability" repository provides information on known vulnerabilities (NVD, EPSS, KEV) and proof-of-concept exploits, helping organizations prioritize remediation of vulnerabilities in their external attack surface.

  • Complementary Solutions:

    • Threat Intelligence Platforms (TIPs): Integrating with TIPs can provide a broader, more diverse set of threat intelligence to enrich ThreatNG's analysis.

    • SIEM Systems: Threat intelligence from DarCache can be integrated into SIEM systems to correlate external attack surface risks with internal security events.

ThreatNG offers a comprehensive External Attack Surface Analysis platform, with robust discovery, assessment, reporting, continuous monitoring, investigation, and threat intelligence capabilities. Its potential to work with complementary solutions can further strengthen an organization's ability to manage and secure its external-facing assets.
