External Discovery

External Discovery in cybersecurity is the fundamental, systematic process of identifying and mapping all digital assets that are visible and accessible from outside an organization’s internal network, often referred to as the external attack surface. This process is crucial because it adopts the outsider's view—exactly how a threat actor would perform their initial reconnaissance—to uncover potential entry points and security weaknesses.

Core Objectives and Asset Types

External discovery is the essential first step in any effective exposure management program because organizations cannot protect assets they don't know they have. The process aims to provide a complete and accurate inventory of all internet-facing components.

Discovered Asset Types

The assets identified can range from obvious websites to forgotten development resources:

  • Domains and Networking: Primary domains, subdomains (e.g., dev.company.com), IP addresses, and the associated network blocks (netblocks).

  • Web Services: Public-facing web applications, login pages, and APIs.

  • Cloud Infrastructure: Virtual machines (VMs), storage resources (e.g., cloud storage buckets), containers, and other resources deployed across cloud providers (AWS, Azure, GCP).

  • Shadow IT: Unknown, unauthorized devices, SaaS applications, or legacy systems that were set up without proper security oversight, creating unmonitored blind spots.

  • Cryptographic Assets: X.509 digital certificates used for SSL/TLS, which help map domains and identify configuration weaknesses like expired certificates.

Key Discovery Methodologies

External discovery is achieved primarily through agentless, non-intrusive techniques, meaning no software needs to be installed on the target systems:

  1. Passive Discovery (OSINT): This involves using publicly available information and databases without actively engaging the target network. Methods include:

    • DNS Enumeration: Analyzing DNS records to find associated subdomains and IP addresses.

    • WHOIS Lookups: Checking domain registration records.

    • Certificate Transparency Logs: Searching public logs of SSL/TLS certificates issued to the organization's domain to uncover unknown subdomains.

    • Search Engine Reconnaissance: Using specialized queries (dorking) on public search engines and code repositories (like GitHub) to find exposed sensitive data.

  2. Active Scanning: This involves directly probing identified assets to confirm their existence and state, in a non-disruptive manner. This typically requires port scanning across public IP ranges to identify open services such as SSH or RDP.

  3. Attribution: The discovery process includes advanced techniques to accurately link an asset (e.g., an IP address or storage bucket) to its owning organization, which is critical for managing third-party risks and mergers/acquisitions.
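As an added example (not code from the page or from any vendor product), the following Python builds an asset inventory from Certificate Transparency log entries, the passive method described above, and also flags hosts whose newest certificate has lapsed, the weakness noted under Cryptographic Assets. The JSON shape mirrors what a CT search service such as crt.sh returns; the entries, hostnames and function names are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the JSON shape a CT search service returns (hypothetical
# entries; these are not real assets).  "name_value" carries the certificate's
# subject names, newline-separated when the certificate lists several SANs.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2030-01-01T00:00:00"},
    {"name_value": "*.example.com", "not_after": "2030-01-01T00:00:00"},
    {"name_value": "dev.example.com", "not_after": "2020-06-30T23:59:59"},
    {"name_value": "api.example.com", "not_after": "2019-01-01T00:00:00"},
    {"name_value": "api.example.com", "not_after": "2029-01-01T00:00:00"},
    {"name_value": "Staging.Example.com.", "not_after": "2031-05-05T00:00:00"},
    {"name_value": "example.com.lookalike.net", "not_after": "2031-01-01T00:00:00"},
    {"name_value": "notexample.com", "not_after": "2031-01-01T00:00:00"},
])


def in_scope(host, apex):
    """True for the apex itself or a genuine subdomain; suffix and prefix
    lookalikes (example.com.lookalike.net, notexample.com) are rejected."""
    return host == apex or host.endswith("." + apex)


def subdomains_from_ct(ct_json, apex, now=None):
    """Inventory in-scope hostnames seen in CT entries.

    Returns (hostnames, expired).  A host lands in expired only when its
    *newest* certificate has lapsed, so a cert that was later renewed does
    not raise a false alarm.
    """
    now = now or datetime.now(timezone.utc)
    apex = apex.lower().rstrip(".")
    latest_expiry = {}  # host -> latest not_after seen across all entries
    for entry in json.loads(ct_json):
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        for raw in entry["name_value"].split("\n"):
            host = raw.strip().lower().rstrip(".")
            # Wildcards prove the zone is in use but name no concrete host.
            if not host or host.startswith("*.") or not in_scope(host, apex):
                continue
            prev = latest_expiry.get(host)
            latest_expiry[host] = not_after if prev is None or not_after > prev else prev
    hostnames = sorted(latest_expiry)
    expired = sorted(h for h, exp in latest_expiry.items() if exp < now)
    return hostnames, expired
```

Names that appear here but not in your CMDB or DNS zone are the forgotten or shadow assets the discovery process exists to surface.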

Cybersecurity Impact

The findings from external discovery are foundational for improving security posture:

  • Risk Identification: Once assets are mapped, they are immediately monitored for security issues such as misconfigured systems, exposed credentials, and known vulnerabilities.

  • Proactive Defense: It allows security teams to identify and remediate vulnerabilities before attackers can exploit blind spots (unknown or forgotten assets).

  • Continuous Vigilance: Since the external attack surface is constantly evolving due to new deployments and cloud services, the discovery process must be automated and continuous to maintain an accurate view of current exposure.

ThreatNG's Approach to External Security

ThreatNG is designed as an all-in-one platform for external attack surface management, digital risk protection, and security ratings. A core strength of ThreatNG lies in its ability to conduct purely external, unauthenticated discovery. This means it can identify and assess an organization's security posture from the same perspective as an external attacker without needing any internal access or credentials.

1. External Discovery

ThreatNG excels at external discovery by identifying an organization's internet-facing assets. This process involves finding assets like:

  • Websites and web applications

  • Domains and subdomains

  • Servers and network infrastructure

  • Cloud services and SaaS solutions

  • Mobile applications

This comprehensive discovery provides the foundation for ThreatNG's subsequent assessment and risk analysis.

2. External Assessment

ThreatNG performs various external assessments to evaluate an organization's security risks. These assessments provide detailed insights into multiple attack vectors and vulnerabilities:

  • Web Application Hijack Susceptibility: ThreatNG analyzes web applications to identify potential entry points for attackers, using external attack surface and digital risk intelligence, including domain intelligence. For example, it assesses input fields, authentication mechanisms, and application logic to determine how easily an attacker could compromise the application.

  • Subdomain Takeover Susceptibility: ThreatNG evaluates the risk of subdomain takeovers by analyzing subdomains, DNS records, and SSL certificate statuses. For instance, it checks for orphaned DNS records pointing to inactive services that attackers could claim and exploit.

  • BEC & Phishing Susceptibility: ThreatNG assesses the organization's susceptibility to business email compromise (BEC) and phishing attacks by analyzing domain intelligence (like email security presence) and dark web presence (compromised credentials). An example would be ThreatNG's ability to detect weak email security configurations (e.g., lack of SPF, DMARC records) that make the organization's domain easier to spoof.

  • Brand Damage Susceptibility: This assessment uses attack surface intelligence, digital risk intelligence, ESG violations, sentiment, financials, and domain intelligence to determine the potential for brand damage. For example, ThreatNG monitors negative news, social media sentiment, and the registration of lookalike domains that could be used for phishing.

  • Data Leak Susceptibility: ThreatNG identifies potential data leaks by analyzing cloud and SaaS exposure, dark web presence (compromised credentials), and domain intelligence. ThreatNG's detection of exposed cloud storage buckets containing sensitive information is an example.

  • Cyber Risk Exposure: This assessment considers factors like certificates, subdomain headers, vulnerabilities, and sensitive ports to determine cyber risk. For instance, ThreatNG identifies outdated software versions or exposed databases that increase the risk of a cyberattack.

  • Code Secret Exposure: ThreatNG discovers code repositories and checks for exposed secrets like API keys and credentials. For example, it can find a public GitHub repository containing an exposed AWS secret access key.

  • Cloud and SaaS Exposure: ThreatNG evaluates the security of the organization's cloud services and SaaS solutions. For example, it can identify misconfigured cloud storage or SaaS applications with weak access controls.

  • ESG Exposure: ThreatNG rates the organization based on discovered environmental, social, and governance (ESG) violations. For instance, it analyzes information related to competition, consumer, employment, and environmental offenses.

  • Supply Chain & Third-Party Exposure: ThreatNG assesses risks associated with the organization's supply chain and third parties by analyzing vendor technologies and cloud and SaaS exposure. An example is identifying third-party vendors with known security vulnerabilities.

  • Breach & Ransomware Susceptibility: This assessment uses external attack surface and digital risk intelligence, including domain intelligence and dark web presence, to determine the likelihood of breaches and ransomware attacks. For example, ThreatNG can detect compromised credentials on the dark web, which increases the risk of a breach.

  • Mobile App Exposure: ThreatNG evaluates an organization’s mobile app exposure by discovering its apps in marketplaces and analyzing their contents for sensitive information, such as access and security credentials. ThreatNG’s detection of hard-coded API keys within a mobile app is an example.

  • Positive Security Indicators: ThreatNG also identifies and highlights an organization's security strengths, such as Web Application Firewalls and multi-factor authentication.
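The BEC & Phishing item above points to missing SPF and DMARC records as the weakness that makes a domain easy to spoof. The Python below is an added example of that check, not ThreatNG's code: it evaluates a domain's SPF and DMARC posture against constructed DNS TXT answers (the domain names, records and the lookup_txt stand-in are assumptions; a real resolver query would replace it).

```python
# Constructed DNS TXT answers for hypothetical domains (not live lookups);
# replace lookup_txt with a real resolver call to assess a domain you own.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 ip4:192.0.2.0/24 ~all", "site-verification=abc123"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns [] when the name has no records."""
    return SAMPLE_TXT.get(name, [])


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(domain, lookup=lookup_txt):
    """Return a list of SPF/DMARC weaknesses for domain (empty list = no findings)."""
    findings = []
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records; receivers return permerror")
    else:
        terms = spf[0].lower().split()
        if "+all" in terms or "all" in terms:
            findings.append("SPF: '+all' authorizes every sender on the internet")
        elif "-all" not in terms:
            findings.append("SPF: no '-all'; spoofed mail is softfailed or neutral, not rejected")
    dmarc = [r for r in lookup("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc record; SPF/DKIM results are never enforced")
    else:
        policy = parse_dmarc(dmarc[0]).get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or '(missing)'} is monitor-only; spoofed mail is still delivered")
    return findings
```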

3. Reporting

ThreatNG provides various reporting options to communicate its findings effectively. These reports can be tailored for different audiences, including:

  • Executive summaries for high-level decision-makers

  • Technical reports for security teams

  • Prioritized reports based on risk level (high, medium, low)

  • Security ratings reports

  • Inventory reports of discovered assets

  • Ransomware susceptibility reports

  • U.S. SEC Filings

4. Continuous Monitoring

ThreatNG monitors organizations' external attack surfaces, digital risks, and security ratings. This ongoing monitoring helps organizations stay informed about their evolving risk posture and promptly detect new threats and vulnerabilities.

5. Investigation Modules

ThreatNG includes investigation modules that provide in-depth information and tools for analyzing specific security areas. These modules offer valuable insights for security professionals:

6. Intelligence Repositories

ThreatNG gathers and maintains a wealth of intelligence data to enhance its analysis. These repositories include:

How ThreatNG Works with Complementary Solutions

While ThreatNG is a comprehensive platform, it can also complement and enhance the effectiveness of other security solutions. Here are some examples:

  • SIEM (Security Information and Event Management): ThreatNG's external attack surface data can be fed into a SIEM to provide a broader context for security events. For instance, if a SIEM detects an intrusion attempt, ThreatNG data can reveal the attacker's potential entry points and the organization's external vulnerabilities.

  • Vulnerability Management Tools: ThreatNG's external vulnerability assessments can complement internal vulnerability scans. While internal scans provide detailed information about vulnerabilities within the network, ThreatNG focuses on externally exposed vulnerabilities that are visible to attackers.

  • SOAR (Security Orchestration, Automation and Response): ThreatNG can trigger automated responses in SOAR platforms. For example, if ThreatNG detects a high-risk vulnerability on a critical web application, it could automatically trigger a patching workflow in the SOAR platform.

  • Threat Intelligence Platforms: ThreatNG's threat intelligence, such as dark web monitoring and ransomware tracking, can be integrated with other threat intelligence platforms to provide a more comprehensive threat landscape.
