External Due Diligence Assurance


External Due Diligence Assurance in the context of cybersecurity is a specialized and ongoing process of evaluating the cybersecurity posture and digital risk of an organization, or a third party it interacts with, from an outside-in, unprivileged perspective. It's about gaining an objective and continuous understanding of an entity's external security strengths and weaknesses, digital vulnerabilities, and potential liabilities, primarily through publicly available information and external reconnaissance, without relying on internal access or self-reported data.

This form of due diligence goes beyond traditional, often self-attested, questionnaires. It provides independent verification of cybersecurity claims and reveals hidden or overlooked risks that could impact business decisions, partnerships, investments, or compliance obligations.

Here's a detailed breakdown:

  • Purpose and Core Objective:

    • Independent Validation: To provide an unbiased, external validation of an entity's cybersecurity claims and actual security posture.

    • Risk Identification for Strategic Decisions: To identify potential cybersecurity risks, liabilities, or exposures that could impact mergers & acquisitions (M&A), investments, partnerships, vendor onboarding, or supply chain relationships.

    • Continuous Monitoring of External Risk: To ensure that the external risk profile of a target or partner remains acceptable over time, as their digital footprint evolves.

    • Reputational and Financial Protection: To mitigate potential financial losses, legal repercussions, or reputational damage arising from an association with a cyber-insecure entity.

  • "External" and "Outside-In" Perspective:

    • This is the defining characteristic. The assessment is conducted solely using publicly available information and external observation methods, mirroring what a sophisticated attacker or a well-resourced competitor could discover.

    • It does not involve internal network scans, access to internal systems, or relying solely on questionnaires filled out by the target organization (though it can complement such methods).

  • Key Data Sources and Focus Areas: External Due Diligence Assurance aggregates and analyzes a wide array of public and open-source intelligence (OSINT), including:

    • Internet Infrastructure: Domains, subdomains, IP ranges, public-facing servers, cloud deployments, and associated DNS records.

    • Web and Application Presence: Public websites, web applications, APIs, and mobile applications available in public stores.

    • Code Repositories: Public code hosting platforms (e.g., GitHub, GitLab) searched for inadvertently exposed sensitive data or credentials.

    • Digital Brand Footprint: Social media profiles, domain registrations (including typosquatting or brand impersonation attempts), and public relations.

    • Data Exposure: Monitoring for leaked credentials, sensitive documents, or other data found on the dark web, paste sites, or misconfigured public cloud storage.

    • Vulnerability Information: Publicly known vulnerabilities (CVEs) associated with an entity's exposed software and services.

    • Financial and Legal Data: Publicly available financial filings, legal records, news articles, and regulatory disclosures that may indicate past security incidents, lawsuits, or compliance issues.

    • Third-Party & Supply Chain Linkages: Identifying technologies, services, and other digital relationships with third parties that might inherit or introduce risk.

  • Beyond a Point-in-Time Check:

    • While traditional due diligence is often a snapshot before a transaction, assurance implies ongoing verification. The digital landscape and an organization's security posture are dynamic.

    • Continuous monitoring of the external attack surface and digital risk profile provides ongoing assurance, flagging any new exposures or deteriorating security postures that could invalidate initial findings.

  • Benefits:

    • Informed Decision-Making: Provides comprehensive, objective data to support critical business decisions (M&A, investments, vendor selection).

    • Risk Mitigation: Identifies unforeseen cybersecurity risks and liabilities, enabling adjustments or risk remediation plans.

    • Enhanced Trust: Builds confidence in the cybersecurity posture of partners, suppliers, and potential acquisitions.

    • Proactive Threat Identification: Uncovers vulnerabilities and exposures that attackers could exploit, before a relationship is formalized.

    • Compliance Verification: Aids in verifying if a third party meets required security standards and regulatory obligations.

    • Competitive Advantage: Offers deeper insights into an entity's true security strength compared to competitors, who rely solely on self-reported data.

External Due Diligence Assurance serves as a vital external cybersecurity intelligence layer, enabling organizations to make more secure and informed decisions by continuously validating the digital trustworthiness and risk profile of any entity they engage with in the interconnected business ecosystem.

ThreatNG, as an all-in-one external attack surface management, digital risk protection, and security ratings solution, offers comprehensive capabilities that directly support and enhance an organization's External Due Diligence Assurance. ThreatNG provides a continuous, outside-in evaluation of an organization's digital risk posture by identifying exposed assets, critical vulnerabilities, and digital risks from an unauthenticated attacker's perspective, mapping these findings directly to relevant GRC frameworks. This capability enables organizations to proactively uncover and address external security gaps, thereby strengthening their overall security standing and providing robust due diligence.

ThreatNG's Role in External Due Diligence Assurance

1. External Discovery: ThreatNG's ability to perform purely external, unauthenticated discovery using no connectors is crucial for External Due Diligence Assurance. This means it can identify an organization's digital footprint as an attacker would see it, without needing internal access or credentials. This unauthenticated discovery provides an accurate "outside-in" view, fundamental for robust due diligence, as it ensures all internet-facing assets of the assessed entity are accounted for.

  • How ThreatNG Helps: ThreatNG automatically discovers an organization's internet-facing assets, including domains, subdomains, IP addresses, cloud services, and mobile applications. This helps establish a comprehensive asset inventory from an external perspective, ensuring that no unknown exposures exist that could impact the due diligence assessment.

  • External Due Diligence Assurance Example: A company is evaluating a potential acquisition target. ThreatNG's External Discovery identifies several unknown domains and subdomains owned by the target company that are not listed in their provided asset inventory. This immediate discovery of "shadow IT" expands the scope of due diligence, revealing potential unmanaged security risks that could affect the acquisition's value or future liability.

2. External Assessment: ThreatNG conducts a comprehensive range of external assessments that directly inform External Due Diligence Assurance by highlighting potential risks and vulnerabilities from an attacker's perspective.

  • Web Application Hijack Susceptibility:

    • How ThreatNG Helps: ThreatNG analyzes the parts of a web application accessible from the outside world to identify potential entry points for attackers. External Attack Surface and Digital Risk Intelligence, including Domain Intelligence, substantiate this score.

    • External Due Diligence Assurance Example: During the due diligence for a partnership, ThreatNG assesses the partner's public-facing web applications and identifies a high "Web Application Hijack Susceptibility" due to outdated software. This indicates that the partner's web security posture is weak, highlighting a potential entry point for attackers that could ultimately compromise the partnership.

  • Subdomain Takeover Susceptibility:

    • How ThreatNG Helps: ThreatNG evaluates subdomain takeover susceptibility by analyzing a website's subdomains, DNS records, SSL certificate statuses, and other relevant factors using external attack surface and digital risk intelligence that incorporates Domain Intelligence.

    • External Due Diligence Assurance Example: When performing due diligence on a new vendor, ThreatNG discovers that one of their subdomains is vulnerable to takeover. This confirms that the vendor has a critical unpatched vulnerability that could be exploited for brand impersonation or phishing, directly impacting the risk assessment of engaging with that vendor.

  • BEC & Phishing Susceptibility:

    • How ThreatNG Helps: This susceptibility score is derived from Sentiment and Financial Findings, Domain Intelligence (DNS Intelligence capabilities, which include Domain Name Permutations and Web3 Domains that are available and taken), and email intelligence (providing email security presence and format prediction), as well as dark web presence (Compromised Credentials).

    • External Due Diligence Assurance Example: For a crucial supplier, ThreatNG identifies weak DMARC policies via "Email Intelligence" and a high number of "Compromised Credentials" on the dark web. This confirms that the supplier has a high "BEC & Phishing Susceptibility," indicating a risk of supply chain attacks through email compromise that could directly impact the assessing organization.

  • Brand Damage Susceptibility:

    • How ThreatNG Helps: Derived from attack surface intelligence, digital risk intelligence, ESG Violations, Sentiment and Financials (Lawsuits, SEC filings, SEC Form 8-Ks, and Negative News), and Domain Intelligence (Domain Name Permutations and Web3 Domains that are available and taken).

    • External Due Diligence Assurance Example: During due diligence for a marketing partnership, ThreatNG detects numerous instances of brand impersonation on newly registered domain permutations associated with the potential partner. This confirms the partner's "Brand Damage Susceptibility," indicating a risk to shared brand reputation that would influence the partnership terms.

  • Data Leak Susceptibility:

    • How ThreatNG Helps: This is derived from external attack surface and digital risk intelligence based on Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), Domain Intelligence, and Sentiment and Financials (Lawsuits and SEC Form 8-Ks).

    • External Due Diligence Assurance Example: Before acquiring a software company, ThreatNG identifies an "Open Exposed Cloud Bucket" belonging to the target, which contains sensitive customer data. This provides critical assurance that the target has a "Data Leak Susceptibility," revealing a significant liability that must be addressed before finalizing the acquisition.

  • Cyber Risk Exposure:

    • How ThreatNG Helps: This score considers parameters ThreatNG's Domain Intelligence module covers, including certificates, subdomain headers, vulnerabilities, and sensitive ports, to determine cyber risk exposure. Code Secret Exposure, which discovers code repositories and their exposure level and investigates their contents for the presence of sensitive data, is factored into the score. Cloud and SaaS Exposure evaluates cloud services and Software-as-a-Service (SaaS) solutions. Additionally, the score considers the organization's compromised credentials on the dark web, which increases the risk of successful attacks.

    • External Due Diligence Assurance Example: For a potential investment, ThreatNG identifies that the target company has multiple public-facing servers with "sensitive ports" exposed and significant "Code Secret Exposure" where credentials are found in public code repositories. This confirms a high "Cyber Risk Exposure," indicating a severe lack of external security hygiene and potential for immediate compromise.

  • Supply Chain & Third Party Exposure:

    • How ThreatNG Helps: This is derived from Domain Intelligence (Enumeration of Vendor Technologies from DNS and Subdomains), Technology Stack, and Cloud and SaaS Exposure.

    • External Due Diligence Assurance Example: When onboarding a new critical supplier, ThreatNG assesses their external posture and discovers that they use outdated "Technology Stack" components and have significant "Cloud and SaaS Exposure" on unsanctioned services. This provides assurance of the supplier's "Supply Chain & Third Party Exposure," directly impacting the risk assessment of integrating with them.

  • Breach & Ransomware Susceptibility:

    • How ThreatNG Helps: This is calculated based on external attack surface and digital risk intelligence, which includes domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events and gang activity), and sentiment and financials (SEC Form 8-Ks).

    • External Due Diligence Assurance Example: In evaluating a potential partner, ThreatNG identifies that they have a high volume of "Compromised Credentials" on the dark web and recent "ransomware events and gang activity" mentions. This confirms their "Breach & Ransomware Susceptibility," highlighting a significant operational risk that could propagate through the partnership.

  • Mobile App Exposure:

    • How ThreatNG Helps: Evaluates how exposed an organization's mobile apps are by discovering them in marketplaces and inspecting them for the following contents: Access Credentials, Security Credentials, and Platform Specific Identifiers.

    • External Due Diligence Assurance Example: During the due diligence for a mobile app development firm, ThreatNG discovers one of their public apps contains hardcoded "Access Credentials" (e.g., an AWS API Key). This confirms that their development practices have critical security flaws, which directly impacts the risk assessment of outsourcing mobile development to them.

  • Positive Security Indicators:

    • How ThreatNG Helps: This feature identifies and highlights an organization's security strengths. Instead of only focusing on vulnerabilities, this feature detects the presence of beneficial security controls and configurations, such as Web Application Firewalls or multi-factor authentication. It validates these positive measures from the perspective of an external attacker, providing objective evidence of their effectiveness.

    • External Due Diligence Assurance Example: When evaluating a cloud service provider, ThreatNG identifies "Positive Security Indicators" such as the verified presence of robust Web Application Firewalls and strong email authentication (DMARC, SPF, DKIM) on their external posture. This provides positive assurance of their strong security controls, boosting confidence in their digital resilience.

3. Reporting: ThreatNG offers various reporting capabilities, including Executive, Technical, Prioritized (High, Medium, Low, and Informational), Security Ratings, Inventory, Ransomware Susceptibility, U.S. SEC Filings, and External GRC Assessment Mappings (e.g., PCI DSS). These reports are essential for communicating the findings of External Due Diligence Assurance.

  • How ThreatNG Helps: ThreatNG's "Security Ratings" provide a quick, high-level overview of an entity's external digital risk posture. The "Executive" and "Technical" reports provide granular details explaining the rating and specific findings. "U.S. SEC Filings" reports directly provide public financial and risk disclosures.

  • External Due Diligence Assurance Example: An investment firm receives a ThreatNG "Executive" report on a target company, which includes a low "Security Rating". The accompanying "Prioritized" report details critical data leaks and high "Breach & Ransomware Susceptibility". This clear reporting provides rapid, objective assurance of the target's high digital risk, influencing the investment decision and potential valuation.

4. Continuous Monitoring: ThreatNG provides continuous monitoring of the external attack surface, digital risk, and security ratings of all organizations.

  • How ThreatNG Helps: For External Due Diligence Assurance, continuous monitoring is critical, especially for ongoing partnerships or long-term investments. An entity's digital risk posture can change rapidly. ThreatNG ensures that any new exposures or deteriorations in security posture are identified promptly, providing ongoing assurance beyond a single point in time.

  • External Due Diligence Assurance Example: After an acquisition, the acquiring company uses ThreatNG to continuously monitor the acquired entity's external posture. If ThreatNG's "Continuous Monitoring" detects a new, unmanaged cloud instance or a sudden increase in "Compromised Credentials" on the dark web associated with the acquired entity, this provides immediate assurance of a deteriorating risk posture, prompting immediate action to secure the new assets.

5. Investigation Modules: ThreatNG's investigation modules offer deep insights into various aspects of an organization's external posture, which are invaluable for detailed External Due Diligence Assurance.

  • Domain Intelligence:

    • How ThreatNG Helps: Provides comprehensive intelligence on an organization's digital presence, including Domain Overview (Digital Presence Word Cloud, Microsoft Entra Identification and Domain Enumeration, Bug Bounty Programs, and related SwaggerHub instances), DNS Intelligence (IP Identification, Vendors and Technology Identification, Domain Name Permutations, Web3 Domains), Email Intelligence (Security Presence, Format Predictions, Harvested Emails), WHOIS Intelligence (WHOIS Analysis and Other Domains Owned), and detailed Subdomain Intelligence (HTTP Responses, Header Analysis, Server Headers, Cloud Hosting, Content Identification, Ports, Known Vulnerabilities).

    • External Due Diligence Assurance Example: During due diligence for a potential technology partner, ThreatNG's "Domain Intelligence" reveals numerous "Domain Name Permutations" that are available for registration, indicating a lack of proactive domain protection. It also identifies several "Web3 Domains" and "SwaggerHub instances" linked to unknown APIs. This detailed intelligence surfaces potential brand exploitation risks and unmanaged API exposures.

  • Sensitive Code Exposure:

    • How ThreatNG Helps: Discovers public code repositories and uncovers the digital risks within them, including "Access Credentials" (e.g., API Keys, AWS Access Key ID), "Security Credentials" (e.g., PGP private key block, RSA Private Key), "Configuration Files," and "Database Exposures."

    • External Due Diligence Assurance Example: In evaluating a software vendor, ThreatNG's "Code Repository Exposure" module discovers that their public GitHub profile contains "AWS Access Key ID Values" and "Potential cryptographic private keys". This provides critical assurance of severe security flaws in their development practices and represents a significant liability if sensitive credentials are being exposed.

  • Cloud and SaaS Exposure:

    • How ThreatNG Helps: Identifies "Sanctioned Cloud Services, Unsanctioned Cloud Services, Cloud Service Impersonations, and Open Exposed Cloud Buckets" of major providers like AWS, Microsoft Azure, and Google Cloud Platform; and covers various SaaS implementations (e.g., Salesforce, Slack, Workday, Okta).

    • External Due Diligence Assurance Example: When performing due diligence on a new B2B service provider, ThreatNG discovers they are using "Unsanctioned Cloud Services" or have "Open Exposed Cloud Buckets" on Azure that contain client data. This assures that their cloud security posture is weak, introducing significant data privacy risks to any organization partnering with them.

  • Online Sharing Exposure:

    • How ThreatNG Helps: Identifies the presence of organizational entities within online sharing platforms, such as Pastebin, GitHub Gist, Scribd, and SlideShare.

    • External Due Diligence Assurance Example: During due diligence for a new technology partner, ThreatNG discovers sensitive internal documents (e.g., project plans, meeting minutes) that have been publicly shared on a platform like Scribd or Pastebin. This raises concerns about their overall security hygiene due to weak information handling practices.

  • Sentiment and Financials:

    • How ThreatNG Helps: Uncovers "Organizational Related Lawsuits, Layoff Chatter, SEC Filings of Publicly Traded US Companies (especially their Risk and Oversight Disclosures), SEC Form 8-Ks, and ESG Violations".

    • External Due Diligence Assurance Example: For a potential merger candidate, ThreatNG's "Sentiment and Financials" module uncovers recent "SEC Form 8-Ks" detailing a significant cybersecurity breach and "Lawsuits" related to data privacy. This provides critical assurance of past security incidents and ongoing legal liabilities, significantly impacting the terms of the merger.

6. Intelligence Repositories (DarCache): Contextualizing External Due Diligence Assurance. ThreatNG's continuously updated intelligence repositories, branded as DarCache, provide critical context that directly influences the depth and accuracy of External Due Diligence Assurance.

  • Dark Web (DarCache Dark Web), Compromised Credentials (DarCache Rupture), Ransomware Groups and Activities (DarCache Ransomware): Tracking Over 70 Ransomware Gangs.

    • How ThreatNG Helps: This intelligence directly informs due diligence by revealing whether the target entity's credentials have been compromised, if they are being discussed on the dark web, or if they have been victims of ransomware.

    • External Due Diligence Assurance Example: When performing due diligence on a managed service provider (MSP), ThreatNG's "Dark Web Presence" monitoring discovers a high volume of "Compromised Credentials" for the MSP's employees and recent "Ransomware events and gang activity" associated with the MSP (DarCache Ransomware). This provides critical assurance that the MSP itself faces significant ongoing threats, which directly impacts the risk of using their services.

  • Vulnerabilities (DarCache Vulnerability): Includes NVD (DarCache NVD), EPSS (DarCache EPSS), KEV (DarCache KEV), and Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit).

    • How ThreatNG Helps: This data provides a deep understanding of the technical characteristics, potential impact, likelihood of exploitation, and active exploitation status of each vulnerability found on the target entity's external attack surface.

    • External Due Diligence Assurance Example: In assessing a software library vendor, ThreatNG identifies several critical vulnerabilities on their public-facing systems. DarCache KEV indicates that some of these vulnerabilities are "actively being exploited in the wild", and DarCache eXploit provides "Verified Proof-of-Concept (PoC) Exploits". This confirms that the vendor's unpatched vulnerabilities pose an immediate and proven threat, directly influencing the decision to use their software.

Complementary Solutions

ThreatNG's external focus creates powerful synergies with other cybersecurity and GRC tools, enriching their data and contributing to a more complete due diligence process.

  • Complementary Solutions: Vendor Risk Management (VRM) Platforms

    • Synergy Example: ThreatNG's continuous "Supply Chain & Third Party Exposure" assessments and "Security Ratings" for a vendor can be directly integrated into a VRM platform. For instance, if ThreatNG's rating for a critical vendor drops due to new external vulnerabilities, the VRM platform can automatically trigger a re-assessment workflow or alert the vendor manager, complementing self-attested questionnaire data with objective, continuous external validation.

  • Complementary Solutions: Mergers & Acquisitions (M&A) Due Diligence Tools

    • Synergy Example: ThreatNG's comprehensive external insights into a target company's "Data Leak Susceptibility", "Cyber Risk Exposure", and "Sensitive Code Exposure" can be fed into specialized M&A due diligence platforms. This provides a rapid, unauthenticated cybersecurity health check, complementing traditional financial and legal due diligence by quickly identifying hidden cyber liabilities and integration risks before an acquisition.

  • Complementary Solutions: GRC Platforms

    • Synergy Example: The findings from ThreatNG's External Due Diligence Assurance, such as identified external risks (e.g., exposed credentials, misconfigured cloud assets) or compliance deviations, can be ingested directly into a GRC platform. This allows the GRC platform to automatically update its risk register and compliance dashboards with external third-party risks, ensuring a holistic and continuously informed GRC posture for all associated entities.

  • Complementary Solutions: Threat Intelligence Platforms (TIPs)

    • Synergy Example: ThreatNG's rich "Adversary Exposure Intelligence" and "DarCache" data (e.g., compromised credentials, ransomware activities) can feed into a broader TIP. The TIP can then correlate ThreatNG's external findings with internal telemetry and global threat intelligence, providing a more comprehensive view of how external exposures align with active threats and campaigns, enhancing the organization's overall threat landscape understanding.

By combining ThreatNG's unique external perspective with the internal visibility and process automation of complementary solutions, organizations can achieve a more robust and proactive approach to External Due Diligence Assurance, enabling more secure and informed business decisions.
