External Identity Monitoring

External identity monitoring in cybersecurity is the practice of continuously searching for and analyzing an organization's and its employees' identity information that has been exposed on the public internet, dark web, and other digital channels. This process focuses on identifying credentials, personally identifiable information (PII), and other sensitive data that attackers could exploit for malicious purposes, such as unauthorized access, impersonation, or data theft.

Key Aspects of External Identity Monitoring

  • Proactive Discovery: This is an active search for exposed identities rather than a passive wait for a breach notification. It involves scanning a wide range of external sources, including public forums, social media, code repositories, and underground marketplaces.

  • Diverse Data Sources: The monitoring extends beyond just usernames and passwords. It looks for a variety of data points, including email addresses, phone numbers, employee names and roles, and internal system credentials that might have been accidentally leaked.

  • Contextual Analysis: It's not enough to find a leaked credential. External identity monitoring also involves analyzing the context of the exposure. For example, is the exposed data associated with a specific company or individual? Is it part of a large data dump from a previous breach? This helps determine the risk level and prioritize a response.

  • Early Warning System: By identifying exposed credentials and PII before they are actively used in an attack, an organization can take proactive measures to mitigate potential risks. This includes forcing password resets, invalidating session tokens, and alerting affected individuals.

The Importance of External Identity Monitoring

External identity monitoring is a critical component of a modern cybersecurity strategy. It helps an organization to:

  • Reduce the Risk of Account Takeover: Attackers often use credentials leaked in third-party breaches to try to access corporate accounts.

  • Limit the Impact of Insider Threats: It can help identify when an employee's credentials have been compromised, which could lead to an internal attack.

  • Protect Brand Reputation: A well-known leak of sensitive employee data can damage a company's reputation and customer trust.

  • Inform Security Posture: The intelligence gathered provides insights into where an organization's vulnerabilities lie and which security controls need to be strengthened.

ThreatNG helps an organization with external identity monitoring by proactively searching for and contextualizing exposed identity information from an external, unauthenticated perspective. It scans for sensitive data on the public internet, the dark web, and other channels that attackers could exploit, and then provides actionable insights to help security teams respond effectively.

External Discovery

ThreatNG's external discovery capability acts as a wide-net search for all publicly exposed digital assets associated with an organization. It identifies previously unknown or forgotten assets, such as exposed mobile apps, unmonitored cloud services, and public code repositories. For example, suppose an employee accidentally includes their corporate email and password in a public code snippet on GitHub. In that case, ThreatNG's discovery process can identify this leak, which is a key step in uncovering an identity exposure that the company was previously unaware of.

External Assessment

ThreatNG's assessments analyze the discovered data for potential identity-related risks, providing a clear picture of the threat.

  • BEC & Phishing Susceptibility: This assessment is directly relevant to identity monitoring. It uses DNS intelligence to find domain name permutations—look-alike domains created to trick employees or customers. For instance, ThreatNG might discover a domain like your-company-pay.com that's been registered by a malicious actor, which could be used in a phishing attack to steal credentials and gain unauthorized access to an organization's systems.

  • Data Leak Susceptibility: This score is derived from external attack surface and digital risk intelligence. A key component is Dark Web Presence (Compromised Credentials), which directly relates to external identity monitoring. For example, suppose a list of compromised credentials from a third-party breach is found on the dark web. In that case, ThreatNG can use this information to calculate a higher risk score for the organization, highlighting a serious potential threat.

  • Sensitive Code Exposure: This assessment specifically looks for exposed credentials within public code repositories. It can uncover a variety of sensitive data, including API keys, cloud credentials, and user account information that an employee may have inadvertently published.
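A small look-alike domain triage routine, added here as an illustration of the kind of permutation check the BEC & Phishing Susceptibility assessment above describes. It is not ThreatNG's code or its DNS intelligence; the brand domain, lure words, heuristics and the candidate list are all constructed for the example.

```python
# Added example (not ThreatNG code); brand domain, lure words and candidate list are constructed.
ORG_DOMAIN = "your-company.com"
LURE_WORDS = ("pay", "login", "hr", "secure", "mail")  # assumed lure tokens

def _split(domain):
    """Split 'label.tld' into (label, tld); handles single-label TLDs only."""
    label, _, tld = domain.lower().strip().rpartition(".")
    return label, tld

def _levenshtein(a, b):
    """Plain edit distance, enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, org=ORG_DOMAIN):
    """Return why candidate resembles org, or None if it does not."""
    org_label, org_tld = _split(org)
    label, tld = _split(candidate)
    if (label, tld) == (org_label, org_tld):
        return None                                    # the organisation's own domain
    if label == org_label:
        return "tld-swap"                              # e.g. your-company.net
    if label.replace("-", "") == org_label.replace("-", ""):
        return "hyphenation"                           # e.g. yourcompany.com
    for word in LURE_WORDS:
        if word in label and label.replace(word, "").strip("-") == org_label:
            return f"lure-word:{word}"                 # e.g. your-company-pay.com
    if _levenshtein(label, org_label) <= 2:
        return "typo"                                  # e.g. your-compamy.com
    return None

def triage(observed, org=ORG_DOMAIN):
    """Map each flagged domain to its reason; domains that look unrelated are dropped."""
    return {d: classify(d, org) for d in observed if classify(d, org)}

# Newly registered domains as a monitoring feed might deliver them (constructed)
OBSERVED = ["your-company.com", "your-company.net", "yourcompany.com",
            "your-company-pay.com", "your-compamy.com", "example.org"]

if __name__ == "__main__":
    for domain, reason in triage(OBSERVED).items():
        print(f"{domain:24} {reason}")
```

Flagged domains are candidates for a takedown request or for blocking in the mail gateway; the reason string tells the analyst which permutation pattern matched.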

Reporting

ThreatNG's reports are essential for communicating the findings of external identity monitoring. The Prioritized Report is particularly useful, as it categorizes risks as High, Medium, or Low, allowing security teams to focus on the most critical exposures first. For instance, a report might highlight a batch of compromised employee credentials on the dark web as a "High" risk, prompting an immediate response.

Continuous Monitoring

ThreatNG offers continuous monitoring of an organization's external attack surface, digital risk, and security ratings. This is crucial for external identity monitoring because new data leaks and credential dumps can appear at any time. Suppose new compromised credentials associated with an organization are posted on the dark web. In that case, ThreatNG will quickly update its security ratings and generate alerts, ensuring that security teams are informed in near-real time.

Investigation Modules

ThreatNG's investigation modules provide detailed, actionable insights that enable security teams to respond to identity exposures.

  • Dark Web Presence: This module specifically looks for mentions of the organization, associated ransomware events, and compromised credentials on the dark web. For example, it can find a list of employee emails and passwords for sale on a dark web marketplace, which is a direct sign of a potential account takeover threat.

  • Sensitive Code Exposure: This module can discover a wide range of exposed sensitive data. For instance, it could uncover a publicly accessible configuration file for a remote access service that contains a username and password.

  • Archived Web Pages: This module analyzes older versions of an organization's online presence, which can contain sensitive data that has since been removed. An archived version of a site might include an old, forgotten admin page with exposed credentials or an email address from a technical role, which could still be a valid point of entry for an attacker.

Intelligence Repositories

ThreatNG's DarCache intelligence repositories provide the data that enables its identity monitoring capabilities. The DarCache Rupture repository is dedicated specifically to tracking compromised credentials. This repository, along with the DarCache Dark Web and DarCache Ransomware repositories, provides ThreatNG with the up-to-date threat intelligence needed to identify and contextualize identity exposures as soon as they appear in the criminal underground.

Complementary Solutions

ThreatNG's external identity monitoring capabilities can be enhanced by integrating with internal security tools.

  • Security Information and Event Management (SIEM) systems: ThreatNG's alerts about exposed credentials can be fed into a SIEM. The SIEM can then correlate this external data with internal logs to see if there have been any unauthorized login attempts from the associated usernames or accounts. For example, suppose ThreatNG identifies that an employee's password has been compromised on the dark web. In that case, the SIEM can flag any subsequent login attempts using that account from an unusual IP address.

  • Identity and Access Management (IAM) systems: The findings from ThreatNG can be used to trigger automated responses within an IAM system. If ThreatNG discovers compromised credentials, the IAM can be configured to automatically force a password reset for that account and potentially require multi-factor authentication (MFA) to prevent an account takeover.
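The SIEM correlation and the IAM response described in the two items above, carried through as one added example. This is not ThreatNG's code or any SIEM or IAM product's API; the exposure feed, the known-address baseline, the log format and the action names are all constructed for the example.

```python
# Added example (not ThreatNG or any SIEM/IAM vendor code); feed, baseline and logs are constructed.
from datetime import datetime, timezone
import re

# Exposure alert as a monitoring feed would deliver it (constructed)
EXPOSED = [{"user": "jdoe", "seen_at": "2024-05-01T09:00:00Z", "source": "darkweb-dump"}]
# Addresses each user normally signs in from (constructed baseline)
KNOWN_IPS = {"jdoe": {"198.51.100.7"}, "asmith": {"198.51.100.9"}}
# Authentication log lines (constructed, documentation-range addresses)
AUTH_LOG = """\
2024-05-01T08:30:00Z user=jdoe src=198.51.100.7 result=success
2024-05-01T10:02:11Z user=jdoe src=203.0.113.45 result=failure
2024-05-01T10:02:40Z user=jdoe src=203.0.113.45 result=success
2024-05-01T10:05:00Z user=asmith src=198.51.100.9 result=success
"""
LINE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Turn raw lines into dicts, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append({"ts": _ts(m[1]), "user": m[2], "src": m[3], "result": m[4]})
    return events

def correlate(exposed, events, known_ips):
    """Flag attempts by an exposed account, after the exposure, from an unfamiliar address."""
    findings = []
    for ex in exposed:
        since = _ts(ex["seen_at"])
        for e in events:
            if (e["user"] == ex["user"] and e["ts"] >= since
                    and e["src"] not in known_ips.get(e["user"], set())):
                findings.append({**e, "exposure": ex["source"]})
    return findings

def plan_response(exposed, findings):
    """IAM actions: reset and step-up MFA for every exposed account, and also
    revoke live sessions where a suspicious attempt actually succeeded."""
    actions = {ex["user"]: ["force_password_reset", "require_mfa"] for ex in exposed}
    for f in findings:
        if f["result"] == "success" and "revoke_sessions" not in actions[f["user"]]:
            actions[f["user"]].append("revoke_sessions")
    return actions
```

Note that the 08:30 login from a known address is not flagged even though the account is exposed: the exposure timestamp and the address baseline are what keep the correlation from drowning the analyst in the account's normal activity.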
