External Threat Exposure Management


External Threat Exposure Management (ETEM), often referred to as Continuous Threat Exposure Management (CTEM) or simply Exposure Management (EM), is a proactive and integrated cybersecurity methodology that focuses on identifying, assessing, prioritizing, and mitigating security risks that originate from an organization's digital assets and presence accessible from the internet or otherwise outside its direct control.

Unlike traditional vulnerability management, which often involves cyclical scans and patching, ETEM takes a more holistic and continuous approach. It aims to provide a comprehensive view of an organization's external attack surface and understand how real-world attackers might exploit vulnerabilities and exposures to compromise systems and data.

Here's a detailed breakdown of its key components and processes:

1. External Attack Surface Discovery and Mapping

This foundational step involves comprehensively identifying all digital assets that are visible or accessible from the outside world. This can include:

  • Websites and Web Applications: All public-facing web properties, including subdomains and associated applications.

  • IP Addresses and Network Ranges: Publicly routable IP addresses and network blocks.

  • Cloud Services and Storage: Cloud instances, storage buckets (e.g., S3 buckets), databases, and other cloud-native services that might be unintentionally exposed.

  • Domains and Subdomains: Identifying all registered domains and subdomains, including those that might be forgotten or unmanaged ("shadow IT").

  • APIs and Endpoints: Publicly exposed APIs that could serve as entry points.

  • IoT and OT Devices: Internet-connected operational technology (OT) and Internet of Things (IoT) devices.

  • Public Code Repositories: Discovering instances where sensitive code, credentials, or configuration files might be accidentally exposed in public or poorly secured repositories (e.g., GitHub, GitLab).

  • Employee Information/Dark Web Presence: Identifying if sensitive organizational or employee data is exposed on the dark web or other public forums.

  • Third-Party and Supply Chain Exposure: Assessing the exposure introduced by third-party vendors and supply chain partners with access to the organization's systems or data.

The goal is to think like an attacker and understand all potential entry points they could use. This discovery process must be continuous as environments evolve rapidly.

2. Risk Assessment and Analysis

Once external assets are identified, the next step is to assess the risks associated with each. This involves:

  • Vulnerability Scanning: Checking for known weaknesses (CVEs) in web applications, servers, and other external-facing systems.

  • Configuration Review: Assessing if systems are securely configured (e.g., proper security headers, secure protocols, default credentials).

  • Data Leak Detection: Identifying if sensitive data is exposed through external assets (e.g., credentials in code, open databases).

  • Attack Path Analysis: Evaluating how different exposures could be chained together by an attacker to achieve a larger compromise. This involves understanding the interdependencies between assets.

  • Threat Modeling: Simulating attacker behavior and understanding potential attack vectors.

  • Compliance Assessment: Checking if external assets comply with relevant security standards and regulations (e.g., GDPR, HIPAA, PCI DSS).

3. Prioritization of Exposures

Given the often overwhelming number of potential exposures, prioritization is crucial. ETEM focuses on a risk-based approach that considers:

  • Exploitability: How easily can an attacker exploit a vulnerability?

  • Business Impact: What would be the potential impact (financial, reputational, operational) if a specific asset or vulnerability were exploited? This involves classifying assets based on their criticality to business operations.

  • Threat Intelligence: Incorporating real-time threat intelligence to understand which vulnerabilities are actively exploited by threat actors or are part of emerging attack campaigns.

  • Existing Controls: The effectiveness of current security controls in mitigating the risk.

  • Effort to Remediate: The resources and time required to address the exposure.

This allows security teams to focus their efforts on the most critical exposures that pose the highest risk to the organization.

4. Validation and Remediation Planning

After prioritization, the organization develops and executes remediation plans:

  • Validation: This often involves conducting simulated attacks (e.g., penetration testing, breach and attack simulation, red teaming exercises) to confirm whether identified exposures are exploitable and test the effectiveness of existing security controls and incident response capabilities.

  • Remediation Strategies: Developing and implementing strategies to address identified risks. This can include:

    • Patching vulnerabilities: Applying security updates to software and systems.

    • Improving configurations: Implementing secure configurations for servers, applications, and network devices.

    • Removing exposed data: Securing or removing any sensitive data that is publicly accessible.

    • Strengthening access controls: Implementing strong authentication and authorization mechanisms.

    • Closing unnecessary ports or services.

    • Updating security policies and procedures.

    • Implementing security awareness training for employees.

5. Continuous Monitoring and Communication

ETEM is not a one-time activity but an ongoing process.

  • Continuous Monitoring: Regularly assessing the external attack surface to identify new exposures, changes to existing assets (e.g., new subdomains, software updates, misconfigurations), and emerging threats.

  • Change Detection: Tracking changes to external assets that could introduce new security risks.

  • Risk Communication: Regularly communicating identified risks, their potential impact, and remediation progress to relevant stakeholders, including technical teams, management, and executive leadership. This fosters a shared understanding of the organization's security posture.

  • Feedback Loop: Using the results of monitoring and remediation to refine and improve the overall ETEM program.

Benefits of External Threat Exposure Management:

  • Proactive Security: Shifts from a reactive "patch-and-pray" approach to a proactive stance that aims to identify and mitigate risks before they are exploited.

  • Reduced Attack Surface: Continuously shrinks the potential entry points for attackers.

  • Improved Risk Posture: Provides a clearer understanding of the organization's actual risk exposure and allows for more informed decision-making.

  • Prioritized Remediation: Ensures security resources focus on the most critical issues, maximizing their impact.

  • Enhanced Cyber Resilience: Strengthens the organization's ability to withstand and recover from cyberattacks.

  • Better Compliance: Helps organizations meet regulatory requirements by demonstrating a comprehensive and continuous approach to risk management.

  • Business Alignment: Connects technical security issues to their potential business impact, enabling better communication with non-technical stakeholders.

External Threat Exposure Management is about understanding and reducing the risk of a successful cyberattack by continuously identifying and addressing visible and exploitable weaknesses outside the organization's direct control.

ThreatNG is an all-in-one solution for external attack surface management, digital risk protection, and security ratings. It provides comprehensive visibility into an organization's internet-facing assets and associated risks, making it a powerful tool for implementing and maintaining a robust external threat exposure management (ETEM) program.

Here's how ThreatNG would significantly help with ETEM, module by module:

External Discovery

ThreatNG excels at the foundational ETEM step of external attack surface discovery. It can perform purely external, unauthenticated discovery without the need for connectors. This means it can identify assets as an attacker would, without needing internal access or credentials.

  • Example: ThreatNG would autonomously scan the internet, discovering all public-facing IP addresses, domains, subdomains (e.g., dev.yourcompany.com, shop.yourcompany.co.uk), associated web applications, and cloud services linked to your organization. This includes identifying forgotten or unknown "shadow IT" assets that could pose a significant risk if unmanaged. It would also find public code repositories (e.g., on GitHub) that might belong to the organization and expose sensitive data.

External Assessment

ThreatNG provides a detailed array of external assessment ratings that directly align with understanding and prioritizing risks in ETEM. These assessments are derived from various intelligence sources and offer a nuanced view of exposure.

  • Web Application Hijack Susceptibility: ThreatNG analyzes parts of a web application accessible from the outside world, using domain intelligence to identify potential entry points for attackers and substantiate this score.

    • Example: If your marketing website has an outdated content management system (CMS) with known vulnerabilities, ThreatNG would factor this into the "Web Application Hijack Susceptibility" score, indicating a high risk of compromise through that application.

  • Subdomain Takeover Susceptibility: It evaluates this risk by comprehensively analyzing a website's subdomains, DNS records, SSL certificate statuses, and other factors.

    • Example: If your organization has an unmanaged DNS record pointing a subdomain (e.g., oldblog.yourcompany.com) to a decommissioned service, an attacker could potentially claim that service and host malicious content on your subdomain, which ThreatNG would identify and flag.

  • BEC & Phishing Susceptibility: This is derived from sentiment and financials findings, domain intelligence (including DNS intelligence capabilities like domain name permutations and Web3 domains, and email intelligence for security presence and format prediction), and dark web presence (compromised credentials).

    • Example: ThreatNG might detect that your domain's SPF record is misconfigured, making it easier for attackers to spoof emails from your organization. Combined with findings of compromised employee credentials on the dark web, this would contribute to a high "BEC & Phishing Susceptibility" score, indicating a strong likelihood of successful business email compromise or phishing attacks.

  • Brand Damage Susceptibility: Derived from attack surface intelligence, digital risk intelligence, ESG violations, sentiment and financials (lawsuits, SEC filings, negative news), and domain intelligence (domain name permutations and Web3 domains).

    • Example: If ThreatNG discovers a publicly available document on a cloud storage service linked to your organization that contains unredacted customer information, or if it finds negative news about a recent data breach, these factors would increase your "Brand Damage Susceptibility" score.

  • Data Leak Susceptibility: This score is derived from external attack surface and digital risk intelligence based on Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), Domain Intelligence (DNS Intelligence capabilities like domain name permutations and Web3 domains, and Email Intelligence for security presence and format prediction), and Sentiment and Financials (Lawsuits and SEC Form 8-Ks).

    • Example: ThreatNG could identify an open AWS S3 bucket belonging to your organization (yourcompany-data-archive-public) that inadvertently exposes customer spreadsheets. This direct exposure of sensitive data would primarily drive a high "Data Leak Susceptibility" score.

  • Cyber Risk Exposure: This considers parameters covered by the Domain Intelligence module, including certificates, subdomain headers, vulnerabilities, and sensitive ports. Code Secret Exposure is also factored in, as it discovers code repositories and their exposure level, investigating the contents for sensitive data. Cloud and SaaS Exposure is also evaluated, including compromised credentials on the dark web.

    • Example: ThreatNG might identify an externally accessible server with an expired SSL certificate and an open, sensitive port (e.g., 3389 for RDP) without proper authentication. Additionally, if it discovers internal API keys exposed in a public GitHub repository linked to your organization, these issues would severely impact the "Cyber Risk Exposure" score.

  • ESG Exposure: ThreatNG rates an organization based on discovered environmental, social, and governance (ESG) violations through its external attack surface and digital risk intelligence findings. It analyzes Competition, Consumer, Employment, Environment, Financial, Government Contracting, Healthcare, and Safety-related offenses.

    • Example: If ThreatNG identifies public news articles or regulatory filings indicating a recent environmental violation by your company, or if it uncovers consumer complaints about unfair practices linked to your online presence, these would contribute to the "ESG Exposure" score.

  • Supply Chain & Third Party Exposure: This is derived from Domain Intelligence (enumeration of vendor technologies from DNS and subdomains), Technology Stack, and Cloud and SaaS Exposure.

    • Example: Your organization uses a third-party CRM software. If ThreatNG identifies that this vendor has a known vulnerability in its public-facing portal or has exposed sensitive data through its cloud instances that could impact your organization, it would highlight this in the "Supply Chain & Third Party Exposure" assessment.

  • Breach & Ransomware Susceptibility: This is calculated based on external attack surface and digital risk intelligence, including domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events/gang activity), and sentiment and financials (SEC Form 8-Ks).

    • Example: ThreatNG could discover that your organization has multiple publicly exposed RDP ports with weak credentials, and simultaneously identify that many of your employees’ credentials are circulating on the dark web, alongside recent ransomware events targeting similar industries. This combination would produce a high "Breach & Ransomware Susceptibility" score.

  • Mobile App Exposure: ThreatNG evaluates an organization’s mobile app exposure by discovering its apps in marketplaces and analyzing their contents for access credentials, security credentials (e.g., PGP private keys, RSA private keys), and platform-specific identifiers (e.g., S3 bucket names, Firebase instances, API keys).

    • Example: If ThreatNG finds your company's mobile application in a marketplace and, upon analysis, discovers hardcoded AWS access keys or an exposed Firebase database endpoint within the app's code, this would severely impact the "Mobile App Exposure" score, indicating a direct path for attackers.

  • Positive Security Indicators: This unique feature identifies and highlights an organization's security strengths, detecting beneficial security controls and configurations like Web Application Firewalls (WAFs) or multi-factor authentication. It validates these from an external attacker's perspective, providing objective evidence of effectiveness.

    • Example: ThreatNG might confirm the presence and proper configuration of a WAF protecting your main e-commerce site or detect that your exposed login pages enforce multi-factor authentication, thus providing a more balanced view of your security posture and confirming effective controls.

Reporting

ThreatNG's robust reporting capabilities are essential for communicating ETEM findings to various stakeholders and driving remediation efforts.

  • Executive Reports: Provide high-level summaries of an organization's overall external security posture and digital risk, suitable for leadership.

  • Technical Reports: Offer detailed findings for security teams, including specific vulnerabilities, misconfigurations, and exposures.

  • Prioritized Reports: Categorize risks as High, Medium, Low, and Informational, helping organizations focus on the most critical issues first.

  • Security Ratings Reports: Provide a quantified score of the organization's security posture.

  • Inventory Reports: List all discovered external assets.

  • Ransomware Susceptibility Reports: Specifically detail an organization's susceptibility to ransomware attacks.

  • U.S. SEC Filings Reports: Integrate findings from public financial disclosures, which can indicate risk.

These reports, combined with the embedded knowledge base providing risk levels, reasoning, recommendations, and reference links, enable organizations to prioritize security efforts and make informed decisions about risk mitigation.

Continuous Monitoring

Continuous monitoring is a cornerstone of ETEM, and ThreatNG explicitly provides this capability for the external attack surface, digital risk, and security ratings of all organizations.

  • Example: As soon as a new subdomain is registered or a new cloud service is brought online and inadvertently exposed, ThreatNG detects this change and immediately assesses the new exposure. If a developer accidentally pushes sensitive credentials to a public code repository, ThreatNG's continuous monitoring flags this exposure quickly, preventing a prolonged window of vulnerability. This ongoing vigilance ensures that the external attack surface is always accounted for.

Investigation Modules

ThreatNG's detailed investigation modules allow security teams to drill down into specific areas of concern identified during discovery and assessment. This is crucial for understanding the root cause of an exposure and planning effective remediation.

  • Domain Intelligence:

    • Domain Overview: Provides a digital presence word cloud, Microsoft Entra identification, domain enumeration, bug bounty programs, and related SwaggerHub instances for API documentation.

      • Example: If an analyst wants to understand all subdomains associated with yourcompany.com, including development environments or staging sites, ThreatNG's Domain Intelligence module would provide this consolidated view, flagging any unusual or forgotten subdomains.

    • DNS Intelligence: Includes domain record analysis (IP identification, vendors, technology identification), domain name permutations (taken and available), and Web3 domains (taken and available).

      • Example: An analyst could use this to see if a seemingly legitimate domain (e.g., y0urcompany.com) is registered and if it's being used for malicious purposes, or to verify if DNS records are correctly configured to prevent spoofing.

    • Email Intelligence: Provides email security presence (DMARC, SPF, DKIM records), format predictions, and harvested emails.

      • Example: An investigation into a phishing attempt could use this module to verify the SPF and DKIM records of the organization's legitimate email domains, helping to identify if the phishing email bypassed DMARC or if the organization's email configuration is weak.

    • Subdomain Intelligence: Offers HTTP responses, header analysis (security and deprecated headers), server headers (technologies), cloud hosting, website builders, e-commerce platforms, CMS, code repositories, ports (IoT/OT, ICS, databases, remote access services), known vulnerabilities, and WAF discovery.

      • Example: If ThreatNG flags a subdomain with a "High" web application hijack susceptibility, the analyst can use Subdomain Intelligence to inspect the HTTP responses, server headers, and open ports to understand why it's vulnerable. This may reveal an outdated Apache server running a known vulnerable version or an exposed database port.

  • Sensitive Code Exposure: Discovers public code repositories and investigates their contents for a vast array of sensitive data, including API keys, access tokens, generic and cloud credentials, security credentials (cryptographic keys), configuration files (application, system, network), database exposures, application data exposures (remote access, encryption keys, Java keystores), activity records (command history, logs), communication platform configurations, development environment configurations, security testing tools, cloud service configurations, remote access credentials, system utilities, personal data, and user activity.

    • Example: An alert for "Code Secret Exposure" would lead an analyst to this module, where they could find the exact GitHub repository, file, and line number where an AWS access key or a database password was accidentally committed. This would allow for immediate remediation and credential rotation.

  • Mobile Application Discovery: This process discovers mobile apps in marketplaces and identifies the presence of access credentials, security credentials, and platform-specific identifiers within them.

    • Example: If a mobile app is identified as highly exposed, an analyst can use this module to determine whether internal API keys or hardcoded user credentials are present in the app's compiled code, which attackers could exploit.

  • Search Engine Exploitation: Discovers website control files like robots.txt and security.txt, and helps investigate susceptibility to exposing errors, sensitive information, public passwords, user data, and more via search engines.

    • Example: This module could reveal that your robots.txt file inadvertently allows search engines to index sensitive administrative directories or that your security.txt file is missing critical contact information, hindering responsible disclosure.

  • Cloud and SaaS Exposure: Identifies sanctioned and unsanctioned cloud services, impersonations, and open exposed cloud buckets (AWS, Azure, GCP). It also lists associated SaaS implementations across various categories such as BI, collaboration, CRM, ERP, and IAM.

    • Example: If a department begins using an unsanctioned cloud storage service (e.g., a specific public cloud instance not approved by IT) and accidentally leaves a bucket exposed, ThreatNG would detect this "Cloud and SaaS Exposure" and identify the particular service and its misconfiguration.

  • Dark Web Presence: Detects organizational mentions, associated ransomware events, and compromised credentials on the dark web.

    • Example: If ThreatNG identifies a significant volume of your organization's compromised credentials on a dark web forum, this module would allow the analyst to investigate the source and nature of the compromise, informing credential reset campaigns and heightened monitoring for account takeovers.
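The Email Intelligence checks described above (SPF, DKIM and DMARC presence) and the "BEC & Phishing Susceptibility" example of a misconfigured SPF record can be reduced to a policy check an analyst can run on published TXT records. The following is an added illustration, not ThreatNG's code: the domain names and records are constructed, the lookup limit comes from RFC 7208, and the "enforced / partial / exposed" labels and rules are this example's own assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 section 4.6.4
# permits at most 10 per evaluation, beyond which receivers return permerror.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_SPF_LOOKUPS = 10


def parse_spf(record: str) -> Optional[Dict[str, object]]:
    """Return the qualifier on the 'all' term and the count of lookup-costing terms, or None if not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # strip ":domain", "=value" and "/cidr" to get the bare mechanism or modifier name
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into tag=value pairs, or None if it is not a DMARC1 record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_email_auth(spf_record: Optional[str], dmarc_record: Optional[str]) -> Tuple[str, List[str]]:
    """Rate a domain's resistance to sender spoofing from its published SPF and DMARC records."""
    findings: List[str] = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("SPF: no valid v=spf1 record, receivers cannot verify sending hosts")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF: 'all' term is missing or permissive, any host passes SPF")
        if spf["lookups"] > MAX_SPF_LOOKUPS:
            findings.append(f"SPF: {spf['lookups']} lookup terms exceed the limit of "
                            f"{MAX_SPF_LOOKUPS}, evaluation returns permerror")
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append("DMARC: no policy record, SPF/DKIM failures are not acted on")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none is monitor-only, spoofed mail is still delivered")
        pct = int(dmarc.get("pct", "100"))
        if policy != "none" and pct < 100:
            findings.append(f"DMARC: pct={pct} enforces the policy on only part of the mail stream")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, aggregate reports are not collected")
    # Rating rules are this example's assumption: anything that lets an arbitrary
    # host pass, or removes enforcement entirely, is "exposed"; other gaps are "partial".
    if not findings:
        rating = "enforced"
    elif spf is None or dmarc is None or spf["all"] in (None, "+", "?"):
        rating = "exposed"
    else:
        rating = "partial"
    return rating, findings


# Constructed TXT records for fictional domains; in practice these come from DNS queries.
SAMPLE_RECORDS = {
    "example.com": ("v=spf1 include:_spf.example.net mx -all",
                    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"),
    "example.net": ("v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all",
                    "v=DMARC1; p=none; rua=mailto:dmarc@example.net"),
    "example.org": ("v=spf1 +all", None),
    "sprawl.example": ("v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " -all",
                       "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@sprawl.example"),
}


def assess_all(records=SAMPLE_RECORDS) -> Dict[str, Tuple[str, List[str]]]:
    return {domain: assess_email_auth(spf, dmarc) for domain, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for domain, (rating, findings) in assess_all().items():
        print(f"{domain}: {rating}")
        for finding in findings:
            print("  -", finding)
```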

Intelligence Repositories (DarCache)

ThreatNG's continuously updated intelligence repositories, branded as DarCache, provide crucial context and real-time threat information for effective ETEM.

  • Dark Web (DarCache Dark Web): This service provides insight into discussions and data leaks on the dark web related to the organization.

  • Compromised Credentials (DarCache Rupture): A database of compromised credentials that can be linked to your organization's employees or systems.

  • Ransomware Groups and Activities (DarCache Ransomware): Tracks over 70 ransomware gangs and their activities, offering context for breach and ransomware susceptibility.

  • Vulnerabilities (DarCache Vulnerability): Offers a holistic and proactive approach to managing external risks by understanding real-world exploitability, likelihood of exploitation, and potential impact. It includes:

    • NVD (DarCache NVD): Detailed information on CVEs, including attack complexity, interaction, vector, and impact scores (availability, confidentiality, integrity), CVSS score, and severity.

    • EPSS (DarCache EPSS): Probabilistic estimate of the likelihood of a vulnerability being exploited in the near future, allowing for forward-looking prioritization.

    • KEV (DarCache KEV): Identifies vulnerabilities actively being exploited in the wild, providing critical context for immediate remediation.

    • Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): Direct links to PoC exploits on platforms like GitHub, referenced by CVE, accelerate understanding of exploitability and mitigation strategy development.

  • ESG Violations (DarCache ESG): Information on competition, consumer, employment, environment, financial, government contracting, healthcare, and safety-related offenses.

  • Bug Bounty Programs (DarCache Bug Bounty): Details on in-scope and out-of-scope assets for bug bounty programs.

  • SEC Form 8-Ks (DarCache 8-K): Analysis of SEC filings, particularly for publicly traded US companies.

  • Mobile Apps (DarCache Mobile): Contains details about the presence of various credentials and identifiers within mobile apps.
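Section 3 above lists the prioritization factors (exploitability, business impact, threat intelligence, existing controls, remediation effort), and the DarCache Vulnerability repositories supply the NVD CVSS, EPSS and KEV inputs for the first three. The block below is an added example of turning those inputs into a ranked remediation list; it is not ThreatNG's scoring, which the page does not disclose. The weighting, tier thresholds, asset names and placeholder CVE identifiers are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Exposure:
    """One externally observable weakness on one asset (constructed sample data)."""
    asset: str
    cve: str                 # placeholder identifiers below, not real CVEs
    cvss: float              # NVD base score, 0.0-10.0
    epss: float              # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities catalog
    criticality: int         # business criticality of the asset, 1 (disposable) .. 5 (revenue-critical)
    control_coverage: float  # share of the risk already blocked by an existing control such as a WAF, 0.0-1.0
    effort_days: float       # estimated remediation effort


def likelihood(e: Exposure) -> float:
    # KEV membership is observed exploitation in the wild, so it overrides the EPSS estimate.
    return 1.0 if e.in_kev else e.epss


def risk_score(e: Exposure) -> float:
    """Relative 0-100 score: severity x business impact x likelihood x residual (unmitigated) share."""
    severity = e.cvss / 10.0
    impact = e.criticality / 5.0
    residual = 1.0 - e.control_coverage
    return round(100.0 * severity * impact * likelihood(e) * residual, 1)


def tier(score: float) -> str:
    # Thresholds are this example's assumption; they mirror the High/Medium/Low/Informational bands
    # used in prioritized reports.
    if score >= 50.0:
        return "High"
    if score >= 20.0:
        return "Medium"
    if score >= 5.0:
        return "Low"
    return "Informational"


def prioritize(exposures: List[Exposure]) -> List[Tuple[str, str, float, str]]:
    """Return (asset, cve, score, tier) ordered by score, cheapest fix first when scores tie."""
    ranked = sorted(exposures, key=lambda e: (-risk_score(e), e.effort_days))
    return [(e.asset, e.cve, risk_score(e), tier(risk_score(e))) for e in ranked]


# Constructed sample: NVD/EPSS/KEV data joined to each asset's business criticality.
# The same critical CVE appears on a storefront and on a forgotten blog to show how
# business impact and existing controls separate two otherwise identical findings.
SAMPLE_EXPOSURES = [
    Exposure("shop.example.com",    "CVE-0000-0001", 9.8, 0.97, True,  5, 0.3, 2.0),  # storefront behind a WAF
    Exposure("oldblog.example.com", "CVE-0000-0001", 9.8, 0.97, True,  1, 0.0, 0.5),  # unmanaged blog
    Exposure("api.example.com",     "CVE-0000-0002", 7.5, 0.30, False, 4, 0.0, 5.0),
    Exposure("vpn.example.com",     "CVE-0000-0003", 8.8, 0.45, False, 5, 0.0, 1.0),
    Exposure("dev.example.com",     "CVE-0000-0004", 5.3, 0.01, False, 2, 0.0, 0.5),
]


if __name__ == "__main__":
    for asset, cve, score, band in prioritize(SAMPLE_EXPOSURES):
        print(f"{band:<13} {score:5.1f}  {asset:<22} {cve}")
```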

Complementary Solutions and Synergies

While ThreatNG is a comprehensive solution, it can work synergistically with other cybersecurity tools to enhance an ETEM program:

  • Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms:

    • Synergy: ThreatNG identifies external exposures and risks. This information can be fed into a SIEM to correlate with internal security events and logs. A SOAR platform could then automate response actions based on ThreatNG's alerts.

    • Example: ThreatNG identifies a critical exposed API endpoint. This alert could trigger a SOAR playbook that automatically blocks the exposed IP on the perimeter firewall and notifies the API development team. At the same time, the SIEM logs all related external and internal events for incident response.

  • Vulnerability Management (VM) Scanners (Internal):

    • Synergy: ThreatNG focuses on external, unauthenticated assessment. Internal VM scanners provide authenticated, deep dives into vulnerabilities within the internal network. Together, they offer a complete picture of the attack surface (external and internal).

    • Example: ThreatNG might identify a public-facing web server as highly vulnerable due to an exposed version number. An internal VM scanner could then be directed to perform an authenticated scan of that server, uncovering additional, deeper vulnerabilities that are only visible from within the network, or confirming the external finding with greater detail.

  • Identity and Access Management (IAM) Solutions:

    • Synergy: ThreatNG identifies compromised credentials on the dark web and potential misconfigurations related to external authentication. IAM solutions manage user identities and access controls.

    • Example: If ThreatNG's "Dark Web Presence" or "Compromised Credentials" modules detect a large number of your employee credentials for sale, this information can be immediately fed to your IAM solution to force password resets or implement stronger multi-factor authentication policies for those users, thereby mitigating the risk of account takeover.

  • Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP):

    • Synergy: ThreatNG identifies exposed cloud services and SaaS solutions from an external perspective. CSPM tools continuously monitor cloud configurations for misconfigurations, while CWPP protects workloads within cloud environments.

    • Example: ThreatNG might flag an "Open Exposed Cloud Bucket" in AWS. A CSPM solution could provide deeper insights into the specific configuration leading to the exposure and recommend precise remediation steps. At the same time, a CWPP could ensure that any workloads attempting to access or modify that bucket are properly secured.

  • Threat Intelligence Platforms (TIPs):

    • Synergy: ThreatNG has its own intelligence repositories (DarCache). However, integrating with other TIPs could enrich ThreatNG's data with additional threat actor profiles, Tactics, Techniques, and Procedures (TTPs), or industry-specific intelligence.

    • Example: While ThreatNG tracks ransomware gangs, a dedicated TIP might provide more detailed intelligence on a specific ransomware group currently targeting your industry, including their common initial access vectors. This could further inform ThreatNG's prioritization of vulnerabilities or exposed services.

By combining its comprehensive external discovery, detailed risk assessments, continuous monitoring, deep investigation capabilities, and rich intelligence, ThreatNG provides organizations with a powerful and integrated approach to managing their external threat exposure. It proactively identifies and mitigates risks before they can be exploited.
