Identity-Centric Attack Surface Management
Identity-Centric Attack Surface Management (IASM) is a cybersecurity discipline focused on identifying, monitoring, and mitigating security risks associated with all of an organization's identities. Unlike traditional security models that focus on a network perimeter, IASM considers identities—both human and non-human (like service accounts and APIs)—as the new security boundary. The goal is to proactively identify and mitigate all potential exposure points that an attacker could use to compromise an identity and gain unauthorized access to systems and data.
Core Principles and Goals
Holistic Visibility: IASM aims to provide a comprehensive view of an organization's identity landscape, encompassing all users, service accounts, and API keys across on-premises and cloud environments. This involves discovering and inventorying all identities, their associated privileges, permissions, and access rights.
Risk-Based Prioritization: Not all identities pose the same level of risk. IASM assesses identities based on factors like their exposure, privilege level, and potential attack paths. This allows security teams to focus their efforts on the identities that pose the greatest threat, such as privileged or over-permissioned accounts.
Continuous Monitoring: The identity attack surface is dynamic and constantly evolving due to factors such as remote work and the rapid adoption of new cloud services. IASM involves continuously scanning and analyzing the identity footprint in real time to detect misconfigurations, credential exposures, and other vulnerabilities as they emerge.
Proactive Mitigation: This practice is designed to help security teams detect and mitigate identity-related threats before attackers can exploit them. This includes enforcing least privilege principles, detecting "privilege creep" (when a user accumulates excessive permissions over time), and securing orphaned or unmanaged accounts that can evade security controls.
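The principles above (inventory, risk-based prioritization, privilege creep, orphaned accounts) can be made concrete with a small scoring routine. This is an added example, not code from the original page or from any product; the inventory records, field names and weights are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

@dataclass
class Identity:  # constructed inventory record; field names are assumptions for this example
    name: str
    privileged: bool
    mfa_enabled: bool
    owner: Optional[str]      # None: nobody is accountable for the account (orphaned)
    last_used: date
    role_baseline: Set[str]   # permissions the role is expected to hold
    granted: Set[str]         # permissions actually granted
    leaked: bool = False      # credential seen in external breach data

def findings(ident: Identity, today: date) -> List[str]:
    """Return the IASM findings that apply to one identity."""
    out = []
    creep = ident.granted - ident.role_baseline   # privilege creep: grants beyond the role
    if creep:
        out.append("privilege_creep:" + ",".join(sorted(creep)))
    if ident.owner is None:
        out.append("orphaned")
    if (today - ident.last_used).days > 90:
        out.append("stale")
    if ident.privileged and not ident.mfa_enabled:
        out.append("privileged_without_mfa")
    if ident.leaked:
        out.append("credential_leaked")
    return out

WEIGHTS = {"credential_leaked": 50, "privileged_without_mfa": 30, "orphaned": 20, "stale": 10}
def risk_score(ident: Identity, today: date) -> int:
    """Weighted sum of findings (privilege creep weighs 15); privileged accounts count double."""
    score = sum(WEIGHTS.get(f.split(":")[0], 15) for f in findings(ident, today))
    return score * 2 if ident.privileged else score

def prioritize(inventory: List[Identity], today: date) -> List[Tuple[str, int, List[str]]]:
    """Rank identities so the riskiest (e.g. a breached admin) are worked first."""
    ranked = [(i.name, risk_score(i, today), findings(i, today)) for i in inventory]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

TODAY = date(2024, 6, 1)
INVENTORY = [  # constructed sample data
    Identity("alice.admin", True, True, "alice", date(2024, 5, 30),
             {"read", "write"}, {"read", "write", "iam:admin"}, leaked=True),
    Identity("svc-backup", True, False, None, date(2024, 1, 10), {"s3:read"}, {"s3:read"}),
    Identity("ci-deploy", False, False, "platform-team", date(2024, 5, 31),
             {"deploy"}, {"deploy", "secrets:read"}),
]
```

Running prioritize(INVENTORY, TODAY) ranks the breached admin first, then the orphaned, stale service account without MFA, then the deploy identity whose only issue is privilege creep.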
How It Differs from Traditional Security
IASM complements, rather than replaces, traditional security measures. It shifts the focus from securing infrastructure (like firewalls and networks) to securing the identities that interact with that infrastructure. This is particularly important in modern, distributed IT environments where the traditional network perimeter is no longer a clear boundary. An identity-centric approach aligns with the Zero Trust security model, which operates on the principle of "never trust, always verify".
ThreatNG helps an organization with Identity-Centric Attack Surface Management (IASM) by providing a continuous, external perspective on identity-related risks, which complements traditional internal security tools. It operates from the outside in, discovering and assessing an organization's identity exposure as an attacker would.
ThreatNG's external discovery is a foundational element that helps organizations gain a complete picture of their identity attack surface. It performs unauthenticated, purely external reconnaissance to uncover a wide range of public-facing assets, including domains, code repositories, and mobile apps.
For example, ThreatNG can identify a publicly exposed code repository that contains sensitive data, such as usernames and passwords. It also identifies email addresses associated with specific roles, such as "admin" or "devops," which are often high-value targets for attackers, and locates them in various sources, including archived web pages and compromised credential data. This helps to identify shadow IT or forgotten accounts that could be part of the identity attack surface.
ThreatNG's external assessment capabilities transform discovered identity-related data into a clear view of an organization's risk. The platform provides various scores and ratings that directly relate to identity security.
Data Leak Susceptibility: This score is derived from multiple sources, including an organization's Dark Web Presence and its Cloud and SaaS Exposure. For example, if ThreatNG finds compromised credentials from a third-party breach on the dark web, that finding contributes to a higher data leak susceptibility score, indicating a direct risk to user identities.
Breach & Ransomware Susceptibility: ThreatNG's score for this is based on compromised credentials found on the dark web. If ThreatNG discovers that a user's login information is available on the dark web, it raises the organization's susceptibility score, highlighting a potential entry point for a ransomware attack.
Sensitive Code Exposure: This assessment discovers public code repositories and scans their contents for exposed access credentials and other security credentials. For instance, ThreatNG might find an API key or a hardcoded username and password in a public repository, which could be exploited to compromise an identity and gain unauthorized access to an internal system.
ThreatNG's reporting capabilities help organizations act on the identity-related intelligence it provides. The Prioritized Report is particularly useful for IASM, as it helps security teams focus on the most critical identity risks. For example, a report might highlight a breached administrator account as a "High" priority, while an exposed test account found on an old web page is ranked as "Informational".
ThreatNG provides continuous monitoring of an organization’s external attack surface, digital risk, and security ratings. This is crucial for IASM, as the identity attack surface is constantly changing. ThreatNG's continuous monitoring ensures that if new compromised credentials appear on the dark web or if sensitive information of a new employee is accidentally exposed in a code repository, the organization is promptly alerted.
ThreatNG's investigation modules enable a deep dive into identity-related exposures, allowing security teams to understand the full context of a threat.
Dark Web Presence: This module specifically monitors for mentions of an organization and associated compromised credentials. For example, if ThreatNG discovers that a list of employee email addresses and passwords has been leaked as part of a third-party breach, the security team gains the intelligence it needs to initiate a password reset for those individuals.
Sensitive Code Exposure: This module is crucial for identifying non-human identities, such as API keys, cloud credentials, and other sensitive secrets, that are exposed in public code repositories. For example, ThreatNG can find a hardcoded AWS Access Key ID in a public GitHub repository, which an attacker could use to access the organization's cloud infrastructure.
Online Sharing Exposure: This module investigates an organization's presence on online code-sharing platforms like Pastebin or GitHub Gist. It can detect sensitive data, including credentials, that has been pasted by an employee or a third party, providing a valuable lead for an identity-focused investigation.
ThreatNG's intelligence repositories, branded as DarCache, provide the raw, up-to-date data that powers its IASM capabilities.
DarCache Rupture focuses on Compromised Credentials. It provides a continuously updated list of leaked credentials that ThreatNG's platform then uses to assess an organization's risk.
DarCache Dark Web tracks dark web activities and mentions, including those related to compromised identities. This repository provides ThreatNG with the data to identify discussions about an organization's exposed credentials or planned attacks that rely on identity compromise.
Complementary Solutions
ThreatNG's external focus makes it a powerful complement to internal IASM solutions.
Identity and Access Management (IAM) and Privileged Access Management (PAM) systems: ThreatNG's external findings can be used to inform and reinforce the policies of an IAM or PAM system. For example, if ThreatNG identifies that an admin's credentials have been compromised on the dark web, a PAM system can be configured to automatically enforce a password reset and require stronger multi-factor authentication for that account, effectively reducing the risk of a breach.
Security Information and Event Management (SIEM) systems: ThreatNG's intelligence can be fed into a SIEM. If ThreatNG discovers a publicly exposed API key, the SIEM can correlate this external finding with internal logs to determine whether there have been any unusual API calls or unauthorized access attempts associated with that key, providing a unified view of the threat.
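The SIEM correlation described above, as an added example that is not part of the original page and not ThreatNG's or any SIEM vendor's code: an external "exposed key" finding is joined against internal API gateway log lines to surface uses of that key, after the exposure time, from outside the networks it is expected to be used from. The finding, the log format, the key ids and the trusted range are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone
from typing import Dict, List

# External finding as an IASM tool would hand it to the SIEM (constructed; key id is a placeholder).
EXTERNAL_FINDING = {
    "key_id": "AKIA_PLACEHOLDER_KEY01",
    "exposed_at": "2024-06-01T08:00:00Z",
}

# Constructed internal API gateway log: timestamp key_id source_ip action status
API_LOG = """\
2024-06-01T07:15:02Z AKIA_PLACEHOLDER_KEY01 10.20.0.5 ListBuckets 200
2024-06-01T09:42:11Z AKIA_PLACEHOLDER_KEY01 203.0.113.77 ListBuckets 200
2024-06-01T09:42:15Z AKIA_PLACEHOLDER_KEY01 203.0.113.77 GetObject 200
2024-06-01T09:50:00Z AKIA_PLACEHOLDER_KEY01 10.20.0.5 PutObject 200
2024-06-01T10:01:30Z AKIA_PLACEHOLDER_KEY02 198.51.100.9 ListBuckets 403
"""

# Assumption: this key is only ever used from the corporate range.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the space-separated gateway log into dict rows (blank lines skipped)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, key, ip, action, status = line.split()
            rows.append({"ts": ts, "key_id": key, "ip": ip, "action": action, "status": status})
    return rows

def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def correlate(finding: Dict[str, str], rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Calls made with the exposed key, after exposure, from outside trusted networks."""
    exposed_at = _utc(finding["exposed_at"])
    hits = []
    for r in rows:
        if r["key_id"] != finding["key_id"] or _utc(r["ts"]) < exposed_at:
            continue  # different key, or use predating the exposure: baseline activity
        if any(ipaddress.ip_address(r["ip"]) in net for net in TRUSTED_NETS):
            continue  # expected source: the owner's normal use of the key
        hits.append(r)
    return hits

def first_untrusted_use(finding: Dict[str, str], rows: List[Dict[str, str]]) -> str:
    """Earliest suspicious timestamp, a starting point for the incident window ('' if none)."""
    hits = correlate(finding, rows)
    return min(h["ts"] for h in hits) if hits else ""
```

On the sample log, the two calls from 203.0.113.77 after the exposure time are flagged, while the pre-exposure call, the in-range calls and the unrelated key are left as baseline activity.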