Identity-Centric EASM

Identity-Centric External Attack Surface Management (EASM) is a cybersecurity approach that focuses on discovering, monitoring, and securing the digital assets, accounts, and exposures associated with an organization's human workforce and machine identities.

Unlike traditional EASM, which primarily maps technical infrastructure such as IP addresses, servers, and domains, Identity-Centric EASM treats the identity (the user, together with the accounts, credentials and sessions attached to them) as the primary target an attacker will go after. It operates on the premise that in a modern, cloud-first environment the network perimeter has dissolved, and the new perimeter is the person accessing the data.

This discipline bridges the gap between digital footprinting, identity protection, and infrastructure security by correlating a user's external online presence with enterprise risk.

The Difference Between Traditional and Identity-Centric EASM

To understand this concept, it is helpful to distinguish it from legacy approaches:

  • Traditional EASM: Starts with a domain (e.g., company.com) and looks for connected servers, open ports, and vulnerabilities. It answers the question, "What machines do we own?"

  • Identity-Centric EASM: Starts with a person (e.g., employee@company.com) and looks for third-party accounts, code repositories, leaked credentials, and shadow assets they have created. It answers the question, "Where are our people operating?"

Core Functions of Identity-Centric EASM

This security strategy involves several key operational capabilities designed to protect the "human perimeter."

Discovery of Shadow Identities

It identifies unmanaged accounts created by employees using corporate email addresses on third-party SaaS platforms, developer forums, and file-sharing sites. This reveals "Shadow IT" that standard network scans miss because the traffic does not pass through the corporate firewall.

Mapping Personal-Professional Crossover

It detects instances where employees use personal email addresses for work purposes (e.g., signing up for a business tool with a Gmail account) or corporate credentials for personal services. This "blur" is a frequent entry point for attackers.

Monitoring for Credential Leaks

It continuously scans the dark web, paste sites, and breach databases to see if an employee’s credentials have been exposed. Unlike generic monitoring, it correlates these leaks specifically to the active identity to prioritize risk (e.g., flagging a VIP's compromised password as a critical emergency).

Social Engineering Vulnerability Assessment

It analyzes the public availability of an employee’s data—such as their job role, reporting lines, and social media activity—to determine their susceptibility to spear-phishing, whaling, and Business Email Compromise (BEC).

Why Identity-Centric EASM Is Critical

The modern threat landscape has shifted specifically to target identities.

  • The SaaS Explosion: Employees can sign up for powerful software tools without IT approval, creating a sprawling, invisible attack surface.

  • Remote Work: Users access corporate data from home networks and personal devices, making traditional network controls less effective.

  • Credential Stuffing: Attackers prefer logging in with stolen or reused credentials over breaking in through software exploits; a password exposed in one breach is replayed against corporate logins. Securing the identity closes the most common access route.

Frequently Asked Questions

How does Identity-Centric EASM differ from IAM? Identity and Access Management (IAM) controls internal access—who can log in to your systems and what they can do. Identity-Centric EASM monitors the external world—where your users have left footprints, exposed data, or created risks outside your firewall.

Does this violate employee privacy? No, when performed correctly. Identity-Centric EASM focuses on corporate risk. It monitors the exposure of corporate credentials and data. It does not read private emails or monitor personal browsing history; rather, it identifies public-facing risks linked to the corporate identity.

Can it detect insider threats? Yes. Identifying employees who hoard code in personal repositories, share sensitive documents on public slides, or discuss proprietary information on forums provides early warning signs of negligent or malicious insider behavior.

Is it still necessary if we already use Multi-Factor Authentication (MFA)? Yes. While MFA protects the login process, it does not stop an employee from spinning up an unsecured cloud server, leaking API keys on GitHub, or falling for a sophisticated social engineering attack based on their public profile. Identity-Centric EASM covers these gaps.

Identity-Centric EASM with ThreatNG

ThreatNG empowers organizations to implement Identity-Centric External Attack Surface Management (EASM) by shifting the focus from purely managing infrastructure to managing the digital footprints of the people who operate it. By discovering, assessing, and monitoring the external assets tied to specific identities, ThreatNG bridges the gap between technical vulnerabilities and human risk.

External Discovery of Identity Infrastructure

ThreatNG performs purely external, unauthenticated discovery to map the digital ecosystem surrounding an organization's workforce. In an identity-centric model, "discovery" means locating the infrastructure that employees have created, abandoned, or exposed.

  • Mapping Shadow Identity Infrastructure: The solution identifies subdomains, cloud buckets, and development environments (e.g., on AWS, Azure, or Google Cloud) that employees often name using personal identifiers or departmental shorthand. ThreatNG detects these "Shadow IT" assets, which act as proxies for employees' identities, revealing where they are working outside corporate governance.

  • Vendor and SaaS Identification: Utilizing its comprehensive Vendor List, ThreatNG detects connections to third-party services like Heroku, GitHub, or Vercel. Identifying a connection to a specific SaaS platform often reveals the activity of a specific user group (e.g., developers using Vercel, marketing using Shopify), allowing security teams to attribute external risks to specific internal identities.

External Assessment of Identity Vulnerabilities

Once identity-linked infrastructure is identified, ThreatNG conducts deep assessments to determine whether these assets expose the user to compromise. These assessments quantify the risk level of the identity attack surface.

Web Application Hijack Susceptibility

This assessment is critical for protecting user sessions. ThreatNG assigns a security rating (A-F) based on the presence of key security headers, such as Content-Security-Policy and HTTP Strict-Transport-Security, on subdomains associated with user identities.

  • Identity Impact: If a developer sets up a login portal on a subdomain like dev-team-login.company.com and ThreatNG rates it an "F" because the Content-Security-Policy (CSP) and HTTP Strict-Transport-Security (HSTS) headers are missing, every session established through that portal is weakly protected. A missing CSP does not itself create a cross-site scripting (XSS) flaw, but it removes the browser-side control that would contain one, so a single XSS bug in the portal lets an attacker run script in the developer's session; a missing HSTS lets a first visit over plain HTTP be downgraded and intercepted. Either path ends with a stolen session token and a hijacked developer identity with access to the codebase.
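The rating logic described above, as an added example that is not ThreatNG's own code: a small grader that scores a response's security headers and assigns a letter, run against a constructed "weak" portal response and its hardened counterpart. The header weights, the letter thresholds and both sample responses are assumptions made here, not a published scoring scheme.

```python
"""Grade a login portal's HTTP response headers A-F.

Added example, not ThreatNG's own code.  The header weights, the letter
thresholds and the two sample responses are assumptions made here.
"""
from __future__ import annotations


def _max_age(value: str) -> int:
    """Pull max-age out of an HSTS value; 0 if absent or unparsable."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1])
            except ValueError:
                return 0
    return 0


# Header -> (weight, predicate that accepts a strong value).  Weights sum to 100.
CHECKS = {
    "strict-transport-security": (30, lambda v: _max_age(v) >= 15552000),  # >= 180 days
    "content-security-policy":   (30, lambda v: "default-src" in v and "'unsafe-inline'" not in v),
    "x-frame-options":           (15, lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "x-content-type-options":    (10, lambda v: v.strip().lower() == "nosniff"),
    "referrer-policy":           (10, lambda v: v.strip().lower() in
                                  ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin")),
    "set-cookie":                (5,  lambda v: "httponly" in v.lower() and "secure" in v.lower()),
}


def grade_headers(headers: dict[str, str]) -> tuple[str, int, list[str]]:
    """Return (letter, score 0-100, findings).  Names match case-insensitively;
    a missing header and a weak value both forfeit that header's weight.
    Simplification: a single Set-Cookie value (the session cookie) is assumed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    score, findings = 0, []
    for name, (weight, strong) in CHECKS.items():
        value = lowered.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif not strong(value):
            findings.append(f"weak {name}: {value}")
        else:
            score += weight
    letter = ("A" if score >= 90 else "B" if score >= 75 else
              "C" if score >= 60 else "D" if score >= 40 else "F")
    return letter, score, findings


# Constructed sample: what an unhardened developer login portal often sends.
WEAK_PORTAL = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/",
}

# The same portal after remediation (constructed hardened values).
HARDENED_PORTAL = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_PORTAL), ("hardened", HARDENED_PORTAL)):
        letter, score, findings = grade_headers(hdrs)
        print(f"{label:9s} {letter} ({score}/100) {findings}")
```

The weak portal scores "F" with six findings and the hardened one "A"; a CSP that allows 'unsafe-inline' drops the grade to "C" because the header is present but no longer contains script injection. The grade says nothing about whether the portal actually has an XSS bug; it only measures how well a session would survive one.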

Subdomain Takeover Susceptibility

ThreatNG identifies abandoned infrastructure that attackers can weaponize to impersonate trusted identities.

  • Identity Impact: ThreatNG performs DNS enumeration to find CNAME records pointing to third-party services that are no longer active. If an employee created a project page and then left the company, the subdomain might still point to a deleted Azure or GitHub page. ThreatNG flags this as a takeover risk, warning that an attacker could claim the subdomain to host a phishing site that appears to belong to that specific employee or department, leveraging their reputation for social engineering.
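The dangling-CNAME condition described above, as an added example that is not ThreatNG's own code: given a zone's CNAME records, flag targets on takeover-prone providers that either no longer resolve or serve the provider's "unclaimed" page when the subdomain is requested. The provider table, the zone, the page bodies and the stub resolver and fetcher are constructed so the example runs offline; the fingerprint strings are illustrative, not an authoritative list.

```python
"""Flag subdomains whose CNAME points at a third-party resource nobody owns any more.

Added example, not ThreatNG's own code.  The provider table, the zone, the
page bodies and the stub resolver/fetcher are constructed; the fingerprints
are illustrative strings, not an authoritative list.
"""
from __future__ import annotations
from typing import Callable, Optional

# Provider suffix -> text the provider serves for an unclaimed name, or None
# when an unclaimed name simply stops resolving.  Illustrative values.
PROVIDERS: dict[str, Optional[str]] = {
    ".github.io":         "There isn't a GitHub Pages site here",
    ".herokuapp.com":     "No such app",
    ".s3.amazonaws.com":  "NoSuchBucket",
    ".azurewebsites.net": None,
}

Resolves = Callable[[str], bool]         # host -> does it resolve to an address?
Fetch = Callable[[str], Optional[str]]   # host -> HTTP body served for that Host header, if any


def dangling_cnames(zone: dict[str, str], resolves: Resolves, fetch: Fetch) -> list[dict]:
    """zone maps subdomain -> CNAME target.  A finding is raised when the target
    sits on a listed provider and is either unresolvable or serves the provider's
    unclaimed-resource page when the *subdomain* itself is requested."""
    findings = []
    for name, target in zone.items():
        target = target.rstrip(".").lower()
        suffix = next((s for s in PROVIDERS if target.endswith(s)), None)
        if suffix is None:
            continue                                   # not a fingerprinted provider
        fingerprint = PROVIDERS[suffix]
        if not resolves(target):
            reason = "CNAME target no longer resolves"
        elif fingerprint and fingerprint in (fetch(name) or ""):
            reason = f"provider serves its unclaimed-resource page for {name}"
        else:
            continue                                   # still claimed today
        findings.append({
            "subdomain": name,
            "cname": target,
            "provider": suffix.lstrip("."),
            "reason": reason,
            "fix": f"delete the CNAME for {name} or re-claim {target} at the provider",
        })
    return findings


# Constructed zone for a fictitious company.example domain.
SAMPLE_ZONE = {
    "docs.company.example":            "acme-docs.github.io.",
    "api.company.example":             "api-prod.herokuapp.com.",
    "old-intern-demo.company.example": "intern-demo-2019.azurewebsites.net.",
    "www.company.example":             "lb-12.company.example.",
}

# Stubs standing in for DNS and HTTP so the example runs offline (constructed state).
LIVE_HOSTS = {"acme-docs.github.io", "api-prod.herokuapp.com", "lb-12.company.example"}
PAGE_BODIES = {
    "docs.company.example": "<h1>There isn't a GitHub Pages site here.</h1>",
    "api.company.example":  '{"status": "ok"}',
}


def stub_resolves(host: str) -> bool:
    return host in LIVE_HOSTS


def stub_fetch(host: str) -> Optional[str]:
    return PAGE_BODIES.get(host)


if __name__ == "__main__":
    for f in dangling_cnames(SAMPLE_ZONE, stub_resolves, stub_fetch):
        print(f"{f['subdomain']} -> {f['cname']} [{f['provider']}]: {f['reason']}")
```

For a live zone, pass a resolver built on socket.gethostbyname (treating socket.gaierror as "does not resolve") and a fetcher that requests the subdomain over HTTP. The resolution check alone is not enough: providers with wildcard DNS, like GitHub Pages in the sample, keep answering for a deleted site, which is why the body fingerprint is the second test.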

BEC & Phishing Susceptibility

ThreatNG evaluates email security configurations (DMARC, SPF, DKIM) to protect executive and employee identities from spoofing.

  • Identity Impact: By analyzing domain permutations and email records, ThreatNG identifies whether an organization's identities can be easily impersonated. A lax DMARC policy (p=none, which only reports spoofed mail instead of rejecting it) means the CEO's, or any employee's, address can be spoofed in Business Email Compromise (BEC) attacks, which is exactly the part of the identity perimeter that needs to be locked down.
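The record evaluation described above, as an added example that is not ThreatNG's own code: parse a domain's SPF and DMARC TXT records and rate how easily its identities can be spoofed. The three sample domains, their record contents and the low/medium/high mapping are constructed for illustration.

```python
"""Rate a domain's spoofability from its SPF and DMARC records.

Added example, not ThreatNG's own code.  The record contents and the
low/medium/high mapping are constructed for illustration.
"""
from __future__ import annotations
from typing import Optional


def parse_tags(record: str) -> dict[str, str]:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_posture(spf: Optional[str]) -> tuple[str, str]:
    """Rate SPF by the qualifier on its terminal 'all' mechanism."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return "high", "no SPF record"
    all_term = next((t for t in spf.split() if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return "high", "SPF has no 'all' mechanism, so unlisted senders are not rejected"
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {
        "-": ("low", "SPF hard fail (-all)"),
        "~": ("medium", "SPF soft fail (~all); many receivers still deliver"),
        "?": ("high", "SPF neutral (?all) is no policy at all"),
        "+": ("high", "SPF +all authorises any sender"),
    }[qualifier]


def dmarc_posture(dmarc: Optional[str]) -> tuple[str, str]:
    """Rate DMARC by policy and enforcement percentage.  DMARC is what binds
    the visible From: header, so it carries the overall rating."""
    if not dmarc:
        return "high", "no DMARC record: the From: header can be forged freely"
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return "high", "malformed DMARC record"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "high", "DMARC p=none: spoofed mail is reported but still delivered"
    if pct < 100:
        return "medium", f"DMARC p={policy} with pct={pct}: only part of failing mail is enforced"
    if policy == "quarantine":
        return "medium", "DMARC p=quarantine: spoofed mail lands in spam rather than being rejected"
    return "low", "DMARC p=reject"


def spoofability(spf: Optional[str], dmarc: Optional[str]) -> tuple[str, list[str]]:
    """Overall rating follows DMARC; SPF is reported as supporting detail,
    because DKIM alignment can satisfy a p=reject policy even with ~all."""
    _, spf_reason = spf_posture(spf)
    level, dmarc_reason = dmarc_posture(dmarc)
    notes = [dmarc_reason, spf_reason]
    if dmarc and "rua=" not in dmarc.lower():
        notes.append("no rua= address: nobody receives aggregate reports")
    return level, notes


# Constructed records for three fictitious domains.
SAMPLES = {
    "lax.example":   ("v=spf1 include:_spf.google.com ~all",
                      "v=DMARC1; p=none; rua=mailto:dmarc@lax.example"),
    "tight.example": ("v=spf1 include:_spf.google.com -all",
                      "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@tight.example"),
    "bare.example":  (None, None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        level, notes = spoofability(spf, dmarc)
        print(f"{domain:14s} {level:6s} {notes}")
```

Live records come from TXT lookups of the domain and of _dmarc.<domain>; DKIM is not rated here because a DKIM selector cannot be enumerated from the outside without knowing its name.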

Investigation Modules for Identity Profiling

ThreatNG provides specialized investigation modules that allow analysts to pivot from technical findings to specific identity risks, often mirroring the logic found in DarChain.

Username Exposure Module

This module directly supports identity-centric discovery by validating the presence of corporate handles across the web.

  • Identity Profiling: Security teams can input username formats to check for their existence on hundreds of platforms, ranging from social media to coding forums. A positive match on a site like Pastebin or a hacking forum (often used for data leaks) immediately flags a specific identity for deeper investigation.

Social Media and Reddit Discovery

These modules manage "Narrative Risk" by monitoring the conversations associated with the organization's people.

  • Identity Profiling: The Reddit Discovery module monitors for mentions of internal projects or employee names. It can identify if a specific user identity is inadvertently leaking sensitive architectural details or expressing sentiment that indicates an insider threat risk.

Domain Intelligence and Permutations

This module protects identities from external impersonation.

  • Identity Profiling: ThreatNG generates and checks for typosquatted domains (e.g., company-hr-support.com) that mimic legitimate internal portals. This identifies infrastructure specifically built to harvest credentials from employees, allowing the team to block these domains before identities are compromised.
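The permutation step described above, as an added example that is not ThreatNG's own code: generate the lookalike labels (omission, transposition, repetition, homoglyph, keyword affixes such as the company-hr-support pattern, and TLD swaps) and match them against a feed of newly observed registrations. The homoglyph table, keyword list, TLD list and the observed feed are a small constructed subset.

```python
"""Generate lookalike domains and match them against observed registrations.

Added example, not ThreatNG's own code.  The homoglyph table, keyword list,
TLD list and the 'observed' feed are a small constructed subset.
"""
from __future__ import annotations
import itertools

HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn"}
KEYWORDS = ("hr", "login", "support", "portal", "sso")  # words credential-harvesting sites append
TLDS = ("com", "net", "co", "org")


def permutations(domain: str) -> set[str]:
    """Candidate lookalikes for 'label.tld'; the input domain itself is excluded."""
    label, _, tld = domain.lower().rpartition(".")
    labels = set()
    for i in range(len(label)):                        # omission: compny
        labels.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                    # transposition: comapny
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                        # repetition: commpany
        labels.add(label[:i + 1] + label[i] + label[i + 1:])
    for i, ch in enumerate(label):                     # homoglyph: c0mpany
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    for kw in KEYWORDS:                                # keyword affixes: company-hr, companylogin
        labels.add(f"{label}-{kw}")
        labels.add(f"{label}{kw}")
    for a, b in itertools.combinations(KEYWORDS, 2):   # two keywords: company-hr-support
        labels.add(f"{label}-{a}-{b}")
    candidates = {f"{lab}.{tld}" for lab in labels if lab}
    candidates |= {f"{label}.{t}" for t in TLDS if t != tld}   # TLD swap: company.co
    return candidates - {domain.lower()}


def match_registrations(domain: str, observed: list[str]) -> list[str]:
    """Which observed registrations fall inside the permutation set for domain."""
    return sorted({d.lower() for d in observed} & permutations(domain))


# Constructed feed of newly seen registrations.
OBSERVED = ["company-hr-support.com", "C0mpany.com", "example.org", "company.com", "companyportal.net"]

if __name__ == "__main__":
    cands = permutations("company.com")
    print(len(cands), "candidates; hits:", match_registrations("company.com", OBSERVED))
```

In practice the candidate set is checked against zone-file feeds or resolved directly; a candidate that resolves and serves a login form is the case the text describes and the one to block at the proxy and mail gateway first.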

Intelligence Repositories (DarCache & DarChain)

ThreatNG enriches identity data by cross-referencing findings with its proprietary intelligence repositories and data chaining logic.

  • Compromised Credential Correlation: ThreatNG uses DarCache to check whether discovered usernames or emails appear in known breach datasets ("Compromised Emails"). A match marks the identity as at elevated risk of account takeover, because a password exposed in one breach is frequently reused on corporate logins; the practical response is a forced reset and a review of that account's recent sign-ins.

  • Risk Chaining (DarChain Logic): ThreatNG applies logic to connect disparate findings. For example, it might connect Code Repositories Found (Discovery) to Sensitive Data Disclosure via Commit History (Assessment). If a specific user's repository contains hardcoded secrets, ThreatNG correlates this with Ransomware Events or Lawsuits, illustrating how a single identity's error could cause macro-level organizational damage.
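The correlation and prioritization described under Monitoring for Credential Leaks and under Compromised Credential Correlation above, as one added example that is not ThreatNG's or DarCache's code: match breach-dump rows against an employee directory and rank the hits so that a VIP whose plaintext password was never rotated after the breach sorts first. The directory, the dump rows, the VIP list and the scoring weights are constructed for illustration.

```python
"""Correlate breach-dump rows with an employee directory and rank the hits.

Added example, not ThreatNG's or DarCache's code.  The directory, the dump
rows, the VIP list and the scoring weights are constructed for illustration.
"""
from __future__ import annotations
from datetime import date

# Constructed directory: email -> (role, account active?, last password change)
DIRECTORY = {
    "cfo@company.example":    ("CFO", True, date(2023, 1, 10)),
    "dev1@company.example":   ("Software Engineer", True, date(2024, 6, 1)),
    "former@company.example": ("Analyst", False, date(2021, 3, 3)),
    "intern@company.example": ("Intern", True, date(2024, 9, 1)),
}
VIP_ROLES = {"CEO", "CFO", "CTO", "CISO"}

# Constructed dump rows as a feed might deliver them:
# (breach name, breach date, email as found, secret as found, secret is plaintext?)
DUMP = [
    ("saasvendor-2023", date(2023, 5, 2),  "CFO@Company.Example",    "Winter2023!",   True),
    ("devforum-2022",   date(2022, 11, 9), "dev1@company.example",   "$2b$12$9fA...", False),
    ("oldsite-2020",    date(2020, 2, 1),  "former@company.example", "hunter2",       True),
    ("devforum-2022",   date(2022, 11, 9), "someone@other.example",  "pw",            True),
    ("newleak-2025",    date(2025, 1, 15), "intern@company.example", "Intern123",     True),
]


def severity(score: int) -> str:
    return "critical" if score >= 80 else "high" if score >= 50 else "medium" if score >= 30 else "low"


def correlate(dump, directory) -> list[dict]:
    """One exposure per dump row that names a directory identity, highest score first."""
    exposures = []
    for breach, breach_date, email, _secret, plaintext in dump:
        email = email.strip().lower()            # dumps are rarely normalised
        if email not in directory:
            continue                             # not one of our identities
        role, active, last_change = directory[email]
        score, reasons = 10, []
        if role in VIP_ROLES:
            score += 50
            reasons.append("VIP role")
        if plaintext:
            score += 20
            reasons.append("plaintext password exposed")
        if breach_date > last_change:
            score += 20
            reasons.append("password not rotated since breach")
        if not active:
            score -= 30                          # still worth logging: ex-employee impersonation
            reasons.append("account already deactivated")
        score = max(score, 0)
        exposures.append({
            "email": email, "role": role, "breach": breach,
            "score": score, "severity": severity(score), "reasons": reasons,
        })
    exposures.sort(key=lambda e: e["score"], reverse=True)
    return exposures


if __name__ == "__main__":
    for e in correlate(DUMP, DIRECTORY):
        print(f"{e['severity']:8s} {e['score']:3d} {e['email']:24s} {e['breach']:16s} {', '.join(e['reasons'])}")
```

The "password not rotated since breach" test is the one that turns a historical dump into a live finding: a breach older than the last password change is noise, a newer one is an open door until the reset happens.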

Continuous Monitoring

Identity risk is not static; employees create new accounts and shadow assets daily.

  • Surveillance of the Human Perimeter: ThreatNG monitors the external environment 24/7. It triggers alerts when new subdomains are spun up (potential Shadow Identity) or when a monitored handle appears in a new data leak.

  • Configuration Drift: It detects when a previously secure identity-linked asset becomes vulnerable, such as a portal's TLS certificate expiring or a cloud storage bucket being changed from private to public.

Reporting

ThreatNG compiles identity-centric data into actionable reports that translate technical flaws into business risk.

  • Contextualized Risk: Reports prioritize findings based on the identity involved. A vulnerability on a "test" server might be low risk, but the same vulnerability on a "CFO-Office" subdomain is flagged as critical.

  • Remediation Guidance: Reports provide specific steps to secure the identity, such as implementing missing headers (CSP, X-Frame-Options) on specific portals or removing CNAME records to prevent takeover.

Complementary Solutions

ThreatNG serves as the external intelligence engine that enhances the effectiveness of internal identity and security tools.

Cooperation with Identity and Access Management (IAM) Tools

  • How They Work Together: IAM tools control internal access policies. ThreatNG verifies the external security of the access points.

  • Example: An IAM solution ensures an employee has the correct login permissions. ThreatNG complements this by ensuring the login portal itself is not susceptible to Web Application Hijack (for example through missing security headers), so the session tokens issued after IAM authentication are not stolen via XSS.

Cooperation with Cloud Access Security Brokers (CASB)

  • How They Work Together: CASBs monitor sanctioned cloud usage. ThreatNG discovers unsanctioned "Shadow Identity" usage.

  • Example: A CASB protects corporate Google Drive accounts. ThreatNG complements this by discovering a personal AWS bucket named company-backup created by an employee. ThreatNG flags this external asset so the security team can bring it under CASB management.

Cooperation with Security Information and Event Management (SIEM)

  • How They Work Together: SIEMs analyze internal logs. ThreatNG feeds them external identity risk data.

  • Example: ThreatNG identifies a corporate username in a Compromised Email dump (via DarCache). It feeds this intelligence to the SIEM. The SIEM then correlates this with internal login logs to detect if that compromised credential is being used for unauthorized access attempts, triggering an immediate account lockout.
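The SIEM-side correlation described above, as an added example that is not ThreatNG's or any SIEM's code: run authentication events against the set of identities that external monitoring reported as present in a dump, and raise an alert for a failure burst from outside (stuffing in progress) or any successful external login with such an identity. The leaked-identity set, the log lines and the thresholds are constructed; the key=value log format is an assumption, not a vendor schema.

```python
"""Correlate authentication events with identities present in a breach dump.

Added example, not ThreatNG's or any SIEM's code.  The leaked-identity set,
the log lines and the thresholds are constructed; the key=value log format
is an assumption, not a vendor schema.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Identities external monitoring flagged as present in a dump (constructed).
LEAKED = {"cfo@company.example": "saasvendor-2023", "dev1@company.example": "devforum-2022"}

# Constructed log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
LOG = """\
2025-03-01T08:00:00 auth user=dev1@company.example src=10.1.2.3 result=success
2025-03-01T08:01:00 auth user=CFO@company.example src=203.0.113.7 result=failure
2025-03-01T08:01:20 auth user=cfo@company.example src=203.0.113.7 result=failure
2025-03-01T08:01:45 auth user=cfo@company.example src=203.0.113.7 result=failure
2025-03-01T08:02:10 auth user=cfo@company.example src=203.0.113.7 result=success
2025-03-01T08:03:00 auth user=bob@company.example src=198.51.100.9 result=success
2025-03-01T08:05:00 auth user=dev1@company.example src=198.51.100.20 result=success
""".splitlines()

LINE = re.compile(r"(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)")


def parse(line: str) -> dict | None:
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["user"] = ev["user"].lower()          # the leaked set is lowercase; logs may not be
    return ev


def detect(lines, leaked, internal_prefixes=("10.",), fail_threshold=3, window=timedelta(minutes=10)):
    """Alerts for leaked identities only: a failure burst from outside the
    internal ranges, and any successful login from outside."""
    alerts = []
    failures = defaultdict(list)             # user -> recent external failure timestamps
    for raw in lines:
        ev = parse(raw)
        if ev is None or ev["user"] not in leaked:
            continue
        internal = ev["src"].startswith(internal_prefixes)
        base = {"user": ev["user"], "src": ev["src"], "ts": ev["ts"].isoformat(),
                "breach": leaked[ev["user"]]}
        if ev["result"] == "failure" and not internal:
            recent = [t for t in failures[ev["user"]] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[ev["user"]] = recent
            if len(recent) >= fail_threshold:
                alerts.append({**base, "action": "block_source",
                               "reason": f"{len(recent)} failures within {window} against a leaked identity"})
                failures[ev["user"]] = []    # one burst, one alert
        elif ev["result"] == "success" and not internal:
            alerts.append({**base, "action": "lock_account",
                           "reason": "successful external login with an identity present in a breach dump"})
    return alerts


if __name__ == "__main__":
    for a in detect(LOG, LEAKED):
        print(f"{a['ts']} {a['action']:12s} {a['user']:22s} {a['src']:14s} {a['reason']}")
```

Against the sample log this yields three alerts: the burst against the CFO account, the CFO login that followed it, and the developer's login from an external address; bob's external login raises nothing because that identity is not in the leaked set, and dev1's first login from 10.1.2.3 raises nothing because it is internal.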

Cooperation with Digital Risk Protection (DRP) Services

  • How They Work Together: DRP services perform takedowns. ThreatNG provides the evidence.

  • Example: ThreatNG's Domain Intelligence module identifies a typosquatted domain posing as an employee portal. It provides the technical proof (DNS records, screenshots) to the DRP provider, enabling them to execute a rapid takedown of the impersonating infrastructure. A dangling subdomain on the organization's own domain is handled differently: the fix is to remove the CNAME, not to request a takedown.
