Identity Exposure Gap


The Identity Exposure Gap refers to the discrepancy between an organization's perception of its identity security and the actual level of its exposure. It's the "blind spot" that exists when an organization is unaware of all the identity-related risks and vulnerabilities it faces, leaving it susceptible to attack. This gap is perilous because attackers often target identities, both human and non-human, to gain initial access and move laterally within a network.

Key Factors Contributing to the Gap

Several factors contribute to the Identity Exposure Gap:

  • Identity Sprawl: The number of human and machine identities has exploded with the growth of cloud services, remote work, and automation. Organizations often lack a comprehensive inventory of these identities and their associated permissions, resulting in significant blind spots.

  • Misconfigurations: Identity and access management (IAM) protocols can be misconfigured, leading to over-privileged accounts, stale or unused access keys that remain active, and a lack of multi-factor authentication (MFA) enforcement. These misconfigurations often result from the complexity of the IT infrastructure.

  • Credential Leakage: Identity data, including usernames, passwords, and API keys, is constantly being exposed in third-party data breaches, malware infections, and phishing campaigns. Organizations are often unaware that their employees' credentials are for sale on the dark web, leaving them vulnerable to account takeover.

  • Insufficient Monitoring: Many organizations adopt a reactive approach to security, waiting for an attack to occur before responding. Without continuous and proactive monitoring of their identity attack surface, they fail to detect and address risks before they can be exploited.

The Importance of Closing the Gap

Closing the Identity Exposure Gap is crucial because identity compromise is at the center of nearly every successful cyberattack. A firewall cannot stop an attacker who possesses valid credentials. By proactively identifying and addressing identity-related weaknesses, organizations can strengthen their security posture, prevent attacks before they occur, and reduce their overall cyber risk.

ThreatNG helps an organization close the Identity Exposure Gap by providing an external, attacker-centric view of its identity-related risks and vulnerabilities. It proactively discovers and assesses exposed credentials and other digital assets that attackers could use to compromise identities, allowing an organization to address these issues before the identities they protect can be compromised.

External Discovery

ThreatNG's external discovery capabilities are the first step in addressing the Identity Exposure Gap. It performs unauthenticated, credential-free reconnaissance to find all of an organization's internet-facing assets, including those that may be unknown to the security team. This is crucial for uncovering "shadow IT" or forgotten assets, such as misconfigured cloud services or outdated subdomains, that may contain exposed personal or sensitive information. By providing a comprehensive view of the external attack surface, ThreatNG helps organizations gain the holistic visibility they need to identify blind spots related to identity.

For example, a developer might create an unmonitored test environment that contains hardcoded user credentials or API keys. ThreatNG would discover this exposed asset, which is a key part of the Identity Exposure Gap.

External Assessment

ThreatNG’s external assessment capabilities transform raw data into a clear view of an organization’s identity-related risks. The platform provides detailed susceptibility scores and risk ratings that directly address different types of identity exposure.

  • Sensitive Code Exposure: This assessment is a core element of closing the Identity Exposure Gap. ThreatNG discovers public code repositories and checks them for exposed credentials and secrets. For example, it can find hardcoded API keys, cloud credentials (like an AWS Access Key ID), and security credentials (such as PGP private keys or SSH private keys) that an attacker could use to compromise a non-human identity.

  • Breach & Ransomware Susceptibility: This score is derived, in part, from Dark Web Presence and compromised credentials. If ThreatNG discovers a list of employee emails and passwords for sale on the dark web, it raises the susceptibility score, directly highlighting an identity exposure that could lead to a breach or a ransomware attack.

  • Mobile App Exposure: ThreatNG evaluates an organization's mobile app exposure by discovering its apps in various marketplaces and analyzing their contents for exposed credentials. It can find a hardcoded API key or user account in a mobile app, which directly exposes that identity to an attacker.
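The Sensitive Code Exposure check described above, reduced to its essentials: an added example, not ThreatNG's code, that scans file contents for the credential types the page names (an AWS Access Key ID, PGP and SSH private key headers, and generic API-key or secret assignments). The sample file, the regular expressions, and the entropy threshold used to skip obvious placeholders are all constructed for illustration.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str       # which pattern matched
    line: int       # 1-based line number in the scanned text
    redacted: str   # partial value, safe to put in a report


# Constructed patterns for the credential types discussed on the page.
PATTERNS = {
    # AWS Access Key IDs are 20 characters starting with AKIA (long-lived) or ASIA (temporary).
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pgp_private_key": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
    # Assignments such as api_key = "..." or AWS_SECRET_ACCESS_KEY = "..."; the quoted value is
    # captured and judged by entropy below, so low-entropy placeholders are not reported.
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)[a-z_]*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}

# Bits per character; random-looking keys score well above ordinary words (assumed cut-off).
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the characters in s, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only enough of a secret to recognise it in a report."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str) -> list[Finding]:
    """Run every pattern over every line and return the findings in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if kind == "generic_api_key":
                value = m.group(1)
                if shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # e.g. "changeme-changeme-changeme": a placeholder, not a secret
                findings.append(Finding(kind, lineno, redact(value)))
            else:
                findings.append(Finding(kind, lineno, redact(m.group(0))))
    return findings


# Constructed sample of a config file committed to a public repository. The AWS values are the
# documentation examples published by AWS, not live credentials.
SAMPLE_REPO_FILE = """\
# config.py (constructed sample, not from any real project)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
api_key = "changeme-changeme-changeme"
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmU=
-----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_REPO_FILE):
        print(f"line {f.line}: {f.kind} ({f.redacted})")
```

Against the sample the scanner reports the access key ID on line 2, the secret access key on line 3 (caught by the generic pattern because its entropy is high), and the SSH private key header on line 5; the placeholder on line 4 is skipped. The entropy gate is the usual trade-off in this kind of tool: it removes noise from template values but will also miss short or dictionary-like passwords, so a production scanner pairs it with vendor-specific patterns and a validation step.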

Reporting

ThreatNG's reporting capabilities provide the necessary context to address identity exposures effectively. The Prioritized Report is beneficial for closing the Identity Exposure Gap, as it categorizes risks into four levels: high, medium, low, and informational. This helps security teams focus on the most critical exposures, such as a compromised administrator email account, rather than being overwhelmed by a flood of alerts.

Continuous Monitoring

ThreatNG provides continuous monitoring of an organization’s external attack surface and digital risk. This is vital for addressing the Identity Exposure Gap because credentials can be leaked at any time and remain active for long periods. ThreatNG’s continuous monitoring ensures that if an employee's credentials are revealed in a new breach or if a developer accidentally exposes a secret in a public repository, the organization is alerted promptly, enabling a timely response.

Investigation Modules

ThreatNG's investigation modules allow security teams to drill down into the details of identity-related findings.

  • Dark Web Presence: This module monitors specifically for compromised credentials, providing a focused view of an organization's identity exposure. For example, ThreatNG can determine if an employee's email and password have been compromised and are available on the dark web, providing the security team with the necessary intelligence to initiate a password reset for that individual.

  • NHI Email Exposure: This feature specifically groups discovered emails associated with non-human roles, such as "admin," "devops," or "svc". By highlighting these high-value targets, ThreatNG provides a clear view of which exposed identities carry the most significant risk for an organization.

  • Search Engine Exploitation: This module helps to identify identity data that a search engine may have indexed. ThreatNG can uncover exposed user data, privileged folders, or public passwords that have been inadvertently made available.

Intelligence Repositories

ThreatNG’s continuously updated intelligence repositories, known as DarCache, provide the raw data essential for identifying and contextualizing the Identity Exposure Gap.

  • DarCache Rupture: This repository specifically contains compromised credentials from breaches. It provides a continuously updated list of leaked credentials that the ThreatNG platform then uses to assess an organization's risk.

  • DarCache Dark Web: This repository tracks dark web activity and mentions, including those related to compromised identities. The combination of these repositories enables ThreatNG to not only identify exposed credentials but also correlate them with other dark web activity, providing a more comprehensive picture of the threat.

Complementary Solutions

ThreatNG's external focus makes it a powerful complement to internal security solutions.

  • Identity and Access Management (IAM) and Privileged Access Management (PAM) systems: ThreatNG's external findings can be used to inform and reinforce the policies of an IAM or PAM system. For example, if ThreatNG identifies a service account credential exposed in a public code repository, the IAM system can automatically revoke that credential and provision a new one, mitigating the threat.

  • Security Information and Event Management (SIEM) systems: ThreatNG can feed its external intelligence into a SIEM. If ThreatNG flags a publicly exposed administrative page, the SIEM can correlate this external finding with internal login logs to see whether there have been any unauthorized login attempts against the exposed page, providing a unified view of the potential attack.

  • Endpoint Detection and Response (EDR) solutions: If ThreatNG identifies a user's compromised credentials on the dark web, the EDR solution can be used to monitor that user's endpoint for any suspicious activity, such as unusual file access or connections to malicious domains. This allows for a targeted response based on the external intelligence provided by ThreatNG.
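The SIEM correlation sketched above, as an added example that is not part of ThreatNG or any SIEM product: an external finding (an exposed admin login page on a given host) is joined against internal web-server access logs, and login attempts against that page from outside the organization's own address ranges are turned into alerts. The finding schema, the trusted network range, the log lines and the assumption that a successful login answers with HTTP 302 are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed external finding, in the shape an attack-surface tool might export (assumed schema).
EXTERNAL_FINDING = {"host": "www.example.com", "path": "/admin/login"}

# Constructed corporate egress ranges; admin logins from anywhere else are worth a look.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed access-log lines: combined log format with a leading virtual-host field.
SAMPLE_LOG = """\
www.example.com 203.0.113.7 - - [10/Oct/2025:09:00:01 +0000] "POST /admin/login HTTP/1.1" 302 0
www.example.com 198.51.100.23 - - [10/Oct/2025:09:01:10 +0000] "POST /admin/login HTTP/1.1" 401 512
www.example.com 198.51.100.23 - - [10/Oct/2025:09:01:12 +0000] "POST /admin/login HTTP/1.1" 401 512
www.example.com 198.51.100.23 - - [10/Oct/2025:09:01:15 +0000] "POST /admin/login HTTP/1.1" 401 512
www.example.com 198.51.100.23 - - [10/Oct/2025:09:01:20 +0000] "POST /admin/login HTTP/1.1" 302 0
www.example.com 192.0.2.44 - - [10/Oct/2025:09:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
shop.example.com 192.0.2.44 - - [10/Oct/2025:09:02:05 +0000] "POST /admin/login HTTP/1.1" 401 512
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def correlate(finding: dict, log_text: str, failure_threshold: int = 3) -> list[dict]:
    """Join the external finding against login traffic and return alerts for untrusted sources.

    A source outside TRUSTED_NETWORKS is reported for repeated failed logins (a guessing
    attempt against the exposed page) and, separately, for any successful login.
    """
    failures = defaultdict(int)
    successes = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["vhost"] != finding["host"] or m["path"] != finding["path"]:
            continue  # traffic to some other host or page is not relevant to this finding
        if m["method"] != "POST":
            continue  # only submitted login forms count as attempts
        src = m["src"]
        if m["status"] in ("401", "403"):
            failures[src] += 1
        elif m["status"] in ("200", "302"):  # assumed: the app redirects after a good login
            successes[src] += 1

    alerts = []
    for src in set(failures) | set(successes):
        if is_trusted(src):
            continue
        if failures[src] >= failure_threshold:
            alerts.append({"src": src, "type": "brute_force", "failures": failures[src]})
        if successes[src] > 0:
            alerts.append({"src": src, "type": "untrusted_login_success",
                           "successes": successes[src], "failures": failures[src]})
    return sorted(alerts, key=lambda a: (a["src"], a["type"]))


if __name__ == "__main__":
    for alert in correlate(EXTERNAL_FINDING, SAMPLE_LOG):
        print(alert)
```

On the sample log the trusted login from 203.0.113.7 is ignored, the attempt on shop.example.com is ignored because the finding concerns a different host, and 198.51.100.23 produces two alerts: three failures followed by a successful login, which is the sequence a defender most wants surfaced once an admin page is known to be reachable from the internet.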
