Identity Reclamation Program


An Identity Reclamation Program, in the context of cybersecurity, is a formal, organized effort undertaken by an individual or organization to proactively regain control of compromised or exposed digital identities. It is a structured response designed to neutralize the assets (credentials, PII, account access) that have been harvested or leaked and are being used by attackers for fraud, account takeover, or extortion.

Program Components and Objectives

The primary objective of an Identity Reclamation Program is to systematically identify all exposed identity fragments and eliminate the attacker's ability to use them.

1. Discovery and Inventory

The initial phase focuses on comprehensive external intelligence gathering to discover the full scope of the exposure.

  • Credential Monitoring: Scanning the deep web and dark web for compromised usernames and passwords associated with the target's identity (personal or corporate emails).

  • Data Footprint Mapping: Identifying where the target's Personally Identifiable Information (PII)—such as phone numbers, addresses, and social media aliases—has been exposed on public forums, past data breaches, or in archives.

  • Typo-squatting Detection: Discovering and tracking malicious look-alike domain names created to impersonate the target's corporate identity.

2. Prioritization and Takedown

Once discovered, the exposed identity assets are assessed for risk and actively addressed.

  • Risk Scoring: Assigning a criticality score to each exposed asset (e.g., a leaked password for a high-value account is High Risk; an old, publicly posted phone number is Medium Risk).

  • Account Remediation: For compromised accounts, this involves forced password resets, enabling Multi-Factor Authentication (MFA), and revoking any unauthorized session tokens or API keys.

  • Data Removal (Takedown): Initiating requests for the removal of sensitive PII or corporate data from public websites, search engine caches, and data breach indexes where feasible. This is a complex but necessary step to minimize exposure.

3. Policy and Prevention

The final, continuous phase involves implementing policies and technical controls to prevent future exposures.

  • Credential Hygiene Policy: Enforcing organization-wide rules against password reuse, particularly between personal and professional accounts, which prevents personal leaks from becoming corporate breaches.

  • Digital Shadow Management: Implementing regular, automated monitoring of external data sources (like paste sites and dark web forums) to continuously track the organization's or individual's identity fragments.

  • Executive Training: Providing specific training to high-value individuals on personal digital safety, social media privacy settings, and the risks associated with identity exposure and executive extortion.
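The credential-monitoring step above (and the risk scoring and password-reuse policy that follow it) can be implemented without ever sending a plaintext password, or even its full hash, to a third party. The example below is added here and is not ThreatNG's code: it uses the request/response shape of the public Pwned Passwords range API (a five-character SHA-1 prefix goes out, every "SUFFIX:COUNT" line in that bucket comes back), keeps the fetch function injectable so the demo runs offline against a constructed breach corpus, and then scores a constructed account inventory the way the Risk Scoring bullet describes. The corpus, the account list, the thresholds and the `company.example` names are assumptions for the demo.

```python
"""Credential monitoring with the k-anonymity range protocol (added example, not ThreatNG code).

The client hashes the password, sends only the first five hex characters of the
SHA-1 and compares the returned suffixes locally, so the full hash never leaves
the machine. A constructed corpus stands in for the live service.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char query prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse CRLF-separated 'SUFFIX:COUNT' lines into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        if ":" not in line:
            continue  # tolerate blank or malformed lines
        suffix, count = line.strip().split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real fetcher for the public API; the offline demo below does not call it."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "identity-reclamation-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed breach corpus (assumption); plaintext only so the fake server can hash it.
CONSTRUCTED_BREACH_CORPUS = {"password": 9545824, "Winter2023!": 17, "letmein": 270931}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the API: every corpus suffix that falls in the requested bucket."""
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 34 + "A:1")  # filler entry so an empty bucket keeps the real shape
    return "\r\n".join(lines)


# Constructed account inventory (assumption): (account, password, is_privileged)
SAMPLE_ACCOUNTS = [
    ("admin@company.example", "Winter2023!", True),
    ("jdoe@company.example", "Winter2023!", False),
    ("svc-backup", "correct horse battery staple", False),
    ("svc-reports", "correct horse battery staple", False),
    ("asmith@company.example", "9d#Qv!zL2p^Wm4rT", False),
]


def triage_accounts(accounts, fetch_range: Callable[[str], str]) -> List[dict]:
    """Risk-score accounts: breached+privileged=critical, breached=high, reused-only=medium."""
    owners_by_hash: Dict[str, List[str]] = {}
    for name, pw, _ in accounts:
        owners_by_hash.setdefault("".join(sha1_prefix_suffix(pw)), []).append(name)
    results = []
    for name, pw, privileged in accounts:
        count = breach_count(pw, fetch_range)
        reused = len(owners_by_hash["".join(sha1_prefix_suffix(pw))]) > 1
        if count and privileged:
            risk = "critical"
        elif count:
            risk = "high"
        elif reused:
            risk = "medium"
        else:
            risk = "ok"
        results.append({"account": name, "breach_count": count, "reused": reused, "risk": risk})
    return results


if __name__ == "__main__":
    for row in triage_accounts(SAMPLE_ACCOUNTS, fake_fetch_range):
        print(row)
```

Swap `fake_fetch_range` for `live_fetch_range` to query the real service; the reuse check compares hashes only, so it works on a password-hash export as well as on plaintext and never needs the passwords themselves in the report.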

By taking these steps, an Identity Reclamation Program transforms a reactive security posture (responding after a breach) into a proactive one (preemptively neutralizing exposed identity assets).

ThreatNG directly supports an Identity Reclamation Program by providing the critical external intelligence needed for the initial Discovery and Inventory phase. It continuously maps and validates the organization's exposed identities and credentials outside the perimeter, allowing security teams to focus their reclamation efforts precisely where the identity risk is highest.

ThreatNG's Role in Identity Reclamation

External Discovery

ThreatNG's purely external, unauthenticated discovery serves as the initial, comprehensive scan to identify all exposed identity fragments, the foundational step of any reclamation program.

  • Example of ThreatNG Helping: An attacker's identity-harvesting often includes discovering email addresses for high-privilege functions. ThreatNG's NHI Email Exposure feature identifies and groups non-human email addresses such as security@company.com or admin@company.com. By identifying these exposed identities, ThreatNG enables the organization to prioritize changing them or removing their external visibility, beginning the reclamation of machine identities.

External Assessment

The security ratings quantify the risks associated with exposed identity components, which guides the Prioritization and Takedown phase of the reclamation program.

  • Data Leak Susceptibility Security Rating (A-F): This rating is derived from uncovering Compromised Credentials.

    • Example in Detail: ThreatNG's assessment finds that the corporate email for a former employee is present in its Compromised Credentials intelligence. Since the identity is known, available, and compromised, this finding receives a poor rating. This directs the reclamation program to immediately check the IAM system for an orphaned account linked to that identity, review its recent sign-in history, and disable or delete it, neutralizing the risk of a successful account takeover.

  • BEC & Phishing Susceptibility Security Rating (A-F): This rating is based on findings like Email Format Guessability and Domain Name Permutations.

    • Example in Detail: ThreatNG discovers a close Domain Name Permutation, such as c0mpany.com, that has been taken by a malicious actor and configured with a mail record. The reclamation program uses this intelligence to issue a takedown request against the look-alike domain and, while that request is pending, to block the domain at the mail gateway, reclaiming the integrity of the corporate identity from the threat actor.
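The Typo-squatting Detection bullet in the Discovery phase and the Domain Name Permutation example above both come down to the same two steps: enumerate the look-alikes of a domain, then find out which of them are already set up to handle mail. The following is an added example, not ThreatNG's Domain Name Permutations module. The MX lookup is injectable so the demo runs offline against a constructed DNS snapshot; the live resolver at the bottom assumes the dnspython package, and the permutation rules and `company.com` are assumptions for the demo.

```python
"""Look-alike domain discovery with an MX check (added example, not ThreatNG code).

Generates homoglyph, omission, repetition, transposition, hyphenation and TLD-swap
variants of a second-level domain and reports those that carry a mail record,
i.e. those already able to send or receive mail as the impersonated brand.
"""
from typing import Callable, Dict, List, Set

# Single-character substitutions that look alike in common fonts (a subset).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
ALT_TLDS = ("com", "net", "org", "co", "io")


def permutations(domain: str) -> Set[str]:
    """Candidate look-alikes of e.g. 'company.com' (single-label TLDs only; 'co.uk' is not split)."""
    label, _, tld = domain.lower().rpartition(".")
    out: Set[str] = set()
    n = len(label)
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:                                 # homoglyph: company -> c0mpany
            out.add(f"{label[:i]}{HOMOGLYPHS[ch]}{label[i + 1:]}.{tld}")
        if n > 1:                                            # omission: company -> cmpany
            out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
        out.add(f"{label[:i]}{ch}{label[i:]}.{tld}")         # repetition: company -> commpany
        if i < n - 1:                                        # transposition: company -> comapny
            out.add(f"{label[:i]}{label[i + 1]}{ch}{label[i + 2:]}.{tld}")
        if i > 0:                                            # hyphenation: company -> com-pany
            out.add(f"{label[:i]}-{label[i:]}.{tld}")
    for alt in ALT_TLDS:                                     # TLD swap: company.com -> company.co
        out.add(f"{label}.{alt}")
    out.discard(domain.lower())
    return out


def find_mailable_lookalikes(domain: str,
                             resolve_mx: Callable[[str], List[str]]) -> List[Dict[str, object]]:
    """Permutations that have at least one MX host, in name order."""
    hits: List[Dict[str, object]] = []
    for candidate in sorted(permutations(domain)):
        mx_hosts = resolve_mx(candidate)
        if mx_hosts:
            hits.append({"domain": candidate, "mx": sorted(mx_hosts)})
    return hits


# Constructed DNS snapshot (assumption) standing in for the live resolver.
CONSTRUCTED_MX = {
    "c0mpany.com": ["mail.c0mpany.com"],
    "company.co": ["mx2.parked-mail.example", "mx1.parked-mail.example"],
    "cornpany.com": [],   # registered but no MX yet: still worth watching, lower priority
}


def fake_resolve_mx(name: str) -> List[str]:
    return CONSTRUCTED_MX.get(name, [])


def live_resolve_mx(name: str) -> List[str]:
    """Real lookup via dnspython (assumed installed); NXDOMAIN, NoAnswer, timeout -> []."""
    import dns.resolver
    import dns.exception
    try:
        return [str(r.exchange).rstrip(".") for r in dns.resolver.resolve(name, "MX")]
    except dns.exception.DNSException:
        return []


if __name__ == "__main__":
    for hit in find_mailable_lookalikes("company.com", fake_resolve_mx):
        print(hit)
```

A candidate with an MX record is the one to prioritise for takedown or gateway blocking; candidates that merely resolve belong on a watch list, since a registrant can add mail records later.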

Reporting

ThreatNG’s reports are designed to turn identity intelligence into actionable security tasks, supporting the program's efficiency.

  • Security Ratings Reports (A through F): These provide continuous, high-level metrics on the organization’s external identity security posture, aligning with existing identity governance and administration efforts.

  • MITRE ATT&CK Mapping: By correlating a finding (e.g., exposed code secrets) with the Initial Access tactic (for example the Valid Accounts technique, T1078), ThreatNG provides the necessary context to justify investments in identity reclamation efforts to the executive team.

Continuous Monitoring

Continuous Monitoring of the external attack surface and digital risk is the most critical defense against identity harvesting, ensuring the reclamation program is ongoing and adaptive.

  • Example of ThreatNG Helping: A database of employee PII, including full names and personal email addresses, is newly posted to a paste site such as Pastebin. Continuous monitoring detects this Online Sharing Exposure and flags it as a mass identity leak. This triggers an immediate reclamation task: notify the affected individuals, warn them to expect targeted phishing, and rotate credentials for any accounts tied to the exposed addresses, preventing the newly exposed personal data from being weaponized.

Investigation Modules

ThreatNG's modules allow for a deep-dive investigation necessary to trace and remediate exposed identity fragments.

  • Dark Web Presence: This module monitors for Compromised Credentials and organizational mentions.

    • Example in Detail: An analyst uses this module to confirm that a list of company usernames is being sold on an underground forum. This intelligence is crucial for the reclamation program because it confirms the identities are actively targeted and require immediate remediation, such as a forced credential reset for the listed accounts and a check of authentication logs for credential-stuffing attempts against them.

  • Sensitive Code Exposure: This module discovers public code repositories and checks for digital risks, such as Access Credentials and API Keys.

    • Example in Detail: ThreatNG finds a developer's public Git repository that exposes an AWS Access Key ID. This exposed machine identity is a high-value target. The reclamation program uses this finding to immediately revoke the exposed key, review the key's usage history for activity its owner cannot explain, and implement a secret management policy to prevent future machine identity leaks. Removing the commit alone is not enough, because the key remains in the repository history and in any clones or caches.

  • Social Media / Username Exposure: This performs a Passive Reconnaissance scan for usernames across a wide range of social media and forums.

    • Example in Detail: An analyst uses this tool to find that a key executive's personal alias is active on a high-risk forum. This confirms a digital exposure point that could lead to social engineering or executive extortion. The reclamation program can then advise the executive on hardening those specific personal accounts, effectively reclaiming the security of their digital identity.
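The two exposure types described above, a leaked AWS key in a public repository and an employee list on a paste site, are found by the same kind of scanner: pattern matching over public text, with an entropy filter so that placeholder values do not drown out real secrets. The block below is an added example, not ThreatNG's Sensitive Code Exposure or Online Sharing Exposure modules. The AWS key format (AKIA/ASIA followed by 16 characters) is the documented one and the key and secret used in the sample are AWS's published example values; the sample paste, the `company.example` domain, the entropy threshold and the mass-leak threshold are assumptions for the demo.

```python
"""Scanner for exposed secrets and corporate identities in public text (added example, not ThreatNG code).

Finds AWS access key IDs, generic secret assignments whose value has the entropy
of a real random secret, and e-mail addresses on the organisation's own domains,
and rolls several corporate addresses in one document up into a mass-leak finding.
"""
import math
import re
from collections import Counter
from typing import Dict, List, Set

AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(?:secret|token|password|api[_-]?key)[a-z0-9_]*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")
ENTROPY_THRESHOLD = 3.5   # bits per character (assumption); random secrets sit well above, words below
MASS_LEAK_THRESHOLD = 3   # distinct corporate addresses in one document (assumption)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(value: str) -> str:
    """Keep enough to recognise the secret without re-leaking it in a report."""
    return value[:4] + "..." + value[-2:]


def scan_text(text: str, corporate_domains: Set[str]) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    corporate_emails: Set[str] = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": m.group(0), "severity": "critical"})
        for m in SECRET_ASSIGN_RE.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:   # drops "changeme"-style placeholders
                findings.append({"line": lineno, "kind": "high_entropy_secret",
                                 "value": redact(value), "severity": "high"})
        for m in EMAIL_RE.finditer(line):
            if m.group(1).lower() in corporate_domains:
                corporate_emails.add(m.group(0).lower())
                findings.append({"line": lineno, "kind": "corporate_email",
                                 "value": m.group(0), "severity": "medium"})
    if len(corporate_emails) >= MASS_LEAK_THRESHOLD:
        findings.append({"line": 0, "kind": "mass_identity_leak",
                         "value": f"{len(corporate_emails)} corporate addresses", "severity": "high"})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per kind, the shape a ticketing or SOAR hand-off would consume."""
    return dict(Counter(str(f["kind"]) for f in findings))


# Constructed sample (assumption): a committed config file followed by a pasted employee list.
SAMPLE_TEXT = """\
# constructed sample: a config file committed to a public repo
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
password = "changeme_changeme_changeme"
# constructed sample: an employee list pasted to a paste site
Jane Doe,jane.doe@company.example,jane.d@freemail.example
Raj Patel,raj.patel@company.example,+1-555-0100
Li Wei,li.wei@company.example,
Ana Souza,ana.souza@company.example,asouza@other.example
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_TEXT, {"company.example"}):
        print(finding)
    print(summarize(scan_text(SAMPLE_TEXT, {"company.example"})))
```

The access key ID alone is worth a critical finding even without its secret: it tells you exactly which IAM principal to deactivate and whose activity history to review. The entropy filter is what keeps the `changeme` placeholder out of the queue while the real secret next to it is reported.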

Intelligence Repositories (DarCache)

The intelligence repositories provide the raw, external data that fuels the reclamation program's discovery phase.

  • Compromised Credentials (DarCache Rupture): This repository is the core source for identifying exposed employee and organizational passwords, which are the primary assets an attacker harvests.

  • SEC Form 8-Ks (DarCache 8-K): These filings, used in risk assessments, can inadvertently contain details about a breach or identity-related incident, which ThreatNG monitors to provide context for an identity reclamation effort.

Complementary Solutions

ThreatNG's external focus creates strong synergy with internal security tools, enabling a faster, more effective response to reclamation.

  • Cooperation with IAM Solutions: When the Compromised Credentials repository (DarCache Rupture) identifies a leaked credential, this high-fidelity intelligence can be sent automatically to a complementary Identity and Access Management (IAM) system. The IAM solution can then be configured to carry out the reclamation step automatically: triggering a password reset, revoking all existing session tokens, and requiring step-up authentication (such as MFA) for the affected user.

  • Cooperation with Security Orchestration, Automation, and Response (SOAR) Platforms: Findings from the Domain Name Permutations module, showing a newly registered typosquatting domain, can be fed into a complementary SOAR platform. The platform can then orchestrate the takedown or domain acquisition request, tracking the administrative and legal steps of identity reclamation and applying interim controls such as mail-gateway blocks automatically, with a human approval step where the registrar or legal actions require it.
