Infection Exposure
Infection Exposure, in the context of Continuous Threat Exposure Management (CTEM), refers to the validated risk that organizational assets are compromised by malicious software (malware, viruses, spyware, or ransomware).
This exposure is crucial because a successful infection is usually the foothold from which an attacker pursues their objective, whether that is credential theft, data exfiltration, system disruption, or lateral movement across the network.
Key Characteristics of the Exposure:
Diverse Attack Surface: Infection exposure is unique because it spans all types of devices associated with the company, including "Infected Corporate Owned Devices," "Infected Vendor Owned Devices," and various states of an "Infected Employee Owned Device." An infection on any of these devices can serve as an initial access vector for an attacker.
The Credential-Harvesting Link: The primary risk posed by an infection is the harvesting and leakage of corporate credentials (the "Infected Employee Owned Device Corporate Credentials" scenario). Even if the infection is on a personal device, the stolen corporate credentials become an external exposure that CTEM must track.
Vector for Lateral Movement: An infection is an immediate precursor to a more severe internal breach. An infected device that is "Internal Network Connected" becomes a hostile node inside the security perimeter, ready to pivot and attack other systems.
CTEM's Role in Managing Infection Exposure:
CTEM treats infection exposure not as an endpoint event but as an externalized risk signal that must be neutralized proactively.
Continuous Discovery: An externally focused CTEM program cannot see malware running within the network, so it continuously monitors external sources (such as the dark web and intelligence feeds) for the output of an infection, specifically the compromised data. The appearance of corporate credentials or sensitive files linked to an infected device confirms the exposure.
Prioritization: Infections are prioritized based on the role of the infected device and its likely access. An "Infected Vendor Owned Device" is high-priority due to potential supply chain access, while an infected device with "Corporate Credentials" is prioritized over a purely personal, unlinked device.
Mobilization and Remediation: The CTEM process mobilizes to contain the risk by invalidating the exposed attack paths. This involves actions such as revoking network access for the infected device or forcing a password reset for all compromised credentials associated with the infection, thus preventing the attacker from leveraging the initial foothold.
ThreatNG’s approach to Infection Exposure focuses solely on detecting the externalized consequences of an internal malware infection, which is crucial for Continuous Threat Exposure Management (CTEM). It treats the infection not as a problem on the endpoint, but as a risk that has manifested in the public domain and can be used for further attack.
External Discovery and Continuous Monitoring
ThreatNG performs purely external unauthenticated discovery using no connectors, continuously scanning the dark web and the public internet. This continuous monitoring is vital because it catches the output of an infection—the moment credentials or data are exfiltrated and sold.
This helps with Infection Exposure by:
Identifying Leaked Data: The discovery process actively monitors for corporate assets appearing in public dumps. While it cannot see an "Infected Corporate Owned Device" directly, it detects the exposure once the malware on that device dumps credentials, which then appear in a dark web intelligence repository.
Mapping Risk Perimeter: Discovery of vendor relationships via Domain Intelligence is key to managing supply chain risks, such as an "Infected Vendor Owned Device," allowing the organization to monitor external risk signals from its partners.
Intelligence Repositories
The platform's intelligence repositories are the primary source for identifying infection fallout.
Compromised Credentials (DarCache Rupture): This repository is the primary source for confirming that an infection has leaked credentials. Malware often harvests credentials, and when those credentials, such as those linked to an "Infected Employee Owned Device Corporate Credentials" scenario, appear in this database, the exposure is validated. ThreatNG provides the context needed to confirm whether the credential belongs to a high-value account. One check a practitioner should apply: a record that carries infected-machine metadata (hostname, local username, captured session tokens) points to a stealer infection on a specific device, whereas a bare email-and-password pair may equally come from a third-party site breach, so the two warrant different responses.
NHI Email Exposure: This feature helps track the use of corporate identities on external breach sites. If an "Infected Employee Owned Device Personal Use Of Corporate Identity" results in the employee's corporate email being exposed in a personal site breach, ThreatNG flags this, enabling the security team to enforce policies around corporate identity use.
External Assessment and Security Ratings
ThreatNG transforms the raw infection data into prioritized, business-relevant risk scores.
Data Leak Susceptibility: This rating immediately increases when infection-related artifacts, such as stolen credentials or sensitive files, are found. The platform uses this to prioritize the exposure, focusing on data that gives attackers a network foothold, which is a common outcome of an infection on an "Infected Employee Owned Device Internal Network Connected."
Cyber Risk Exposure: This score quantifies the overall systemic risk associated with the exposed assets. If a credential exposed by an infection is found to grant access to a system with known vulnerabilities, the Cyber Risk Exposure rating for that attack path increases, emphasizing the urgency to act.
Investigation Modules and Reporting
ThreatNG's tools allow security teams to quickly move from an external alert to a precise, internal response.
Reconnaissance Hub: This unified interface enables analysts to fuse intelligence. For example, if Compromised Credentials intelligence points to a specific employee email address, the analyst can use the Reconnaissance Hub to pivot to Advanced Search and filter for the employee's full footprint. This can confirm the infection's outcome, such as the use of the corporate identity in a third-party context ("Infected Employee Owned Device 3rd Party Business Use Of Corporate Identity").
Advanced Search: This tool facilitates the detailed investigation of exposed data. An analyst uses it to filter credential dumps, specifically looking for those containing system-level usernames or access tokens that would only be present due to an infection on a high-privilege device.
This process enables transparent Reporting to management, allowing them to understand the risk of infection in terms of exploitable credentials rather than just a few infected devices.
Cooperation with Complementary Solutions
ThreatNG's highly validated infection exposure data is crucial for strengthening internal security tools by providing verified external context.
When ThreatNG's Compromised Credentials repository detects credentials likely resulting from an infection, this information can be integrated with an organization's Endpoint Detection and Response (EDR) solution. Given the compromised username and the infected device name (available when the intelligence record carries the stealer's machine metadata), the EDR solution can execute an automated workflow to isolate the associated endpoint and begin forensics to remove the malware, neutralizing the infection on the "Infected Corporate Owned Device" before it can spread.
Furthermore, if ThreatNG identifies a user whose corporate identity has been compromised by an infection (for example, their email is exposed in a data breach), this intelligence can be fed to a Security Orchestration, Automation, and Response (SOAR) platform. The SOAR platform can automatically initiate a remediation playbook that forces a password reset and requires the affected user to re-enroll in multi-factor authentication (MFA), cutting off the attacker's access path and containing the threat.

