Insufficient Lifecycle Management

In cybersecurity, Insufficient Lifecycle Management is a systemic failure to properly manage a digital asset, identity, or security control throughout its entire lifecycle, from creation to eventual retirement. It's a key governance gap that leaves an organization vulnerable because assets and identities that are not actively managed can become forgotten, unpatched, or over-privileged, creating security blind spots.

This failure can be observed at various stages:

  • Provisioning: Assets or identities are created with default, weak, or excessive privileges.

  • Maintenance: They are not regularly monitored, patched, or updated, allowing vulnerabilities to accumulate over time.

  • Review: Access and permissions are not periodically audited, which can result in stale or overly privileged accounts.

  • Deprovisioning: When an asset or identity is no longer needed, it is not properly decommissioned or removed, leaving "zombie accounts" and orphaned resources that an attacker can exploit.

The consequences of insufficient lifecycle management are severe, as it creates a larger attack surface and makes it more difficult to enforce a consistent security posture.
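The four stages above are easiest to check by reconciling what is observed externally against the internal asset inventory. The following is an added illustration, not ThreatNG code: it assumes a simple inventory record and a constructed list of external findings, and flags assets that are orphaned (seen externally but owned by nobody), retired but still live (deprovisioning never completed), or overdue for review.

```python
from dataclasses import dataclass
from datetime import date

REVIEW_POLICY_DAYS = 90  # assumed policy: active assets are reviewed at least every 90 days


@dataclass
class InventoryRecord:
    name: str          # hostname the asset is served from
    status: str        # "active" or "retired"
    last_review: date  # when its access and configuration were last audited

@dataclass
class Finding:
    asset: str  # hostname the external finding relates to
    kind: str   # "subdomain" (live host) or "secret" (credential found in public code)


def classify_lifecycle_gaps(inventory, findings, today):
    """Return {gap_name: sorted asset names} for three lifecycle failures:
    orphaned (seen externally, not in inventory), retired_but_live
    (deprovisioning never completed), stale_review (review overdue)."""
    by_name = {rec.name: rec for rec in inventory}
    gaps = {"orphaned": set(), "retired_but_live": set(), "stale_review": set()}
    for f in findings:
        rec = by_name.get(f.asset)
        if rec is None:
            gaps["orphaned"].add(f.asset)
        elif rec.status == "retired":
            gaps["retired_but_live"].add(f.asset)
    for rec in inventory:
        if rec.status == "active" and (today - rec.last_review).days > REVIEW_POLICY_DAYS:
            gaps["stale_review"].add(rec.name)
    return {gap: sorted(names) for gap, names in gaps.items()}


def run_sample():
    """Constructed inventory and findings; the example.com hosts are placeholders."""
    inventory = [
        InventoryRecord("api.example.com", "active", date(2024, 1, 10)),
        InventoryRecord("shop.example.com", "active", date(2024, 5, 1)),
        InventoryRecord("legacy.example.com", "retired", date(2023, 9, 1)),
    ]
    findings = [
        Finding("api.example.com", "subdomain"),
        Finding("legacy.example.com", "subdomain"),    # retired app still answering
        Finding("legacy.example.com", "secret"),       # its API key still in a public repo
        Finding("old-admin.example.com", "subdomain"),  # nobody owns this host
    ]
    return classify_lifecycle_gaps(inventory, findings, date(2024, 6, 1))
```

Each flagged name maps to a concrete owner action: assign ownership, finish decommissioning, or run the overdue access review.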

ThreatNG helps an organization address Insufficient Lifecycle Management by providing an external, unauthenticated view of its attack surface and identifying "zombie" or unmanaged assets and identities. It proactively discovers and evaluates these orphaned resources, which are typically the product of poor lifecycle management.

ThreatNG's Role in Managing Insufficient Lifecycle Management

External Discovery

ThreatNG performs purely external, unauthenticated discovery to find public-facing assets that have not been properly decommissioned. This helps an organization find assets that have been left behind due to insufficient lifecycle management. ThreatNG's discovery capabilities include:

  • Subdomain Intelligence: It analyzes subdomains for various factors like HTTP responses, header analysis, cloud hosting, and open ports. It can identify subdomains that are no longer in use but are still pointing to a live service, which could be a forgotten asset.

  • Sensitive Code Exposure: It identifies public code repositories and examines their contents for sensitive data, including API keys, access tokens, and cloud credentials. This helps identify credentials that may have been forgotten and are still active.

  • Archived Web Pages: ThreatNG identifies all archived items on the organization’s online presence, including emails, usernames, admin pages, and other sensitive files. This can reveal information about assets and identities that have been forgotten.

  • Online Sharing Exposure: It identifies organizational entities on platforms such as Pastebin, GitHub Gist, and others. This can reveal a lack of control over what information is being shared externally.

  • Cloud and SaaS Exposure: It evaluates cloud services and SaaS solutions, discovering sanctioned, unsanctioned, and open-exposed cloud buckets. This is critical for identifying assets that individual teams may have deployed without central oversight.

Example of ThreatNG Helping: A development team retires an application but forgets to remove its subdomain and API keys. ThreatNG's discovery capabilities would find the old subdomain and the exposed API keys in a public code repository, highlighting a clear case of insufficient lifecycle management.

External Assessment

ThreatNG assesses the risk of the newly discovered assets to provide context and prioritization. These assessments directly relate to the problems of insufficient lifecycle management.

  • Cyber Risk Exposure: This score considers parameters our Domain Intelligence module covers, including certificates, subdomain headers, vulnerabilities, and sensitive ports. It also factors in "Code Secret Exposure," which involves discovering code repositories, assessing their exposure levels, and investigating their contents for sensitive data. An orphaned asset or an unmanaged credential can significantly increase an organization's cyber risk exposure.

    • Example: ThreatNG discovers an old, unpatched web server that is no longer in use. This would lead to a high "Cyber Risk Exposure" score due to the unpatched vulnerabilities, which are a direct result of insufficient lifecycle management.

  • Subdomain Takeover Susceptibility: The platform evaluates a website's susceptibility to subdomain takeover by analyzing its subdomains, DNS records, and SSL certificate statuses. An old subdomain that is no longer in use is a prime target for a subdomain takeover, which is a direct result of insufficient lifecycle management.

  • Breach & Ransomware Susceptibility: This score is derived from external attack surface and digital risk intelligence, which includes domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events and gang activity), and sentiment and financials (SEC Form 8-Ks). An unmanaged asset or unmanaged credential can increase an organization's risk of breaches and ransomware.

Reporting

ThreatNG's reports, which include Executive, Technical, and Prioritized (High, Medium, Low, and Informational), are crucial for communicating the organization's security posture to leadership. These reports would detail newly discovered assets, their associated risks, and the specific vulnerabilities that were identified. The "External GRC Assessment" report provides a mapping of findings to relevant compliance frameworks.

Example of ThreatNG Helping: An executive report from ThreatNG would show a low security rating due to significant "Cloud and SaaS Exposure" and "Code Secret Exposure". The corresponding technical report would list specific findings, such as an exposed API key with a "High" risk level, and provide actionable recommendations, allowing the organization to improve its lifecycle management processes.

Continuous Monitoring

ThreatNG continuously monitors an organization's external attack surface, digital risk, and security ratings. This is crucial for managing insufficient lifecycle management, as it ensures that the organization's inventory of public-facing assets is always up to date. As new assets are added, ThreatNG automatically discovers and assesses them, and it can detect when old assets or credentials have been left behind.

Example of ThreatNG Helping: An organization retires an application and its associated subdomain. ThreatNG's continuous monitoring would detect that the subdomain is still active and flag it as a potential risk, prompting the organization to decommission it properly.

Investigation Modules

ThreatNG's investigation modules enable a deep dive into specific areas of the attack surface, which is crucial for understanding new exposures.

  • Sensitive Code Exposure: This module directly identifies public code repositories and detects digital risks by analyzing their contents for various access credentials, security credentials, and configuration files. This is crucial for identifying accidental exposure of credentials that result directly from insufficient lifecycle management.

  • Subdomain Intelligence: This module analyzes subdomains for various factors, including HTTP responses, header analysis, cloud hosting, and open ports, and assesses their susceptibility to subdomain takeover. An old subdomain that is no longer in use is a prime target for a subdomain takeover.

  • Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services, open exposed cloud buckets, and various SaaS implementations. This helps an organization find and secure assets that have been deployed without central oversight.

  • Dark Web Presence: This module tracks organizational mentions and associated compromised credentials. It can identify credentials that have been compromised and remain active due to inadequate lifecycle management.

Example of ThreatNG Helping: An investigation using the Sensitive Code Exposure module reveals a publicly accessible configuration file with hard-coded database credentials for an old, retired application. This is a critical example of insufficient lifecycle management.

Intelligence Repositories

ThreatNG's intelligence repositories, known as DarCache, provide critical context for assessing the risks associated with insufficient lifecycle management.

  • Vulnerabilities (DarCache Vulnerability): This repository includes information from NVD, EPSS, and KEV, providing a holistic approach to managing external risks by understanding their real-world exploitability and potential impact. An unmanaged asset is often unpatched, which can lead to it having known vulnerabilities.

  • Compromised Credentials (DarCache Rupture): This repository contains information on compromised credentials. When assets are added to the attack surface, a breach can leak the credentials associated with them. ThreatNG uses this repository to determine whether any credentials associated with discovered assets have been compromised.

Example of ThreatNG Helping: The DarCache Vulnerability repository identifies a known vulnerability in an old, unpatched web server that ThreatNG has discovered on the organization's attack surface. This provides a direct indicator of insufficient lifecycle management and helps the organization to prioritize the asset's decommissioning.

Synergies with Complementary Solutions

Other security solutions can complement ThreatNG's external focus on insufficient lifecycle management.

  • Complementary Solutions: Configuration Management and Patch Management Tools: ThreatNG's external assessment identifies newly discovered vulnerabilities and misconfigurations. This information can be utilized by configuration management and patch management tools to automatically patch new systems and enforce secure configurations, thereby preventing the attack surface from expanding due to known weaknesses.

  • Complementary Solutions: Cloud Security Posture Management (CSPM): ThreatNG's external discovery of exposed cloud assets and services can be complemented by a CSPM. The CSPM would perform a deeper, internal scan of the cloud environment to ensure that the newly discovered assets adhere to internal security policies and do not have misconfigurations that could lead to further expansion of the attack surface.

  • Complementary Solutions: Secrets Management Solutions: ThreatNG's discovery of hard-coded credentials in public code repositories provides strong evidence for implementing a secrets management solution. This allows organizations to securely manage and rotate credentials, preventing them from being accidentally exposed in the future.

  • Complementary Solutions: Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's alerts on newly discovered assets or critical vulnerabilities can be ingested by a SIEM for consolidated logging. A SOAR platform can then use these alerts to automate response actions, such as isolating a newly discovered, vulnerable asset or triggering a workflow to notify the team responsible for the asset.
