NIST 800-53 Risk Assessment


NIST 800-53 control RA-3, titled Risk Assessment, mandates a rigorous, structured process for evaluating threats to an organization's information systems and the potential harm they could cause. It is a foundational control that informs the selection and tailoring of all other security and privacy controls within the framework.

The primary purpose of RA-3 is to understand the whole risk landscape, including the likelihood and magnitude of harm arising from unauthorized access, use, disclosure, disruption, modification, or destruction of the system and its information.

The control requires several key activities:

  • Threat and Vulnerability Identification: The assessment must systematically identify potential threats, such as hostile attacks or insider activity, and pinpoint specific vulnerabilities, such as technical flaws or procedural gaps, within the system.

  • Likelihood and Impact Determination: For each identified threat-vulnerability pair, the organization must determine the probability that the threat will exploit the vulnerability and the resulting adverse impact on organizational operations, assets, individuals, or the nation. This determination is crucial for assigning risk levels and prioritizing mitigation efforts.

  • Documentation and Review: The results of the risk assessment must be formally documented, typically in a risk assessment report, and reviewed by relevant personnel at an organization-defined frequency.

  • Continuous Updating: The risk assessment is not a one-time event; it must be updated at a specified frequency or whenever there are significant changes to the information system, its operating environment, or new threats and vulnerabilities are identified. This ensures that risk-based decisions remain relevant over time.

  • Inclusion of External Risk: The assessment must account for risks from external parties, such as service providers, contractors, and other outsourcing entities, recognizing that supply chain risk is integral to the system's overall security posture.

Essentially, RA-3 provides the evidence base for an organization to make informed risk management decisions, ensuring that security controls are implemented in a targeted, cost-effective manner.

ThreatNG is a highly effective solution for supporting the NIST 800-53 Risk Assessment (RA-3) process because it provides continuous, quantifiable, and external risk data directly from the attacker's perspective. This eliminates guesswork and provides the "absolute certainty" required to justify security investments and prioritize remediation. The external findings are crucial inputs for an accurate risk assessment, which must account for threats arising from unauthorized external access or destruction of information.

External Discovery

ThreatNG performs purely external unauthenticated discovery to establish the whole universe of assets the organization needs to include in its risk assessment.

  • Example: ThreatNG identifies all subdomains, Mobile applications, and cloud assets exposed to the internet, ensuring the scope of the RA-3 assessment is complete and does not overlook unknown attack vectors. It also identifies the associated Technology Stack, providing specific context on which software is running, so the assessment can accurately determine vulnerabilities.

External Assessment

ThreatNG’s security ratings provide quantified risk metrics, directly supporting the RA-3 requirement for determining the likelihood and impact of harm.

  • Subdomain Takeover Susceptibility Rating: A low rating here indicates a high likelihood of domain hijacking.

    • Detailed Example: The assessment discovers a subdomain with a dangling CNAME record pointing to an unclaimed third-party service on the Vendor List. This finding represents a high-impact risk of Subdomain Takeover, which an attacker could use for phishing or malicious code injection. This direct evidence allows the RA-3 process to accurately rate the likelihood of impersonation as high, justifying immediate remediation.

  • Data Leak Susceptibility Rating: This rating is driven by the exposure of sensitive credentials and data.

    • Detailed Example: ThreatNG uncovers Compromised Credentials (e.g., exposed on the Dark Web). This constitutes irrefutable evidence that a key threat (compromised accounts) is highly likely to be exploited for unauthorized access. This input is critical to the risk assessment, which evaluates the magnitude of harm and prioritizes AC-2 (Account Management) and IA-5 (Authenticator Management) controls.

  • BEC & Phishing Susceptibility Rating: This rating assesses the risk of impersonation and social engineering.

    • Detailed Example: ThreatNG identifies numerous unregistered Domain Name Permutations - Available. While not an active compromise, this represents a significant future risk opportunity for malicious registration and phishing if an attacker were to claim the domains. The RA-3 assessment uses this to document the risk for later mitigation (e.g., domain pre-registration), which is a key requirement of RA-3.

Continuous Monitoring

Continuous Monitoring is a key NIST requirement for updating the risk assessment whenever new vulnerabilities or threats are identified. ThreatNG is built on constant external discovery and evaluation.

  • Example: If ThreatNG’s continuous monitoring detects an exposed, newly identified API on a Subdomain, this discovery immediately triggers an update to the risk assessment (RA-3) because a new, high-risk attack vector (AC-17 - Remote Access) has been introduced to the environment. Similarly, if Private IPs Found are exposed via public DNS, the risk assessment must be updated to reflect the increased ease of network reconnaissance.

Investigation Modules

The investigation modules provide the specific, contextual evidence (Legal-Grade Attribution) needed to support the risk assessment's findings and conclusions.

  • Sensitive Code Exposure: This module is critical for identifying specific, high-risk vulnerabilities.

    • Detailed Example: The module finds Code Secrets Found in a public repository, such as a private SSH key or an Artifactory API Token. The risk assessment uses this as absolute, irrefutable evidence of a failure in SC-12 (Cryptographic Key Establishment and Management). It can then determine the maximum impact based on the privileges the key grants.

  • WHOIS Intelligence: This provides information on administrative risks.

    • Detailed Example: Analysis reveals the organization is missing WHOIS Privacy, publicly exposing the registrant's identity and contact information. The risk assessment (RA-3) must evaluate how this exposure increases the likelihood of social engineering and targeted attacks, which can bypass technical controls.

  • Subdomain Intelligence (Known Vulnerabilities): This module assesses the practical exploitability of findings.

    • Detailed Example: When an external vulnerability is found, ThreatNG cross-references it with KEV (Known Exploited Vulnerabilities) data from its intelligence repository. The RA-3 process can then use the KEV confirmation to justify classifying the likelihood of exploitation for this vulnerability as very high, supporting a critical-level risk score.

Intelligence Repositories (DarCache)

The intelligence repositories provide the necessary threat and vulnerability data to ground the risk assessment in a real-world context and probability.

  • Ransomware Groups and Activities (DarCache Ransomware): By tracking over 70 ransomware groups, the repository helps the RA-3 process determine the relevance of ransomware threats.

    • Example: If a tracked ransomware group actively targets an organization's exposed technology stack, the RA-3 assessment must increase the likelihood of a ransomware event, justifying higher prioritization for the IR-8 (Incident Response Plan) and SI-3 (Malicious Code Protection) controls.

  • Vulnerabilities (DarCache EPSS and KEV): These provide probabilistic and confirmed exploitation data.

    • Example: The EPSS (Exploit Prediction Scoring System) provides a probabilistic estimate of the likelihood that a vulnerability will be exploited in the near future. The RA-3 process uses this data to move beyond simple CVSS severity scores and to prioritize vulnerabilities based on real-world threat intelligence, ensuring effective risk management.
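The likelihood and impact determination described under RA-3 above, and the EPSS/KEV-driven prioritization in this section, can be expressed as a small scoring routine. This is an added illustration, not ThreatNG's code or scoring model; the EPSS thresholds, the likelihood-by-impact risk matrix and the CVE identifiers are constructed assumptions, and a real assessment would use organization-defined values.

```python
from dataclasses import dataclass

# Assumed organization-defined EPSS thresholds for likelihood bands.
EPSS_HIGH = 0.5
EPSS_MODERATE = 0.1

LIKELIHOOD_RANK = {"low": 0, "moderate": 1, "high": 2, "very high": 3}
IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}
RISK_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Assumed risk matrix: rows are likelihood bands, columns are impact bands.
RISK_MATRIX = [
    ["low", "low", "moderate"],        # low likelihood
    ["low", "moderate", "high"],       # moderate likelihood
    ["moderate", "high", "critical"],  # high likelihood
    ["moderate", "high", "critical"],  # very high likelihood (KEV-confirmed)
]


@dataclass(frozen=True)
class Finding:
    cve: str           # constructed placeholder identifier, not a real CVE
    cvss: float        # CVSS base severity, 0.0 to 10.0
    epss: float        # EPSS probability of exploitation in the next 30 days
    in_kev: bool       # listed in CISA Known Exploited Vulnerabilities
    asset_impact: str  # "low" | "moderate" | "high" from the asset's categorization


def likelihood(f: Finding) -> str:
    """Likelihood band: a KEV listing overrides the probabilistic EPSS estimate."""
    if f.in_kev:
        return "very high"
    if f.epss >= EPSS_HIGH:
        return "high"
    if f.epss >= EPSS_MODERATE:
        return "moderate"
    return "low"


def risk_level(f: Finding) -> str:
    """Combine likelihood with the asset's impact band via the risk matrix."""
    return RISK_MATRIX[LIKELIHOOD_RANK[likelihood(f)]][IMPACT_RANK[f.asset_impact]]


def prioritize(findings: list[Finding]) -> list[str]:
    """Order by risk level, then EPSS, then CVSS as the final tie-breaker."""
    key = lambda f: (RISK_RANK[risk_level(f)], f.epss, f.cvss)
    return [f.cve for f in sorted(findings, key=key, reverse=True)]


def cvss_only_order(findings: list[Finding]) -> list[str]:
    """The naive severity-only ordering the text says RA-3 should move beyond."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings: note the critical-CVSS item with negligible EPSS.
SAMPLE = [
    Finding("CVE-EXAMPLE-A", 9.8, 0.02, False, "high"),
    Finding("CVE-EXAMPLE-B", 7.2, 0.30, True, "high"),
    Finding("CVE-EXAMPLE-C", 8.1, 0.65, False, "moderate"),
    Finding("CVE-EXAMPLE-D", 5.3, 0.15, False, "low"),
]
```

Run `prioritize(SAMPLE)` against `cvss_only_order(SAMPLE)` to see the KEV-listed, lower-CVSS finding move to the top of the remediation queue.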

Reporting

ThreatNG provides comprehensive and context-driven reports that serve as the formal documentation required by RA-3.

  • Example: The Security Ratings Report provides a snapshot of risk across multiple domains (A-F), while the External GRC Assessment Mappings report documents the exact findings, such as an Invalid Certificate, and explicitly maps them to the corresponding NIST control for formal inclusion in the risk assessment documentation.

Complementary Solutions

ThreatNG's data ensures the accuracy of other risk-related platforms.

  • GRC Platforms: ThreatNG's Contextual Risk Intelligence and Legal-Grade Attribution (Context Engine™) for risks like ESG Violations are fed into a GRC platform. The GRC platform, which manages policies and controls, uses this validated external risk data to update the policy enforcement status and formally document the external non-technical risk within its risk register, fulfilling a critical input requirement for the RA-3 review.

  • Security Orchestration, Automation, and Response (SOAR) Systems: When ThreatNG identifies an open Default Port Scan on a critical asset, it sends this finding to the SOAR. The SOAR automatically triggers a threat modeling playbook to assess the attack paths enabled by that open port and generates a preliminary risk score for that incident. This automated analysis provides the initial likelihood and impact determination required by RA-3 much faster than manual processes.

  • Third-Party Risk Management (TPRM) Solutions: ThreatNG can dynamically track the security posture of an organization's third-party vendors (Dynamic Entity Management) and identify their own Supply Chain & Third Party Exposure. This external risk data for vendors is imported into the TPRM solution, ensuring that the organization's RA-3 assessment accurately incorporates external supply chain risk, as required by the control.
