Pre-Breach Threat Intelligence
Pre-Breach Threat Intelligence (PBTI) is a proactive, forward-looking security discipline focused on gathering, processing, and analyzing information about threats and adversaries before a compromise occurs, specifically to prevent the initial stages of a cyberattack.
It represents the shift from monitoring a network for suspicious activity to monitoring the external environment for suspicious intent and capability directed at the organization.
Core Focus and Intelligence Categories
PBTI is rooted in the adversary's perspective and aims to answer the question: "What intelligence is the attacker gathering, and how can we neutralize it?"
1. External Attack Surface Intelligence
This category focuses on identifying and cataloging an organization's publicly exposed assets and vulnerabilities that an adversary would use for initial access.
Vulnerability Context: Intelligence about newly disclosed zero-day vulnerabilities or vulnerabilities known to be actively exploited in the wild (Known Exploited Vulnerabilities - KEV) that affect the organization’s specific technologies.
Shadow IT and Exposure: Discovery of forgotten or unmanaged internet-facing assets (e.g., misconfigured cloud services, test servers, unknown domains) that represent an easy, unmonitored entry point for an attacker.
2. Digital Risk and Human Intelligence
This category focuses on the human and brand factors that enable social engineering and targeted attacks.
Credential Leakage: High-fidelity intelligence regarding corporate login credentials, private keys, or intellectual property found on the dark web, hacker forums, or public code repositories. This information is the attacker's primary reconnaissance goal.
Brand and Executive Monitoring: Tracking the creation of lookalike domains (typosquatting), social media threats, or executive-specific personal information (whaling bait) that an attacker could use to stage a convincing social engineering campaign.
3. Adversary Capability and Intent
This is the strategic component that gives PBTI its predictive power.
Targeting Chatter: Monitoring deep and dark web forums for discussions, threads, or posts that specifically mention the organization, its industry, or its technology stack as a target.
Malware and TTPs (Tactics, Techniques, and Procedures): Intelligence on the newest malware strains, exploit kits, or specific techniques being adopted by known threat groups, allowing the defender to patch the specific controls that would prevent the attack.
Strategic Value
The decisive value of PBTI is that it allows the security team to implement preventive controls rather than reactive detection. By gathering this intelligence, an organization can:
Prioritize Patching: Focus resources only on the small percentage of vulnerabilities that are both exposed and actively exploited.
Neutralize Reconnaissance: Preemptively revoke leaked credentials and remove exposed access points before the attacker can weaponize them, effectively forcing the adversary to abandon the attack.
Harden the Human Layer: Provide targeted, relevant security training based on the specific social engineering threats being discussed on the dark web.
ThreatNG is an excellent solution for executing Pre-Breach Threat Intelligence (PBTI) because its entire architecture is focused on gathering and analyzing external, adversary-centric information. It proactively maps the attacker's reconnaissance data to help the organization neutralize threats before the attacker can move to the exploitation phase.
How ThreatNG Provides Pre-Breach Threat Intelligence
ThreatNG's capabilities directly align with the three core components of PBTI:
1. External Attack Surface Intelligence (External Discovery and Assessment)
ThreatNG provides intelligence about the most vulnerable entry points an attacker will target.
External Discovery: The platform performs purely external unauthenticated discovery using no connectors, ensuring it finds every exposed asset—including "Shadow IT" and forgotten servers—that an adversary would find and target. This is the foundation of pre-breach intelligence.
External Assessment (Breach & Ransomware Susceptibility): This assessment directly measures the likelihood of a pre-breach state escalating to a full compromise. It fuses multiple technical factors that an attacker gathers during reconnaissance.
Example in Detail: The assessment calculates the score from findings such as exposed sensitive ports (like RDP or SSH), known vulnerabilities on subdomains, and Compromised Credentials from the dark web. The discovery of an exposed RDP port combined with the presence of an employee's credential in a data dump provides the pre-breach insight that the attacker has already completed two critical phases of reconnaissance, making a breach imminent.
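The "Prioritize Patching" filter (vulnerabilities that are both exposed and actively exploited) and the fusion of ports, vulnerabilities and leaked credentials described in the assessment above are both simple to express in code. The following is an added example written for this page, not ThreatNG code: the weights, the KEV catalogue entries (placeholder identifiers, not real CVE numbers), the hostnames and the leaked-account feed are all constructed sample data.

```python
"""Ranking externally exposed assets by breach susceptibility.

Added example, not ThreatNG code. It fuses the three reconnaissance-phase
signals the text describes (exposed sensitive ports, known vulnerabilities,
compromised credentials) and applies the "exposed AND actively exploited"
patching filter. Weights, identifiers and hostnames are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Services that give direct initial access when reachable from the internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB", 5900: "VNC"}

# Constructed KEV catalogue. Placeholder identifiers, not real CVE numbers.
KEV_CATALOG = {"CVE-0000-EXAMPLE1", "CVE-0000-EXAMPLE3"}

# Constructed breach-dump feed: accounts whose credentials appeared in a leak.
LEAKED_ACCOUNTS = {"jdoe"}

# Weights are illustrative; a real scoring model would be calibrated.
W_SENSITIVE_PORT, W_KEV, W_NON_KEV, W_LEAKED, W_COMPOUND = 20, 40, 5, 30, 50


@dataclass
class Asset:
    hostname: str
    open_ports: set[int]
    cves: set[str]
    admins: set[str]  # accounts known to log in to this host


@dataclass
class Finding:
    hostname: str
    score: int
    reasons: list[str] = field(default_factory=list)


def score_asset(asset: Asset, kev: set[str], leaked: set[str]) -> Finding:
    """Combine independent signals into one score and keep the reasoning."""
    f = Finding(asset.hostname, 0)
    exposed = sorted(p for p in asset.open_ports if p in SENSITIVE_PORTS)
    for p in exposed:
        f.score += W_SENSITIVE_PORT
        f.reasons.append(f"exposed {SENSITIVE_PORTS[p]} ({p}/tcp)")
    for cve in sorted(asset.cves):
        if cve in kev:
            f.score += W_KEV
            f.reasons.append(f"{cve} is actively exploited (KEV)")
        else:
            f.score += W_NON_KEV
            f.reasons.append(f"{cve} known, not in KEV")
    leaked_admins = sorted(asset.admins & leaked)
    for acct in leaked_admins:
        f.score += W_LEAKED
        f.reasons.append(f"credential for {acct} found in breach dump")
    # The combination matters more than either signal alone: a reachable
    # remote-access service plus a valid credential is a complete login path.
    if exposed and leaked_admins:
        f.score += W_COMPOUND
        f.reasons.append("exposed remote access + leaked credential: direct login path")
    return f


def rank_assets(assets, kev=KEV_CATALOG, leaked=LEAKED_ACCOUNTS) -> list[Finding]:
    """Highest susceptibility first, so the defender works the top of the list."""
    return sorted((score_asset(a, kev, leaked) for a in assets),
                  key=lambda f: f.score, reverse=True)


def patch_first(assets, kev=KEV_CATALOG) -> dict[str, list[str]]:
    """The 'small percentage': CVEs present on an exposed asset AND in KEV."""
    out: dict[str, list[str]] = {}
    for a in assets:
        for cve in a.cves & kev:
            out.setdefault(cve, []).append(a.hostname)
    return {cve: sorted(hosts) for cve, hosts in sorted(out.items())}


# Constructed external-discovery results for three internet-facing hosts.
SAMPLE_ASSETS = [
    Asset("vpn-test.example.test", {443, 3389}, {"CVE-0000-EXAMPLE1"}, {"jdoe"}),
    Asset("www.example.test", {443}, {"CVE-0000-EXAMPLE2"}, {"webadmin"}),
    Asset("git.example.test", {22, 443}, set(), {"ops"}),
]

if __name__ == "__main__":
    for f in rank_assets(SAMPLE_ASSETS):
        print(f"{f.score:4d} {f.hostname}: " + "; ".join(f.reasons))
    print("patch first:", patch_first(SAMPLE_ASSETS))
```

The compound bonus is the point of the example: an exposed RDP port and a leaked administrator credential are each moderate on their own, but together they describe a complete unauthenticated path into the host, so the forgotten test VPN box outranks the patched web server by a wide margin. Keeping the reasons with the score is what lets the team act (revoke the credential, close the port, patch the KEV item) instead of just reading a number.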
2. Digital Risk and Human Intelligence (Investigation Modules and Repositories)
ThreatNG focuses on the human element and leaked data that enable sophisticated social engineering.
Intelligence Repositories (DarCache Rupture): This repository is a primary source of PBTI regarding identity. It flags Compromised Credentials from the dark web. Finding a System Administrator's corporate credential here is the clearest form of pre-breach intelligence, indicating an attacker has obtained the keys to the kingdom.
Social Media Investigation Module: This module helps neutralize social engineering reconnaissance by tracking the Human Attack Surface.
Example in Detail: The LinkedIn Discovery feature identifies an executive who frequently posts personal details. This information is a reconnaissance goldmine for whaling attacks. The resulting pre-breach intelligence allows the security team to implement highly targeted, executive-specific phishing defenses, neutralizing the attacker's ability to craft a believable social engineering narrative.
3. Adversary Capability and Intent (Reconnaissance Hub and Continuous Monitoring)
ThreatNG ensures that the collected intelligence is immediately actionable and prioritized based on adversary activity.
Reconnaissance Hub (Overwatch): This system is designed to provide immediate, portfolio-wide prioritization for PBTI. It integrates intelligence on actively exploited threats.
Example of Pre-Breach Insight: Overwatch instantly cross-references all discovered external assets with the DarCache KEV (Known Exploited Vulnerabilities) repository. If a critical vulnerability is found on an exposed server, and that vulnerability is confirmed to be actively exploited in the wild (KEV), this is the most valuable form of PBTI, necessitating an emergency patch.
Continuous Monitoring: By constantly re-checking the attack surface, ThreatNG provides early warning that an attacker is moving toward the organization. A sudden change, such as a newly opened RDP port or a newly registered typo-squatting domain, provides an immediate pre-breach alert that reconnaissance is accelerating.
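The continuous-monitoring signals above (a newly reachable RDP port, a newly registered lookalike domain) reduce to comparing two snapshots of the external footprint and applying a similarity test to any new domain. The code below is an added example written for this page, not ThreatNG code; the snapshots, the brand name "example", the owned-domain list and the homoglyph table are constructed, and the edit-distance threshold of 1 is an assumption a real deployment would tune.

```python
"""Attack-surface change detection and lookalike-domain triage.

Added example, not ThreatNG code. Compares two constructed snapshots of an
organization's external footprint and raises pre-breach alerts for newly
exposed sensitive services and for newly observed domains that resemble the
organization's brand once common typosquatting substitutions are folded.
"""
from __future__ import annotations
from dataclasses import dataclass

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB", 5900: "VNC"}

# Single-character visual substitutions commonly used in typosquatting.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def normalize(label: str) -> str:
    """Fold digit/letter look-alikes and two-letter pairs that mimic one letter."""
    label = label.lower().translate(HOMOGLYPHS)
    return label.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, brand: str, max_distance: int = 1) -> bool:
    """True when the registrable label imitates the brand without being it."""
    label = domain.split(".")[0]
    if label == brand:
        return False
    folded = normalize(label)
    if folded == brand:                      # exarnple, examp1e
        return True
    if brand in folded:                      # example-login, myexample
        return True
    return edit_distance(folded, brand) <= max_distance  # exmple, exampel


@dataclass
class Snapshot:
    open_ports: dict[str, set[int]]   # hostname -> ports reachable from the internet
    observed_domains: set[str]        # domains seen in DNS, certificate or registration feeds


def diff_snapshots(old: Snapshot, new: Snapshot, brand: str, owned: set[str]):
    """Return (alert_type, subject, detail) tuples for changes worth a page."""
    alerts = []
    for host, ports in new.open_ports.items():
        for p in sorted(ports - old.open_ports.get(host, set())):
            if p in SENSITIVE_PORTS:
                alerts.append(("NEW_SENSITIVE_PORT", host,
                               f"{SENSITIVE_PORTS[p]} {p}/tcp newly reachable"))
    for dom in sorted(new.observed_domains - old.observed_domains):
        if dom not in owned and is_lookalike(dom, brand):
            alerts.append(("NEW_LOOKALIKE_DOMAIN", dom, f"resembles brand '{brand}'"))
    return alerts


# Constructed snapshots: yesterday's footprint and today's.
OWNED = {"example.test", "www.example.test"}
YESTERDAY = Snapshot(
    open_ports={"bastion.example.test": {22}, "www.example.test": {443}},
    observed_domains={"example.test", "www.example.test"},
)
TODAY = Snapshot(
    open_ports={"bastion.example.test": {22, 3389}, "www.example.test": {443},
                "test-db.example.test": {5900}},
    observed_domains={"example.test", "www.example.test", "examp1e.test",
                      "example-login.test", "unrelatedshop.test"},
)


def run_demo():
    return diff_snapshots(YESTERDAY, TODAY, brand="example", owned=OWNED)


if __name__ == "__main__":
    for kind, subject, detail in run_demo():
        print(f"{kind:22s} {subject:24s} {detail}")
```

Running the demo raises four alerts: RDP newly reachable on the bastion, VNC on a database host that was not in yesterday's snapshot at all, and two new domains that fold to or contain the brand, while the unrelated registration is ignored. The normalization step is what catches "examp1e" and "exarnple", which a plain string comparison or a distance-only check would miss or score inconsistently.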
Cooperation with Complementary Solutions
ThreatNG's PBTI is crucial for triggering responses in internal systems, ensuring the intelligence is acted upon instantly.
Cooperation with Endpoint Detection and Response (EDR) Solutions: ThreatNG’s Code Secret Exposure module provides PBTI by finding an embedded API Key or database password in a public repository. This intelligence is sent to an EDR solution (like those from vendors such as CrowdStrike or SentinelOne). The complementary solution uses this pre-breach intelligence to immediately search all corporate endpoints for the exposed file and automatically flag or quarantine any employee attempt to use that exposed credential or related application, neutralizing the attack path.
Cooperation with Security Orchestration, Automation, and Response (SOAR) Solutions: When ThreatNG generates a high-priority PBTI alert (e.g., "Critical CVE on financial server validated by KEV"), this intelligence is ingested by a SOAR solution (like those from vendors such as Palo Alto Networks Cortex XSOAR or IBM Resilient). The complementary solution uses this insight to automatically initiate a pre-defined remediation playbook, which could include isolating the affected server and creating an emergency change request in the ITSM system, all before the attacker has a chance to exploit the vulnerability.