Primary Source Collection
In the context of cybersecurity, primary source collection (PSC) refers to the process of gathering raw, first-hand data directly from its source. This differs from secondary sources, which are interpretations or analyses of primary information. For cybersecurity professionals, utilizing primary sources offers a direct and unfiltered view of threats, adversary activities, and vulnerabilities, enabling more timely and accurate intelligence.
Key Aspects of Primary Source Collection
First-Hand Data: The core of PSC is collecting data that hasn't been processed, analyzed, or interpreted by an intermediary. It's about getting as close to the event or subject as possible.
Targeted and Specific: Unlike general threat intelligence feeds, which can be broad and generic, PSC is driven by an organization's specific intelligence requirements. Teams can gather data directly from closed forums, private messaging apps, and other fringe platforms to address unique questions.
Actionable and Timely: By cutting out the middleman, PSC allows cybersecurity teams to gain visibility into emerging threats in near real-time. This quick access to information is crucial for proactive defense and incident response.
Examples of Primary Sources in Cybersecurity
Primary source collection can be either passive or active, depending on the method of collection.
Passive Collection involves monitoring public and semi-public spaces without direct interaction. Examples include:
Open-Source Intelligence (OSINT): Gathering data from publicly available sources like social media, news outlets, public records, and government reports. For instance, a security analyst might monitor public forums and social media for mentions of a specific vulnerability or a planned cyberattack.
Dark Web and Deep Web Monitoring: Sourcing intelligence from closed forums, underground marketplaces, and private chat rooms where threat actors communicate and trade stolen data. This provides a direct look at the criminal ecosystem.
Technical Data: Collecting raw network logs, malware samples, system configurations, and indicators of compromise (IoCs) directly from a compromised system or a honeypot.
Active Collection involves direct interaction or engagement to obtain information. While more intrusive and often requiring careful legal and ethical consideration, it can yield invaluable insights. Examples include:
Engaging with Threat Actors: Interacting with cybercriminals on forums or messaging apps to gain intelligence on their tactics, tools, and targets.
Penetration Testing and Red Teaming: Conducting a simulated attack on one's own systems to collect first-hand data on vulnerabilities and the effectiveness of security controls.
The following explains how ThreatNG supports Primary Source Collection (PSC) in cybersecurity. ThreatNG is an all-in-one platform that serves as a tool for PSC by gathering raw, first-hand data from external sources to provide a comprehensive view of an organization's security posture from an attacker's perspective.
External Discovery
ThreatNG's external discovery is fundamental to PSC because it performs unauthenticated, purely external discovery without needing internal connectors. This means it mimics an attacker's approach by mapping out an organization's digital footprint from the outside in. For example, it can identify publicly accessible APIs, forgotten subdomains, and exposed development environments that traditional internal tools might miss. This first-hand discovery of the "external attack surface" provides the raw data needed for analysis and assessment.
External Assessment
ThreatNG performs various external assessments by analyzing the discovered primary data. This provides detailed, first-hand insights into an organization's risks and susceptibilities. Key assessment areas include:
Subdomain Takeover Susceptibility: This is assessed by analyzing the website's subdomains, DNS records, and SSL certificate statuses. For instance, it can detect a subdomain pointing to a service that is no longer active, which could be taken over by an attacker to host malicious content.
BEC & Phishing Susceptibility: This is derived from analyzing domain intelligence, including domain name permutations and dark web presence, to identify compromised credentials. A practical example would be ThreatNG detecting a typo-squatted domain like threaatng.com (with an extra 'a') that is already taken and has a mail record, indicating a potential phishing campaign targeting the organization.
Breach & Ransomware Susceptibility: This score is based on external intelligence, including exposed sensitive ports and compromised credentials found on the dark web. ThreatNG could see an exposed, sensitive port with known vulnerabilities, increasing the likelihood of a successful ransomware attack. The presence of compromised credentials related to the organization on the dark web would further substantiate this risk.
Non-Human Identity (NHI) Exposure: This assessment is crucial, as non-human identities often outnumber human ones and serve as significant attack vectors. ThreatNG uncovers this risk by analyzing sensitive code exposure in repositories and mobile apps, and by finding NHI-specific email addresses. For example, it might find an exposed API key hardcoded in a public code repository, which could be a non-human identity that an adversary could use to gain access to an organization's systems.
Mobile App Exposure: ThreatNG evaluates how exposed an organization's mobile apps are by discovering them in marketplaces and analyzing their contents for access credentials, security credentials, and platform-specific identifiers. It can flag a mobile app that contains a hardcoded API key or an exposed AWS access key ID, which are primary source data points for an attacker.
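The two DNS-driven checks described above (a subdomain whose CNAME points at a target that no longer resolves, and a look-alike domain that is registered and publishes a mail record) can be modelled offline. The following is an added example, not ThreatNG's code; the DNS records are constructed and the resolve() helper stands in for a real resolver such as dnspython, which an assumed production version would call instead.

```python
"""Offline model of two external-assessment checks:
   1. dangling-CNAME detection (subdomain takeover susceptibility)
   2. look-alike domain permutations that are live and accept mail
   (phishing susceptibility).
Added example; the DNS data below is constructed, not real lookups."""

# Constructed zone data standing in for real DNS answers:
# name -> {record type -> [values]}
DNS = {
    "www.example.com": {"A": ["192.0.2.10"]},
    "shop.example.com": {"CNAME": ["shop-example.hosted-cart.example.net"]},
    "shop-example.hosted-cart.example.net": {"A": ["198.51.100.7"]},
    "old-blog.example.com": {"CNAME": ["old-blog.pages.example.org"]},
    # old-blog.pages.example.org has no record at all -> dangling target
    "exmaple.com": {"A": ["203.0.113.5"], "MX": ["mail.exmaple.com"]},
    "examplee.com": {"A": ["203.0.113.6"]},  # registered, but no mail record
}


def resolve(name, rtype):
    """Stand-in for a DNS query; returns [] when the name has no such record."""
    return DNS.get(name, {}).get(rtype, [])


def dangling_cnames(subdomains):
    """Return (subdomain, target) pairs whose CNAME target resolves to nothing.

    A target with neither an A nor a CNAME record is the classic precondition
    for a takeover: the name still points at a provider, but the provider-side
    resource is gone."""
    findings = []
    for sub in subdomains:
        for target in resolve(sub, "CNAME"):
            if not (resolve(target, "A") or resolve(target, "CNAME")):
                findings.append((sub, target))
    return findings


def permutations(domain):
    """Generate simple typo permutations of the registrable label:
    one-character omission, repetition and adjacent transposition."""
    label, tld = domain.rsplit(".", 1)
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                              # omission
        out.add(label[:i] + label[i] + label[i:])                       # repetition
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    out.discard(label)
    return sorted(f"{p}.{tld}" for p in out if p)


def lookalikes_with_mail(domain):
    """Permutations that are registered (have an A record) and publish MX:
    the combination the text singles out as a phishing indicator."""
    return [p for p in permutations(domain)
            if resolve(p, "A") and resolve(p, "MX")]


if __name__ == "__main__":
    print(dangling_cnames(["www.example.com", "shop.example.com",
                           "old-blog.example.com"]))
    print(lookalikes_with_mail("example.com"))
```

In the constructed data, examplee.com is registered but has no mail record, so it is reported only by permutations(), while exmaple.com has both and is the one flagged as a phishing indicator.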
Reporting and Continuous Monitoring
ThreatNG translates the collected primary data and assessment findings into actionable intelligence through various reports, including Executive, Technical, and Prioritized reports. For PSC, these reports provide a detailed, first-hand view of the risks. The platform also offers continuous monitoring of an organization's external attack surface, digital risks, and security ratings. This ensures that as new primary source data emerges—such as a new exposed subdomain or a fresh set of compromised credentials on the dark web—it is immediately captured and assessed, providing an up-to-the-minute view of the threat landscape.
Investigation Modules
ThreatNG's investigation modules are at the heart of its PSC capabilities, allowing for deep dives into specific areas of interest.
Domain Intelligence: This module provides a comprehensive view of domain-related data. For example, the DNS Intelligence capability can detect domain name permutations that could be used for phishing attacks, such as mycompany-login.com.
Sensitive Code Exposure: This module directly addresses PSC by discovering and analyzing public code repositories and mobile apps for exposed sensitive data. It can find exposed API keys, cloud credentials, and database exposures, which are prime targets for attackers seeking raw data.
Cloud and SaaS Exposure: This module investigates an organization's cloud and SaaS implementations, uncovering sanctioned, unsanctioned, and impersonated services. A good example is finding a publicly accessible AWS S3 bucket, which is a critical primary source of data for an attacker and a direct indicator of a significant vulnerability.
Dark Web Presence: This module monitors the dark web for mentions of the organization, associated ransomware events, and compromised credentials. This provides first-hand intelligence on active threats and compromised data that is being traded or sold.
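The Non-Human Identity, Mobile App Exposure and Sensitive Code Exposure passages all come down to the same mechanism: scanning file contents for credential patterns. The following is an added example of that scan, not ThreatNG's implementation; the repository files are constructed, the AWS key is the one AWS publishes in its own documentation as a non-functional example, and the pattern set is a minimal illustration rather than a complete ruleset.

```python
"""Minimal secret scanner over an in-memory file set (added example).
Findings are redacted before they are reported, since the scanner's output
is itself sensitive primary data."""
import re

# Constructed repository contents standing in for files pulled from a
# public repo or unpacked from a mobile app.
FILES = {
    "app/config.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"  # AWS documentation example key
        "DB_HOST = 'db.internal'\n"
    ),
    "mobile/res/strings.xml": (
        '<string name="api_key">sk_live_placeholder0123456789abcdef</string>\n'
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}

# Detection patterns. A capture group, where present, isolates the secret.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"api[_-]?key[^\n]{0,40}?([A-Za-z0-9_\-]{20,})", re.I),
}


def redact(secret):
    """Keep only the first and last four characters of a matched value."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "***"


def scan(files):
    """Return one finding per (file, line, pattern) hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS.items():
                m = rx.search(line)
                if m:
                    secret = m.group(m.lastindex or 0)
                    findings.append({"file": path, "line": lineno,
                                     "kind": kind, "preview": redact(secret)})
    return findings


if __name__ == "__main__":
    for f in scan(FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['preview']}")
```

The README line mentions the variable name but carries no value, so it produces no finding; only the config file and the mobile resource file do. A real scanner would add entropy checks and provider-specific validators to cut false positives, but the file-walk and redact-before-report structure is the same.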
Intelligence Repositories (DarCache)
ThreatNG maintains continuously updated intelligence repositories, branded as DarCache, that act as rich primary data sources for its assessments.
DarCache Dark Web: This repository provides intelligence from the dark web, including compromised credentials and ransomware events. This is unfiltered, real-world data from the threat landscape.
DarCache Vulnerability: This repository offers a comprehensive view of vulnerabilities by combining data from multiple primary sources. For example, it uses the National Vulnerability Database (NVD) for technical characteristics, EPSS for the likelihood of exploitation, and the KEV (Known Exploited Vulnerabilities) catalog for vulnerabilities that are actively being exploited. It also provides direct links to verified Proof-of-Concept (PoC) exploits, which is a critical primary source for understanding how a vulnerability can be exploited in the real world.
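Combining NVD severity, EPSS likelihood and KEV membership changes which vulnerabilities come first. The following added example shows a simple prioritization over constructed records; it is not DarCache's logic, the CVE identifiers are placeholders rather than real entries, and the tier thresholds are assumptions chosen for illustration.

```python
"""Rank vulnerabilities by combining three primary sources (added example).
NVD supplies the CVSS base score, EPSS the probability of exploitation in
the next 30 days, and KEV the set of CVEs known to be exploited."""

# Constructed records. The CVE ids below are placeholders, not real entries.
NVD = {
    "CVE-0000-0001": {"cvss": 9.8},
    "CVE-0000-0002": {"cvss": 7.5},
    "CVE-0000-0003": {"cvss": 5.3},
}
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.91, "CVE-0000-0003": 0.004}
KEV = {"CVE-0000-0003"}

# Assumed tier rules: KEV membership overrides everything, then either a
# high EPSS or a critical CVSS, then high CVSS, then the rest.
EPSS_HIGH = 0.5
CVSS_CRITICAL = 9.0
CVSS_HIGH = 7.0


def tier(cve):
    cvss = NVD.get(cve, {}).get("cvss", 0.0)
    epss = EPSS.get(cve, 0.0)
    if cve in KEV:
        return "P1"
    if epss >= EPSS_HIGH or cvss >= CVSS_CRITICAL:
        return "P2"
    if cvss >= CVSS_HIGH:
        return "P3"
    return "P4"


def rank(cves):
    """Order by tier, then by EPSS (descending), then by CVSS (descending)."""
    return sorted(cves, key=lambda c: (tier(c),
                                       -EPSS.get(c, 0.0),
                                       -NVD.get(c, {}).get("cvss", 0.0)))


if __name__ == "__main__":
    for c in rank(NVD):
        print(c, tier(c), NVD[c]["cvss"], EPSS[c])
```

With these inputs the lowest-CVSS entry ranks first because it is in KEV, and the 7.5 entry outranks the 9.8 entry because its EPSS is far higher: ordering by CVSS alone would have inverted the list.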
Complementary Solutions
ThreatNG's PSC capabilities can be enhanced by working with complementary solutions to provide a more holistic security picture.
Security Information and Event Management (SIEM) Solutions: ThreatNG's external data, such as exposed sensitive ports or compromised credentials, can be fed into a SIEM. This enables the correlation of external attack surface data with internal network logs and events, providing a more comprehensive view of potential attacks. For example, if ThreatNG identifies a newly exposed API endpoint, the SIEM can monitor for suspicious traffic directed at that specific endpoint and alert the security team to a potential attack in progress.
Extended Detection and Response (XDR) Platforms: XDR platforms collect data from multiple security tools to automate threat detection and response. ThreatNG's first-hand external intelligence on compromised credentials or newly discovered shadow IT assets can enrich an XDR platform's data set. For instance, if ThreatNG uncovers a user's compromised credentials on the dark web, the XDR can automatically monitor that user's account for anomalous activity, like logging in from an unusual location, and initiate a response, such as forcing a password reset.
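The two correlations described in the SIEM and XDR items above (traffic to an externally discovered endpoint from untrusted sources, and successful logins by a user whose credentials appeared on the dark web from a country outside that user's baseline) are shown below as detection logic over sample log lines. This is an added example, not ThreatNG's or any SIEM vendor's code; the findings, trusted networks, log formats and log lines are all constructed.

```python
"""Correlate external findings with internal logs (added example)."""
import ipaddress
import re

# Constructed external findings as they might arrive from an attack-surface feed.
EXTERNAL_FINDINGS = {
    "exposed_endpoints": {("api.example.com", "/internal/admin/")},
    "compromised_users": {"jdoe"},
}
# Assumed trusted source ranges (internal network plus a known office egress).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]

# Constructed logs: "<ts> <host> <src> <method> <path> <status>"
WEB_LOG = """\
2024-05-01T10:00:01Z api.example.com 10.0.4.12 GET /internal/admin/users 200
2024-05-01T10:00:07Z api.example.com 198.51.100.23 GET /internal/admin/users 401
2024-05-01T10:00:09Z api.example.com 198.51.100.23 POST /internal/admin/export 200
2024-05-01T10:01:00Z www.example.com 192.0.2.44 GET /index.html 200
"""
# Constructed logs: "<ts> login key=value ..."
AUTH_LOG = """\
2024-05-01T09:55:00Z login user=jdoe src=10.0.4.12 country=US result=success
2024-05-01T10:02:30Z login user=jdoe src=192.0.2.77 country=NL result=success
2024-05-01T10:03:00Z login user=asmith src=192.0.2.78 country=BR result=success
"""
KV = re.compile(r"(\w+)=(\S+)")


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def exposed_endpoint_hits(web_log, findings=EXTERNAL_FINDINGS):
    """Requests from untrusted sources to a path the external scan flagged."""
    hits = []
    for line in web_log.splitlines():
        ts, host, src, method, path, status = line.split()
        flagged = any(host == h and path.startswith(p)
                      for h, p in findings["exposed_endpoints"])
        if flagged and not is_trusted(src):
            hits.append({"ts": ts, "src": src, "method": method,
                         "path": path, "status": int(status)})
    return hits


def risky_logins(auth_log, baseline_countries, findings=EXTERNAL_FINDINGS):
    """Successful logins by a compromised user from outside their baseline;
    each alert carries the response action the XDR would trigger."""
    alerts = []
    for line in auth_log.splitlines():
        ts = line.split()[0]
        f = dict(KV.findall(line))
        user = f.get("user")
        if (user in findings["compromised_users"]
                and f.get("result") == "success"
                and f.get("country") not in baseline_countries.get(user, set())):
            alerts.append({"ts": ts, "user": user, "src": f["src"],
                           "country": f["country"],
                           "action": "force_password_reset"})
    return alerts


if __name__ == "__main__":
    print(exposed_endpoint_hits(WEB_LOG))
    print(risky_logins(AUTH_LOG, {"jdoe": {"US"}}))
```

The internal request from 10.0.4.12 to the exposed path is not reported, since the point of the correlation is to surface traffic the external finding makes suspicious rather than every hit; likewise the login by asmith is ignored because that account is not in the compromised-credential finding.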