Prioritized Non-Web Service
In cybersecurity, a prioritized non-web service is a network-based application or process that doesn't use standard web protocols (like HTTP or HTTPS) but is deemed a high-priority risk. This categorization comes from a triage process that flags these services for immediate investigation.
While many security efforts focus on web applications, non-web services can be just as, if not more, vulnerable. They include things like:
Databases: Exposed databases (e.g., MySQL, PostgreSQL, MongoDB) can lead to massive data leaks if not properly secured.
Remote Access Tools: Services like SSH, RDP, or Telnet can be entry points for attackers to gain control of a server.
IoT/ICS Devices: Industrial Control Systems (ICS) and Internet of Things (IoT) devices often use custom protocols and can be a significant threat if exposed to the public internet.
The prioritization of these services is based on factors like:
Exposure: Is the service directly accessible from the internet?
Vulnerability: Does it have known weaknesses?
Potential Impact: What would an attacker gain if they compromised this service?
By identifying and prioritizing these non-web services, an organization can focus its limited resources on the most critical risks, moving beyond a web-centric security approach to a more comprehensive defense strategy.
ThreatNG helps with prioritized non-web service discovery by systematically identifying and evaluating internet-facing assets that don't respond on standard HTTP/HTTPS ports. The platform's methodology goes beyond a basic web scan, focusing on uncovering hidden services and determining their risk level to support a strategic, prioritized response.
External Discovery and Assessment
ThreatNG performs purely external unauthenticated discovery to find an organization's digital assets. This is the foundational step for uncovering non-web services, as ThreatNG doesn't just look for web pages; it also identifies subdomains with IP addresses that do not have an HTTP response.
Examples of how ThreatNG's external assessment helps with this:
Cyber Risk Exposure: This assessment is crucial for prioritizing non-web services. It considers parameters covered by the Domain Intelligence module, such as sensitive ports. ThreatNG's Subdomain Intelligence module specifically identifies exposed ports for databases (like SQL Server and MongoDB), remote access services (like SSH, RDP, and LDAP), and services associated with IoT/OT devices (like FTP and Telnet). This allows you to pinpoint a non-web service and understand its exposure level; for example, a subdomain with an exposed MySQL port would be a critical priority.
Breach & Ransomware Susceptibility: This assessment factors in exposed sensitive ports and exposed private IPs. This directly helps in prioritizing non-web services, as an open port for a database or a remote access service significantly increases an organization's risk of a breach or ransomware attack.
Subdomain Takeover Susceptibility: ThreatNG evaluates this by analyzing DNS records and other relevant factors. A subdomain that is not an active web presence but has a DNS record pointing to a non-existent service could be a target for a subdomain takeover, which ThreatNG would flag as a high-priority item.
Investigation Modules and Intelligence Repositories
ThreatNG's investigation modules and intelligence repositories provide the necessary context to determine which non-web services are most critical to address.
Subdomain Intelligence: This module provides detailed information on discovered subdomains, including the ports they have open. It categorizes these ports into specific groups, such as Databases, Remote Access Services, and IoT/OT, which allows for immediate classification of the discovered non-web services. For example, when ThreatNG discovers a subdomain with an open SSH port, the Subdomain Intelligence module identifies it as a Remote Access Service, allowing a security team to prioritize it immediately.
DarCache (Intelligence Repositories): This is a continuously updated repository that provides intelligence to support prioritization.
DarCache Vulnerability: This repository provides information about the likelihood of a vulnerability being exploited. If a discovered non-web service, such as a database, has a known vulnerability that is being actively exploited in the wild (as tracked by DarCache KEV), it would be automatically elevated to a top priority for remediation.
DarCache Compromised Credentials: If a discovered non-web service is linked to compromised credentials found on the dark web, its risk level would be immediately elevated.
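The triage described above (exposure, known weakness, potential impact, plus the port categories and the KEV and compromised-credential signals) can be carried out with a small scoring routine. The following is an added example, not ThreatNG's code: the port-to-category map, the impact weights, the priority thresholds, the feed flags on each finding and the sample discovery output are all constructed assumptions chosen to mirror the factors the page names.

```python
"""Triage of discovered non-web services into a prioritized list.

Added example, not ThreatNG's code. Port map, weights, thresholds and
sample data are constructed assumptions mirroring the page's factors.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical port map, grouped into the three categories the page names.
PORT_CATEGORIES = {
    1433: ("Databases", "SQL Server"),
    3306: ("Databases", "MySQL"),
    5432: ("Databases", "PostgreSQL"),
    27017: ("Databases", "MongoDB"),
    22: ("Remote Access", "SSH"),
    389: ("Remote Access", "LDAP"),
    3389: ("Remote Access", "RDP"),
    21: ("IoT/OT", "FTP"),
    23: ("IoT/OT", "Telnet"),
}

# Potential-impact weight per category (constructed scale, not a vendor one).
IMPACT_WEIGHT = {"Databases": 4, "Remote Access": 3, "IoT/OT": 3, "Other": 1}

# Addresses in these ranges are unreachable from the internet; a DNS record
# pointing at one is an internal-address leak, not an exposed service.
# Documentation ranges (203.0.113.0/24) are left out so the sample data counts as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass(frozen=True)
class Finding:
    subdomain: str
    ip: str
    port: int
    has_http: bool = False            # a web service answered on this port
    in_kev: bool = False              # hypothetical flag from a KEV feed
    leaked_credentials: bool = False  # hypothetical flag from a breach-data feed


@dataclass(frozen=True)
class Triaged:
    finding: Finding
    category: str
    service: str
    score: int
    priority: str
    reasons: tuple


def classify_port(port):
    """Map an open port to (category, service); unknown ports fall into 'Other'."""
    return PORT_CATEGORIES.get(port, ("Other", f"port {port}"))


def is_internet_exposed(ip):
    """Exposure factor: True unless the address sits in a non-routable range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def score_to_priority(score):
    """Bucket a score into the four report levels the page lists."""
    if score >= 4:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low" if score >= 1 else "Informational"


def triage_one(f):
    """Score one non-web finding; web services (HTTP answered) return None."""
    if f.has_http:
        return None
    category, service = classify_port(f.port)
    reasons = [f"{service} open on {f.ip}:{f.port} ({category})"]
    if not is_internet_exposed(f.ip):
        reasons.append("address is not internet-routable")
        return Triaged(f, category, service, 0, "Informational", tuple(reasons))
    score = IMPACT_WEIGHT[category]          # impact: what the service guards
    if f.in_kev:                             # vulnerability: actively exploited
        score += 3
        reasons.append("affected by a known exploited vulnerability")
    if f.leaked_credentials:                 # credentials already in attackers' hands
        score += 2
        reasons.append("credentials for this host found in breach data")
    return Triaged(f, category, service, score, score_to_priority(score), tuple(reasons))


def triage(findings):
    """Return non-web findings ordered from highest to lowest priority."""
    triaged = [t for t in map(triage_one, findings) if t is not None]
    return sorted(triaged, key=lambda t: (-t.score, t.finding.subdomain))


# Constructed sample discovery output; 203.0.113.0/24 is a documentation range.
SAMPLE_FINDINGS = [
    Finding("www.example.com", "203.0.113.20", 443, has_http=True),
    Finding("db.example.com", "203.0.113.10", 3306),
    Finding("bastion.example.com", "203.0.113.11", 22, leaked_credentials=True),
    Finding("plc.example.com", "203.0.113.12", 23),
    Finding("svc.example.com", "203.0.113.30", 5900),
    Finding("intranet.example.com", "10.0.0.5", 3389),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS):
        print(f"{t.priority:<13} {t.score}  {t.finding.subdomain:<22} {'; '.join(t.reasons)}")
```

Running the block lists the exposed MySQL host and the SSH host with leaked credentials as High, the Telnet host as Medium, the unknown port as Low, and the RFC 1918 RDP record as Informational, which is the ordering a prioritized report would hand to the team; the two feed flags are the points where a KEV or breach-data source would plug in.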
Reporting and Continuous Monitoring
ThreatNG provides reports, including a Prioritized report that categorizes findings based on their risk level (High, Medium, Low, and Informational). This is the direct result of the triage process, giving security teams a clear, actionable list of which non-web services to address first.
Continuous Monitoring of the external attack surface ensures that, as new non-web services are exposed or as their risk profile changes, they are immediately identified and added to the prioritized list for remediation.
Complementary Solutions
ThreatNG's findings on prioritized non-web services can be used with other cybersecurity solutions.
Vulnerability Scanners: When ThreatNG identifies an open database port or an exposed remote access service, it can feed this information to a specialized vulnerability scanner. This allows the scanner to perform a deep, targeted scan on that specific service, saving time and resources that would have been spent on less critical assets.
Security Information and Event Management (SIEM) Systems: The critical alerts from ThreatNG regarding a prioritized non-web service can be ingested into a SIEM. This enables a security analyst to correlate the external exposure with internal network logs, providing a complete picture of the potential threat and allowing for quicker incident response.
Endpoint Detection and Response (EDR) Solutions: When ThreatNG flags an exposed remote access service like RDP, the information can be used to inform an EDR solution. This could trigger an automated check on the host to ensure it has multi-factor authentication enabled, or it could alert a security analyst to a potential brute-force attack on that service.