Risk Relationship Mapping


Risk Relationship Mapping in cybersecurity is an analytical process that goes beyond identifying individual risks, vulnerabilities, or assets. It involves understanding and visualizing the connections, dependencies, and potential attack paths between these elements, revealing how seemingly isolated risks can combine into a much larger, systemic threat to an organization.

At its core, Risk Relationship Mapping aims to answer questions like:

  • "If this specific vulnerability is exploited, what other systems, data, or processes could be impacted?"

  • "How could an attacker chain together a series of low-severity vulnerabilities to achieve a high-impact objective?"

  • "What are the critical choke points or single points of failure within our infrastructure that, if compromised, would have cascading effects?"

  • "Which users or systems, if compromised, could provide access to the most valuable assets or sensitive data?"

Key Components and How It Works:

  1. Entity Identification: The process begins with identifying all relevant entities within a cybersecurity context. These include:

    • Assets: Servers, endpoints, applications, databases, cloud instances, network devices, mobile devices, IoT devices, intellectual property, data.

    • Users/Identities: Employees, contractors, privileged accounts, customer accounts, service accounts.

    • Vulnerabilities: Specific flaws (e.g., CVEs, misconfigurations, weak passwords, exposed services).

    • Threats/Threat Actors: Malware, phishing campaigns, specific attack groups, insider threats.

    • Controls/Defenses: Firewalls, IDS/IPS, MFA, patching programs, security policies.

  2. Relationship Discovery: This is the most crucial step. It involves mapping the connections between these entities. These relationships can be:

    • Logical: A web application "uses" a database; a user "accesses" a server; a server "hosts" an application.

    • Physical: A server is "connected to" a specific network segment; a device is "located in" a particular data center.

    • Dependency-based: A critical business process "relies on" an application; an application "depends on" a third-party API.

    • Risk-based: A vulnerability "exists on" a server; an exposed port "provides access to" a service; a compromised credential "enables access to" a system.

    • Temporal: A logging event "occurred after" a suspicious login attempt.

  3. Graph Representation: The most effective way to perform Risk Relationship Mapping is often through a graph database or a similar graph-based structure. In this model:

    • Each entity (asset, user, vulnerability) becomes a node.

    • Each relationship (uses, accesses, exists on, connected to) becomes an edge connecting two nodes. Edges often have properties describing the nature or direction of the relationship.

  4. Analysis and Visualization: Once the graph is populated, various analytical techniques can be applied:

    • Pathfinding Algorithms: Identifying all possible paths an attacker could take from an entry point to a critical asset. This helps visualize potential "kill chains" or "attack graphs."

    • Centrality Measures: Identifying the most critical or highly connected nodes (e.g., a "crown jewel" asset, a highly privileged user, or a central server that, if compromised, could affect many others).

    • Community Detection: Grouping related entities (e.g., all systems belonging to a particular business unit, or all systems exposed to a specific type of threat).

    • Impact Analysis: Simulating the cascading effects of a compromise. If Node A is compromised, what other nodes (and their associated data/processes) become vulnerable due to their relationships?

    • Control Effectiveness Mapping: Understanding where security controls are placed and how they impact potential attack paths.
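The graph model of step 3 and the analyses of step 4, as an added example in Python (not ThreatNG's code or data model): a constructed set of (source, relation, target) triples modelled on the exposed-SSH-port / KEV scenario this page uses, with pathfinding from an entry point to a crown-jewel asset, impact (reachability) analysis, degree centrality, and a path priority that is raised when a node on the path carries a KEV-listed vulnerability. All node names and the CVE id are placeholders.

```python
from collections import defaultdict

# Constructed sample (source, relation, target) triples; node names and the
# CVE id are placeholders, not real assets or a real vulnerability.
EDGES = [
    ("internet", "reaches", "ssh:22@srv-01"),
    ("ssh:22@srv-01", "exposed_on", "srv-01"),
    ("srv-01", "has_vulnerability", "CVE-YYYY-NNNN"),
    ("CVE-YYYY-NNNN", "listed_in", "KEV"),      # actively exploited
    ("srv-01", "hosts", "web-app"),
    ("web-app", "uses", "customer-db"),         # crown-jewel asset
    ("internet", "reaches", "blog.example.com"),
    ("blog.example.com", "hosted_on", "srv-02"),
]
def build_graph(edges):
    """Directed adjacency list: node -> [(relation, neighbour), ...]."""
    g = defaultdict(list)
    for src, rel, dst in edges:
        g[src].append((rel, dst))
    return g
def attack_paths(g, start, target, path=()):
    """Pathfinding: every simple path from an entry point to a target asset."""
    path = path + (start,)
    if start == target:
        return [list(path)]
    return [p for _, nxt in g[start] if nxt not in path
            for p in attack_paths(g, nxt, target, path)]
def blast_radius(g, compromised):
    """Impact analysis: every node reachable once `compromised` falls."""
    seen, stack = set(), [compromised]
    while stack:
        for _, nxt in g[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen - {compromised}
def degree_centrality(g):
    """In-degree plus out-degree: the most connected nodes are choke points."""
    deg = defaultdict(int)
    for src, out in g.items():
        deg[src] += len(out)
        for _, dst in out:
            deg[dst] += 1
    return dict(deg)
def path_priority(g, path):
    """'High' when a node on the path has a vulnerability that is KEV-listed."""
    kev = {c for c, out in g.items() if ("listed_in", "KEV") in out}
    hit = any(r == "has_vulnerability" and t in kev for n in path for r, t in g[n])
    return "High" if hit else "Medium"
G = build_graph(EDGES)
```

Running `attack_paths(G, "internet", "customer-db")` yields the single path through the exposed SSH service and `srv-01`, which `path_priority` ranks "High" because of the KEV-listed vulnerability on that server; `blast_radius(G, "srv-01")` shows the web application and customer database falling with it.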

Benefits in Cybersecurity:

  • Holistic Risk Context: Moves beyond siloed risk assessments to provide a comprehensive, interconnected view of an organization's true risk landscape.

  • Prioritized Remediation: Helps security teams prioritize remediation efforts based on the actual impact and exploitability of vulnerabilities within the context of their relationships, rather than just their individual severity scores.

  • Proactive Threat Hunting: Enables security analysts to identify and disrupt complex attack paths before they are fully exploited by adversaries.

  • Improved Incident Response: During an incident, it allows for rapid understanding of the scope of a breach, identifying all potentially affected systems and data due to the established relationships.

  • Better Security Investments: Informs strategic decisions on where to invest security resources for maximum impact, by highlighting critical dependencies and single points of failure.

  • Enhanced Communication: A clear, visual way to communicate complex risks and their potential impact to non-technical stakeholders and management.

  • Compliance and Audit Readiness: Demonstrates a deeper understanding of the security posture and the relationships between controls and risks.

Risk Relationship Mapping transforms raw security data into actionable intelligence by revealing the hidden dependencies and potential attack vectors that define an organization's cybersecurity risk.

ThreatNG extensively facilitates Risk Relationship Mapping by building a comprehensive, interconnected view of an organization's external attack surface, digital risks, and associated vulnerabilities. ThreatNG defines and illustrates the relationships between identified entities and their corresponding risks. This mapping allows ThreatNG to move beyond simple risk identification to show how risks are connected and what the cascading impact of an exploit could be.

ThreatNG’s External Discovery: Identifying the Nodes of the Risk Graph

ThreatNG's purely external, unauthenticated discovery process serves as the initial phase for populating the nodes (entities) that will form the basis of the risk relationship map. Each identified asset or piece of information becomes a point on the map.

  • Domains, Subdomains, and IPs: ThreatNG discovers example.com, its various subdomains (e.g., dev.example.com, mail.example.com), and associated public IP addresses. These become distinct nodes in the risk relationship map.

  • Cloud and SaaS Instances: ThreatNG identifies sanctioned and unsanctioned cloud services (e.g., AWS S3, Azure) and SaaS implementations (e.g., Salesforce, Slack). Each instance is a node, representing a potential entry point or data exposure.

  • Code Repositories and Mobile Apps: Public code repositories (e.g., GitHub) and mobile applications found in marketplaces (e.g., Google Play, Apple App Store) are discovered as nodes.

  • Specific Ports and Services: ThreatNG identifies exposed sensitive ports (e.g., FTP, Telnet, SSH, RDP) and the services running on them. These ports and services are nodes, often representing direct access points.

External Assessment: Building the Risk Edges and Relationships

ThreatNG's assessment capabilities are crucial for drawing the "edges" between these discovered nodes, illustrating how different elements relate to specific risks and potential attack paths.

  • Web Application Hijack & Subdomain Takeover Susceptibility: ThreatNG analyzes the relationships between a web application or subdomain node, DNS records, and SSL certificate statuses. Suppose staging.example.com (a subdomain node) has a misconfigured DNS record (an attribute of that node). In that case, an edge is drawn connecting staging.example.com to a "subdomain takeover susceptibility" risk node, indicating a direct path an attacker could use. This risk node then connects to the overall example.com organization node, illustrating the relationship between a specific subdomain's configuration and the broader organizational risk.

  • BEC & Phishing Susceptibility: This score is derived by mapping relationships between identity-related data points. For instance, if ThreatNG identifies that example.com (a domain node) has poor DMARC records (an attribute node linked to the domain) and then finds employee credentials such as john.doe@example.com (a user identity node) in DarCache Rupture (a compromised credentials intelligence node), ThreatNG establishes two edges: example.com "has a weak email security posture," and john.doe@example.com "has compromised credentials." These risk factors then connect to a "BEC & Phishing Susceptibility" node, which links to the overall organization, illustrating how the combination of email hygiene and credential exposure contributes to a unified phishing risk for the organization.

  • Data Leak Susceptibility: This is mapped by connecting exposed assets to sensitive data risks. If an open AWS S3 bucket (a cloud asset node) belonging to "Example Corp" is discovered, an edge links this bucket to an "open exposure" vulnerability node. Suppose this bucket contains sensitive data (e.g., customer PII, which could be represented as a "sensitive data type" node). In that case, another edge connects the vulnerability node to a "data leak risk" node, which links to the "Example Corp" organization node. This visually represents how an exposed cloud asset relates directly to a data leak risk.

  • Mobile App Exposure: ThreatNG analyzes mobile app nodes for sensitive credentials. If the "Example Bank" mobile app (an app node) is found to contain a hardcoded "Stripe API Key" (a sensitive credential node), an edge explicitly links the "Example Bank Mobile App" node to the "Stripe API Key" node, and then this "API Key" node is linked to an "Access Credentials Exposure" risk node, which further links to the "Mobile App Exposure" risk node, effectively showing the relationship between the app, the exposed credential, and the overall mobile risk for the organization.

Reporting and Continuous Monitoring: Presenting and Adapting the Risk Map

ThreatNG's reporting and continuous monitoring capabilities directly leverage the underlying risk relationship map.

  • Reporting: The "Prioritized (High, Medium, Low, and Informational)" reports use the relationships identified in the map to rank risks. The "Reasoning" and "Recommendations" within the Knowledgebase explain why a particular risk is high by detailing the relationships it has to critical assets or other vulnerabilities. For example, a report might highlight a "High" risk because an exposed SSH port (a service node) is found on a critical server (an asset node) which also has a known vulnerability (a vulnerability node from DarCache NVD) that is actively exploited (a KEV intelligence node) – the risk relationship map reveals all these connections.

  • Continuous Monitoring: ThreatNG constantly updates its risk relationship map as the external attack surface changes. If a new open port is discovered, or a new vulnerability affecting an existing asset is published, new nodes and edges are added or modified, reflecting the real-time evolution of the risk relationships. This ensures the map remains current, allowing for dynamic detection of new attack pathways as they emerge.

Investigation Modules: Traversing the Risk Relationship Map

ThreatNG's investigation modules allow users to query and visualize the risk relationship map directly, helping them understand complex connections.

  • Domain Intelligence: When investigating a domain (a node), an analyst can see all its associated subdomains (nodes linked by "contains" edges), their hosting IPs (nodes connected by "hosts" edges), and crucially, any vulnerabilities (nodes) found on services running on those IPs (nodes linked by "has vulnerability" edges). This module helps map how a seemingly innocuous subdomain could lead to an exposed service with a critical vulnerability. For example, an analyst investigates blog.example.com and finds it's hosted on an IP with an exposed database port running an outdated MySQL version. This allows the analyst to map the relationship from the blog.example.com node to the IP node, then to the "MySQL service" node, and finally to the "outdated software vulnerability" node, revealing a clear attack path.

  • Sensitive Code Exposure: ThreatNG discovers public code repositories (nodes) and investigates their content for sensitive data like API keys, cloud credentials, or private keys. If a GitHub repository (a code repository node) belonging to "Example Corp" contains an "AWS Access Key ID" (a sensitive credential node), ThreatNG establishes a "contains" edge between them. This immediately maps the risk relationship from the exposed code to a potential direct compromise of AWS resources, linking an external exposure to a critical internal system.

Intelligence Repositories (DarCache): Enriching the Map with Global Threat Context

ThreatNG's DarCache intelligence repositories are themselves external risk relationship maps, integrated to enrich an organization's specific risk map with global threat context.

  • DarCache Vulnerability (NVD, EPSS, KEV, Verified PoC Exploits): This repository is a vast network of vulnerabilities and their characteristics. When ThreatNG identifies a specific vulnerability on an organization's asset (e.g., a server running a vulnerable version of Apache), it creates an edge from that server node to the relevant CVE node in DarCache Vulnerability. Suppose the CVE node has an edge to a "KEV" node (meaning it is actively exploited in the wild). In that case, this relationship is mapped, immediately elevating the criticality of the vulnerability on the organization's server. This shows that the vulnerability is not merely theoretical but has a proven real-world relationship with active threats.

  • DarCache Ransomware: This tracks over 70 ransomware gangs and their activities. Suppose ThreatNG identifies an exposed sensitive port (an asset node) on an organization's network that is a common target for a specific ransomware gang (a threat actor node) identified in DarCache Ransomware. In that case, an edge is formed between the asset node and the threat actor node. This direct relationship allows ThreatNG to contribute to the organization's "Breach & Ransomware Susceptibility" score, explicitly mapping the external exposure to a specific ransomware threat.

Synergies with Complementary Solutions

ThreatNG's ability to perform Risk Relationship Mapping makes it a powerful component in an integrated cybersecurity ecosystem.

  • Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG can feed its correlated risk relationship data into a SIEM. For example, if ThreatNG maps a relationship where a publicly exposed admin.example.com subdomain (an asset node) is running an outdated web server (a vulnerability node) and this web server's vulnerability is frequently exploited by a known threat group (a threat intelligence node from DarCache Ransomware), this rich, interconnected context can be sent to a SIEM. A SOAR playbook could then use this information to automatically trigger actions like blocking access to the admin.example.com domain, prioritizing an internal patch management task for that specific server, or initiating a forensic review of the web server's logs, all driven by the clear relationship between the vulnerability and the threat.

  • Vulnerability Management Platforms: ThreatNG's risk relationship map can significantly enhance vulnerability prioritization within a dedicated vulnerability management platform. Suppose ThreatNG maps a relationship where a critical business application (an asset node, potentially externally exposed via ThreatNG's discovery) is dependent on a specific database (another asset node) that has a high-severity vulnerability (a vulnerability node from DarCache NVD) and is also a target of a specific threat actor (a threat actor node from DarCache Ransomware). In that case, this interconnected view can be fed into the vulnerability management platform. This allows the platform to elevate the remediation priority of that database vulnerability, understanding its direct relationship to a critical application and active threats, rather than just its base CVSS score.

  • Network Detection and Response (NDR) Tools: ThreatNG's external risk relationship map can provide invaluable context to NDR tools. If ThreatNG maps a relationship where a specific external IP address (an external asset node) is associated with known command and control (C2) activity (a threat intelligence node), and an NDR tool detects internal network traffic communicating with that very IP, the NDR tool can use ThreatNG's pre-mapped relationship to immediately flag this internal communication as highly suspicious and related to a known external threat.

By continuously mapping the complex relationships between assets, vulnerabilities, and threats, ThreatNG empowers organizations to understand their external cybersecurity posture not as a collection of isolated risks, but as an interconnected ecosystem, enabling more strategic and effective defense.
