System Exposure

System-Exposure, in the context of Continuous Threat Exposure Management (CTEM), is the risk that a computing resource owned or managed by the organization is inadvertently accessible to the public internet due to misconfiguration, weak security controls, or the use of vulnerable software.

This exposure is foundational to many cyberattacks because it represents a readily available entry point into the organization’s network, systems, or data.

Key Characteristics of the Exposure:

  • Unintended Access: The exposure results from an asset that was supposed to be internal or privately accessible but is reachable from the public internet. This includes assets like a "Directly Connected Internal System" or a "Corporate Internet Exposed Gateway Device."

  • Diverse Assets: System-Exposure covers a wide range of assets, from corporate-owned systems to cloud instances ("Corporate Cloud Connected System") and systems managed by third parties ("Contractor Or Vendor Managed System"). The commonality is that they all represent a targetable point on the external attack surface.

  • Vulnerability Gateway: An exposed system acts as a gateway for exploitation. Attackers use scanners to find these systems and then attempt to exploit any visible services (e.g., open ports such as RDP or SSH, or exposed admin panels) or software flaws.

CTEM's Role in Managing System-Exposure:

CTEM proactively manages this risk by adopting the perspective of a remote attacker to identify and prioritize all publicly exposed assets continuously.

  1. Continuous Discovery: The program continuously scans the organization's allocated IP ranges and domain infrastructure to detect all reachable hosts and open ports. This identifies misconfigured assets immediately, such as a developer's test server mistakenly set to "Remote Site Owned System Presumed Connected."

  2. Validation and Prioritization: Discovered systems are assessed for exploitability. A system is prioritized based on the sensitivity of the exposed service and the software running on it. An exposed system running a highly vulnerable, internet-facing service receives the highest priority.

  3. Mobilization and Remediation: The mobilization phase requires urgent action to either remove the exposure (e.g., closing the firewall port) or apply a patch to the exposed system. The goal is to quickly eliminate the external entry point that the attacker can use for initial access.
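To make the three steps concrete, here is an added Python example (not ThreatNG's code or any product's) that triages constructed external scan results: it compares each reachable port against an inventory of intended exposures, scores it by service sensitivity and any known vulnerability, and recommends either removing the exposure or patching. The IP addresses, service weights, product name and version, and the placeholder vulnerability identifier are all assumptions made for the example.

```python
"""Exposure triage over constructed external scan results (added example,
not ThreatNG code). Models the three CTEM steps: discovery output,
prioritization by service sensitivity and known vulnerability, and a
remediation recommendation. Every host, port, version and vulnerability
entry below is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed inventory of what the organization intends to expose.
# Any observed (ip, port) pair not listed here is an unintended exposure.
INTENDED_EXPOSURE = {
    "203.0.113.10": {443},   # public web server (TEST-NET-3 address)
    "203.0.113.20": {443},   # VPN gateway, HTTPS portal only
}

# Constructed sensitivity weights: remote-admin and database services
# reachable from the internet are direct initial-access paths.
SERVICE_SENSITIVITY = {
    "telnet": 10, "rdp": 9, "smb": 9, "mysql": 8, "postgres": 8,
    "redis": 8, "ssh": 7, "http": 4, "https": 3,
}
DEFAULT_SENSITIVITY = 5   # unknown service: treat as moderately sensitive
UNINTENDED_BONUS = 4      # extra weight for "should not be visible at all"

# Constructed product/version -> (identifier, CVSS) table. A real program
# would query a vulnerability feed; the identifier here is a placeholder.
KNOWN_VULNERABLE = {
    ("ExampleHTTPd", "2.4.49"): ("CVE-PLACEHOLDER-0001", 9.8),
}


@dataclass
class Observation:
    """One reachable service found by the external scan (step 1)."""
    ip: str
    port: int
    service: str
    product: str = ""
    version: str = ""


@dataclass
class Finding:
    """Prioritized result (step 2) with a remediation recommendation (step 3)."""
    ip: str
    port: int
    service: str
    unintended: bool
    score: int
    reasons: list = field(default_factory=list)
    action: str = ""


def triage(observations, intended=INTENDED_EXPOSURE):
    """Score every observation and return findings, highest risk first."""
    findings = []
    for o in observations:
        unintended = o.port not in intended.get(o.ip, set())
        score = SERVICE_SENSITIVITY.get(o.service, DEFAULT_SENSITIVITY)
        reasons = []
        if unintended:
            reasons.append("port not in the intended-exposure inventory")
            score += UNINTENDED_BONUS
        vuln = KNOWN_VULNERABLE.get((o.product, o.version))
        if vuln:
            vuln_id, cvss = vuln
            reasons.append(f"{o.product} {o.version} matches {vuln_id} (CVSS {cvss})")
            score += int(cvss)
        # Step 3: remove an exposure that was never meant to exist;
        # otherwise patch an intended-but-vulnerable service.
        if unintended:
            action = "remove exposure: close the port at the firewall, then confirm the host's role"
        elif vuln:
            action = "patch the exposed service; restrict source addresses until patched"
        else:
            action = "expected exposure; keep monitoring"
        findings.append(Finding(o.ip, o.port, o.service, unintended, score, reasons, action))
    findings.sort(key=lambda f: (-f.score, f.ip, f.port))
    return findings


# Constructed scan output: one clean asset, one with an unexpected RDP port,
# one running a vulnerable web server version, one forgotten test host.
SAMPLE_SCAN = [
    Observation("203.0.113.20", 443, "https", "ExampleHTTPd", "2.4.57"),
    Observation("203.0.113.10", 3389, "rdp"),
    Observation("203.0.113.10", 443, "https", "ExampleHTTPd", "2.4.49"),
    Observation("203.0.113.30", 22, "ssh"),   # developer test server, not in inventory
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"{f.score:>3} {f.ip}:{f.port} {f.service:<6} -> {f.action}")
        for r in f.reasons:
            print(f"      {r}")
```

The inventory of intended exposures is the piece most teams lack; without it, "open port" and "unintended exposure" cannot be told apart, and the output degrades into raw port-scan data.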

ThreatNG is an excellent solution for addressing System-Exposure because it operates with a pure external-adversary view, performing the reconnaissance an attacker would conduct to find and validate exposed assets across an organization's perimeter, cloud, and vendor systems.

External Discovery and Continuous Monitoring

ThreatNG performs purely external, unauthenticated discovery using no connectors, which is the necessary perspective for finding System Exposures. This continuous monitoring process involves systematically enumerating an organization's known IP ranges and associated domains to identify all reachable hosts.

This capability is key to discovering:

  • "Directly Connected Internal System": ThreatNG’s Domain Intelligence performs port scanning on discovered IP ranges, flagging open ports that should not be visible externally (like RDP, SSH, or internal database ports). This validates a system that an internal team might mistakenly believe is protected.

  • "Corporate Internet Exposed Gateway Device": The platform focuses on high-value perimeter assets by performing Subdomain Intelligence to detect and profile VPNs and other Remote Access Services facing the internet, identifying them as critical entry points.

  • "Presumed Company System By Branding": Certificate Intelligence and Domain Overview help ThreatNG link ambiguous-ownership assets back to the organization by identifying shared domains, certificates, and company names, extending the monitoring umbrella to all potential exposures.

External Assessment and Security Ratings

ThreatNG translates the discovery of an exposed system into a prioritized, actionable risk score, helping teams focus limited resources on the most exploitable entry points.

  • Cyber Risk Exposure: This is the primary rating for System-Exposure, and it is driven directly by exposed services and known vulnerabilities. For example, if Subdomain Intelligence identifies a web server (a potential "Remote Site Owned System Presumed Connected") and Overwatch finds that the web server’s identified technology is linked to a recent, critical CVE (Common Vulnerabilities and Exposures), the Cyber Risk Exposure score for that asset spikes, signaling immediate danger.

  • Cloud and SaaS Exposure: This specific assessment focuses on misconfigurations in cloud environments. It would flag a "Corporate Cloud Connected System" if it detects an insecurely exposed storage bucket or an exposed administrative interface in AWS, Azure, or GCP, thereby validating the system's exposure.

  • Supply Chain & Third-Party Exposure: This rating helps manage the external systems the company relies on. If an externally facing system is identified as a "Contractor or Vendor Managed System," the rating reflects the severity of that exposure, forcing the organization to engage the third party on remediation.

Investigation Modules and Reporting

ThreatNG's tools allow security teams to quickly pivot from a high-level exposure alert to a detailed investigation of the exposed system, enabling immediate operational response.

  • Reconnaissance Hub: This unified interface enables analysts to validate findings quickly. For instance, if Overwatch alerts on a new CVE, the analyst uses the Reconnaissance Hub to instantly query the entire portfolio to find all affected assets, including a seemingly harmless "Remote Site Owned System Presumed Connected."

  • Advanced Search: This granular tool facilitates deep dives into specific exposed services. An analyst uses Advanced Search to filter all discovered ports and services for common weaknesses, such as exposed databases or outdated web applications, providing a clean list of exposed attack surfaces that must be addressed immediately.

This robust process ensures Reporting is transparent and risk-based, presenting leadership with a validated list of exploitable entry points rather than raw port-scan data.

Cooperation with Complementary Solutions

ThreatNG’s highly prioritized and validated System-Exposure data is invaluable for integrating with remediation and patching workflows across the IT and Security organizations.

When ThreatNG’s Cyber Risk Exposure assessment confirms a critical risk on a "Corporate Internet Exposed Gateway Device" due to an unpatched vulnerability (a known CVE), this information can be automatically fed into a Vulnerability Management (VM) solution. The VM solution can then ingest the external context, prioritize the patching of that specific internet-facing asset above all others, and ensure the fix is applied across the entire fleet of gateway devices.

Furthermore, if ThreatNG detects a "Directly Connected Internal System" that is exposed via an unexpected port, the validated finding can be sent to a Security Orchestration, Automation, and Response (SOAR) platform. The SOAR platform can automatically execute a defensive playbook: first, notifying the appropriate network operations team via their ticketing system, and second, creating a temporary emergency rule on the corporate firewall to block external access to that specific exposed port until the system configuration is corrected, thereby immediately neutralizing the exposure.
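The two-step playbook just described, as an added Python example that is not ThreatNG's code or any SOAR vendor's: a validated finding opens a ticket for network operations and adds a temporary deny rule that is removed once the configuration is confirmed corrected, with a TTL as a safety net so an emergency rule never lingers unowned. The ticketing system and firewall are in-memory stand-ins for the product APIs a real playbook would call; the asset address and the ticket and rule id formats are assumptions.

```python
"""Constructed SOAR-style playbook for an unexpected exposed port (added
example, not ThreatNG's or any SOAR vendor's code). The ticketing system
and firewall are in-memory stand-ins for real product APIs; the asset
address and the ticket/rule id formats are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ExposureFinding:
    """Validated external finding as it would arrive from the discovery tool."""
    asset_ip: str
    port: int
    protocol: str
    description: str


@dataclass
class EmergencyRule:
    rule_id: str
    dst_ip: str
    dst_port: int
    protocol: str
    expires_at: datetime
    reason: str


class FakeTicketing:
    """Stand-in for a ticketing API: records tickets in a list."""
    def __init__(self):
        self.tickets = []

    def create(self, team, title, body):
        ticket_id = f"TKT-{len(self.tickets) + 1:04d}"
        self.tickets.append({"id": ticket_id, "team": team, "title": title,
                             "body": body, "status": "open"})
        return ticket_id

    def close(self, ticket_id, note):
        for t in self.tickets:
            if t["id"] == ticket_id:
                t["status"] = "closed"
                t["body"] += "\n" + note


class FakeFirewall:
    """Stand-in for a firewall API: deny rules keyed by id, each with a TTL."""
    def __init__(self):
        self.rules = {}
        self._next_id = 1

    def add_temporary_deny(self, dst_ip, dst_port, protocol, ttl, reason, now):
        rule_id = f"EMERG-{self._next_id:04d}"
        self._next_id += 1
        self.rules[rule_id] = EmergencyRule(rule_id, dst_ip, dst_port, protocol, now + ttl, reason)
        return rule_id

    def is_blocked(self, dst_ip, dst_port, protocol, now):
        return any(r.dst_ip == dst_ip and r.dst_port == dst_port
                   and r.protocol == protocol and r.expires_at > now
                   for r in self.rules.values())

    def remove(self, rule_id):
        self.rules.pop(rule_id, None)

    def expire(self, now):
        """Drop rules whose TTL has lapsed; returns the ids removed."""
        expired = [rid for rid, r in self.rules.items() if r.expires_at <= now]
        for rid in expired:
            del self.rules[rid]
        return expired


class Playbook:
    """Step 1: notify network operations. Step 2: block the port externally
    until the host configuration is corrected (or the TTL lapses)."""
    def __init__(self, ticketing, firewall, ttl=timedelta(hours=24)):
        self.ticketing, self.firewall, self.ttl = ticketing, firewall, ttl
        self.open_cases = {}   # ticket id -> emergency rule id

    def run(self, finding, now):
        title = f"Unexpected exposed port {finding.port}/{finding.protocol} on {finding.asset_ip}"
        ticket_id = self.ticketing.create("network-operations", title, finding.description)
        rule_id = self.firewall.add_temporary_deny(
            finding.asset_ip, finding.port, finding.protocol, self.ttl,
            reason=f"{ticket_id}: emergency block pending configuration fix", now=now)
        self.open_cases[ticket_id] = rule_id
        return ticket_id, rule_id

    def configuration_corrected(self, ticket_id):
        """Called once network operations confirms the port is closed at the host."""
        rule_id = self.open_cases.pop(ticket_id)
        self.firewall.remove(rule_id)
        self.ticketing.close(ticket_id, "host configuration corrected; emergency rule removed")


if __name__ == "__main__":
    tk, fw = FakeTicketing(), FakeFirewall()
    pb = Playbook(tk, fw)
    now = datetime.now(timezone.utc)
    tid, rid = pb.run(ExposureFinding("203.0.113.10", 3389, "tcp", "RDP reachable from the internet"), now)
    print(tid, rid, "blocked:", fw.is_blocked("203.0.113.10", 3389, "tcp", now))
    pb.configuration_corrected(tid)
    print(tid, "closed; blocked:", fw.is_blocked("203.0.113.10", 3389, "tcp", now))
```

The emergency rule is deliberately tied to the ticket: the block is a stopgap, and the record of who owns the underlying fix is the ticket, not the firewall.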
