Threat Validation


Threat validation in the context of cybersecurity is the process of confirming that a discovered security alert, vulnerability, or potential threat is genuine, exploitable, and poses a real risk to an organization. This is a critical step that follows initial detection, where security tools or human analysts identify a potential issue.

The goal of threat validation is to reduce false positives and ensure that security teams are focusing their efforts on the most significant and immediate risks. It typically involves a series of steps to verify the alert, such as:

  • Replicating the finding: Attempting to reproduce the vulnerability or exploit the potential threat in a controlled environment to confirm its existence.

  • Assessing the impact: Determining what an attacker could achieve if they successfully exploited the vulnerability. This includes evaluating the potential for data theft, system compromise, or service disruption.

  • Contextual analysis: Understanding the specific environment of the organization, including the asset's importance, the data it holds, and the network it operates on. A vulnerability on a public-facing web server is often a higher priority than the same vulnerability on an internal, non-critical system.

  • Determining exploitability: Assessing whether the threat is not just a theoretical possibility but can be actively and easily exploited by an attacker. This may involve checking for known proof-of-concept exploits or active attacker interest in the vulnerability.

By performing this validation, security teams can transform a large volume of alerts into a manageable list of confirmed, high-priority threats. This allows for a more efficient and effective response, ensuring that resources are not wasted on benign or low-risk issues.

ThreatNG can assist with threat validation by providing a comprehensive, external-facing view of an organization's security posture and potential vulnerabilities. It helps to verify the existence and potential impact of threats by using a combination of discovery, assessment, monitoring, and intelligence features.

External Discovery and Continuous Monitoring

ThreatNG performs purely external, unauthenticated discovery to find an organization's attack surface without needing any connectors. This includes discovering public code repositories, mobile apps in marketplaces, and website control files like robots.txt and security.txt. The platform also offers continuous monitoring of this external attack surface, digital risk, and security ratings, ensuring that newly exposed assets or changes are identified as they occur. This constant process is the first step in threat validation, as it uncovers potential areas of concern that need further investigation.

External Assessment

ThreatNG conducts various external assessments that are crucial for validating threats:

  • Subdomain Takeover Susceptibility: This assessment analyzes a website's subdomains, DNS records, and SSL certificate statuses to determine if a subdomain is vulnerable to takeover. This helps validate a threat by confirming if a subdomain is misconfigured and could be hijacked by an attacker.

  • Breach & Ransomware Susceptibility: ThreatNG calculates this susceptibility based on factors like exposed sensitive ports, known vulnerabilities, compromised credentials on the dark web, and ransomware events. A high susceptibility score for ransomware, supported by a finding of compromised credentials, helps validate a specific and immediate threat to the organization.

  • Mobile App Exposure: ThreatNG evaluates an organization's mobile apps for the presence of sensitive data. For instance, if the assessment finds a Stripe API Key or an Amazon AWS Access Key ID in a mobile app, it validates a critical security risk that an attacker could use to access financial or cloud resources.

  • Cyber Risk Exposure: This assessment considers parameters like certificates, subdomain headers, and sensitive ports to determine cyber risk. It also factors in Code Secret Exposure, which discovers public code repositories and their exposure levels. For example, finding a public repository with an AWS Secret Access Key would validate a significant cyber risk, as an attacker could use this to access the organization's cloud environment.

Investigation Modules

ThreatNG's investigation modules enable a detailed analysis of discovered findings to validate their severity and impact:

  • Domain Intelligence: This module provides a deep dive into a domain, including DNS records and subdomains. A security professional could use the Subdomain Intelligence feature to investigate a suspicious subdomain and find out what technologies it uses, what ports are open, and if there are any known vulnerabilities associated with it.

  • Sensitive Code Exposure: This module discovers public code repositories and investigates them for sensitive data. If the initial discovery phase found a potential code exposure, this module could be used to validate the threat by confirming the presence of a hardcoded password or a Google OAuth Access Token within the code, indicating a serious leak.

  • Search Engine Attack Surface: This facility helps users investigate an organization’s susceptibility to exposing sensitive information via search engines. A security professional could use this to validate a threat by searching for "public passwords," "privileged folders," or other susceptible files associated with their organization, confirming the information is indeed exposed and indexable.

Intelligence Repositories

ThreatNG's Intelligence Repositories, or DarCache, provide a wealth of context to support threat validation:

  • Vulnerabilities (DarCache Vulnerability): This repository includes data from NVD, EPSS, and KEV. For a newly discovered vulnerability, an analyst can validate the threat by checking the EPSS score for the estimated probability that it will be exploited, and the KEV data to confirm whether it is actively being exploited in the wild.

  • Compromised Credentials (DarCache Rupture): This repository contains information on compromised credentials. An analyst can validate a dark web presence finding by checking this repository to see if the compromised credentials are still active and associated with the organization.

  • Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): This repository provides direct links to PoC exploits on platforms like GitHub. This information is invaluable for security teams to reproduce a vulnerability and assess its real-world impact, thereby validating the threat and developing effective mitigation strategies.
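One way to carry out the EPSS/KEV check above together with the impact, context and exploitability steps from the top of the page, as an added example that is not ThreatNG's code: the EPSS scores, KEV entries and CVE ids are constructed placeholders, and the priority matrix is an assumption of this example rather than ThreatNG's own scoring.

```python
"""Validate a vulnerability finding with EPSS, KEV, PoC and asset context.

Added example, not ThreatNG code. The EPSS scores and KEV entries are
constructed samples under placeholder CVE ids, standing in for the FIRST
EPSS and CISA KEV data that DarCache Vulnerability aggregates.
"""
from dataclasses import dataclass

EPSS_SCORES = {"CVE-0000-00001": 0.72, "CVE-0000-00002": 0.03}  # constructed
KEV_ENTRIES = {"CVE-0000-00001"}                                  # constructed
# Priority matrix (assumption of this example): (exploitability, impact) -> risk level.
PRIORITY = {
    ("active", "high"): "High", ("active", "medium"): "High", ("active", "low"): "Medium",
    ("likely", "high"): "High", ("likely", "medium"): "Medium", ("likely", "low"): "Low",
    ("theoretical", "high"): "Medium", ("theoretical", "medium"): "Low", ("theoretical", "low"): "Low",
}

@dataclass
class Finding:
    cve: str
    asset: str
    public_facing: bool         # contextual analysis: reachable from the internet?
    holds_sensitive_data: bool  # impact: what a successful exploit would expose
    poc_available: bool         # a verified PoC exists (as DarCache eXploit would link)

def validate(finding: Finding, epss_threshold: float = 0.10) -> dict:
    """Return exploitability, impact, priority and the reasons behind them."""
    epss = EPSS_SCORES.get(finding.cve, 0.0)
    in_kev = finding.cve in KEV_ENTRIES
    # Exploitability: KEV means exploited in the wild; a PoC or a high EPSS
    # score means exploitation is practical rather than theoretical.
    if in_kev:
        exploitability, note = "active", "listed in KEV (exploited in the wild)"
    elif finding.poc_available or epss >= epss_threshold:
        exploitability, note = "likely", f"PoC={finding.poc_available}, EPSS={epss:.2f}"
    else:
        exploitability, note = "theoretical", f"no PoC, EPSS={epss:.2f} below threshold"
    # Impact: internet exposure and data sensitivity together set what is at stake.
    signals = int(finding.public_facing) + int(finding.holds_sensitive_data)
    impact = {2: "high", 1: "medium", 0: "low"}[signals]
    context = f"public_facing={finding.public_facing}, sensitive_data={finding.holds_sensitive_data}"
    return {
        "cve": finding.cve, "asset": finding.asset, "epss": epss, "in_kev": in_kev,
        "exploitability": exploitability, "impact": impact,
        "priority": PRIORITY[(exploitability, impact)], "reasons": [note, context],
    }
```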

Reporting and Complementary Solutions

ThreatNG provides various reports, including executive, technical, and prioritized reports with risk levels (High, Medium, Low). For a discovered vulnerability, a report might highlight it as a "High" risk and provide reasoning and recommendations, helping security teams understand and validate the threat.

ThreatNG's capabilities can also be used with complementary solutions to enhance the validation process.

  • Complementary Solutions: SIEM (Security Information and Event Management). A ThreatNG assessment might flag an exposed database port as a high risk. A security team can use this finding to correlate with log data in a SIEM to determine if there have been any unauthorized connection attempts to that specific port. This process validates the finding as not just a potential vulnerability, but one that is actively being targeted.

  • Complementary Solutions: SOAR (Security Orchestration, Automation, and Response) Platform. ThreatNG's Sensitive Code Exposure module might discover a hardcoded API key in a public code repository. A SOAR platform could use this finding to automatically trigger a workflow, which might include creating a ticket for the development team, rotating the exposed key, and running an internal scan to ensure the key isn't used elsewhere.

  • Complementary Solutions: Pentesting Service. ThreatNG could identify a specific subdomain susceptible to takeover. This validated finding could be passed to a third-party pentesting service to use as a starting point. The pentesting team would then attempt to exploit the vulnerability to confirm its severity and assess the potential impact of a successful takeover.
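The SIEM correlation described in the first bullet above, as an added example that is not ThreatNG's or any SIEM vendor's code: it takes an exposed-port finding (a constructed host and port), walks constructed firewall log lines in a made-up key=value format, ignores internal sources, and reports whether the port is merely exposed, probed but blocked, or actively reached from outside.

```python
"""Correlate an exposed-port finding with firewall log lines from a SIEM.

Added example, not ThreatNG or any SIEM vendor's code. The key=value log
format, the addresses and the internal ranges are all constructed.
"""
import ipaddress
from collections import Counter

# Constructed firewall log lines: the finding is an exposed database port
# (5432) on 198.51.100.5.
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:01Z src=203.0.113.10 dst=198.51.100.5 dport=5432 action=allow
ts=2024-05-01T10:00:02Z src=203.0.113.10 dst=198.51.100.5 dport=5432 action=allow
ts=2024-05-01T10:00:05Z src=10.0.0.7 dst=198.51.100.5 dport=5432 action=allow
ts=2024-05-01T10:01:00Z src=192.0.2.44 dst=198.51.100.5 dport=5432 action=deny
ts=2024-05-01T10:02:00Z src=203.0.113.10 dst=198.51.100.5 dport=443 action=allow
"""
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict (constructed format, not a vendor schema)."""
    return dict(field.split("=", 1) for field in line.split())

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)

def correlate(host: str, port: int, logs: str) -> dict:
    """Count external connection attempts to host:port and give a verdict."""
    sources = Counter()
    allowed = 0
    for raw in logs.splitlines():
        ev = parse_line(raw)
        # Only events aimed at the exposed service from outside the org count.
        if ev.get("dst") != host or int(ev.get("dport", -1)) != port:
            continue
        if is_internal(ev["src"]):
            continue
        sources[ev["src"]] += 1
        allowed += ev.get("action") == "allow"
    attempts = sum(sources.values())
    if allowed:
        verdict = "actively targeted: external connections reached the service"
    elif attempts:
        verdict = "probed: external attempts seen but blocked"
    else:
        verdict = "exposed, no external activity in this window"
    return {"external_attempts": attempts, "unique_sources": len(sources),
            "allowed": allowed, "top_sources": sources.most_common(3), "verdict": verdict}
```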
