Unknown Unknowns
In cybersecurity, "Unknown Unknowns" refer to risks that are not only unforeseen but also unimaginable at the current moment. These are threats or vulnerabilities that organizations are not even aware exist, meaning they can't be identified, assessed, or mitigated using current knowledge, tools, or methodologies.
The concept of Unknown Unknowns originated in risk management and was popularized by Donald Rumsfeld, former U.S. Secretary of Defense, who famously stated: "There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know."
Let's break this down in the context of cybersecurity:
Characteristics of Unknown Unknowns in Cybersecurity:
Unidentifiable by Current Means: They cannot be detected by existing security scanning tools, threat intelligence feeds, or vulnerability assessments. This is because the underlying threat, attack vector, or vulnerability class is fundamentally new.
Unpredictable Impact: Since their potential impact (e.g., data breach, system compromise, financial loss) is unknown, it is also unexpected and can be catastrophic.
Emergent Nature: They often arise from novel attack techniques, previously undiscovered zero-day vulnerabilities, the convergence of different technologies in unexpected ways, or geopolitical shifts that create entirely new threat landscapes.
Lack of Precedent: There's no historical data or past incidents to draw upon for understanding or preparing for these threats.
Requires Reactive Response (Initially): Organizations typically only become aware of an Unknown Unknown after an attack has occurred or a vulnerability has been exploited. This necessitates a rapid and often ad-hoc reactive response.
Examples of Unknown Unknowns in Cybersecurity (retrospectively):
It's important to note that something is only an "Unknown Unknown" before it becomes known. Once it's identified, it becomes a "Known Unknown" (something we know we don't fully understand yet) or even a "Known Known" (something we understand and can manage). Looking back, here are examples that were once Unknown Unknowns:
Entirely New Classes of Malware: The first appearance of polymorphic malware, fileless malware, or highly sophisticated nation-state-sponsored advanced persistent threats (APTs) like Stuxnet (which attacked industrial control systems). Before Stuxnet, the idea of malware specifically designed to damage centrifuges physically was largely unimaginable to many.
Novel Zero-Day Exploits: A critical vulnerability in a widely used software or hardware that has never been discovered or exploited before, and thus has no patch available. For example, a completely new method of bypassing operating system security features that no one had ever conceived.
Supply Chain Attacks of Unprecedented Scale: While supply chain attacks were known, the SolarWinds attack, which leveraged a widely used IT management software to distribute malware to thousands of organizations, demonstrated a scale and sophistication that was previously unknown to many.
New Cryptographic Weaknesses: The discovery of a fundamental flaw in a widely used cryptographic algorithm that was previously thought to be robust. While cryptographic research is ongoing, a completely unforeseen break in a standard could be an Unknown Unknown.
Quantum Computing Threats (Future Unknown Unknowns): While we know that quantum computing might break current encryption, the exact nature of these future threats, the specific algorithms that will be vulnerable, and the timeline for such attacks are still largely unknown unknowns.
Addressing Unknown Unknowns (Proactive Strategies):
While you can't prepare for a specific Unknown Unknown, organizations can implement strategies to increase their resilience and adapt more quickly when one emerges:
Cybersecurity Hygiene and Fundamentals: Maintaining strong basic security practices (patching, least privilege, network segmentation, strong authentication) makes systems more resilient to any attack, known or unknown.
Robust Incident Response and Forensics Capabilities: The ability to quickly detect, analyze, contain, and eradicate new threats is crucial. This includes having skilled security teams and appropriate tools for deep investigation.
Threat Hunting: Proactively searching for threats within the network that have bypassed existing security controls, rather than waiting for alerts. This involves a hypothesis-driven investigation.
Red Teaming and Penetration Testing: Simulating real-world attacks to uncover unknown vulnerabilities in systems and processes. While these typically focus on known attack vectors, a skilled red team can sometimes stumble upon previously unknown weaknesses.
Security Architecture Resilience: Designing systems with built-in resilience, redundancy, and an "assume breach" mentality. This means focusing on limiting damage and ensuring business continuity even if an unknown threat compromises a part of the system.
Information Sharing and Collaboration: Participating in threat intelligence sharing communities (ISACs/ISAOs) to learn about emerging threats quickly.
Investing in Research and Development: Supporting or monitoring research into cutting-edge security technologies and methodologies that might offer new ways to detect novel threats.
Adaptive Security Frameworks: Moving away from rigid, rule-based security towards more adaptive and intelligent systems (e.g., AI/ML-driven anomaly detection) that can potentially identify deviations that signify an Unknown Unknown.
Continuous Monitoring and Logging: Comprehensive logging of system activities and constant monitoring can provide crucial data points that, upon retrospective analysis, might reveal indicators of compromise from an Unknown Unknown.
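The last two strategies (anomaly detection and retrospective analysis of logs) share one idea: an Unknown Unknown has no signature to match, so the only thing a defender can alert on is novelty relative to a baseline of observed behaviour. The following is an added illustration, not code from the original page: it learns which (host, user, process), (host, destination) and (host, hour-of-day) combinations occurred in a baseline window of constructed log lines, then scores later events by how many of those attributes have never been seen before. The log format, the weights and the sample lines are all assumptions made for the example.

```python
import re

# Constructed sample log lines (not from the page): a baseline window followed
# by one later day of events. Field layout is an assumption for this example.
BASELINE_LOGS = """\
2024-05-01T08:01:10Z host=web01 user=svc_web proc=/usr/sbin/nginx dst=10.0.2.15:5432
2024-05-01T08:02:33Z host=web01 user=svc_web proc=/usr/sbin/nginx dst=10.0.2.15:5432
2024-05-02T09:15:00Z host=db01 user=postgres proc=/usr/lib/postgresql/bin/postgres dst=10.0.2.20:443
2024-05-03T11:00:02Z host=web01 user=svc_web proc=/usr/sbin/nginx dst=10.0.2.15:5432
"""
NEW_LOGS = """\
2024-05-08T03:12:45Z host=web01 user=svc_web proc=/usr/sbin/nginx dst=10.0.2.15:5432
2024-05-08T03:13:01Z host=web01 user=svc_web proc=/usr/bin/curl dst=203.0.113.7:8443
2024-05-08T03:13:05Z host=db01 user=postgres proc=/usr/lib/postgresql/bin/postgres dst=10.0.2.20:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$"
)

# Weights are assumptions: a never-seen binary is a stronger signal than an odd hour.
WEIGHTS = {"proc": 3, "dst": 2, "hour": 1}


def parse_events(text):
    """Parse the constructed log format into a list of dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Record every attribute combination observed during the baseline window."""
    baseline = {"proc": set(), "dst": set(), "hour": set()}
    for e in events:
        baseline["proc"].add((e["host"], e["user"], e["proc"]))
        baseline["dst"].add((e["host"], e["dst"]))
        baseline["hour"].add((e["host"], e["ts"][11:13]))  # "HH" from the ISO timestamp
    return baseline


def find_novel(baseline, events, min_score=1):
    """Score each event by the weighted number of attributes never seen in the baseline.

    Returns findings sorted highest score first, so a triage queue reads top-down.
    """
    findings = []
    for e in events:
        reasons, score = [], 0
        if (e["host"], e["user"], e["proc"]) not in baseline["proc"]:
            reasons.append("never-seen process for this host/user: " + e["proc"])
            score += WEIGHTS["proc"]
        if (e["host"], e["dst"]) not in baseline["dst"]:
            reasons.append("never-seen destination for this host: " + e["dst"])
            score += WEIGHTS["dst"]
        if (e["host"], e["ts"][11:13]) not in baseline["hour"]:
            reasons.append("activity outside the host's observed hours: " + e["ts"][11:16] + "Z")
            score += WEIGHTS["hour"]
        if score >= min_score:
            findings.append({"event": e, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_LOGS))
    for f in find_novel(base, parse_events(NEW_LOGS)):
        print(f["score"], f["event"]["host"], f["event"]["proc"], "|", "; ".join(f["reasons"]))
```

With the threshold at 1, all three later events surface because none of the baseline activity happened at 03:00; raising `min_score` to 2 leaves only the curl process talking to a destination the host has never contacted, which is the kind of deviation worth a hunter's time. The point of the exercise is that the detector never needed to know what curl-to-a-new-host means in advance.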
Dealing with unknown unknowns in cybersecurity is less about predicting specific threats and more about fostering a culture of adaptability, resilience, and continuous learning, ensuring an organization can react effectively to whatever new challenges the evolving threat landscape presents.
ThreatNG offers a comprehensive suite of capabilities designed to help organizations manage their external attack surface, digital risk, and security posture, thereby assisting in the identification and mitigation of various cyber threats, including those that might initially appear as "unknown unknowns" before they become fully understood.
ThreatNG's Role in Addressing Cyber Threats
1. External Discovery: ThreatNG performs purely external, unauthenticated discovery without needing any connectors. This outside-in perspective is crucial because it mirrors how an attacker would approach an organization. By mapping the external attack surface, ThreatNG can uncover assets and potential entry points that an organization might not even be aware are exposed, effectively turning "unknown unknowns" (unknown exposed assets) into "known unknowns" (identified but not yet fully understood exposures).
2. External Assessment: ThreatNG provides a detailed external assessment across numerous critical areas, helping to identify vulnerabilities and risks that could otherwise be overlooked. This extensive assessment capability is key to unearthing potential "unknown unknowns" by thoroughly scrutinizing an organization's external footprint.
Web Application Hijack Susceptibility: ThreatNG analyzes parts of a web application accessible from the outside world, using external attack surface and digital risk intelligence, including Domain Intelligence, to identify potential entry points for attackers. This assessment helps pinpoint weaknesses that could lead to web application compromises.
Subdomain Takeover Susceptibility: It evaluates a website's susceptibility to subdomain takeovers by analyzing subdomains, DNS records, SSL certificate statuses, and other relevant factors using external attack surface and digital risk intelligence that incorporates Domain Intelligence. This can uncover forgotten or misconfigured subdomains that an attacker could leverage.
BEC & Phishing Susceptibility: This is derived from Sentiment and Financials Findings, Domain Intelligence (including DNS Intelligence capabilities like Domain Name Permutations and Web3 Domains, and Email Intelligence for security presence and format prediction), and Dark Web Presence (Compromised Credentials). By analyzing these factors, ThreatNG can reveal an organization's vulnerability to business email compromise and phishing attacks.
Brand Damage Susceptibility: ThreatNG derives this from attack surface intelligence, digital risk intelligence, ESG Violations, Sentiment and Financials (Lawsuits, SEC filings, SEC Form 8-Ks, and Negative News), and Domain Intelligence (Domain Name Permutations and Web3 Domains). This broad assessment helps in understanding non-technical risks that can impact brand reputation.
Data Leak Susceptibility: This is based on external attack surface and digital risk intelligence, considering Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), Domain Intelligence (DNS Intelligence capabilities, Domain Name Permutations, Web3 Domains, and Email Intelligence), and Sentiment and Financials (Lawsuits and SEC Form 8-Ks). This comprehensive view helps identify potential data exposure points.
Cyber Risk Exposure: ThreatNG considers Domain Intelligence parameters like certificates, subdomain headers, vulnerabilities, and sensitive ports. It also factors in Code Secret Exposure, which involves discovering code repositories and investigating their contents for sensitive data. This provides a holistic view of direct cyber risks.
Cloud and SaaS Exposure: ThreatNG evaluates sanctioned and unsanctioned cloud services, cloud service impersonations, and open exposed cloud buckets across AWS, Microsoft Azure, and Google Cloud Platform. It also assesses various SaaS implementations like Salesforce, Slack, Splunk, and Workday, identifying potential vulnerabilities from misconfigurations or exposed data. The score also includes the organization's compromised credentials on the dark web, increasing the risk of successful attacks.
ESG Exposure: It rates organizations based on discovered environmental, social, and governance (ESG) violations through external attack surface and digital risk intelligence findings, analyzing areas such as Competition, Consumer, Employment, Environment, Financial, Government Contracting, Healthcare, and Safety-related offenses.
Supply Chain & Third Party Exposure: This is derived from Domain Intelligence (Enumeration of Vendor Technologies from DNS and Subdomains), Technology Stack, and Cloud and SaaS Exposure. This helps identify risks stemming from third-party vendors, a common source of "unknown unknowns" due to interconnected systems.
Breach & Ransomware Susceptibility: Calculated using external attack surface and digital risk intelligence, including domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events/gang activity), and sentiment and financials (SEC Form 8-Ks).
Mobile App Exposure: ThreatNG discovers an organization’s mobile apps in marketplaces and evaluates them for exposed access credentials (e.g., AWS Access Key ID, API Keys, GitHub Access Token, Facebook Access Token), security credentials (e.g., PGP private keys, RSA Private Keys, SSH private keys), and platform-specific identifiers (e.g., Amazon AWS S3 Bucket, Firebase, GitHub). This detailed analysis helps uncover sensitive data embedded within mobile applications that could be exploited.
Positive Security Indicators: This unique feature identifies and highlights an organization's security strengths, such as the presence of Web Application Firewalls or multi-factor authentication. It validates these positive measures from an external attacker's perspective, providing objective evidence of their effectiveness and offering a more balanced view of the security posture.
External GRC Assessment: ThreatNG provides a continuous, outside-in evaluation of an organization's Governance, Risk, and Compliance (GRC) posture. It identifies exposed assets, critical vulnerabilities, and digital risks from an unauthenticated attacker's perspective and maps these findings directly to relevant GRC frameworks. This capability helps proactively uncover and address external security and compliance gaps, strengthening overall GRC standing.
External Threat Alignment: It aligns an organization's security posture with external threats by performing unauthenticated, outside-in discovery and assessment of its attack surface, identifying vulnerabilities and exposures in a manner an attacker would. For example, ThreatNG's assessments directly map to MITRE ATT&CK techniques, uncovering how an adversary might achieve initial access and establish persistence.
3. Reporting: ThreatNG offers various reports, including Executive, Technical, Prioritized (High, Medium, Low, and Informational), Security Ratings, Inventory, Ransomware Susceptibility, U.S. SEC Filings, and External GRC Assessment Mappings (e.g., PCI DSS). These reports are crucial for understanding the identified risks and prioritizing remediation efforts, making "known unknowns" actionable.
4. Continuous Monitoring: ThreatNG provides continuous monitoring of the external attack surface, digital risk, and security ratings of all organizations. This ongoing surveillance is vital for detecting new exposures or changes that could introduce "unknown unknowns" as they emerge, allowing for rapid response.
5. Investigation Modules: ThreatNG's detailed investigation modules allow for deep dives into discovered information, transforming raw data into actionable intelligence.
Domain Intelligence:
Domain Overview: Provides insights into digital presence, Microsoft Entra Identification, Domain Enumeration, Bug Bounty Programs, and related SwaggerHub instances.
DNS Intelligence: Includes Domain Record Analysis (IP Identification, Vendors, and Technology Identification), Domain Name Permutations (Taken and Available), and Web3 Domains (Taken and Available).
Email Intelligence: Offers insights into email security presence (DMARC, SPF, DKIM records), format predictions, and harvested emails.
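What "email security presence" means in practice is whether the domain's SPF, DMARC and DKIM records exist and whether the policies in them actually do anything. The following added example (not ThreatNG's code, and not a live DNS lookup) parses constructed TXT records of the form a resolver would return and reports the weaknesses a phishing assessment would care about: a softfail or missing `all` mechanism in SPF, a DMARC policy of `none` or a partial `pct`, a missing aggregate-report address, and a DKIM selector with an empty (revoked) key. The zone contents and selector name are assumptions for the example; the second zone shows the hardened counterpart.

```python
import re

# Constructed TXT records standing in for DNS answers (no network access is made).
WEAK_ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:198.51.100.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...constructed"],
}
HARDENED_ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:198.51.100.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...constructed"],
}

# Matches the SPF "all" mechanism and captures its qualifier (default "+" when absent).
SPF_ALL_RE = re.compile(r"(?:^|\s)([-~?+]?)all(?:\s|$)")


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_findings(txts):
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records; receivers treat this as a permanent error"]
    m = SPF_ALL_RE.search(spf[0])
    if not m:
        return ["SPF has no 'all' mechanism; unlisted senders are implicitly neutral"]
    qualifier = m.group(1) or "+"
    return {
        "-": [],
        "~": ["SPF ends in ~all (softfail); prefer -all once all senders are listed"],
        "?": ["SPF ends in ?all (neutral); provides no protection"],
        "+": ["SPF ends in +all; any sender passes"],
    }[qualifier]


def dmarc_findings(txts):
    recs = [t for t in txts if t.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record"]
    tags = parse_tags(recs[0])
    out = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        out.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        out.append("DMARC p=quarantine: spoofed mail is junked rather than rejected")
    elif policy != "reject":
        out.append("DMARC p tag missing or invalid")
    if "rua" not in tags:
        out.append("no rua address: aggregate reports are not being collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        out.append(f"pct={pct}: policy applied to only part of the mail stream")
    return out


def dkim_findings(txts):
    recs = [t for t in txts if t.replace(" ", "").lower().startswith("v=dkim1")]
    if not recs:
        return ["no DKIM key published at this selector"]
    if not parse_tags(recs[0]).get("p"):
        return ["DKIM key record has an empty p= tag (selector revoked)"]
    return []


def assess_email_auth(zone, domain, selectors=("selector1",)):
    """Run all three checks against a zone dict and return findings plus a total count."""
    result = {
        "spf": spf_findings(zone.get(domain, [])),
        "dmarc": dmarc_findings(zone.get(f"_dmarc.{domain}", [])),
        "dkim": {s: dkim_findings(zone.get(f"{s}._domainkey.{domain}", [])) for s in selectors},
    }
    result["total"] = len(result["spf"]) + len(result["dmarc"]) + sum(len(v) for v in result["dkim"].values())
    return result


if __name__ == "__main__":
    for name, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(name, assess_email_auth(zone, "example.com"))
```

Feeding the same functions real answers from a resolver is a one-line change, since each check only takes the list of TXT strings for a name; keeping the lookup outside the checks is what makes them testable offline.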
WHOIS Intelligence: Provides WHOIS analysis and other domains owned.
Subdomain Intelligence: Analyzes HTTP Responses, Header Analysis (Security Headers, Deprecated Headers), Server Headers, Cloud Hosting providers (AWS, Microsoft Azure, Google Cloud Platform, Heroku, Pantheon, Vercel), Website Builders (Strikingly, Tilda, Webflow, WordPress), E-commerce Platforms, CMS, CRMs, Email Marketing services, Communication and Marketing tools, Landing Page Builders, Sales Enablement, Online Course Platforms, Help Desk Software, Knowledge Base Software, Customer Feedback Platforms, Code Repositories (Bitbucket, GitHub), API Management, Developer Tools, Documentation Platforms, Product Management, Video Hosting, Blogging Platforms, Podcast Hosting, Digital Publishing, Photo Sharing, Content Experience, Translation Management, Brand Management, Website Monitoring, Status Communication, Survey Platforms, Project Management, Shipment Tracking. It also identifies Subdomain Takeover Susceptibility, Content Identification (Admin Pages, APIs, Development Environments, VPNs, Empty HTTP/HTTPS Responses, HTTP/HTTPS Errors, Applications, Google Tag Managers, Javascript, Emails, Phone Numbers), Ports (IoT/OT, Industrial Control Systems, Databases, Remote Access Services), Known Vulnerabilities, and Web Application Firewall Discovery and Vendor Types. This granular detail helps uncover hidden infrastructure and potential attack vectors.
IP Intelligence: Covers IPs, Shared IPs, ASNs, Country Locations, and Private IPs.
Certificate Intelligence: Focuses on TLS Certificates (Status, Issuers, Active, Certs without Subdomains, Subdomains without Certificates) and Associated Organizations (Domains, Certificates, and Emails).
Social Media: Tracks posts from the organization, breaking out content copy, hashtags, links, and tags.
Sensitive Code Exposure: Discovers public code repositories and uncovers digital risks such as various Access Credentials (e.g., Stripe API key, Google OAuth Key, AWS Access Key ID), Security Credentials (e.g., cryptographic private keys, SSH Private Key), Configuration Files (e.g., Azure service configuration schema, Ruby On Rails secret token), System Configuration (e.g., Shell configuration, Linux shadow file), Network Configuration (e.g., OpenVPN client configuration), Database Exposures (e.g., Microsoft SQL database file, PostgreSQL password file), Application Data Exposures (e.g., Remote Desktop connection file, Java keystore file), Activity Records (e.g., Shell command history, Log files), Communication Platform Configurations, Development Environment Configurations, Security Testing Tools, Cloud Service Configurations (e.g., AWS CLI credentials file), Remote Access Credentials (e.g., SFTP connection configuration), System Utilities, Personal Data, and User Activity. This deep dive into code helps find exposed secrets that could be "unknown unknowns" if not actively searched for.
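The categories above (access credentials, private keys, credentials files, shell history) are what a secret scanner looks for in a repository, and the practical difficulty is doing it without drowning in false positives. The following is an added example, not the product's scanner: it walks a constructed in-memory repository and combines three techniques, a fixed-format pattern (AWS access key IDs, which begin with `AKIA`), a marker pattern (PEM private-key headers), and an entropy test on values assigned to names like `api_key` or `password` so that placeholder strings are not reported, plus a path check for files that should never be committed at all. The sample files, the entropy threshold and the path list are assumptions; the AWS key shown is the example key from AWS's own documentation, not a live credential.

```python
import math
import re
from collections import Counter

# Constructed repository contents (not a real project). Paths and values are invented.
SAMPLE_REPO = {
    "README.md": "# demo service\nRun `make test` before pushing.\n",
    "config/settings.py": 'DEBUG = False\napi_key = "k7Qm2xP9vL4nR8wT1yB6zH3jF5"\npassword = "changemechangeme"\n',
    "scripts/deploy.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...constructed\n-----END OPENSSH PRIVATE KEY-----\n",
    ".bash_history": "ls\ncd /srv\n",
}

# Fixed-format and marker patterns: these are high confidence on their own.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]
# Assignments to secret-looking names; the captured value is entropy-checked below.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(?:secret|token|password|passwd|api[_-]?key)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption tuned for this example
# File names that should not be in a repository regardless of content.
SENSITIVE_PATH_SUFFIXES = (".aws/credentials", ".bash_history", "id_rsa", "/shadow", ".env")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text):
    """Return findings for one file's content as a list of dicts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "kind": kind})
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "kind": "high_entropy_assignment"})
    return findings


def scan_repo(files):
    """Scan a {path: content} mapping; path checks come first, then content checks."""
    findings = []
    for path, content in files.items():
        if path.endswith(SENSITIVE_PATH_SUFFIXES):
            findings.append({"path": path, "line": 0, "kind": "sensitive_file"})
        findings.extend(scan_text(path, content))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['kind']}")
```

On the sample repository the scanner reports the AWS key, the private-key block, the high-entropy `api_key` value and the two committed files, while the `password = "changemechangeme"` placeholder is left alone because its entropy is well below the threshold. Running the same `scan_repo` over a real checkout only requires building the path-to-content mapping from the working tree.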
Mobile Application Discovery: Discovers mobile apps in various marketplaces (Amazon Appstore, Google Play, Apple App Store, etc.) and analyzes their content for exposed access credentials, security credentials, and platform-specific identifiers.
Search Engine Exploitation: Helps investigate susceptibility to exposing errors, general advisories, IoT entities, persistent exploitation, potential sensitive information, privileged folders, public passwords, susceptible files, susceptible servers, user data, and web servers via search engines. This includes discovering robots.txt and security.txt files and their contents.
Online Sharing Exposure: Identifies organizational entity presence on code-sharing platforms like Pastebin, GitHub Gist, Scribd, and Slideshare.
Sentiment and Financials: Covers organizational lawsuits, layoff chatter, SEC Filings (especially Risk and Oversight Disclosures), SEC Form 8-Ks, and ESG Violations.
Archived Web Pages: Discovers archived online presence, including APIs, document files, emails, login pages, directories, subdomains, and usernames.
Dark Web Presence: Detects organizational mentions of related people, places, or things, associated ransomware events, and compromised credentials.
Technology Stack: Identifies technologies used by the organization, such as Accounting Tools, Analytics, API Management, CMS, CRMs, Databases, Developer Platforms, and Security solutions.
6. Intelligence Repositories (DarCache): ThreatNG maintains continuously updated intelligence repositories, providing critical context and helping to understand emerging threats.
Dark Web (DarCache Dark Web): Provides intelligence on the dark web.
Compromised Credentials (DarCache Rupture): Contains information on compromised credentials.
Ransomware Groups and Activities (DarCache Ransomware): Tracks over 70 ransomware gangs.
Vulnerabilities (DarCache Vulnerability): Offers a holistic and proactive approach to managing external risks and vulnerabilities by understanding their real-world exploitability, likelihood of exploitation, and potential impact. This includes:
NVD (DarCache NVD): Provides information like Attack Complexity, Attack Interaction, Attack Vector, Impact scores (Availability, Confidentiality, Integrity), CVSS Score, and Severity.
EPSS (DarCache EPSS): Offers a probabilistic estimate of the likelihood of a vulnerability being exploited in the near future, allowing for a more forward-looking prioritization.
KEV (DarCache KEV): Identifies vulnerabilities actively being exploited in the wild, providing critical context for prioritizing remediation efforts.
Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): Provides direct links to PoC exploits on platforms like GitHub, referenced by CVE, which accelerates understanding of how a vulnerability can be exploited and helps security teams reproduce and assess its real-world impact. This is crucial for understanding how an "unknown unknown" vulnerability might be weaponized once it becomes a "known unknown."
ESG Violations (DarCache ESG): Contains information on various ESG-related offenses.
Bug Bounty Programs (DarCache Bug Bounty): Lists in-scope and out-of-scope items for bug bounty programs.
SEC Form 8-Ks (DarCache 8-K): Provides access to SEC Form 8-Ks.
Bank Identification Numbers (DarCache BIN): Includes BIN data.
Mobile Apps (DarCache Mobile): Indicates the presence of access credentials, security credentials, and platform-specific identifiers within mobile apps.
Synergies with Complementary Solutions
ThreatNG's capabilities naturally complement other cybersecurity solutions, enhancing an organization's overall security posture.
Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's external assessment findings, continuous monitoring alerts, and intelligence from DarCache (e.g., compromised credentials, ransomware activity) can be fed into SIEM/SOAR platforms. This enriches internal log data with external context, allowing for more accurate threat correlation, automated incident response workflows, and faster remediation of issues identified by ThreatNG. For instance, if ThreatNG identifies a new exposed sensitive port, a SIEM could be alerted, and a SOAR play might automatically initiate a firewall rule change or an internal vulnerability scan.
Vulnerability Management (VM) Tools: While ThreatNG identifies external vulnerabilities, VM tools typically focus on internal network and system vulnerabilities. The "Known Vulnerabilities" found through ThreatNG's Domain Intelligence and the detailed NVD, EPSS, and KEV data from DarCache can be integrated with internal VM tools. This creates a more holistic vulnerability picture, allowing organizations to prioritize patching efforts based on both internal and external exploitability and impact. For example, if ThreatNG identifies a publicly exposed web application with a critical vulnerability also listed in KEV, the VM tool can immediately flag it for urgent internal remediation.
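Both the DarCache vulnerability description (NVD severity, EPSS probability, KEV membership) and the VM integration paragraph above describe the same decision: given several signals per finding, which ones get patched first. The following added example (not ThreatNG's scoring model) shows one way to combine them over constructed findings: KEV membership on an externally reachable asset is always the top tier, EPSS and a critical CVSS on an exposed asset escalate on their own, and a weighted score orders everything else. The CVE identifiers are labelled placeholders, and the weights and thresholds are assumptions chosen for the illustration.

```python
# Constructed findings (placeholder CVE ids, invented scores; nothing here is real data).
FINDINGS = [
    {"id": "CVE-PLACEHOLDER-1", "asset": "www.example.com", "cvss": 9.8, "epss": 0.02, "kev": False, "external": True},
    {"id": "CVE-PLACEHOLDER-2", "asset": "vpn.example.com", "cvss": 7.5, "epss": 0.91, "kev": True, "external": True},
    {"id": "CVE-PLACEHOLDER-3", "asset": "build01.corp", "cvss": 8.8, "epss": 0.40, "kev": True, "external": False},
    {"id": "CVE-PLACEHOLDER-4", "asset": "intranet.corp", "cvss": 5.3, "epss": 0.01, "kev": False, "external": False},
]

# Weights are an assumption: severity and exploit likelihood count equally,
# external reachability adds a fixed bonus.
W_CVSS, W_EPSS, EXTERNAL_BONUS = 0.4, 0.4, 0.2


def priority_score(f):
    """Continuous score in [0, 1] used to order findings inside a tier."""
    score = W_CVSS * (f["cvss"] / 10.0) + W_EPSS * f["epss"] + (EXTERNAL_BONUS if f["external"] else 0.0)
    return round(score, 3)


def tier(f):
    """Discrete remediation tier; the rules are the policy, the score only breaks ties."""
    if f["kev"] and f["external"]:
        return "P1"  # actively exploited and reachable from the internet
    if f["kev"] or f["epss"] >= 0.5 or (f["external"] and f["cvss"] >= 9.0):
        return "P2"  # exploited internally, likely to be exploited soon, or critical and exposed
    if priority_score(f) >= 0.4:
        return "P3"
    return "P4"


def prioritize(findings):
    """Return findings annotated with tier and score, best-first."""
    annotated = [dict(f, tier=tier(f), score=priority_score(f)) for f in findings]
    return sorted(annotated, key=lambda f: (f["tier"], -f["score"], f["id"]))


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f["tier"], f["score"], f["id"], f["asset"])
```

The ordering this produces puts the KEV-listed VPN finding ahead of the 9.8-scored web finding even though the latter has the higher CVSS, which is the behaviour the paragraph above describes: exploitability in the wild, not base severity alone, drives the queue. A VM tool that already tracks internal reachability can supply the `external` flag from its own asset inventory.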
Endpoint Detection and Response (EDR) / Extended Detection and Response (XDR) Solutions: When ThreatNG uncovers new attack vectors or indicators of compromise (IOCs) from its dark web presence monitoring or code secret exposure, these can inform EDR/XDR solutions. This allows EDR/XDR to fine-tune their detection rules and proactively hunt for these specific threats within an organization's endpoints, providing an internal detection capability for external threats identified by ThreatNG. If ThreatNG discovers a specific type of mobile app credential exposed, an EDR solution could search for that credential's use on corporate devices.
Identity and Access Management (IAM) Systems: ThreatNG's findings on compromised credentials from the dark web (DarCache Rupture) are highly valuable for IAM systems. This intelligence can trigger automated password resets or multi-factor authentication requirements for affected users, immediately mitigating the risk of account takeover. If ThreatNG identifies a bulk of compromised credentials related to an organization's domain, the IAM system can enforce a company-wide password change or require MFA for all logins from external networks.
Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) Solutions: ThreatNG's detailed Cloud and SaaS Exposure assessment, including unsanctioned cloud services and exposed cloud buckets, provides a vital external perspective to CSPM and CWPP tools. CSPM/CWPP can then take this external intelligence and enforce stricter internal configurations, identify shadow IT, and ensure compliance with security baselines across cloud environments. If ThreatNG detects an open S3 bucket, a CSPM solution can verify its internal configuration and flag it for remediation.
By integrating and sharing intelligence with these complementary solutions, ThreatNG helps organizations move from being reactive to "unknown unknowns" to proactively managing "known unknowns," and ultimately, transforming them into "known knowns" that can be effectively controlled and mitigated.