Network Filtering Rating

Managing the "Network Filtering" Rating: Ensuring Your Perimeter Is Visible Only to Those Who Need It

In the granular world of third-party risk management (TPRM), the Network Filtering rating (often referred to as "Port Hygiene," "Exposed Services," or "Attack Surface Visibility" in ratings agency reports) is the primary indicator of your infrastructure's discipline. While other ratings measure the quality of your software, Network Filtering measures the strictness of your access control.

At ThreatNG, we understand that a poor Network Filtering score signals "permissiveness" to cyber insurers and auditors. It implies that your firewalls are porous, your cloud security groups are overly broad, and your administrative interfaces are greeting the entire internet. However, automated external scanners often conflate "accessible" with "vulnerable," penalizing you for intentionally secured services. This guide explains how to use the ThreatNG ecosystem to govern your perimeter and ensure your rating reflects your actual security posture.

Understanding the Network Filtering Rating

To master this rating, you must understand the "outside-in" scanning methodology. Rating agencies constantly map the IPv4 space, probing common ports to see what responds. They are looking for services that should ideally be behind a VPN or restricted by an allowlist.

The Network Filtering score is typically degraded by:

  1. Exposed Management Ports: SSH (22), Telnet (23), RDP (3389), or VNC (5900) open to the public internet.

  2. Exposed Database Services: MySQL (3306), PostgreSQL (5432), or MongoDB (27017) listening on public IPs.

  3. Unnecessary Services: Legacy protocols like FTP (21) or NetBIOS (137-139) that increase the attack surface.

  4. Device Exposure: Identifying IoT devices, printers, or cameras directly connected to the web.

The Challenge: The rating is binary. A scanner detects an open port 22 and flags a risk. It does not know that the port is protected by an SSH key-only policy, Fail2Ban, and a geo-block. It equates reachability with exploitability.

The ThreatNG Strategy: Opportunity, Refutation, and Defense

Managing your Network Filtering rating requires a shift from reactive firewall adjustments to proactive attack surface governance. ThreatNG empowers you to control the lifecycle of a finding using continuous intelligence and rigorous policy enforcement.

1. Proactive Opportunity Finding (Beating the Algorithm)

The most effective way to protect your rating is to identify unauthorized exposures before a rating agency's monthly scan logs them. ThreatNG scans continuously. By combining Dynamic Entity Management with our deep Investigation Modules and predictive ThreatNG Security Ratings, you can close the door before anyone notices it was open.

  • The Strategy: You begin by populating Dynamic Entity Management with specific People (e.g., DevOps Leads), Places (e.g., "AWS Region us-east-1"), and Brands (e.g., "New SaaS Platform"). As soon as these entities are defined, ThreatNG continuously hunts for exposures related to them.

  • The Example: Imagine your DevOps team ("New SaaS Platform") spins up a Kubernetes cluster for testing. To speed up debugging, they temporarily open port 22 (SSH) and port 8080 (Jenkins) to 0.0.0.0/0.

    • Detection: The Subdomain Infrastructure Exposure capability immediately detects the open ports on the new IP addresses associated with the brand entity.

    • The Validation: Simultaneously, Sensitive Code Exposure finds that a developer committed a "setup script" to a public repo that includes the default root password for these instances.

    • Internal Rating Check: ThreatNG's internal Cyber Risk Exposure and Non-Human Identity Exposure ratings for this entity drop to 'D'. This indicates that open ports will not only lower your Network Filtering score but also lead to an immediate breach.

    • The Governance: Because your Customizable and Granular Risk Configuration is tuned to Averse, ThreatNG flags "Exposed Management Port" and "Default Credential Risk" as Critical Violations. You close the security groups during the "Grace Period" before the rating agency detects the open port.

  • A World of Possibilities: Crucially, this is just one example of the many possibilities with ThreatNG. You could also use Technology Stack analysis to identify "End-of-Life" VPN concentrators listening on public ports (protecting your Supply Chain & Third Party Risk Exposure rating), or use Dark Web Presence to find "Initial Access Broker" listings selling RDP access to a specific IP, allowing you to prioritize closing that port above all others.
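The four exposure categories listed under "Understanding the Network Filtering Rating" and the DevOps scenario above (ports 22 and 8080 opened to 0.0.0.0/0) both come down to one question: which inbound rules expose a sensitive service to the whole internet? The script below is an added example, not ThreatNG code, that audits a constructed set of security-group-style rules against those categories so a team can catch such exposures during its own review rather than in a rating agency's scan. The rule shape, the group names and the `EXPECTED_PUBLIC_PORTS` allowlist are assumptions for illustration.

```python
"""Audit inbound firewall / security-group rules for world-open sensitive ports.

Added example (not ThreatNG code). Rules are a constructed sample in a
simplified security-group-like shape; adapt the loader to your cloud export.
"""
import ipaddress
from collections import Counter

# Port categories that degrade the Network Filtering rating, as listed on the page.
PORT_CATEGORIES = {
    "Exposed Management Port": {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"},
    "Exposed Database Service": {3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB"},
    "Unnecessary Service": {21: "FTP", 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS"},
}

# Ports a public web service is normally expected to expose (assumption).
EXPECTED_PUBLIC_PORTS = {80, 443}

# Constructed sample rules (hypothetical group names and addresses).
SAMPLE_RULES = [
    {"group": "sg-k8s-test", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"group": "sg-k8s-test", "proto": "tcp", "from_port": 8080, "to_port": 8080, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/8"},
    {"group": "sg-legacy", "proto": "tcp", "from_port": 137, "to_port": 139, "cidr": "::/0"},
    {"group": "sg-web", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-bastion", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
]


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a source of 'the entire internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return one finding per sensitive port reachable from any source address.

    Rules with a restricted source CIDR are skipped: an outside-in scanner
    cannot reach them, so they do not degrade the rating.
    """
    findings = []
    for rule in rules:
        if rule["proto"] not in ("tcp", "all") or not is_world_open(rule["cidr"]):
            continue
        lo, hi = rule["from_port"], rule["to_port"]
        matched = set()
        # Intersect the rule's port range with the known sensitive ports.
        for category, ports in PORT_CATEGORIES.items():
            for port, service in ports.items():
                if lo <= port <= hi:
                    matched.add(port)
                    findings.append({
                        "group": rule["group"], "cidr": rule["cidr"], "port": port,
                        "service": service, "category": category,
                        "severity": "critical" if category != "Unnecessary Service" else "high",
                    })
        # Anything else world-open that is not a normal web port is a "shadow port"
        # (e.g. a debugging or CI interface) that deserves a review.
        leftover = [p for p in range(lo, hi + 1) if p not in matched and p not in EXPECTED_PUBLIC_PORTS]
        if leftover:
            findings.append({
                "group": rule["group"], "cidr": rule["cidr"],
                "port": lo if lo == hi else f"{lo}-{hi}", "service": "unknown",
                "category": "Unclassified Public Exposure", "severity": "medium",
            })
    return findings


def summarize(findings):
    """Count findings per category, handy for a pre-scan hygiene benchmark."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    results = audit_rules(SAMPLE_RULES)
    for f in results:
        print(f"{f['severity']:<8} {f['group']:<12} {str(f['port']):<9} {f['service']:<10} {f['category']}")
    print(summarize(results))
```

On the sample, the bastion rule (port 22 limited to one /24) and the database rule (5432 limited to RFC 1918 space) produce nothing, while the test cluster's SSH port, the IPv6 NetBIOS range and the unrecognised port 8080 are reported; running the same audit against a real export before the agency's monthly scan is the "grace period" check the section describes.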

2. Challenging Inaccuracies (The Refutation Strategy)

A significant portion of Network Filtering penalties stems from Contextual Blindness. You may be penalized for a "Honeyport" designed to trap attackers, or for a port that is actually closed to everyone except the scanner's specific IP range (a common cloud configuration quirk). To dispute this, you need forensic evidence gathered by Investigation Modules and backed by Policy Management.

  • The Strategy: When a rating agency flags a "High Risk Port," you need to prove it is either a false positive or an intentionally defensive asset.

  • The Example: A rating agency drops your score because they detect "Open Port 3389 (RDP)" on one of your cloud assets.

    • The Evidence: You use DarChain Attack Path Intelligence to trace the asset and prove that the IP belongs to a Honeypot deployed by your threat intelligence team. The "Finding" (Open Port) leads to a "Tool" (Deception Technology), breaking the attack path.

    • The Validation: You reference your Breach & Ransomware Susceptibility rating, which remains 'A' because the asset is segmented from the production network.

    • The Classification: Use Dynamic Entity Management to auto-classify this asset as "Defensive Infrastructure."

  • The Report: You generate a report using Granular Risk Scoring that indicates this is a "Sanctioned Deception Asset." You bolster this by using Domain Intelligence to show the DNS record is intentionally generic, designed to fool bots, providing the irrefutable data needed to refute the "Risk" label with the agency.

  • A World of Possibilities: It is important to emphasize that this is only one of many possibilities. You might also use ThreatNG to prove that an "Exposed Database Port" is actually a Proxy Service that requires mTLS (verified via Technology Stack), refute a "Telnet Open" claim by showing the service banner is a Tarpit (sticky honeypot), or use the SEC Filings capability within the Sentiment and Financials Investigation Module to prove that the IP block containing the open ports was divested to another company last quarter.

3. Demonstrating Context & Control (The Bolstering Strategy)

Sometimes the port is open but is obscured by controls the scanner cannot see. For example, an SFTP server (Port 22) must be public for clients to upload data. A rating agency sees "SSH Exposed"; you see "Business Necessity." Here, your goal shifts from refuting the data to bolstering the context using technical validation and Exception Management.

  • The Strategy: You use ThreatNG to prove that the exposure is necessary, governed, and hardened.

  • The Example: A rating agency flags your file transfer server as "High Risk" because Port 22 is visible to the internet.

    • The Evidence: You use Technology Stack analysis to prove the server is running a hardened version of OpenSSH, and Vulnerability Intelligence (EPSS) to demonstrate that there are no active exploits for this version.

    • The Validation: You reference your Data Leak Susceptibility rating, which remains 'A' because the server is configured to deny shell access (/bin/false) and strictly enforces chrooted directories.

    • The Governance: To satisfy auditors, you use Exception Management to formally document this asset as a "Public Facing Service" with a defined business owner and review cadence. This creates an audit trail proving to stakeholders that the "Exposure" is a governed service, not a firewall misconfiguration.

  • A World of Possibilities: Explicitly, this is just one example of the many possibilities available with ThreatNG. You could also use Social Media intelligence to show you are publicly documenting the service's availability for partners, validate that an "Open Web Port" (8080) is actually a Zero Trust Gateway requiring authentication before connection (protecting your Web Application Hijack Susceptibility), or use Bank Identification Numbers data to prove that a dedicated payment gateway requires specific ports open for PCI compliance checks.
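The controls the scanner cannot see in the SFTP example (no shell, chrooted directories, key-only access) live in the server's `sshd_config`, and the evidence for a bolstering case is strongest when it comes from the effective configuration rather than a screenshot. The script below is an added example, not ThreatNG code: it parses a constructed `sshd_config`, resolves the settings that apply to a given user and group (honouring OpenSSH's `Match` semantics, where the global section is the default and the first matching block wins per keyword), and reports which of the expected SFTP hardening controls are missing. The `/bin/false` login shell from the example is an account-level setting in `/etc/passwd` rather than an `sshd_config` keyword, so the check verifies the equivalent sshd-side control, `ForceCommand internal-sftp`. The group name `sftponly`, the chroot path and both sample configs are constructed; only `User`, `Group` and `All` criteria are handled, and wildcard or negated patterns are not.

```python
"""Check an sshd_config for SFTP-only hardening. Added example (not ThreatNG code)."""

# Constructed hardened configuration (hypothetical group and paths).
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""

# Constructed weak configuration: chroot only, shell and forwarding still allowed.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
"""

# OpenSSH defaults for the keywords the check cares about (used when unset).
OPENSSH_DEFAULTS = {
    "allowtcpforwarding": "yes",
    "x11forwarding": "no",
    "permittunnel": "no",
    "passwordauthentication": "yes",
}

# Values an SFTP-only service is expected to enforce (canonical keyword -> value).
REQUIRED_SFTP_CONTROLS = {
    "ForceCommand": "internal-sftp",
    "AllowTcpForwarding": "no",
    "X11Forwarding": "no",
    "PermitTunnel": "no",
    "PasswordAuthentication": "no",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); keys lowercased, first value wins per scope."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            tokens = value.split()
            # "Match Group sftponly User alice" -> {"group": "sftponly", "user": "alice"};
            # "Match All" yields an empty criteria dict, which matches everyone.
            criteria = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}
            current = {}
            match_blocks.append((criteria, current))
            continue
        scope = global_settings if current is None else current
        scope.setdefault(key, value)               # first obtained value wins
    return global_settings, match_blocks


def effective_settings(text, user, group):
    """Settings sshd would apply to a session for `user` in `group`."""
    global_settings, match_blocks = parse_sshd_config(text)
    context = {"user": user, "group": group}
    effective, set_by_match = dict(global_settings), set()
    for criteria, settings in match_blocks:
        # Criteria accept comma-separated names; unsupported criteria never match.
        if all(context.get(k) in v.split(",") for k, v in criteria.items()):
            for key, value in settings.items():
                if key not in set_by_match:       # first matching block wins
                    effective[key] = value
                    set_by_match.add(key)
    return effective


def sftp_hardening_findings(text, user, group):
    """List the hardening controls missing for this user; empty means fully hardened."""
    eff = effective_settings(text, user, group)
    findings = []
    chroot = eff.get("chrootdirectory", "none")
    if chroot.lower() == "none":
        findings.append("ChrootDirectory is not set: the account can browse the whole filesystem")
    for keyword, want in REQUIRED_SFTP_CONTROLS.items():
        key = keyword.lower()
        have = eff.get(key, OPENSSH_DEFAULTS.get(key, "<unset>")).lower()
        if have.split()[0] != want:                # ForceCommand may carry options
            findings.append(f"{keyword} is {have!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}: {sftp_hardening_findings(cfg, 'partner1', 'sftponly') or 'all controls present'}")
```

The same function run for a user outside the `sftponly` group shows that the `Match` block does not apply to them, which is exactly the distinction an auditor will ask about when a "Public Facing Service" exception is documented: the hardening must cover every account that can reach the exposed port.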

The ThreatNG Ecosystem Advantage

ThreatNG provides the contextual intelligence required to turn a static checklist into a dynamic security strategy. Here is how our specific pillars support a superior Network Filtering rating:

  • Validating the Perimeter: External Discovery ensures you find "Shadow Ports" (like a developer opening port 3000 for a Node.js app) before rating agencies do, while our internal ThreatNG Security Ratings (like Cyber Risk Exposure and Brand Damage Susceptibility) provide a "pre-flight" check, giving you a benchmark to measure your perimeter hygiene before the official audit.

  • Threat-Led Context: We move beyond simple port scans by integrating deep Intelligence Repositories. We correlate your open ports against Ransomware Gang Activity, Compromised Credentials, Bug Bounties, and Vulnerability Intelligence. This allows you to prioritize port closures based on reality (e.g., "Is there a new exploit for the service running on this port?") rather than a generic "Close All Ports" policy.

  • Proving Logic with DarChain: Finally, DarChain Attack Path Intelligence utilizes the "Finding -> Path -> Step -> Tool" logic to cut through the noise. It helps you prioritize the 5% of exposed services that actually lead to a breach (like a confirmed Non-Human Identity Exposure on an admin portal), ensuring you are governing true risk rather than just chasing a score.