
Threat Validation involves confirming the existence and potential impact of a discovered threat. It's the process of verifying a potential vulnerability or security issue to determine if it is real, exploitable, and poses a genuine risk to an organization. This helps security teams prioritize and allocate resources effectively, focusing on the most critical risks.
ThreatNG's capabilities can be used to help with threat validation in several ways.
External Discovery
ThreatNG can perform external, unauthenticated discovery to identify an organization's attack surface without needing any connectors. This process finds assets and potential entry points that an attacker could use. For example, it discovers public code repositories, mobile apps in marketplaces, and website control files like robots.txt and security.txt. This discovery phase is the initial step in threat validation, as it uncovers potential areas of concern that need further investigation.
External Assessment
ThreatNG performs several types of external assessments that are crucial for threat validation. These assessments evaluate various aspects of an organization's security posture:
Subdomain Takeover Susceptibility: ThreatNG analyzes a website's subdomains, DNS records, and SSL certificate statuses to determine if a subdomain is vulnerable to takeover. This assessment helps validate a potential risk by confirming if a subdomain is misconfigured and could be hijacked by an attacker.
Breach & Ransomware Susceptibility: This assessment considers factors like exposed sensitive ports, known vulnerabilities, compromised credentials on the dark web, and ransomware events to determine an organization's susceptibility to breaches and ransomware attacks. It helps validate a threat by showing if an organization has existing exposures that are commonly exploited in these types of attacks.
Mobile App Exposure: ThreatNG evaluates an organization's mobile apps discovered in marketplaces for the presence of sensitive data, such as access credentials and other security credentials. Finding an Amazon AWS Access Key ID embedded in a mobile app, for example, validates a significant security risk, since an attacker could use that key to access cloud resources.
Cyber Risk Exposure: ThreatNG's Domain Intelligence module assesses cyber risk by looking at certificates, subdomain headers, vulnerabilities, and sensitive ports. It also factors in code secret exposure, which involves investigating code repositories for sensitive data. For instance, discovering a public code repository with an AWS Secret Access Key would validate a specific and critical cyber risk.
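The subdomain takeover check described above rests on one observable condition: a subdomain's CNAME still points at a hostname that no longer resolves, and that hostname sits on a hosted service where a released name can be re-registered by someone else. The following is an added example, not ThreatNG code, of how a defender would encode that two-step validation: first flag dangling CNAMEs from enumerated DNS data, then confirm a candidate against a service fingerprint in the probe response. All DNS data, the resolvable set, the suffix list and the fingerprint table are constructed for illustration.

```python
from dataclasses import dataclass

# All data below is constructed for illustration; it is not ThreatNG output.
# subdomain -> CNAME target, as an unauthenticated DNS enumeration might return it
SAMPLE_CNAMES = {
    "shop.example.com": "shop-example.myshopify.com",
    "blog.example.com": "example-blog.ghost.io",
    "docs.example.com": "docs-example.s3-website-us-east-1.amazonaws.com",
    "www.example.com": "lb-12345.elb.example-hosting.net",
    "old.example.com": "legacy.old-vendor-hosting.net",
}

# CNAME targets that still resolve and answer. In practice this set comes from
# resolving each target and probing it over HTTP(S); here it is constructed.
RESOLVABLE_TARGETS = {
    "shop-example.myshopify.com",
    "lb-12345.elb.example-hosting.net",
}

# Hosted services where a released hostname can be re-registered by a new tenant.
# Illustrative subset only; a real check needs a maintained fingerprint list.
CLAIMABLE_SERVICE_SUFFIXES = (".ghost.io", ".amazonaws.com", ".myshopify.com")

# Response markers that confirm the upstream resource is gone (illustrative;
# "NoSuchBucket" is the documented S3 error for a bucket that does not exist).
UNCLAIMED_FINGERPRINTS = {
    ".amazonaws.com": "NoSuchBucket",
}


@dataclass
class Finding:
    subdomain: str
    cname: str
    reason: str
    severity: str


def check_dangling_cnames(cnames, resolvable, claimable=CLAIMABLE_SERVICE_SUFFIXES):
    """Flag subdomains whose CNAME target no longer resolves.

    A dangling CNAME to a claimable hosted service is the takeover precondition,
    so it is rated higher than a CNAME to a dead private host.
    """
    findings = []
    for sub, target in cnames.items():
        if target in resolvable:
            continue  # target still answers; nothing dangling
        if target.endswith(claimable):
            findings.append(Finding(
                sub, target,
                "CNAME points to an unclaimed hostname on a claimable hosted service",
                "high"))
        else:
            findings.append(Finding(sub, target, "CNAME target does not resolve", "medium"))
    return findings


def confirm_unclaimed(finding, http_body):
    """Second validation step: match the probe response against a service fingerprint.

    http_body is the body returned when the subdomain itself is requested; a
    fingerprint hit confirms the upstream resource is gone rather than merely slow.
    """
    for suffix, marker in UNCLAIMED_FINGERPRINTS.items():
        if finding.cname.endswith(suffix):
            return marker in http_body
    return False  # no fingerprint known for this service; leave unconfirmed


if __name__ == "__main__":
    for f in check_dangling_cnames(SAMPLE_CNAMES, RESOLVABLE_TARGETS):
        print(f"{f.severity:6} {f.subdomain} -> {f.cname}: {f.reason}")
```

The split into a cheap DNS pass and a confirming probe mirrors the validation workflow on this page: the first pass is noisy by design (any dead target is reported), and only a fingerprint match promotes a candidate to a confirmed, actionable finding.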
Reporting, Continuous Monitoring, and Knowledgebase
ThreatNG's reporting and continuous monitoring features are vital for ongoing threat validation. The reports provide detailed, prioritized findings, with risk levels and recommendations, to help security teams focus on the most critical threats. For example, a report might highlight a "High" severity vulnerability and provide a recommendation on how to remediate it.
ThreatNG's Knowledgebase provides additional context and guidance. For a discovered vulnerability, it would give Reasoning to help a security professional understand the context of the threat and Recommendations on how to mitigate it. It also includes Reference links for further investigation.
Investigation Modules
ThreatNG offers several investigation modules that allow for a deeper dive into discovered threats, which is a key part of the validation process:
Domain Intelligence: This module provides a comprehensive analysis of a domain, including DNS records, subdomains, and email intelligence. For example, a security professional can use the Subdomain Intelligence feature to investigate a suspicious subdomain and find out what technologies it uses, what ports are open, and if there are known vulnerabilities associated with it.
Sensitive Code Exposure: This module discovers public code repositories and investigates their contents for sensitive data. For example, if the initial discovery phase found a public GitHub repository, this module could be used to validate the threat by confirming the presence of a hardcoded password or an API key within the code.
Search Engine Exploitation: This module helps investigate an organization's susceptibility to exposing sensitive information through search engines. A security professional could use this to validate a threat by searching for "public passwords" or "privileged folders" associated with their organization.
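The Mobile App Exposure, Cyber Risk Exposure and Sensitive Code Exposure passages above all come down to the same validation step: scanning recovered source or configuration for credential material such as an AWS Access Key ID, an AWS Secret Access Key or a hardcoded password. The example below is added here and is not ThreatNG's scanner; it shows the pattern-plus-entropy approach a defender would use to confirm such a finding while keeping false positives (template placeholders, environment lookups) out of the report. The sample file is constructed, and the two AWS values in it are the well-known documentation examples from AWS, which are never valid credentials.

```python
import math
import re

# Detection patterns. The AKIA/ASIA prefix and 20-character length of an AWS
# Access Key ID are documented by AWS; the other two patterns are generic heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
}

# Values that are obviously templates rather than live secrets.
PLACEHOLDER_PREFIXES = ("${", "<", "{{", "%(")

# Constructed repository snippet. The AWS values are AWS documentation examples.
SAMPLE_SOURCE = """\
# settings.py (constructed)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "${DB_PASSWORD}"
ADMIN_PASSWORD = "hunter2-but-longer"
api_password = os.environ["API_PASSWORD"]
"""


def shannon_entropy(s):
    """Bits per character; random 40-char secrets score well above readable text."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Never copy the full secret into a report; keep a short prefix and the length."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text, path="<constructed>", min_entropy=3.5):
    """Return one finding per (line, pattern) hit, with the matched value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value.startswith(PLACEHOLDER_PREFIXES):
                    continue  # template, not a secret
                if kind == "aws_secret_access_key" and shannon_entropy(value) < min_entropy:
                    continue  # low-entropy string is more likely a label than a key
                findings.append({"path": path, "line": lineno,
                                 "kind": kind, "value": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, "settings.py"):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
```

Two design choices matter for validation rather than detection: the report carries a redacted value, so the finding can be routed to a ticketing system without re-exposing the secret, and the access key ID is matched by its documented structure alone, because its presence (together with the secret) is the fact that makes the exposure critical.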
Intelligence Repositories (DarCache)
ThreatNG's intelligence repositories, branded as DarCache, provide a wealth of information to support threat validation.
Vulnerabilities (DarCache Vulnerability): This repository includes data from NVD (National Vulnerability Database), EPSS (Exploit Prediction Scoring System), and KEV (Known Exploited Vulnerabilities). For a newly discovered vulnerability, a security professional can validate the threat by checking the EPSS score to see how likely it is to be exploited in the near future, and checking the KEV data to see if it is already being exploited in the wild.
Compromised Credentials (DarCache Rupture): This repository contains information on compromised credentials. A security team can validate a dark web presence finding by checking if the compromised credentials are still active or if they have been used in other breaches.
Dark Web (DarCache Dark Web): This repository tracks organizational mentions on the dark web. If an initial discovery flags a dark web presence, a security analyst can use this repository to validate the threat by investigating the specific mentions or compromised credentials found.
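The vulnerability passage above describes combining three signals, NVD severity, EPSS likelihood and KEV "exploited in the wild" status, plus the external-exposure fact from discovery, into a validated priority. The following added example is not ThreatNG's scoring; it is a small, explicit triage policy a security team might write over those fields, ranking observed exploitation (KEV) above predicted exploitation (EPSS) above base severity alone. The CVE identifiers are placeholders and all scores are constructed.

```python
from dataclasses import dataclass


@dataclass
class VulnRecord:
    cve: str        # placeholder ids below; the page names no specific CVEs
    cvss: float     # NVD base score, 0-10
    epss: float     # EPSS probability (0-1) of exploitation activity in the next 30 days
    in_kev: bool    # listed in CISA KEV, i.e. exploitation observed in the wild
    exposed: bool   # confirmed reachable on the external attack surface by discovery


def priority(v):
    """Validation tier: observed exploitation beats predicted, which beats severity alone.

    A vulnerability that discovery could not reach externally is left to the normal
    patch cycle here, whatever its score, because this policy validates external threats.
    """
    if not v.exposed:
        return "P4"
    if v.in_kev:
        return "P1"
    if v.epss >= 0.10:
        return "P2"
    if v.cvss >= 7.0:
        return "P3"
    return "P4"


def triage(records):
    """Order findings for the report: by tier, then EPSS, then CVSS."""
    order = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
    return sorted(records, key=lambda v: (order[priority(v)], -v.epss, -v.cvss))


# Constructed sample; thresholds above are illustrative policy, not an industry standard.
SAMPLE_RECORDS = [
    VulnRecord("CVE-0000-0001", 9.8, 0.02, True, True),    # KEV-listed and exposed
    VulnRecord("CVE-0000-0002", 7.5, 0.45, False, True),   # high EPSS, not yet in KEV
    VulnRecord("CVE-0000-0003", 9.1, 0.01, False, True),   # critical CVSS, low EPSS
    VulnRecord("CVE-0000-0004", 5.3, 0.002, False, True),  # medium, unlikely
    VulnRecord("CVE-0000-0005", 9.8, 0.90, True, False),   # severe but not externally reachable
]

if __name__ == "__main__":
    for v in triage(SAMPLE_RECORDS):
        print(priority(v), v.cve, f"cvss={v.cvss} epss={v.epss:.3f} kev={v.in_kev} exposed={v.exposed}")
```

Note how the critical-CVSS record with a low EPSS score lands below a high-EPSS record of lower severity: that is the point of folding prediction and observation data into validation rather than sorting by base score.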
Complementary Solutions
ThreatNG's capabilities can be used in tandem with other solutions to provide a more comprehensive threat validation workflow:
ThreatNG and a SIEM (Security Information and Event Management): ThreatNG's continuous monitoring could identify a newly exposed sensitive port on an external server and report it as a high-risk finding. The security team could then use this information to correlate it with log data in their SIEM to see if there have been any unusual connection attempts or traffic spikes on that specific port. This validates the finding as not only a potential vulnerability but one that may be actively targeted.
ThreatNG and a SOAR (Security Orchestration, Automation, and Response) Platform: ThreatNG's Code Secret Exposure module could discover a hardcoded API key in a public code repository. A SOAR platform could be configured to ingest this finding and initiate an automated workflow. This workflow could include creating a ticket for the development team, rotating the exposed API key, and performing a scan of the internal network for any other instances of that key. This validates the threat and immediately starts the remediation process.
ThreatNG and a Pentesting Service: ThreatNG’s external assessments can identify subdomains vulnerable to takeover. This finding could then be passed to a third-party pentesting service. The pentesting team would use this specific, validated finding as a starting point for their testing to confirm exploitability and assess the potential impact of a successful takeover.
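The SIEM scenario above (a newly exposed sensitive port, then a check of the log data for unusual connection attempts on it) is a concrete correlation query. The example below is added here and is not part of any ThreatNG or SIEM product; it parses a constructed batch of firewall log lines in a simple key=value layout, counts attempts against the reported host and port since the finding was raised, and returns a verdict that a team could attach to the finding. Hosts and addresses use the RFC 5737 documentation ranges, the thresholds are illustrative, and the port number is a constructed choice.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed firewall log lines in a simple syslog-like layout (not a real product format).
SAMPLE_LOGS = """\
2024-05-01T09:30:00Z fw01 ACCEPT src=192.0.2.200 dst=203.0.113.10 dport=5900 proto=tcp
2024-05-01T10:00:01Z fw01 ACCEPT src=198.51.100.7 dst=203.0.113.10 dport=443 proto=tcp
2024-05-01T10:00:05Z fw01 ACCEPT src=192.0.2.44 dst=203.0.113.10 dport=5900 proto=tcp
2024-05-01T10:00:09Z fw01 ACCEPT src=192.0.2.44 dst=203.0.113.10 dport=5900 proto=tcp
2024-05-01T10:00:12Z fw01 ACCEPT src=192.0.2.45 dst=203.0.113.10 dport=5900 proto=tcp
2024-05-01T10:00:20Z fw01 ACCEPT src=198.51.100.23 dst=203.0.113.10 dport=5900 proto=tcp
2024-05-01T10:00:31Z fw01 ACCEPT src=192.0.2.44 dst=203.0.113.10 dport=5900 proto=tcp
2024-05-01T10:00:50Z fw01 heartbeat ok
2024-05-01T10:01:02Z fw01 ACCEPT src=198.51.100.9 dst=203.0.113.10 dport=5900 proto=tcp
2024-05-01T10:01:40Z fw01 ACCEPT src=192.0.2.45 dst=203.0.113.10 dport=5900 proto=tcp
2024-05-01T10:02:15Z fw01 ACCEPT src=198.51.100.23 dst=203.0.113.10 dport=5900 proto=tcp
2024-05-01T10:02:30Z fw01 ACCEPT src=198.51.100.7 dst=203.0.113.10 dport=443 proto=tcp
2024-05-01T10:03:00Z fw01 ACCEPT src=192.0.2.44 dst=203.0.113.10 dport=5900 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$")


def parse_events(text):
    """Parse matching lines into dicts; lines in another layout are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def correlate(events, dst, dport, since, min_sources=3, min_attempts=5):
    """Summarize connection attempts to dst:dport at or after the finding time.

    The finding is treated as actively targeted when enough distinct sources and
    enough total attempts are seen; both thresholds are illustrative.
    """
    hits = [e for e in events if e["dst"] == dst and e["dport"] == dport and e["ts"] >= since]
    sources = Counter(e["src"] for e in hits)
    return {
        "attempts": len(hits),
        "distinct_sources": len(sources),
        "top_sources": sources.most_common(3),
        "actively_targeted": len(sources) >= min_sources and len(hits) >= min_attempts,
    }


if __name__ == "__main__":
    # Finding raised at 10:00Z for port 5900 on 203.0.113.10 (constructed values).
    verdict = correlate(parse_events(SAMPLE_LOGS), "203.0.113.10", 5900,
                        datetime(2024, 5, 1, 10, 0, 0))
    print(verdict)
```

Anchoring the count at the time the finding was raised, rather than scanning all history, keeps the question the page actually asks: whether the newly exposed port is drawing traffic now, which is what turns an exposure into a validated, actively targeted threat.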
