Threat & Attack Surface Intelligence (ASI): See What Adversaries See and Stop Them in KNOW Time

Your IT and Security teams watch your network and website 24/7. You invest thousands (conservatively) in firewalls, SIEMs, anti-malware, Intrusion Prevention/Detection Systems (IPS/IDS), and other security tools that bombard you with alerts all day long.


Yet attacks can still take you by surprise. In one recent example, the veteran hacktivist group Anonymous resurfaced to carry out the massive BlueLeaks attack on U.S. law enforcement. If it can happen to them, it can happen to almost any company.

Staying a step or two ahead of risk requires broad threat actor insight:

  • What are adversaries up to? There are hundreds of ways to get news about emerging and ongoing attacks but it takes time and expertise to stitch all the data together into reliable, actionable threat intelligence.
  • What do they see when they target your brand? “Outside-in” perspective is the missing link for IT and security operations (SecOps) teams. Resource-intensive assessments such as penetration or “pen” testing, bug bounties, and Red Team exercises can deliver it, but only for one point in time.

Table of contents

Why Now?
Integrated Threat & Attack Surface Intelligence – A New Paradigm
ASI: The industry’s most actionable “outside-in” perspective
Use Cases
Knowledge NOW (KNOW) Threat Intelligence: Everything you need to know about threats, free in minutes

To find risk and prevent breaches, your security professionals need a new calibre of actionable threat and attack surface intelligence that equips them to:

  • Know first, and act fast
  • Become more proactive and preventative
  • Act on the most critical risks first
  • Continuously shrink your attack surface
  • Reduce cycles and alert fatigue
  • Optimize SecOps and IT
  • Demonstrate value

Netenrich uniquely delivers continuous adversary insight by integrating threat and attack surface intelligence to prevent risk, streamline operations, and bridge skills gaps—in less time, and without creating more work for your own team.

Why Now?

Cybersecurity Ventures projects five-year cybersecurity spending will exceed $1 trillion through 2025. The firm also predicts the annual cost of damage related to cybercrime will reach $6 trillion by 2021—a costly gap in the making.

Threat & Attack Surface Intelligence from Netenrich gives you a lasting advantage in bridging this gap by addressing the reasons attacks still succeed:

  • Fast-growing digital footprint: Your digital brand presence continues to grow exponentially, sometimes without IT knowing it. Your external attack surface may even grow at a faster rate than the SecOps team and security budget, creating dangerous skills and visibility gaps.
  • Fast-changing threat landscape: Threats keep coming. A company will fall victim to a ransomware attack every 11 seconds by 2021, and that’s just one form of attack. The COVID-19 pandemic also forced IT and SecOps to focus on accelerating digital transformation and supporting distributed workforces.
  • Skills/resource gaps: Today’s advanced attackers may be equally or better staffed and funded than most enterprise security departments. Investments in new tools often mean more data and alerts that no one has time to contend with. SecOps, SOC, and IT operations also may not be in alignment or able to keep pace with new challenges due to skills shortages, siloed communications, and the lack of a central or common platform for collaborating and sharing data.
Source: Ponemon Institute, Improving the Effectiveness of the Security Operations Center, 2019

In the face of spending constraints . . .

Gartner projects the growth in cybersecurity spending will decline to just 7% by 2023 (compared with 12% in 2018) with boards pushing back and asking IT to justify the spend.

At the same time, cyber risk and challenges continue to grow. As of 2019:

  • The average cost of a data breach was $3.92M (Security Intelligence)
  • More than $3.5B was lost to cybercrime globally (Hashed Out, The SSL Store)
  • Average time to identify a breach was 7 months (IBM)
  • The average lifecycle of a breach was about 11 months from breach to containment (IBM)

Demonstrating Value. In addition to the usual challenges, Gartner writes:

Gartner clients are reporting that after years of quarterly reporting on cybersecurity to their boards, their boards are now pushing back and asking for improved data and understanding of what they have achieved after years of such heavy investment. Outcome-driven metrics (ODM) for technology risk are an abstraction of tools, people and processes to reflect how well an organization is protected, not how it is protected. ODM can be used to enable more effective governance over cybersecurity priorities and investments.

This trend shows a clear and growing need to demonstrate the value of security investments. Ongoing threat and attack surface management can show such improvements and inform higher-value spending strategies.

To SOC or not to SOC?

According to Ponemon Institute, more than two-thirds of large enterprises with substantial investments in building their own SOC deem their SOC ineffective for multiple reasons that can be addressed by threat and attack surface intelligence.

Integrated Threat & Attack Surface Intelligence – A New Paradigm

You can’t control everything on the public Internet, or beyond your firewall, but you can still act first to protect your brand. Businesses can respond faster and become steadily more efficient and proactive by adopting a new approach driven by outcomes and action.

Two areas of specialization have emerged to meet the challenge:

  • Attack surface management (ASM) is the continuous discovery, investigation, prioritization, and mitigation of external digital risk. The dynamic, continuous discovery shows how your brand may be exposed on the public Internet, in public clouds, and Shadow IT. A growing priority for CIOs, CISOs, IT and security teams, ASM looks at the stuff that exists outside your firewalls and perimeter security, beyond IT’s visibility and complete control.
  • “Threat intelligence” refers to information about cyber threats and threat actors that helps mitigate and prevent cyberattacks and improve your security posture. Sources typically include open source, social media, analysts, bloggers, and intelligence from the deep and dark web.

Netenrich uniquely combines ASM and threat intelligence into one integrated solution to deliver complete Resolution Intelligence for preventing attacks, reducing digital brand exposure, bridging skills gaps, and streamlining SecOps. Led by AI and driven by analysts, Integrated Threat & Attack Surface Intelligence from Netenrich delivers intelligent context and a clear path to action, without creating more work for your own analysts.

The suite consists of Knowledge NOW (KNOW) free threat intelligence and Attack Surface Intelligence (ASI). Together KNOW and ASI integrate to deliver actionable resolution intelligence greater than the sum of its parts.

ASI: The industry’s most actionable “outside-in” perspective

ASI from Netenrich lets you see what adversaries see as they target your digital brand with continuous coverage to steadily reduce risk. After zero-effort onboarding, ASI performs automated attack surface scans to discover critical areas of risk – brand exposure, misconfigurations, threat correlation, and vulnerabilities – with a focus on delivering actionable, personalized context.

Machine-led discovery scours billions of data points to identify all digital assets and shadow IT associated with your company brand. This covers a wide range of port, protocol, and service exposure including:

  • Domain exposure including subdomains and those that might be used for lookalike or typosquatting attacks
  • Digital exposure from code repositories, public cloud
  • Vulnerabilities
  • Compromised email addresses
  • IP addresses / open ports
  • Expiring or abandoned certificates
  • Abandoned servers, sites, pages

ASI’s actionability advantage derives from AI-led discovery, rich context, and security experts evaluating findings, prioritizing risk, and delivering high touch remediation strategies. Flexible DIY subscriptions and Concierge Service complement your own resources.

ASI displays your attack surface status with risk indicators per category. Issues are identified by technical checks performed for each category with three levels of risk indicated. Assessments can serve as a benchmark for audits of issues to demonstrate successful and continuous mitigation. In this example Service Exposure is putting the organization under high risk that needs immediate and ongoing attention.

Beyond basic discovery, Netenrich ASI adds:

Analysis: Activity includes correlating and identifying false positives and performing risk-checks to assess the overall attack surface status. Analysis is AI-led with Netenrich experts adding rich insight and context.

The evaluation includes validating data as legitimate and correlating against insight from Netenrich’s Knowledge NOW (KNOW) global threat intelligence. Analysis sets the stage for deep-dives by your security experts.

Prioritization: Security experts vet AI-driven suggestions adding exponential value in promoting rapid action to address the most dangerous risks first.

Remediation: The final goal of intelligence should always be a resolution. ASI features high-touch analyst consultation and detailed reporting of affected assets, technical details, context, and technical remediation advice.

ASM helps IT and SecOps proactively prevent a wide variety of cyberattacks and activities including:

  • Ransomware
  • Command and control
  • DDoS
  • DNS hijacking
  • Brute force
  • Email-based attacks
  • Phishing
  • Typosquatting / lookalike attacks

“What does that tell you?”

ASI answers the questions:

  • How does my business look from a hacker’s perspective?
  • How vulnerable is our digital presence today and in the future?
  • Do we have exposed assets we don’t know about?
  • Which risks should we mitigate first?
  • Is our external security posture getting better?

Use Cases

Use Case I: Brand Exposure

Protection of the company brand is a top concern for management and a growing priority for security teams. Brand exposure spans a wide range of issues, such as whether your organization has been part of a breach, has appeared in leaked credential dumps, or is being targeted by typosquatting of your domain.

A total of 21 domains were associated with this brand. For each, ASI captures discovered sub-domains, DNS records, registrar organization, expiration dates, hosting and discovered dates. Each discovery features quick indicators such as how many domains have expired, or are about to expire that might impact risk.
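To make the per-category risk indicators described above (and the domain expiry indicators in this use case) concrete, here is an added example that is not Netenrich's code or the page's own: a small scoring routine over a constructed asset inventory. The inventory, the 30/90-day thresholds, the sensitive-service list and the LOW/MEDIUM/HIGH names are all assumptions chosen for illustration.

```python
from datetime import date

# Fixed reference date so the sample results are reproducible (assumption).
TODAY = date(2020, 7, 1)

# Constructed sample inventory standing in for the output of discovery (not real assets).
INVENTORY = {
    "domains": [
        {"name": "example-brand.com", "expires": date(2021, 3, 1)},
        {"name": "example-brand.net", "expires": date(2020, 9, 1)},   # 62 days out
    ],
    "certificates": [
        {"host": "www.example-brand.com", "not_after": date(2021, 1, 15)},
    ],
    "services": [
        {"ip": "203.0.113.10", "port": 443, "service": "https"},
        {"ip": "203.0.113.11", "port": 3389, "service": "rdp"},      # admin service on public IP
    ],
}

# Management and database services that should not face the public Internet (assumed list).
SENSITIVE_SERVICES = {"rdp", "ssh", "telnet", "smb", "mysql", "mssql", "redis", "mongodb"}
LEVELS = ("LOW", "MEDIUM", "HIGH")

def expiry_risk(dates, today):
    """Shared rule for domains and certificates: HIGH if anything is expired or
    expires within 30 days, MEDIUM if anything expires within 90 days, else LOW."""
    days_left = [(d - today).days for d in dates]
    if any(n <= 30 for n in days_left):
        return "HIGH"
    if any(n <= 90 for n in days_left):
        return "MEDIUM"
    return "LOW"

def service_exposure_risk(services):
    """HIGH if a sensitive service is reachable from the Internet, MEDIUM if many
    ports are open, otherwise LOW."""
    if any(s["service"] in SENSITIVE_SERVICES for s in services):
        return "HIGH"
    return "MEDIUM" if len(services) > 5 else "LOW"

def attack_surface_status(inventory, today=TODAY):
    """One risk indicator per category, the way a dashboard summarises each category."""
    return {
        "domain_exposure": expiry_risk([d["expires"] for d in inventory["domains"]], today),
        "certificates": expiry_risk([c["not_after"] for c in inventory["certificates"]], today),
        "service_exposure": service_exposure_risk(inventory["services"]),
    }

def overall_status(status):
    """The worst category drives the headline rating."""
    return max(status.values(), key=LEVELS.index)

def expiring_items(inventory, today=TODAY, within_days=30):
    """Domains and certificates that need attention first, with days left, soonest first."""
    items = [(d["name"], (d["expires"] - today).days) for d in inventory["domains"]]
    items += [(c["host"], (c["not_after"] - today).days) for c in inventory["certificates"]]
    return sorted(((name, n) for name, n in items if n <= within_days), key=lambda x: x[1])
```

Re-running `attack_surface_status` on each discovery cycle and diffing the result is one way to show the "is our posture getting better" trend the text refers to.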

Inadvertently or accidentally leaving company assets exposed — having code available in public repositories or accessible via public cloud storage — contributes to risk.

Use Case II: Misconfigurations

DivvyCloud reports over 33 billion records were exposed in breaches during 2018 and 2019 due to cloud misconfigurations, costing companies some $5 trillion. The company says, “The rush to adopt cloud services has created new opportunities for attackers — and attackers are evolving faster than companies can protect themselves.”

Why do misconfigurations account for more than 20% of breaches every year? For one thing, network and security architectures continue to change, creating a dynamic shift in the attack surface. Administrative tasks such as managing expiring certificates, enforcing authentication (usually on nonproduction sites), and minor configuration steps may also fall by the wayside.

These mistakes account for a large portion of the first stage of an attack with savvy adversaries turning oversights into entry points. While security tools may not find such errors, ASI sheds light on the things that must be addressed.

Use Case III: Threat Correlation

Identifying public-facing assets is a great step toward creating a better security posture. Correlating assets to active or recent nefarious activity takes you a major step further. ASM helps in understanding how your public IP space may be used to launch attacks or serve malware:

  • Have domains been subverted for phishing or command and control?
  • Has your infrastructure been compromised and resources siphoned off for coin-mining or as a pit-stop in the fraud chain?
  • Are company assets linked to malware?
Netenrich ASI correlates your infrastructure to threat intelligence to identify malicious activity.

Fast, automated discovery combined with built-in threat intelligence is key to successful threat correlation.

ASI vs. Pen Testing: 24/7 coverage. 75% lower cost.

Bi-weekly pen testing or in-depth quarterly assessments can easily run $250K per year. And you only get snapshots that could change the next day.

ASI provides continuous coverage, often at 50-75% lower cost.

Use Case IV: Vulnerability Insight

Which vulnerabilities are trending? Are they currently being weaponized by bad actors? Which can cause the most damage?

Finding and researching vulnerabilities in your system is an age-old security problem compounded by a fast-changing attack surface. Depending on your architecture or where systems live, scanning may not always be an option.

Aggregating data for prioritization proves essential to any hope of successful patching. ASI integrates with real-time threat intelligence to reduce cycles and make it even easier to prevent breaches and combat alert fatigue.

Knowledge NOW (KNOW) Threat Intelligence: Everything you need to know about threats, free in minutes

You can find news about threats in lots of places, but someone still needs to decide what’s important, and what to do about it. Knowledge NOW (KNOW) real-time threat intelligence from Netenrich brings you closer to action by answering:

  • What happened and why?
  • What are experts saying about it?
  • What should we be following? What changed since yesterday?
  • Is this IP or IoC good or bad?
  • What should we address first? How do you do it?

KNOW puts what you need to follow threats — news, trends, search, scores and context — in one place, for free. KNOW adds actionable context and insight to take users from “heads up” to “what to do” in minutes. The KNOW TODAY newsletter sends the day’s top stories to your inbox so you can keep current without searching elsewhere. Log into KNOW to research the news and gain actionable context up to 15X faster than you could with Google News.

KNOW curates data from worldwide threat feeds, industry coverage, and Netenrich’s global ops intelligence centre to bring breaking news and context together in one view. Rather than rely on public CVE (common vulnerability and exposure) scores, KNOW adds context based on threat levels, recent activity, risk associations, historical data, expert insights, and industry coverage. Deep context gets vetted by analysts to help everyone from your CEO and CISO to SOC and SecOps professionals find exactly what they need.

Better intel at KNOW cost. KNOW delivers deeper insight and more actionable context than many free and paid threat intelligence services with analysts vetting contextual tags, risk scoring, and more.

KNOW automatically feeds updates into ASI so your security analysts can take the next logical step and research the relevant threats discovered.

Threat Intelligence Use Cases

Use threat intel to streamline learning and day to day efforts:

  • Breach alerts: Near-real-time alerts on breaches help to immediately identify trends and techniques being actively leveraged and accelerate hunting activity.
  • Tracking third-party risk: Find out fast when vendors or suppliers incur major security incidents. Saving searches on relevant terminology ensures you receive relevant alerts as they happen, a must for proactive investigation.
  • Stack alerts: Monitor for zero-day attacks, trends in vulnerabilities, malware, and other potential targeting of systems in your environment that are critical or at risk because they cannot be patched.
  • Vulnerability insight: Prioritize patching efforts with detailed information on vulnerabilities that are trending, associated with active threats or threat actors, or affiliated with malware.

You can’t afford not to KNOW!

Act on threats in KNOW time

  • Free newsletter highlights Top Stories of the Day
  • Constantly updated and curated
  • Free Intelligence Portal
  • Dashboard highlights news, updates, trends, advisories, recent activity, related topics
  • Follow trends
  • Save searches
  • “Bring your own IoCs”
  • Analyst-vetted context
  • See associations with IPs, domains, hashes, vulnerabilities, threat actors, malware, and companies—in one screen

Together, KNOW and ASI deliver reliable, ongoing data that helps reduce noise, false positives, and alert fatigue. SecOps and IT teams can act faster, become more proactive, and devote more time to high-priority activities such as deploying new technologies, threat hunting, and incident response.

Benefits of Integrated Attack Surface & Threat Intelligence

Know

Know first: Daily newsletter puts top stories in your inbox

Act fast – save time and streamline SecOps:

  • Day’s top stories with no search time
  • Search time 2-30 minutes vs. 4 hours per alert
  • Research IoCs, threats 15X faster
  • Analyst-vetted Threat Criticality scores help prioritize risks
  • Prioritize threats, patches, updates faster
  • Less time chasing false positives

Personalized intelligence:

  • Research IOCs of interest, industry, geography, types of attacks, trusted sources
  • “Threats You Follow”

Continuous Coverage: Continuously updated by Netenrich Global Threat Intelligence Center and Internet sources

Actionability:

  • Analyst-vetted tags guide threat research
  • Data automatically correlated with relevant intelligence (trend data, recent activity, etc.)

ASI

Know first: Find your digital brand exposure before bad actors do

Act fast – save time and streamline SecOps:

  • 3-4x faster discovery
  • 24/7 coverage (vs. 1-3 weeks for a point-in-time risk assessment)
  • Expert-vetted remediation strategy within 48 hours

Personalized intelligence:

  • Attack surface scans and analyst recommendations track your unique attack surface
  • Custom dashboards

Continuous Coverage: Increased value vs. pen testing, Red Team exercises and other point-in-time solutions

Actionability:

  • The intuitive dashboard makes it easy to drill down
  • High-touch reports feature expert analysis and proposed mitigation strategies

Source: Netenrich

Published by Lisa Turnbull
