Temporal Risk Analysis
5 automated security scanners
Credential Aging Assessment
Purpose: The Credential Aging Assessment Scanner is designed to identify and assess risks associated with password reuse, inactive accounts, weak passwords, credential exposure, and potential threats indicated by various indicators. It aims to provide insights into the security posture of an organization’s digital assets by analyzing historical data and patterns in credential usage.
What It Detects:
- Password Reuse Detection: Identifies repeated use of the same passwords across different accounts or systems, which can lead to unauthorized access if a password is compromised elsewhere.
- Inactive Account Identification: Detects accounts that have not been used for an extended period, suggesting potential compromise and highlighting the need for immediate action to rotate credentials.
- Weak Password Patterns: Recognizes commonly used or easily guessable passwords based on known patterns, which are vulnerable to brute force attacks and password spraying techniques.
- Credential Exposure Indicators: Searches for indicators of credential exposure in threat intelligence feeds and dark web data sources, helping organizations understand the potential risks associated with leaked credentials.
- Threat Indicator Matching: Matches known threat indicators from CVE, malware, and other security databases to identify potential vulnerabilities and malicious activities related to compromised accounts or systems.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com). This input is essential for directing the scanner’s analysis towards specific organizational domains to assess password practices and historical usage patterns.
Business Impact: The improper management of credentials can lead to significant security breaches, data theft, and financial losses. Effective credential rotation policies are crucial for maintaining a secure digital environment where unauthorized access through compromised passwords is minimized.
Risk Levels:
- Critical: Findings that directly indicate the compromise of critical systems or exposure of sensitive information that could lead to severe consequences such as identity theft or national security threats.
- High: Risks associated with high-profile accounts, such as executive and administrative credentials, which if compromised, can significantly impact business operations and reputation.
- Medium: Vulnerabilities in less critical systems where unauthorized access might lead to moderate risks like data leakage but does not pose a direct threat to operational integrity.
- Low: Informational findings that may suggest suboptimal password practices or outdated security measures but do not currently indicate significant risk.
- Info: General information about potential improvements in password policies, such as recommending stronger passwords or more frequent rotations for less sensitive accounts.
Example Findings:
- A user has reused the same password across multiple systems, which increases the risk of a single compromised password affecting multiple accounts.
- An inactive account with credentials last used over two years ago could indicate potential compromise and should be promptly rotated to enhance security.
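The password-reuse and inactive-account checks described above, as an added example that is not the scanner's own code. It assumes the identity store can export a stable per-password fingerprint (a constructed field here), a one-year inactivity threshold (the page only says "extended period"), and rates findings that touch a privileged account as High and the rest as Medium, following the risk ladder above.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    pw_fingerprint: str  # assumed export: same fingerprint means same password
    last_used: date
    privileged: bool = False


INACTIVE_AFTER = timedelta(days=365)  # assumed threshold, not stated on the page
ASSESSMENT_DATE = date(2024, 7, 1)     # "today" for the constructed sample

# Constructed sample inventory; fingerprints are placeholders, not real hashes.
SAMPLE_ACCOUNTS = [
    Account("alice", "vpn", "fp-a1", date(2024, 5, 1)),
    Account("alice", "git", "fp-a1", date(2024, 4, 20)),
    Account("root", "db01", "fp-r9", date(2021, 11, 3), privileged=True),
    Account("bob", "vpn", "fp-b2", date(2024, 6, 2)),
]


def find_password_reuse(accounts):
    """One finding per fingerprint shared by two or more accounts."""
    by_fp = defaultdict(list)
    for acc in accounts:
        by_fp[acc.pw_fingerprint].append(acc)
    findings = []
    for group in by_fp.values():
        if len(group) < 2:
            continue
        level = "high" if any(a.privileged for a in group) else "medium"
        findings.append({"type": "password_reuse", "level": level,
                         "accounts": sorted(f"{a.user}@{a.system}" for a in group)})
    return findings


def find_inactive_accounts(accounts, today, threshold=INACTIVE_AFTER):
    """Accounts idle longer than the threshold; rotation is the recommended action."""
    findings = []
    for acc in accounts:
        idle = today - acc.last_used
        if idle > threshold:
            level = "high" if acc.privileged else "medium"
            findings.append({"type": "inactive_account", "level": level,
                             "account": f"{acc.user}@{acc.system}", "idle_days": idle.days})
    return findings


def assess(accounts, today=ASSESSMENT_DATE):
    return find_password_reuse(accounts) + find_inactive_accounts(accounts, today)
```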
Time-Window Exploitation
Purpose: The Time-Window Exploitation Scanner is designed to detect fraud during critical periods such as payroll processing dates and holidays by analyzing threat intelligence feeds to identify potential vulnerabilities and malicious activities that could be exploited.
What It Detects:
- Payroll Date Vulnerabilities: Identifies CVEs and known exploits published around payroll processing dates and monitors suspicious domain/IP activity related to payroll systems.
- Holiday Breach Timing: Detects malware, ransomware, or trojan activity timed around holidays and looks for command and control (C2) server communications during holiday periods.
- Threat Intelligence Indicators: Searches the Shodan API for exposed services and vulnerabilities, checks the VirusTotal API for domain/IP reputation, verifies the CISA KEV list for known exploited vulnerabilities, assesses AbuseIPDB for IP reputation, and looks up the NVD/CVE database for vulnerability details.
- Real-Time Exposure Alerts: Monitors for exposure indicators such as “exposed,” “leaked,” or “breached” data and detects unauthorized access attempts and data dumps.
- Malicious Activity Patterns: Identifies patterns such as malware, ransomware, trojan, and command and control (C2) activity, and searches for phishing or credential harvesting attempts.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com).
Business Impact: This scanner is crucial for organizations to proactively identify potential threats during critical periods that could lead to significant financial losses, data breaches, and reputational damage. It helps in securing payroll operations and preventing malicious activities around holidays that might exploit known vulnerabilities.
Risk Levels:
- Critical: Findings include CVEs with direct exploits or those timed around sensitive dates, indicating immediate attention is required.
- High: Detection of malware, ransomware, trojan activities during critical periods suggests a high risk of data compromise and financial loss.
- Medium: Indicators such as suspicious domain/IP activity might not directly lead to severe consequences but could be precursor indicators for potential future threats.
- Low: Informational findings may include exposure indicators that are generally safe, requiring monitoring rather than immediate action.
- Info: Provides general information about the health and security posture of a system, useful for ongoing risk assessment without high urgency.
Example Findings:
- A critical vulnerability (CVE-2021-44228) identified on IP address 192.168.1.1 around payroll dates could indicate active exploitation attempts.
- Detection of trojan activity during a holiday period suggests potential unauthorized access and data exfiltration, posing a high risk to the organization’s security.
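The timing correlation this scanner performs, as an added example that is not the scanner's own code. It assumes the organization supplies its payroll and holiday calendar, a window of three days either side of each sensitive date, and feed signals in a constructed shape; the CVE ids, IP and domain in the sample are placeholders. The risk ladder follows the levels above: exploitable CVEs near a sensitive date are Critical, malware or C2 activity around a holiday is High, other suspicious domain/IP activity is Medium.

```python
from datetime import date, timedelta

# Constructed calendar of sensitive dates for the analysed organisation (assumed input).
PAYROLL_DATES = [date(2024, 6, 28), date(2024, 7, 31)]
HOLIDAYS = [date(2024, 7, 4), date(2024, 12, 25)]
WINDOW = timedelta(days=3)  # assumed width: +/- 3 days around a sensitive date

# Constructed threat-intel signals; ids are placeholders, not real indicators.
SIGNALS = [
    {"kind": "cve", "id": "CVE-EXAMPLE-0001", "date": date(2024, 6, 27), "has_exploit": True},
    {"kind": "c2_beacon", "id": "203.0.113.7", "date": date(2024, 7, 5)},
    {"kind": "cve", "id": "CVE-EXAMPLE-0002", "date": date(2024, 9, 15), "has_exploit": True},
    {"kind": "suspicious_domain", "id": "payroll-login.example", "date": date(2024, 7, 30)},
]

MALICIOUS_KINDS = ("malware", "ransomware", "trojan", "c2_beacon")


def nearest_sensitive_date(day, calendar):
    """Return (label, sensitive_date, offset_days) for the closest calendar entry."""
    best = None
    for label, dates in calendar.items():
        for d in dates:
            off = (day - d).days  # negative = before the sensitive date
            if best is None or abs(off) < abs(best[2]):
                best = (label, d, off)
    return best


def rate(signal, hit):
    """Map a signal that fell inside a window onto the page's risk ladder."""
    if signal["kind"] == "cve" and signal.get("has_exploit"):
        return "critical"
    if signal["kind"] in MALICIOUS_KINDS and hit[0] == "holiday":
        return "high"
    return "medium"


def time_window_findings(signals, payroll, holidays, window=WINDOW):
    calendar = {"payroll": payroll, "holiday": holidays}
    findings = []
    for s in signals:
        hit = nearest_sensitive_date(s["date"], calendar)
        if hit and abs(hit[2]) <= window.days:
            findings.append({"signal": s["id"], "near": hit[0],
                             "offset_days": hit[2], "level": rate(s, hit)})
    return findings
```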
Historical Vulnerability Impact
Purpose: The Historical Vulnerability Impact Scanner is designed to assess the risk associated with aging Common Vulnerabilities and Exposures (CVEs) that have not been addressed over time, potentially leaving a domain vulnerable for extended periods. This tool aims to identify vulnerabilities in systems that may be susceptible to prolonged exploitation risks.
What It Detects:
- Aging CVE Detection: Identifies CVEs associated with the domain that are older than a specified threshold (e.g., 2 years) without corresponding patches, which can indicate significant exposure and potential risk.
- Patch Deployment Timing: Analyzes the timeline of CVE disclosures and patch releases to determine if patches have been deployed within a reasonable timeframe, highlighting any delays that could suggest systemic issues in vulnerability management.
- Known Exploited Vulnerabilities (KEV): Cross-references identified CVEs against the CISA Known Exploited Vulnerabilities list to highlight vulnerabilities that are currently being exploited, which is crucial for immediate attention and remediation.
- Domain/IP Reputation: Evaluates the reputation of the domain and associated IPs using VirusTotal and AbuseIPDB to identify potential exposure risks, helping in understanding the overall risk landscape.
- Exposed Services and Vulnerabilities: Utilizes Shodan API to scan for exposed services and vulnerabilities on the domain’s infrastructure, detecting patterns that may indicate security weaknesses or exposures.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com). This input is essential for all detection processes as it defines the scope of the analysis.
Business Impact: Addressing aging CVEs and patch delays can significantly impact a security posture by reducing exposure to known vulnerabilities that could be exploited, thereby mitigating potential data breaches and system compromises. It also enhances compliance with security standards and best practices, which is crucial for maintaining trust and confidence in digital services.
Risk Levels:
- Critical: CVEs older than 2 years without patches are considered critical as they represent unaddressed vulnerabilities that could be actively exploited.
- High: Delays in patch deployment, or significant reputation risks identified through external threat intelligence sources, indicate high severity and require prompt attention.
- Medium: Vulnerabilities with known exploitation activity but not yet critical can still pose a medium risk if left unattended, especially if they are part of actively exploited CVEs from the CISA KEV list.
- Low: Informational findings such as exposed services without significant vulnerabilities may be considered low risk unless there is evidence of active exploitation or imminent threat.
- Info: These include general indications of exposure and reputation checks that provide a baseline understanding but do not necessarily indicate immediate action required.
Example Findings:
- A CVE identified as “CVE-2019-1234” was published in 2019 and is still unpatched, indicating a critical risk due to prolonged exposure without remediation.
- An IP address associated with the domain has been flagged by VirusTotal for multiple malware indicators, suggesting a high risk of system compromise through malicious activities.
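The aging, patch-delay and KEV checks above, as an added example rather than the scanner's own code. The two-year aging threshold comes from the page; the 90-day patch-delay threshold, the record shape, the placeholder CVE ids and the stand-in KEV set are assumptions. The ladder is applied in the page's own order (aging unpatched CVE is Critical, late deployment is High, unremediated KEV entry is Medium, everything else Info).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

AGING_THRESHOLD_DAYS = 2 * 365  # page: older than 2 years without a patch
PATCH_DELAY_DAYS = 90           # assumed: deployment later than this counts as a delay
ASSESSMENT_DATE = date(2024, 7, 1)


@dataclass
class CveRecord:
    cve_id: str
    published: date
    patch_released: Optional[date]  # vendor fix availability, None if no fix exists
    patch_deployed: Optional[date]  # when the domain's asset got it, None if still unpatched


# Constructed records; ids are placeholders, not real CVEs.
RECORDS = [
    CveRecord("CVE-EXAMPLE-1001", date(2021, 3, 1), date(2021, 3, 15), None),
    CveRecord("CVE-EXAMPLE-1002", date(2023, 9, 1), date(2023, 9, 10), date(2024, 2, 1)),
    CveRecord("CVE-EXAMPLE-1003", date(2024, 1, 15), date(2024, 1, 20), None),
    CveRecord("CVE-EXAMPLE-1004", date(2024, 3, 1), date(2024, 3, 5), date(2024, 3, 20)),
]
KEV_IDS = {"CVE-EXAMPLE-1003"}  # constructed stand-in for the CISA KEV catalogue


def classify(rec, kev_ids, today):
    """Return (level, reason) following the page's ladder, highest priority first."""
    age_days = (today - rec.published).days
    if rec.patch_deployed is None and age_days > AGING_THRESHOLD_DAYS:
        return "critical", f"unpatched for {age_days} days"
    if rec.patch_deployed and rec.patch_released:
        delay = (rec.patch_deployed - rec.patch_released).days
        if delay > PATCH_DELAY_DAYS:
            return "high", f"patch deployed {delay} days after release"
    if rec.cve_id in kev_ids and rec.patch_deployed is None:
        return "medium", "listed in CISA KEV and not yet remediated"
    return "info", "tracked, no aging or delay signal"


def historical_impact(records, kev_ids, today=ASSESSMENT_DATE):
    return {r.cve_id: classify(r, kev_ids, today) for r in records}
```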
Signal Age Decay
Purpose: The Signal_Age_Decay Scanner is designed to detect old credential value assessments and historical breach relevance by analyzing the age of credentials and their exposure history. This tool helps in identifying potential security risks associated with outdated or compromised credentials, ensuring a proactive approach to safeguarding sensitive information.
What It Detects:
- Credential Age Analysis: Identifies credentials that have not been updated for an extended period using regex patterns to detect mentions of credential ages.
- Historical Breach Relevance: Checks for historical breach data related to the domain, detecting mentions of past breaches and their relevance to current security posture.
- Exposure Indicators: Identifies patterns indicating exposure or leakage of credentials through the use of regex patterns like “exposed,” “leaked,” and “breached.”
- Threat Indicator Detection: Scans for known threat indicators such as CVEs, malware, and command-and-control references using specific regex patterns.
- Vulnerability Indicators: Detects mentions of vulnerabilities and exploits relevant to the domain, utilizing relevant regex patterns.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com). This parameter is essential for directing the scanner’s analysis towards a specific domain or website.
Business Impact: The primary business impact of this scanner lies in its ability to proactively identify potential security risks associated with outdated credentials and historical breaches, enabling organizations to take immediate action to mitigate these risks and protect their sensitive information from exploitation by malicious actors.
Risk Levels:
- Critical: Conditions that would lead to a critical risk include the discovery of unpatched vulnerabilities directly affecting critical systems or services within the domain.
- High: High-risk findings involve significant exposure of credentials, such as widespread leakage or breach history indicating high potential for data misuse.
- Medium: Medium-risk conditions pertain to moderate exposure and vulnerability levels that could be exploited with some effort but pose a notable risk if not addressed promptly.
- Low: Low-risk conditions are those where vulnerabilities are minimal, exposures are contained, and the overall impact on security posture is relatively low.
- Info: Informational findings include general indications of potential issues or areas for improvement that do not currently pose significant risks but could become problematic in the future if left unaddressed.
Risk levels are inferred based on the severity of detected issues and their potential impact on system integrity and confidentiality.
Example Findings:
- Credential age analysis might flag credentials last updated 3 years ago, indicating a possible compromise or lack of renewal protocols.
- Historical breach relevance could reveal a data breach from 2018, suggesting the need for enhanced security measures to prevent future breaches.
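The regex-driven extraction the page describes (credential age mentions, breach history, exposure keywords, CVE and C2 references), as an added example that is not the scanner's own code. The patterns, the constructed snippets and the placeholder CVE id are assumptions; the rating mirrors the ladder above, with breach history or exposed credentials rated High and stale credentials, CVE or threat references Medium.

```python
import re

# Patterns modelled on the page's indicator categories (constructed, not the scanner's own).
PATTERNS = {
    "credential_age": re.compile(
        r"(?:password|credential|key)s?\s+(?:last\s+)?(?:updated|changed|rotated)"
        r"\s+(\d+)\s+(year|month)s?\s+ago", re.I),
    "breach_year": re.compile(r"\bbreach(?:ed)?\b[^.]*?\b(20\d{2})\b", re.I),
    "exposure": re.compile(r"\b(exposed|leaked|breached)\b", re.I),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "threat": re.compile(r"\b(malware|ransomware|trojan|c2|command[- ]and[- ]control)\b", re.I),
}

# Constructed snippets of the kind a feed search for the domain might return.
# CVE-0000-0000 is a placeholder id, not a real CVE.
SNIPPETS = [
    "acme.com admin password last changed 3 years ago; still in use on the VPN.",
    "Archive: acme.com customer database breached in 2018, 40k records leaked.",
    "Host mail.acme.com references CVE-0000-0000 and a known C2 beacon pattern.",
]


def extract_signals(text):
    """Return {category: matches} for every pattern that fires on the text."""
    return {name: pat.findall(text) for name, pat in PATTERNS.items() if pat.search(text)}


def credential_age_years(hits):
    """Oldest credential age mentioned, in years (months are converted)."""
    ages = [int(n) if unit.lower() == "year" else int(n) / 12
            for n, unit in hits.get("credential_age", [])]
    return max(ages, default=0)


def rate(hits):
    if "breach_year" in hits or ("exposure" in hits and "credential_age" in hits):
        return "high"
    if credential_age_years(hits) >= 1 or "cve" in hits or "threat" in hits:
        return "medium"
    return "info"


def assess_snippets(snippets):
    out = []
    for text in snippets:
        hits = extract_signals(text)
        out.append({"text": text, "signals": hits, "level": rate(hits),
                    "credential_age_years": credential_age_years(hits)})
    return out
```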
Ephemeral Infrastructure
Purpose: The Ephemeral Infrastructure Scanner is designed to identify short-lived attack platforms and temporary Command and Control (C2) servers by analyzing domain reputation, exposed services, and known vulnerabilities. This tool helps in identifying transient malicious infrastructure that may be used for brief but effective attacks, contributing to the overall security posture of an organization.
What It Detects:
- Domain Reputation Analysis: Checks the VirusTotal API to assess the reputation of domains, flagging those identified as malicious or suspicious.
- Exposed Services Detection: Utilizes the Shodan API to discover exposed services and vulnerabilities associated with a domain, including open ports and outdated software versions.
- Known Exploited Vulnerabilities: Cross-references findings with the CISA KEV (Known Exploited Vulnerabilities) list, highlighting domains using software with known exploits.
- IP Reputation Evaluation: Uses AbuseIPDB to evaluate the reputation of IPs associated with a domain, identifying malicious or suspicious IP addresses.
- CVE Lookup: Queries the NVD/CVE database for vulnerabilities related to a domain, highlighting specific CVEs that could be exploited by attackers.
Inputs Required:
- domain (string): The domain to analyze (e.g., acme.com).
Business Impact: This scanner is crucial for organizations looking to proactively identify and mitigate the risks associated with ephemeral infrastructure used in brief but potentially harmful attacks. By detecting malicious domains, exposed services, and known vulnerabilities early, it helps prevent potential data breaches and maintains the integrity of digital assets.
Risk Levels:
- Critical: The scanner flags domains using software with known exploits or where the IP reputation is very poor (e.g., an AbuseIPDB abuse score above a configured threshold).
- High: The scanner identifies domains with high exposure to vulnerabilities that could be exploited, such as open ports and outdated software versions found through Shodan.
- Medium: The scanner highlights domains with moderate risk, typically where the domain reputation is low but not critical, or where specific CVEs are identified.
- Low: Informational findings indicating potential risks, such as domains with a neutral VirusTotal reputation that do not immediately raise flags for malicious activity.
- Info: Minimal impact findings, which may include domains with high exposure to vulnerabilities but no immediate exploitation vectors.
Example Findings:
- A domain associated with numerous open ports and outdated software versions on Shodan, indicating a potential risk of exploitation.
- A domain flagged as malicious by VirusTotal due to its association with known malware or suspicious activities.