
Threat Monitoring

5 automated security scanners


Purpose: The Insider Risk Assessment Scanner is designed to identify potential insider threats by detecting unauthorized physical or logical access, analyzing anomalous user behavior, and identifying attempts to exploit known vulnerabilities within an organization. It helps organizations safeguard sensitive information by surfacing insiders who may pose a risk, correlating three classes of signal: proximity access indicators, behavioral anomalies, and access exploitation patterns.

What It Detects:

  • Proximity Access Indicators: Unauthorized physical or logical access to sensitive areas or systems, including unusual login times (e.g., late-night logins) and unexpected locations.
  • Behavioral Indicators: Anomalies in user behavior such as large file transfers or frequent uploads to external services that may indicate data exfiltration.
  • Access Exploitation Patterns: Attempts to use known vulnerabilities or exploits inside the organization, including privilege escalation and access to restricted areas without proper authorization.
  • Threat Intelligence Feeds: Integration of data from Shodan, VirusTotal, CISA KEV, and other threat intelligence sources to identify potential threats related to known exploits and malware activities.
  • IP Reputation Analysis: Checking the reputation of internal and external IPs associated with user activity, flagging suspicious activities linked to malicious behavior or compromised systems.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com) - Used to scope the threat-intelligence lookups and IP reputation checks to the organization’s own infrastructure.
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”) - Used to search public statements and reports that name the organization, and to label findings in the report with that context.

Business Impact: This scanner is crucial for maintaining the integrity and security of sensitive information within an organization. By identifying potential insider threats early, organizations can mitigate risks associated with data breaches, intellectual property theft, and other malicious activities conducted by insiders.

Risk Levels:

  • Critical: Conditions that directly lead to significant harm or exposure of sensitive information, such as unauthorized access to critical systems or widespread data exfiltration.
  • High: Conditions that pose a high risk of exposing sensitive information, including unusual activity patterns and potential exploitation of vulnerabilities.
  • Medium: Conditions that may indicate increased risk but do not directly lead to severe consequences, requiring monitoring and further investigation.
  • Low: Informative findings that require minimal action unless they escalate into higher risks.
  • Info: Minimal or purely informational findings that generally do not impact the security posture significantly.


Example Findings:

  • An employee accessed a restricted database at 3 AM from an unexpected location.
  • A user transferred an unusually large volume of data as many small files rather than a few large ones, a shape that keeps each transfer under per-file size alerts and is a common sign of data exfiltration.
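The two example findings above correspond to two detection rules: an off-hours login from a location outside the user's baseline, and a burst of small uploads to an external destination. The following is an added example of that detection logic run over a constructed audit log; it is not the Insider Risk Assessment Scanner's own code. The record shape (user, ts, event, country, dest, bytes), the per-user country baseline, the business-hours window and every threshold are assumptions chosen for illustration.

```python
"""Behavioral insider-risk indicators over constructed audit-log records.

Added example, not the Insider Risk Assessment Scanner's own code. The record
shape (user, ts, event, country, dest, bytes), the per-user country baseline
and every threshold are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 20)            # logins outside 07:00-20:00 local are off-hours
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}   # assumed per-user baseline
EXFIL_WINDOW = timedelta(hours=1)
EXFIL_MIN_FILES = 20                # "many small files" shape: at least this many ...
EXFIL_SMALL_FILE = 5 * 1024 * 1024  # ... each under 5 MiB ...
EXFIL_MIN_BYTES = 25 * 1024 * 1024  # ... adding up to more than 25 MiB in the window
RISK_ORDER = ["Critical", "High", "Medium", "Low", "Info"]

# Constructed sample audit log (not real data).
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-03-04T09:12:00", "event": "login", "country": "US"},
    {"user": "alice", "ts": "2024-03-05T03:07:00", "event": "login", "country": "RO"},
    {"user": "alice", "ts": "2024-03-05T10:00:00", "event": "upload", "dest": "external",
     "bytes": 50 * 1024 * 1024},    # one large file: not the many-small-files shape
    {"user": "bob", "ts": "2024-03-05T14:00:00", "event": "login", "country": "US"},
] + [
    # bob pushes 40 files of ~1 MB each to an external service within 40 minutes
    {"user": "bob", "ts": f"2024-03-05T14:{minute:02d}:00", "event": "upload",
     "dest": "external", "bytes": 1_000_000}
    for minute in range(20, 60)
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def login_findings(events):
    """Proximity access indicators: off-hours logins and logins from a country
    outside the user's baseline. Both together rate High, either alone Medium."""
    findings = []
    for e in events:
        if e["event"] != "login":
            continue
        hour = _ts(e).hour
        off_hours = not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])
        new_country = e["country"] not in BASELINE_COUNTRIES.get(e["user"], set())
        if off_hours and new_country:
            indicator, risk = "off-hours login from unexpected location", "High"
        elif off_hours:
            indicator, risk = "off-hours login", "Medium"
        elif new_country:
            indicator, risk = "login from unexpected location", "Medium"
        else:
            continue
        findings.append({"user": e["user"], "indicator": indicator, "risk": risk,
                         "detail": f"{e['ts']} from {e['country']}"})
    return findings


def exfil_findings(events):
    """Behavioral indicator: many small uploads to an external destination inside
    a sliding one-hour window. At most one finding per user."""
    uploads = {}
    for e in events:
        if e["event"] == "upload" and e.get("dest") == "external":
            uploads.setdefault(e["user"], []).append(e)
    findings = []
    for user, ups in uploads.items():
        ups.sort(key=_ts)
        for i in range(len(ups)):
            j, total = i, 0
            while j < len(ups) and _ts(ups[j]) - _ts(ups[i]) <= EXFIL_WINDOW:
                total += ups[j]["bytes"]
                j += 1
            count = j - i
            if (count >= EXFIL_MIN_FILES and total >= EXFIL_MIN_BYTES
                    and max(u["bytes"] for u in ups[i:j]) < EXFIL_SMALL_FILE):
                findings.append({"user": user, "indicator": "many small external uploads",
                                 "risk": "High",
                                 "detail": f"{count} files, {total} bytes within 1h"})
                break
    return findings


def assess(events):
    """All findings, highest risk first."""
    findings = login_findings(events) + exfil_findings(events)
    return sorted(findings, key=lambda f: RISK_ORDER.index(f["risk"]))


if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS):
        print(f"{f['risk']:<6} {f['user']:<6} {f['indicator']}: {f['detail']}")
```

Note that alice's single 50 MiB upload is deliberately not flagged by the many-small-files rule; a separate volume rule would be needed for that shape, and a real deployment would derive the per-user baseline from history rather than a hard-coded table.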

Purpose: The Executive Threat Assessment Scanner is designed to detect targeted threats by analyzing domain and company-specific data from various threat intelligence feeds. It performs credibility analysis and intent assessment to identify potential security risks and malicious activities, helping organizations stay informed about the vulnerabilities and threats they may face.

What It Detects:

  • Threat Indicators: Identifies known vulnerabilities (e.g., CVE), malware, command-and-control (C2) activity, and phishing attempts.
  • Exposure Indicators: Looks for signs of data breaches, unauthorized access, and data dumps.
  • Domain/IP Reputation: Evaluates the reputation of the provided domain and associated IP addresses using VirusTotal and AbuseIPDB.
  • Known Exploited Vulnerabilities (KEV): Checks against CISA’s Known Exploited Vulnerabilities list to identify critical vulnerabilities that have been exploited in the wild.
  • Exposed Services: Scans for exposed services and potential entry points using Shodan.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial for organizations looking to proactively identify and mitigate potential security threats, ensuring that their systems are secure against known vulnerabilities and malicious activities. It helps in making informed decisions about the risks associated with specific domains and companies, which can directly impact the overall security posture of an organization.

Risk Levels:

  • Critical: The scanner identifies critical vulnerabilities that have been exploited in the wild, indicating a severe risk to the organization’s security.
  • High: The scanner detects high-risk malware or command-and-control activity that could lead to unauthorized access and data breaches.
  • Medium: The scanner flags potential phishing attempts or exposed services that may not be immediately critical but are still significant risks that need attention.
  • Low: Informational findings indicate less severe issues, such as known vulnerabilities that have been patched but require monitoring for any changes in their status.
  • Info: These are generally non-critical findings that provide general information about the domain’s and company’s online presence without immediate security implications.


Example Findings:

  1. The scanner identifies a known vulnerability (CVE-2021-44228, the Log4j “Log4Shell” remote code execution flaw listed in CISA KEV) that has been exploited in the wild, indicating a critical risk to the organization’s systems.
  2. It detects unauthorized access attempts on multiple endpoints of the company’s network, highlighting a high-risk exposure indicator.
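The risk scale above hinges on one lookup: a CVE mentioned in a statement about the company is Critical when it appears in CISA’s Known Exploited Vulnerabilities catalog. The following is an added example of that lookup and rating, not the Executive Threat Assessment Scanner’s own code. KEV_SAMPLE is a constructed two-entry excerpt using the field names of the real feed (the live catalog is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), SAMPLE_STATEMENT is constructed text, and the Medium rating for a CVE that is not on KEV is an assumption.

```python
"""Rate CVE mentions against the CISA Known Exploited Vulnerabilities catalog.

Added example; this is not the Executive Threat Assessment Scanner's own code.
KEV_SAMPLE is a constructed two-entry excerpt using the real feed's field names;
a real run loads the full catalog from
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and absence from this excerpt says nothing about the full catalog.
"""
import json
import re

# CVE IDs: four-digit year, then a sequence of four or more digits (case-insensitive).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed, abbreviated excerpt of the KEV catalog (field names as in the live feed).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
         "vulnerabilityName": "Microsoft SMBv1 Remote Code Execution Vulnerability",
         "dateAdded": "2022-02-10", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed statement text, as company-name "statement searching" might return it.
SAMPLE_STATEMENT = (
    "Acme Corporation confirmed that CVE-2021-44228 was exploited against an "
    "internet-facing service in December. The same advisory notes that the "
    "curl SOCKS5 issue cve-2023-38545 affects a build pipeline image; "
    "cve-2021-44228 is referenced again in the remediation timeline."
)

RISK_ORDER = ["Critical", "High", "Medium", "Low", "Info"]


def load_kev(raw_json):
    """Index the catalog by upper-cased CVE ID for O(1) lookup."""
    data = json.loads(raw_json)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def rate_cves(text, kev):
    """Extract CVE IDs from text and rate each one.

    A CVE on KEV is Critical because it is known to be exploited in the wild.
    A CVE not on KEV is rated Medium here (assumption); an NVD/CVSS lookup
    would refine that in a full scanner.
    """
    findings = {}
    for cve in CVE_RE.findall(text):
        cve = cve.upper()          # normalize so cve-2021-44228 and CVE-2021-44228 dedupe
        if cve in findings:
            continue
        entry = kev.get(cve)
        if entry:
            findings[cve] = {
                "risk": "Critical",
                "source": "CISA KEV",
                "name": entry["vulnerabilityName"],
                "date_added": entry["dateAdded"],
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            }
        else:
            findings[cve] = {"risk": "Medium", "source": "pattern only",
                             "name": None, "date_added": None, "ransomware": False}
    return findings


def overall_risk(findings):
    """Highest risk level present, or Info when nothing was found."""
    for level in RISK_ORDER:
        if any(f["risk"] == level for f in findings.values()):
            return level
    return "Info"


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    result = rate_cves(SAMPLE_STATEMENT, kev)
    for cve, f in result.items():
        print(cve, f["risk"], f["source"], f["name"] or "")
    print("overall:", overall_risk(result))
```

The knownRansomwareCampaignUse field is worth carrying into the report: a KEV entry with ransomware use is the case where the Critical rating most clearly warrants immediate action.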

Purpose: The Protective Intelligence Scanner uses pattern recognition and behavior analysis to surface early warning indicators of potential threats, drawing on threat intelligence feeds such as Shodan, VirusTotal, CISA KEV, and dark web sources.

What It Detects:

  • Threat Indicators:
    • CVE Identifiers: Patterns like CVE-[0-9]{4}-[0-9]+ to identify known vulnerabilities.
    • Malware Terms: Keywords such as malware|ransomware|trojan to detect mentions of malicious software.
    • Command and Control (C2) References: Phrases like command\s*(?:and|&)\s*control|c2|c&c to identify command and control servers. The bare token c2 is noisy (it also occurs in hostnames, product names, and ordinary text), so a C2 hit should be corroborated by another indicator or by proximity to the target domain or company name before it is scored.
    • Phishing and Credential Harvesting: Terms such as phishing|credential\s+harvesting to detect phishing attempts and credential theft.
  • Exposure Indicators:
    • Data Breach Terms: Keywords like exposed|leaked|breached to identify data breaches.
    • Unauthorized Access: Phrases such as unauthorized\s+access to detect unauthorized access incidents.
    • Data Dump References: Terms like data\s+dump to identify data dumps.
  • Vulnerability Indicators:
    • Shodan API Data: Detects exposed services and vulnerabilities using Shodan API.
    • VirusTotal API Data: Analyzes domain/IP reputation using VirusTotal API.
    • CISA KEV Data: Checks for known exploited vulnerabilities from the CISA KEV list.
    • AbuseIPDB Data: Evaluates IP reputation using AbuseIPDB.
    • NVD/CVE Database: Looks up vulnerabilities in the NVD/CVE database.
  • Behavioral Patterns:
    • Pattern Recognition: Identifies recurring combinations of the indicators above that may signal an emerging threat or security issue.
    • Behavior Analysis: Flags anomalies and suspicious activity in the observed data for analyst review.
  • Dark Web Monitoring:
    • Dark Web Feeds: Monitors dark web sources for mentions of the target domain or company name, indicating potential threats or data leaks.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial for organizations looking to proactively identify potential security threats and vulnerabilities that could lead to data breaches, unauthorized access, or other malicious activities. By detecting early warning indicators and analyzing behavioral patterns, it helps in safeguarding critical infrastructure and sensitive information from potential cyber threats.

Risk Levels:

  • Critical: Conditions where the scanner identifies a high-severity vulnerability directly affecting system functionality (e.g., remote code execution through a known exploit).
  • High: Conditions where unauthorized access to sensitive data or systems is detected, posing a significant risk of data theft or disruption.
  • Medium: Conditions where potential vulnerabilities are identified that do not immediately affect critical functions but should be scheduled for mitigation.
  • Low: Informational findings that may indicate minor issues such as exposure in non-critical areas of the system.
  • Info: General information about the domain and its activities, which does not directly impact security but can be useful for broader intelligence gathering.

Example Findings:

  • A detected CVE identifier indicating a known vulnerability affecting multiple systems within the organization.
  • Evidence of unauthorized access attempts identified through behavioral analysis, suggesting potential phishing or credential harvesting activities.

Purpose: The Event Security Assessment Scanner is designed to detect and assess potential vulnerabilities in event venues related to security, attendee screening, emergency response protocols, and data exposure. Its purpose is to ensure robust safety and compliance for events by identifying and addressing security risks through advanced scanning and analysis techniques.

What It Detects:

  • Venue Security Vulnerabilities: Identifies exposed services using the Shodan API, scans for known exploited vulnerabilities listed in CISA KEV, checks domain/IP reputation via VirusTotal API, and evaluates IP reputation through AbuseIPDB.
  • Attendee Screening Inefficiencies: Detects patterns indicating inadequate attendee screening processes by searching for mentions of unverified or lax entry procedures and identifying potential gaps in background checks and ID verification.
  • Emergency Response Protocols: Looks for signs of insufficient emergency response planning, including outdated or non-existent emergency contact information and the presence and clarity of evacuation routes and safety instructions.
  • Data Exposure Indicators: Scans for patterns indicating data breaches or unauthorized access by identifying mentions of exposed, leaked, or breached data and detecting references to unauthorized access incidents.
  • Threat Intelligence Feeds: Integrates real-time threat intelligence from Shodan, VirusTotal, CISA KEV, and AbuseIPDB, analyzing NVD/CVE database for relevant vulnerability information.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com) - This is necessary to perform the scanning and analysis of the event venue’s online presence and services.
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”) - This helps in identifying relevant breach disclosure statements during the data exposure assessment phase.

Business Impact: The scanner is crucial for maintaining a secure environment at events, as it helps identify and mitigate potential security vulnerabilities that could lead to breaches of attendee information or disrupt event operations. Addressing these issues can significantly enhance an organization’s cybersecurity posture and compliance with regulatory requirements.

Risk Levels:

  • Critical: Conditions that directly impact the immediate safety and operational integrity of the event, such as unverified attendees entering through lax entry procedures or exposure of sensitive data without proper authorization.
  • High: Conditions that pose a significant risk to the security posture but do not immediately compromise safety, such as outdated emergency protocols or vulnerabilities in services exposed via Shodan.
  • Medium: Conditions that may lead to inefficiencies in event management or minor compliance issues, requiring attention for continuous improvement without critical consequences.
  • Low: Informative findings that provide insights into potential areas for enhancing security practices but do not indicate immediate risks.

Example Findings:

  • A Shodan scan identified an SSH service exposed on port 22. Exposure alone is not a vulnerability; the finding should be rated on the software version in the banner, whether password authentication is enabled, and whether the service needs to be reachable from the internet at all.
  • During attendee screening, the scanner detected mentions of “unverified attendees” in the /security section and “lax entry procedures” in the /newsroom, indicating potential inefficiencies that need improvement.

Purpose: The Protective Surveillance Scanner is designed to detect and analyze potential vulnerabilities, exposed services, and malicious activities by evaluating domain and company-specific threat intelligence feeds. It aims to strengthen an organization’s security posture by identifying exposures relevant to surveillance detection, counter-surveillance, and related threats.

What It Detects:

  • Vulnerability Indicators: The scanner identifies known vulnerabilities marked by CVE Identifiers like CVE-[0-9]{4}-[0-9]+, detects malware and ransomware using terms such as malware|ransomware|trojan, and looks for Command and Control (C2) patterns including phrases like command\s*(?:and|&)\s*control|c2|c&c.
  • Exposure Indicators: It flags data breaches with keywords like exposed|leaked|breached, detects unauthorized access using terms such as unauthorized\s+access, and identifies data dumps indicated by phrases like data\s+dump.
  • Threat Intelligence Feeds Analysis: The scanner utilizes the Shodan API to identify exposed services and vulnerabilities, uses VirusTotal API to assess domain/IP reputation, relies on CISA KEV for known exploited vulnerabilities, and evaluates IP reputation with AbuseIPDB. It also looks up specific vulnerabilities in the NVD/CVE database.
  • Real-Time Monitoring: Continuously monitors specified domains for new threats and updates, alerting on suspicious activities or potential breaches.
  • Situational Awareness: Provides a comprehensive overview of the security landscape by integrating multiple threat intelligence sources, aiding in proactive threat management and response planning.
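The indicator regex families listed under the Protective Intelligence Scanner, and repeated above for the Protective Surveillance Scanner, only produce useful findings when a hit is tied back to the target organization: the same vocabulary appears in every security news article. The following is an added example, not either scanner’s own code, that runs the regex families over constructed text and scores each hit by whether the company name or domain appears within a fixed number of characters. The proximity window, the mapping of indicators onto the risk scale, and SAMPLE_TEXT are assumptions.

```python
"""Indicator-regex scan with company/domain proximity scoring.

Added example; not the Protective Intelligence or Protective Surveillance
scanners' own code. The proximity window, the risk mapping and SAMPLE_TEXT
are assumptions constructed for illustration.
"""
import re

# Indicator families as listed above. Raw strings, so \s and \b reach the regex
# engine as single backslashes. Word boundaries are added because a bare "c2" or
# "exposed" otherwise fires on hostnames and ordinary prose.
INDICATORS = {
    "threat": {
        "cve": r"\bCVE-\d{4}-\d{4,}\b",
        "malware": r"\b(?:malware|ransomware|trojan)\b",
        "c2": r"\bcommand\s*(?:and|&)\s*control\b|\bc2\b|\bc&c\b",
        "phishing": r"\bphishing\b|\bcredential\s+harvesting\b",
    },
    "exposure": {
        "breach": r"\b(?:exposed|leaked|breached)\b",
        "unauthorized_access": r"\bunauthori[sz]ed\s+access\b",
        "data_dump": r"\bdata\s+dump\b",
    },
}
COMPILED = {fam: {name: re.compile(p, re.IGNORECASE) for name, p in pats.items()}
            for fam, pats in INDICATORS.items()}

# Assumed mapping onto the risk scale: an indicator only counts against the
# organization when the company name or domain appears within PROXIMITY characters.
PROXIMITY = 200
RISK_BY_INDICATOR = {
    ("threat", "cve"): "High",        # becomes Critical only after a KEV hit
    ("threat", "malware"): "High",
    ("threat", "c2"): "High",
    ("threat", "phishing"): "Medium",
    ("exposure", "breach"): "High",
    ("exposure", "unauthorized_access"): "High",
    ("exposure", "data_dump"): "High",
}
RISK_ORDER = ["Critical", "High", "Medium", "Low", "Info"]

# Constructed sample text: one paragraph about the target, filler, then an
# unrelated paragraph that uses the same vocabulary about another company.
SAMPLE_TEXT = (
    "Acme Corporation confirmed that a former contractor's account was used for "
    "unauthorized access to a file share on acme.com, and a data dump from that "
    "share was later offered on a forum.\n\n"
    + "Unrelated coverage of the conference keynote and vendor booths follows. " * 4
    + "A separate write-up of a C2 framework used against another company mentions "
    "credential harvesting kits sold on the same forum."
)


def scan_text(text, company_name, domain, window=PROXIMITY):
    """Return one finding per regex hit, scored by proximity to the target."""
    target_re = re.compile("|".join(re.escape(t) for t in (company_name, domain)),
                           re.IGNORECASE)
    findings = []
    for family, pats in COMPILED.items():
        for name, rx in pats.items():
            for m in rx.finditer(text):
                context = text[max(0, m.start() - window): m.end() + window]
                near = target_re.search(context) is not None
                findings.append({
                    "family": family,
                    "indicator": name,
                    "match": m.group(0),
                    "near_target": near,
                    "risk": RISK_BY_INDICATOR[(family, name)] if near else "Info",
                })
    return findings


def highest_risk(findings):
    """Highest risk level among the findings, or Info when there are none."""
    for level in RISK_ORDER:
        if any(f["risk"] == level for f in findings):
            return level
    return "Info"


if __name__ == "__main__":
    results = scan_text(SAMPLE_TEXT, "Acme Corporation", "acme.com")
    for f in results:
        print(f"{f['risk']:<8} {f['family']}/{f['indicator']:<20} "
              f"near={f['near_target']} {f['match']!r}")
    print("highest:", highest_risk(results))
```

On the sample text the two exposure hits next to the company name are rated High, while the C2 and credential-harvesting hits in the unrelated paragraph are kept as Info rather than dropped, so an analyst can still see them in the report without them inflating the overall risk.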

Inputs Required:

  • domain (string): The primary domain to analyze, such as acme.com.
  • company_name (string): Company name for statement searching, such as "Acme Corporation".

Business Impact: This scanner is crucial for organizations aiming to secure their digital assets by identifying and mitigating potential vulnerabilities that could be exploited by malicious actors. It helps in maintaining a vigilant security posture against both internal and external threats, ensuring the integrity and confidentiality of sensitive information.

Risk Levels:

  • Critical: Findings include critical vulnerabilities with no known workarounds or mitigations, directly impacting core functionality or data loss scenarios.
  • High: Vulnerabilities that could lead to unauthorized access, data breaches, or significant system disruptions without immediate mitigation steps in place.
  • Medium: Vulnerabilities that are exploitable in principle but for which a patch or mitigating configuration is available; the risk grows if they are left unaddressed.
  • Low: Informational findings that do not pose an immediate threat but should still be monitored and potentially mitigated over time, such as minor exposure to unauthorized access attempts.
  • Info: Non-critical information about potential exposures or vulnerabilities that are already known and managed within acceptable security practices.

Example Findings:

  • A critical vulnerability identified by the CVE Identifier CVE-2021-44228 (the Log4j “Log4Shell” remote code execution flaw, listed in CISA KEV) indicates a severe risk to system integrity, potentially leading to unauthorized access if not patched immediately.
  • Repeated unauthorized access attempts originating from IP addresses inside the organization’s own network are a high-risk finding, since they point to a compromised host or an insider rather than external scanning, and need immediate attention to prevent data breaches or other malicious activities.