Certificate Transparency
Certificate Transparency (CT) is a public logging system that addresses weaknesses in how digital certificates are issued and used, enhancing the security and trustworthiness of the Internet's HTTPS ecosystem.
Here's a more detailed explanation:
Public Logs: CT requires Certificate Authorities (CAs) to publish details about the TLS/SSL certificates they issue to publicly accessible logs. These logs act as an auditable record of certificate issuance.
Increased Visibility: By publicizing certificate information, CT enables website owners, domain holders, browser vendors, and security researchers to monitor certificate issuance. This increased visibility makes it significantly harder for CAs to issue unauthorized or fraudulent certificates without detection.
Detection of Malicious Certificates: CT helps detect malicious or mistakenly issued certificates. If a certificate is issued without the website owner's authorization, it will likely be discovered in the CT logs. This allows for prompt action to mitigate potential harm.
Improved Security: CT contributes to internet security by reducing the risk of man-in-the-middle attacks and other attacks that rely on fraudulently obtained certificates.
Browser Enforcement: Modern web browsers increasingly require websites to present certificates logged in CT. This enforcement ensures website owners and CAs adhere to CT standards, strengthening the system's effectiveness.
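The auditable record described above rests on the RFC 6962 Merkle tree: a log commits to every entry in a signed tree head, and anyone holding one entry plus a short audit path can check that the entry is really in the tree. The following is an added illustration, not code from the original page, that builds such a tree over constructed placeholder entries (assumed stand-ins for DER certificates) and verifies an inclusion proof with the RFC 9162 algorithm.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 leaf hash: SHA-256 over 0x00 || entry (domain-separated from nodes)
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # RFC 6962 interior node hash: SHA-256 over 0x01 || left || right
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_tree_hash(leaves):
    # Merkle Tree Hash of a non-empty, ordered entry list; the split point is the
    # largest power of two strictly below n, so trees need not be balanced
    n = len(leaves)
    if n == 1:
        return leaf_hash(leaves[0])
    k = 1 << ((n - 1).bit_length() - 1)
    return node_hash(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))

def inclusion_proof(leaves, m):
    # Audit path for entry m: sibling subtree hashes ordered from leaf to root
    n = len(leaves)
    if n <= 1:
        return []
    k = 1 << ((n - 1).bit_length() - 1)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_tree_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_tree_hash(leaves[:k])]

def verify_inclusion(entry, leaf_index, tree_size, proof, root):
    # Rebuild the root from one entry and its audit path (RFC 9162 section 2.1.3.2);
    # the verifier needs only the tree size and root from the signed tree head
    if leaf_index >= tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not fn & 1 and fn != 0:  # skip levels where we are a lone right child
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# Constructed stand-ins for certificates appended to a log, in issuance order
LOG = [f"cert:{h}.example.com".encode() for h in ("www", "api", "mail", "vpn", "rogue")]
ROOT = merkle_tree_hash(LOG)  # what a signed tree head would commit to
```

Because the verifier recomputes the root from the audit path alone, a log cannot quietly drop or alter an entry after publishing a tree head without the mismatch being detectable.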
While the provided document doesn't explicitly mention "Certificate Transparency Logs" by that exact phrase, ThreatNG's capabilities strongly suggest that it incorporates CT data analysis into its comprehensive approach to certificate security. Here's how ThreatNG's features align with and support the principles of Certificate Transparency:
How ThreatNG aligns with Certificate Transparency:
ThreatNG focuses on providing external attack surface management, which inherently involves validating and monitoring externally facing assets. Certificate Transparency is critical to that validation, as it provides the necessary audit trail for certificates. ThreatNG's emphasis on certificate status, subdomain analysis, and overall cyber risk necessitates using CT data to ensure a complete and accurate assessment.
Here's a breakdown of how ThreatNG's features likely interact with Certificate Transparency concepts:
ThreatNG's external discovery is crucial for identifying all the organization's web assets that rely on TLS/SSL certificates. This aligns with CT by ensuring that ThreatNG is aware of all certificates that should be present in CT logs. Any discrepancies (certificates not logged) can be flagged.
ThreatNG's external assessment capabilities greatly benefit from Certificate Transparency data:
Cyber Risk Exposure: By incorporating CT data, ThreatNG enhances the accuracy of its Cyber Risk Exposure assessment. For instance, if ThreatNG detects a valid certificate that is not present in CT logs, it can indicate potential security concerns and increase the risk score.
Subdomain Takeover Susceptibility: CT logs can help verify the legitimate issuance of certificates for subdomains. ThreatNG's assessment of subdomain takeover susceptibility is strengthened by cross-referencing certificate information with CT logs to identify unauthorized certificates that might facilitate a takeover.
Certificate Validation: ThreatNG's "SSL certificate statuses" assessment is more robust when combined with CT data. It goes beyond basic checks (expiration, issuer) to verify the certificate's presence and validity within CT logs, adding another layer of trust and security validation.
ThreatNG's reporting becomes more comprehensive and insightful with the integration of CT data:
Technical Reports: These reports can include details about a certificate's presence in CT logs, any CT logging failures, or discrepancies found.
Prioritized Reports: Threats related to certificates not complying with CT standards can be prioritized based on their potential impact.
Security Ratings Reports: Factoring in CT compliance improves the overall security rating, providing a more accurate reflection of the organization's security posture.
ThreatNG's continuous monitoring capabilities are enhanced by incorporating CT log monitoring:
Unauthorized Certificate Detection: ThreatNG can continuously monitor CT logs to see if new certificates have been issued for an organization's domains. This helps detect unauthorized certificates that might be used for malicious purposes.
CT Compliance Monitoring: ThreatNG can monitor whether newly issued certificates are correctly logged in CT, ensuring ongoing compliance and security.
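The two monitoring checks above (new certificates for the organisation's domains from an unexpected source, and served certificates that appear in no log, as also described under external discovery and Cyber Risk Exposure) reduce to a small comparison between CT log records and the asset inventory. The following is an added example, not ThreatNG's code; the issuer allowlist, inventory, log entries and fingerprints are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CtEntry:
    # One certificate record as a CT log monitor would return it (constructed)
    fingerprint: str   # SHA-256 of the DER certificate, hex
    issuer: str        # issuing CA's common name
    names: tuple       # subject alternative names
    log_id: str        # which CT log the entry was found in

# Assumed organisation context; in practice this comes from external discovery
ORG_ZONES = ("example.com",)
APPROVED_ISSUERS = {"Example Contracted CA"}
INVENTORY = {"www.example.com", "api.example.com", "mail.example.com"}

def in_org_zone(name: str) -> bool:
    # Drop a leading wildcard so "*.example.com" is still attributed to the zone
    host = name[2:] if name.startswith("*.") else name
    return any(host == z or host.endswith("." + z) for z in ORG_ZONES)

def review_ct_entries(entries):
    # Flag entries for the organisation's zones that an unapproved CA issued,
    # or that cover hostnames external discovery has never seen
    findings = []
    for e in entries:
        org_names = [n for n in e.names if in_org_zone(n)]
        if not org_names:
            continue  # someone else's certificate; not our concern
        if e.issuer not in APPROVED_ISSUERS:
            findings.append((e.fingerprint, "unapproved-issuer", e.issuer))
        unknown = sorted(n for n in org_names if n not in INVENTORY)
        if unknown:
            findings.append((e.fingerprint, "unknown-name", ",".join(unknown)))
    return findings

def unlogged_certificates(observed_fingerprints, entries):
    # Certificates served by live hosts that no CT log records: CT-enforcing
    # browsers will reject them, and their origin deserves investigation
    logged = {e.fingerprint for e in entries}
    return sorted(fp for fp in observed_fingerprints if fp not in logged)

# Constructed sample data, not real log entries or real fingerprints
SAMPLE_ENTRIES = [
    CtEntry("aa11", "Example Contracted CA", ("www.example.com",), "log-a"),
    CtEntry("bb22", "Some Other CA", ("login.example.com", "*.example.com"), "log-b"),
    CtEntry("cc33", "Example Contracted CA", ("shop.other.test",), "log-a"),
]
OBSERVED = {"aa11", "dd44"}  # fingerprints seen when scanning the org's own hosts
```

Each finding carries the certificate fingerprint so it can be handed to a SIEM or a report as a stable identifier rather than a free-text description.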
ThreatNG's investigation modules can use CT data to provide deeper insights:
Certificate Intelligence: This module can be extended to include CT log information, providing a complete view of a certificate's lifecycle and validity.
For example, the "Certificate Intelligence" module could show when a certificate was issued, by whom, and in which CT logs it appears.
IP Intelligence: This module can correlate IP addresses with certificates and their CT log status, aiding in the identification of potential anomalies.
Working with Complementary Solutions
ThreatNG's integration of CT data enhances its ability to work with other security tools:
Security Information and Event Management (SIEM) Systems: ThreatNG can feed CT log anomalies and certificate discrepancies into a SIEM, enabling correlation with other security events and improved threat detection.
Example: ThreatNG detects a certificate for a subdomain not in any CT logs and sends an alert to the SIEM. The SIEM correlates this with unusual network activity to that subdomain, indicating a potential attack.
Browser Security Tools: ThreatNG's findings on CT compliance can be used to validate browser-based security warnings or errors related to certificates.
In conclusion, while the document doesn't explicitly say "ThreatNG examines Certificate Transparency Logs," its capabilities strongly imply that it uses and benefits from CT data to provide a more comprehensive and accurate assessment of certificate security.