Standards-Based Risk Methodology, Transparent Grading
Know exactly where your data comes from.
Non-intrusive & Passive Scan
Designed for Accuracy
Non-intrusive scans use open-source intelligence (OSINT) techniques to collect data from 400+ OSINT resources and internet-wide scanners, without ever touching the target.
As an authorized recipient of IP zone transfers, with one of the largest IP and Domain Whois databases, we hold more than one billion (1B) historical items. The asset-discovery engine identifies every company-related IP address and domain name.
Standard scoring models, such as the MITRE Cyber Threat Susceptibility Assessment (CTSA), Common Weakness Risk Analysis Framework (CWRAF), Common Weakness Scoring System (CWSS), Common Vulnerability Scoring System (CVSS), and Factor Analysis of Information Risk (FAIR), eliminate false positives.
Data is analyzed and compiled into a simple, readable report with letter-grade ratings that identify potential security risks, help mitigate them, and convert technical data into business concepts.
Establish Assessment Scope
The first step in CTSA is to establish the scope of the evaluation, which can be characterized in terms of:
- The set of system assets being evaluated
- The range of attack TTPs being considered
- The types of adversaries
Black Kite establishes the assessment scope during the asset discovery process, which discovers all publicly accessible domains, subdomains, IP/CIDR ranges, etc.
Identify Candidate TTPs
Once the scope of CTSA is established, the next step is to evaluate the cyber asset’s architecture, technology, and security capabilities against TTPs in the Mission Assurance Engineering (MAE) Catalog. Unclassified sources of adversary TTPs in the catalog include MITRE-hosted resources such as Common Attack Pattern Enumeration and Classification (CAPEC), Common Weakness Enumeration (CWE), and Common Vulnerabilities and Exposures (CVE). CAPEC is a compilation of attack patterns derived from specific real-world incidents. CWE is a catalog of software weaknesses and defects that adversarial TTPs may exploit. CVE catalogs vulnerabilities found in commercial off-the-shelf (COTS) hardware and software products.
Eliminate Implausible TTPs
This initial set of candidate TTPs undergoes a narrowing process to eliminate TTPs considered implausible. Several factors can make a TTP an implausible method of cyber attack; in particular, many TTPs have prerequisites or conditions that must hold true in order for that TTP to be effective.
Apply Scoring Model
Candidate TTPs that cannot be eliminated are ranked using a scoring model. The TTP scoring model assesses the risk associated with each TTP relative to the other 10 plausible TTPs considered in the assessment. This ranking helps set priorities on where to apply security measures to reduce the system’s susceptibility to cyber attack. CAPEC severity levels, CVSS scores, and CWE severity ranks are the main parameters used to calculate the TTP risk scores.
Construct a Threat Matrix
CTSA produces a Threat Matrix, which lists plausible attack TTPs ranked by decreasing risk score and their mapping to cyber assets as a function of adversary type. Black Kite has over 500 TTPs (APPSEC001, APPSEC002, … DNS001, DNS002,… etc.) with different risk scores.
The Black Kite threat matrix is calculated using the Common Weakness Scoring System (CWSS™), which provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner. CWSS is a collaborative, community-based effort that addresses the needs of its stakeholders across government, academia, and industry. When used in conjunction with the Cyber Threat Susceptibility Assessment (CTSA) or Common Weakness Risk Analysis Framework (CWRAF™), organizations are able to apply CWSS to those CWEs that are most relevant to their own specific businesses, missions, and deployed technologies.
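The CTSA steps above (scope, candidate TTPs, elimination of implausible TTPs, ranking, threat matrix) as a small added walk-through; this is illustrative code, not Black Kite's engine. The assets, TTP ids, prerequisites and risk scores are constructed, and the risk scores are taken as already derived from the CAPEC/CVSS/CWE inputs since the page does not give that formula.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TTP:
    ttp_id: str
    risk_score: float          # assumed already derived from CAPEC/CVSS/CWE inputs
    prerequisites: frozenset   # conditions an asset must satisfy for the TTP to apply
    adversaries: frozenset     # adversary types that use this TTP


@dataclass(frozen=True)
class Asset:
    name: str
    properties: frozenset      # facts observed during asset discovery


def is_plausible(ttp, asset):
    """Eliminate implausible TTPs: every prerequisite must hold on the asset."""
    return ttp.prerequisites <= asset.properties


def threat_matrix(ttps, assets):
    """Rank plausible TTPs by decreasing risk score and map them to the
    in-scope assets they apply to, keyed by adversary type."""
    matrix = {}
    for ttp in sorted(ttps, key=lambda t: t.risk_score, reverse=True):
        exposed = [a.name for a in assets if is_plausible(ttp, a)]
        if not exposed:
            continue  # no in-scope asset satisfies the prerequisites: implausible
        for adversary in sorted(ttp.adversaries):
            matrix.setdefault(adversary, []).append((ttp.ttp_id, ttp.risk_score, exposed))
    return matrix


# Constructed scope: assets and candidate TTPs are illustrative, not real findings.
ASSETS = [
    Asset("www.example.com", frozenset({"https", "web-app"})),
    Asset("mail.example.com", frozenset({"smtp"})),
]
TTPS = [
    TTP("WEB-01", 7.5, frozenset({"web-app"}), frozenset({"criminal"})),
    TTP("MAIL-01", 4.0, frozenset({"smtp"}), frozenset({"criminal", "hacktivist"})),
    TTP("TLS-01", 9.0, frozenset({"https", "tls1.0"}), frozenset({"nation-state"})),
]

if __name__ == "__main__":
    for adversary, rows in threat_matrix(TTPS, ASSETS).items():
        print(adversary, rows)
```

TLS-01 carries the highest score but is dropped because no discovered asset satisfies all of its prerequisites, which is the narrowing step at work.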
Our Risk Management Methodology Grading Scale
The category grades are calculated once assessments on all the categories are completed. Each category has a different weight in the overall grade as shown below.
| Category | Weight (of 100) |
|---|---|
| Digital Footprint | 0 |
| DNS Health | 6 |
| Email Security | 6 |
| SSL/TLS Strength | 6 |
| Application Security | 9 |
| DDoS Resiliency | 4 |
| Network Security | 6 |
| Fraudulent Domains | 5 |
| Fraudulent Apps | 3 |
| Credential Management | 9 |
| IP Reputation | 7 |
| Hacktivist Shares | 5 |
| Social Network | 3 |
| Attack Surface | 4 |
| Brand Monitoring | 3 |
| Patch Management | 10 |
| Web Ranking | 2 |
| Information Disclosure | 3 |
| Website Security | 6 |
| CDN Security | 3 |
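An added example (not Black Kite's code) of how the category weights above combine into an overall score: per-category scores are assumed to be on a 0-100 scale, the overall score is withheld until every category is assessed, and the largest weighted deductions show which categories are worth fixing first. The letter-grade thresholds are not given on this page, so the example stops at the numeric score; the sample scores are constructed.

```python
# Category weights exactly as printed in the grading scale above (they total 100).
WEIGHTS = {
    "Digital Footprint": 0, "IP Reputation": 7,
    "DNS Health": 6, "Hacktivist Shares": 5,
    "Email Security": 6, "Social Network": 3,
    "SSL/TLS Strength": 6, "Attack Surface": 4,
    "Application Security": 9, "Brand Monitoring": 3,
    "DDoS Resiliency": 4, "Patch Management": 10,
    "Network Security": 6, "Web Ranking": 2,
    "Fraudulent Domains": 5, "Information Disclosure": 3,
    "Fraudulent Apps": 3, "Website Security": 6,
    "Credential Management": 9, "CDN Security": 3,
}
assert sum(WEIGHTS.values()) == 100


def overall_score(category_scores):
    """Weighted overall score on a 0-100 scale (per-category scores assumed 0-100).
    Returns None while any category is still unassessed, because the overall grade
    is only computed once all category assessments are complete."""
    if set(WEIGHTS) - set(category_scores):
        return None
    return sum(WEIGHTS[c] * category_scores[c] for c in WEIGHTS) / 100


def largest_deductions(category_scores, n=3):
    """Categories costing the most overall points, largest first: each category
    deducts weight * (100 - score) / 100 points from a perfect 100, so a
    zero-weight category (Digital Footprint) never changes the overall score."""
    loss = {c: WEIGHTS[c] * (100 - category_scores[c]) / 100 for c in WEIGHTS}
    return sorted(loss.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample: every category perfect except two.
SAMPLE = {c: 100 for c in WEIGHTS}
SAMPLE["Patch Management"] = 50
SAMPLE["Application Security"] = 80

if __name__ == "__main__":
    print(overall_score(SAMPLE))          # 93.2
    print(largest_deductions(SAMPLE, 2))  # Patch Management first, then Application Security
```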
Black Kite vs. Competitors
Key players in the Security Rating Services (SRS) market (Black Kite, BitSight, SecurityScorecard, RiskRecon, and UpGuard) focus on publicly accessible, external data sources when performing vendor assessments. Although each player has a different approach, all providers in the SRS market use similar resources and techniques to collect data.
However, not all SRS providers are equal in terms of usability, analytics, compliance, technical depth, and threat intelligence capabilities. Compare Black Kite’s Cyber Risk Rating with other SRS products in the market to help you make a better-informed decision.
Comparison criteria:
- Limited and Accurate
- Near Real-Time Alerts
- Benchmark and Reporting
- Prioritization of Assets & Findings
- Easy to use (UI / UX)
- Shared Responsibility (Edit Mode)
- Action Plan to be “A” Grade
- # of Control Items
- # of Risk Categories
- Instant Result for Any Company
- Time to Add a New Vendor
- 3rd / Nth Party Auto Discovery
- Subsidiary (subdomain) Scan Option
- Open FAIR™ Model for Vendor Risk Analysis
- Continuous Monitoring per Vendor Cost
- Estimated Compliance Report
- Shared Assessments’ SIG Integration
- Mobile App Security
- Attack Surface Detection
- Passive Vulnerability Scan
- SSL/TLS Strength Check
- Email Security Control
- Dark Web Search
- Social Network Monitoring
- Fraudulent / Bogus Domains
- Employee Sec. Awareness
- Cloud Delivery Network Security
- Fraudulent Mobile Apps
- Geo Risk / DDoS Detection
- Tailored Threat Intelligence
FREQUENTLY ASKED QUESTIONS
What is our Methodology?
Cyber Threat Susceptibility Assessment (CTSA), developed by MITRE, is a methodology for evaluating the susceptibility of a system to cyberattacks. CTSA quantitatively assesses a system’s inability to resist a cyberattack over a range of cataloged attack Tactics, Techniques, and Procedures (TTPs).
To generate the cyber risk rating, Black Kite only needs the company domain. The engine collects information from VirusTotal, passive DNS servers, web search engines, and other Internet-wide scanners, as well as Black Kite’s proprietary databases, which hold more than 10 billion historic items. The engine searches the databases to find all IP address ranges and domain names that belong to the company. Black Kite uses what is called Open Source Intelligence (OSINT) to gather information. The following map shows how hackers can leverage their attack vectors by using OSINT resources like hacker forums, social networks, Google, leaked database dumps, paste sites, or even legitimate security services like VirusTotal, Censys, Cymon, Shodan, or Google Safe Browsing.
Black Kite compiles this data into a simple, understandable report with letter-grade scores to help identify and mitigate potential security risks. The platform identifies the risks (CVE/CWE), the risk score of the corresponding vulnerabilities/weaknesses (CVSS/CWSS) and attack patterns (CAPEC/FIPS-199 impact level). Black Kite also classifies the findings into FISMA Cyber Security Framework Area and Maturity Level, NIST 800-53 Control Family, FIPS-200 Area, and NIST 800-37 Process Step. Black Kite does all of this without scanning or modifying any of the organization’s business assets.
What is Third-Party Risk Management?
Third-party management is the process whereby companies monitor and manage interactions with all external parties with which they have a relationship. This may include both contractual and non-contractual parties. Third-party management is conducted primarily for the purpose of assessing the ongoing behavior, performance and risk that each third-party relationship represents to a company. Areas of monitoring include supplier and vendor information management, corporate and social responsibility compliance, supplier risk management, IT vendor risk, anti-bribery/anti-corruption (ABAC) compliance, information security (infosec) compliance, performance measurement, and contract risk management. The importance of third-party management was elevated in 2013 when the US Office of the Comptroller of the Currency stipulated that all regulated banks must manage the risk of all their third parties.
How Does Black Kite Score Vendors?
Black Kite aggregates hundreds of data sources from open-source intelligence (OSINT). We then utilize the MITRE CTSA as a foundational scoring matrix to map all vendors in our system using a golden industry standard.
Why is Continuous Monitoring Important?
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational environment. The financial and operational environment consists of people, processes, and systems working together to support efficient and effective operations. Controls are put in place to address risks within these components. Through continuous monitoring of the operations and controls, weak or poorly designed or implemented controls can be corrected or replaced – thus enhancing the organization’s operational risk profile. Investors, governments, the public and other stakeholders continue to increase their demands for more effective corporate governance and business transparency.
Why Black Kite?
Black Kite is the right choice for cyber risk rating services because of our unique 3D Vendor Risk @ Scale. We offer comprehensive assessments from a cyber, compliance and financial perspective. Tying in various levels of automation, open standards and a comprehensive list of data control points allows us to scale to our customers’ needs. The choice is simple!
What is a Passive Scan?
Black Kite uses non-intrusive assessments to scan the cyber risk posture of any organization at any given moment in time. We don’t use intrusive vulnerability scanners like Nessus, Netsparker, Acunetix, Nexpose, Nmap, OpenVAS, and others. Our passive scan does not touch the target company’s assets. Instead, we find the required data on the internet, including search engine caches, archive[.]org, internet-wide scanners, VirusTotal, PassiveTotal, hacker sites, paste sites, deep/dark web, etc.
Do I Need Permission to Scan a Vendor?
No. Black Kite’s data sources are all external/open-sourced and require no internal access from a vendor or supplier.
What Is the Cost?
Request a demo with one of our representatives.
Looks Great, How Do I Test Drive?
Black Kite offers free trials in the form of a proof of concept.
What is OSINT?
Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context. Both hackers and legitimate security companies continuously scan social media websites and networks for information on vulnerabilities, and publish their findings on the internet. The map below shows how hackers can leverage their attack vectors by using OSINT resources, namely hacker forums, social networks, Google, leaked database dumps, paste sites, and even legitimate security services like VirusTotal, Censys, Cymon, Shodan, and Google Safe Browsing. Black Kite’s Risk Assessment gathers data from all these sources and performs contextualization and analysis to convert data into risk intelligence.
What is OPEN FAIR?
Open FAIR is an open-source framework for quantifying risk in financial terms. This model allows businesses to speak one language concerning their overall risk when it comes to third parties. Black Kite uses the FAIR model in a unique way to quantify probable financial risk dynamically and at scale.
What Regulations and Frameworks Are Covered in the Compliance Module?
Black Kite’s Compliance module helps you streamline the compliance of a vendor you are engaged with. We currently have a myriad of standards and frameworks in our platform, such as NIST 800-53, ISO 27001, GDPR, CIS CSC-20, and NIST 800-17. Black Kite also has a built-in integration with the Shared Assessments SIG questionnaire to further help organizations leveraging this toolset.
How Do You Validate Findings?
Black Kite has a built-in case management system to make interacting with your vendors a breeze. Vendors can easily review findings assigned to them and ensure data points are remediated appropriately. We can also directly integrate with ServiceNow to provide this same set of features from your existing case management system.
What Information Do You Provide to Improve My Vendor’s Score?
Black Kite provides an automated remediation plan for each one of your vendors. In our Strategy Report, we highlight the vendor’s current posture and outline a set of prescriptive steps designed to advise them on improving their cyber risk rating and reducing financial risk.