
August 17, 2021

Getting Started with Threat Exposure Management  

By: Ian Lee


A new approach to identifying, prioritizing, and managing exposures in a quick and logical way

Threat Exposure Management (TEM) is a new approach to security designed to help organizations identify, prioritize and manage unexpected risks or exposures. It differs from standard threat management practices in that it takes a contextual view of threats, focusing on establishing a process for how information is collected and integrated to inform better and faster decision making.

Though the term threat exposure management is new, the concepts behind it are not. Threat exposure management combines an organization’s existing asset and vulnerability management capabilities with a new suite of tools in order to close visibility gaps and establish a repeatable process for determining attackability and reducing risk in a quick and logical way. That process starts with understanding what’s exposed.


What Are The Key Components of a Threat Exposure Management Program?

External Attack Surface Management (EASM) 

External Attack Surface Management (EASM) is the continuous discovery, inventory, classification, prioritization, and monitoring of an organization’s attack surface from an external attacker’s perspective. EASM platforms help organizations identify internet-exposed and attacker-reachable IT assets and monitor them for unexpected changes and weaknesses (e.g., blind spots, misconfigurations, process failures) that increase the risk of attack.

Attack surface management prioritizes these findings so that patching resources are spent where they reduce risk and attackability most efficiently. At the same time, it continually monitors the organization’s entire attack surface to report new exposures and to identify areas of the attack surface that can be reduced or removed altogether.

Cyber Asset Attack Surface Management (CAASM) 

Cyber asset attack surface management (CAASM) expands beyond the limited scope of traditional asset management by aggregating multiple sources of visibility, including EASM, traditional asset management, cloud providers, and XDR solutions. Once the foundational sources of visibility are in place, CAASM consolidates them into a single repository, giving the organization a single source of truth on which to build the rest of its security program.

Risk-Based Vulnerability Management (RBVM) 

Risk-based vulnerability management (RBVM) is the latest evolution of traditional vulnerability management. It helps security teams prioritize remediation by drawing on a broader set of inputs (exposure, exploitation activity, asset importance) to assess the real-world risk each vulnerability poses to your organization, rather than relying on severity scores alone.

Threat Intelligence Platform (TIP)

Context on the latest tools, techniques and procedures threat actors are using, and on which credentials or other information about your organization are circulating on the dark web, can be extremely helpful. Threat Intelligence Platforms automatically collect, reconcile and organize data from various threat sources and formats, providing security teams with a normalized and current source of threat intelligence they can use to enhance detection and response, vulnerability prioritization, threat modeling, and other activities.

Penetration Testing

Pen testing is a security practice in which a team carries out limited, scoped attacks against a company’s perimeter to discover areas of the attack surface that could be penetrated. The catch is that a typical externally scoped engagement stops at demonstrating initial access and does not follow the attack path deeper into the network, so it reports entry points rather than the full chain an adversary would use. For the defender, this means there is only one place to fix, whereas the best place to harden may be further along the kill chain. What’s more, pen testing is usually done by an external team at a point in time, and most companies only have the resources to commission it once a year, which leaves the findings stale for most of the year.

Breach and Attack Simulation (BAS)

Breach and Attack Simulation (BAS) solutions use choreographed and predefined sets of operations and assumptions to see how well your cybersecurity program holds up against simulated attacks. 

Security Rating Services (SRS)

Security Rating Services (SRS) are relatively basic risk assessment systems that provide a scorecard-like rating on an organization based on publicly available information. These can be useful because of the concrete severity scores, but they deliver rudimentary data and provide little to no insight into how to act on the information they provide to secure your system.

How Can I Start Adopting a Threat Exposure Management Approach?

Step 1 – Discover (Ensure External Visibility)

With 40% of exposed assets estimated to be unknown to IT and vulnerability exploitation now overtaking phishing as the #1 attack vector in the most recent IBM X-Force report, knowing what corporate assets are exposed should be your priority. While Asset Management solutions only tell you what you already know, EASM solutions provide insight into unknown risks, helping you quickly close the visibility gap caused by Shadow IT. Once you have a firm understanding of your assets, you can use EASM solutions to augment or replace existing investments — like security rating services — which provide only a surface-level assessment of third-party risk. Learn more about how to implement EASM.

Step 2 – Unify (Establish a Single Source of Truth)

With EASM and Asset Management in place for visibility into known and unknown assets, the next step is to unite them into a single source of truth. While security teams have traditionally relied upon IT asset management solutions for this, the democratization of IT has driven a need for a more flexible and adaptive asset management model. Protecting only that which is known to IT is no longer sufficient. 

To effectively manage exposures, security teams need both visibility and context. EASM closes the external visibility gap, but context requires a source of truth that unites on-prem, cloud, IoT, SaaS, and third-party assets in a single place. Gartner calls this emerging category, led by Axonius and Sevco Security, Cyber Asset Attack Surface Management (CAASM). When fed with the proper visibility, CAASM solutions help ensure all security functions (VM, threat intel, security operations, pentest, etc.) are working off the same inventory.

Step 3 – Contextualize (Adopt A Risk-Based Approach to Vulnerability Management)

Now comes the fun part! Ensuring proper visibility and a unified asset inventory can be tedious, but it is the foundation for the higher-level work that follows. With those solutions in place, you are ready to begin prioritizing exposures through vulnerability management.

Vulnerability exploitation is now the #1 attack vector for breaches, but fewer than 5% of known vulnerabilities are ever exploited in the wild. Vulnerability management is a never-ending job that can eat security resources if not properly managed. Adopters of Threat Exposure Management recognize that not all assets and not all vulnerabilities are created equal and leverage a risk-based approach to help their teams prioritize which vulnerabilities to patch (and which not to) and how quickly.  

RBVM builds upon traditional vulnerability management by enriching vulnerability data with context on the likelihood that a vulnerability will be exploited and the impact if it is. It goes beyond CVE/CVSS scores, which describe the severity of the vulnerability in isolation, by answering questions such as:

  • How difficult is it for an adversary to know we’re vulnerable?
  • What information and access would an adversary need to exploit this system successfully? 
  • Is this vulnerability being exploited in the wild? 
  • What would be the impact on the business if this asset was exploited? 

Armed with the right inventory, necessary business context, and reliable vulnerability intelligence, a TEM approach to vulnerability management can dramatically increase the real-world effectiveness of your VM program WITHOUT adding bodies or work. 

Step 4 – Enrich (Enhance Visibility & Prioritization with Threat Intel)

While even the most basic RBVM implementation will increase the effectiveness of an organization, vulnerabilities are just one type of exposure. Misconfigurations, weak passwords, and data leaks must be considered. Threat intelligence, when combined with existing EASM and VM capabilities, can help put these increasingly common exposures into context and drive effective and rapid action by answering questions like: 

  • What types of threat actors are targeting my industry? 
  • What information about my company do hackers have access to? 
  • What TTPs are these adversaries leveraging most? 
  • Are there emerging attacks in the news that my team needs to prioritize? 

Threat intelligence platforms, such as Anomali or Recorded Future, provide real-time insight into the tools, techniques, and procedures threat actors are using and the data leaking on the dark web. Threat Intelligence can help you and your team understand the weapons and tools at your enemy’s disposal so they can better anticipate threats and take action. These tools let you know which threat actors target your industry or when your finance team’s passwords have leaked online. This information can be automatically fed into a security team’s prioritization process to improve their effectiveness further. 
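The pipeline described in Steps 1 through 4 (discover, unify, contextualize, enrich), as an added example that is not Randori’s code or any vendor’s product. The IT inventory, the EASM discovery feed, the scanner findings and the threat-intel feed are all constructed sample data; the finding IDs are placeholders, not real CVEs; and the weights and scoring formula are assumptions chosen to show the mechanics of risk-based prioritization, not a standard.

```python
"""Toy threat exposure management pipeline: discover -> unify -> contextualize -> enrich.

Added example, not Randori's code. All data below is constructed; finding IDs
are placeholders (not real CVEs) and the weights are illustrative assumptions.
"""

# Step 1 - Discover. Two views of the estate: what IT has on record, and what
# an external discovery scan (EASM) can actually see from the internet.
ITAM_INVENTORY = [  # constructed IT asset management export
    {"host": "www.example.com", "ip": "203.0.113.10", "criticality": "high"},
    {"host": "vpn.example.com", "ip": "203.0.113.20", "criticality": "high"},
    {"host": "fileshare.internal", "ip": "10.0.0.5", "criticality": "medium"},
]
EASM_DISCOVERY = [  # constructed external discovery results (attacker's view)
    {"host": "www.example.com", "ip": "203.0.113.10", "ports": [443]},
    {"host": "vpn.example.com", "ip": "203.0.113.20", "ports": [443]},
    {"host": "dev-api.example.com", "ip": "198.51.100.7", "ports": [8080]},
]
SCANNER_FINDINGS = [  # constructed vulnerability scanner output
    {"id": "FINDING-1", "host": "www.example.com", "cvss": 9.8},
    {"id": "FINDING-2", "host": "vpn.example.com", "cvss": 7.5},
    {"id": "FINDING-3", "host": "dev-api.example.com", "cvss": 8.1},
    {"id": "FINDING-4", "host": "fileshare.internal", "cvss": 9.1},
]
THREAT_INTEL = {  # constructed intel feed: which findings are exploited in the wild
    "FINDING-2": {"exploited_in_wild": True},
}

# Assumed weights. An asset nobody owns is treated as nearly as risky as a
# high-criticality one, because nobody is patching it either.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3, "unknown": 0.8}
INTERNAL_ONLY_FACTOR = 0.4   # not reachable from the internet
EXPLOITED_FACTOR = 2.0       # exploitation observed in the wild


def unify(itam, easm):
    """Step 2 - Unify: one inventory keyed by hostname.

    Records from IT are marked known_to_it; anything only EASM saw is shadow IT.
    External reachability comes from EASM, not from what IT believes.
    """
    assets = {}
    for a in itam:
        assets[a["host"]] = {"host": a["host"], "ip": a["ip"], "known_to_it": True,
                             "external": False, "ports": [],
                             "criticality": a["criticality"]}
    for d in easm:
        rec = assets.setdefault(d["host"], {"host": d["host"], "ip": d["ip"],
                                            "known_to_it": False, "external": False,
                                            "ports": [], "criticality": "unknown"})
        rec["external"] = True
        rec["ports"] = sorted(set(rec["ports"]) | set(d["ports"]))
    return assets


def unknown_assets(assets):
    """Hosts EASM found that IT has no record of: the visibility gap from Step 1."""
    return sorted(h for h, a in assets.items() if not a["known_to_it"])


def risk_score(finding, asset, intel):
    """Steps 3 and 4 - Contextualize and Enrich.

    The CVSS base score only says how bad the bug is in isolation; the factors
    answer the RBVM questions: can an attacker reach it, is it being exploited,
    and how much does the asset matter to the business.
    """
    score = finding["cvss"] / 10.0
    if not asset["external"]:
        score *= INTERNAL_ONLY_FACTOR
    if intel.get(finding["id"], {}).get("exploited_in_wild"):
        score *= EXPLOITED_FACTOR
    score *= CRITICALITY_WEIGHT[asset["criticality"]]
    return round(score, 3)


def prioritize(findings, assets, intel):
    """Rank findings by contextual risk rather than by raw CVSS."""
    ranked = []
    for f in findings:
        asset = assets[f["host"]]
        ranked.append({**f, "external": asset["external"],
                       "exploited": bool(intel.get(f["id"], {}).get("exploited_in_wild")),
                       "score": risk_score(f, asset, intel)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    assets = unify(ITAM_INVENTORY, EASM_DISCOVERY)
    print("unknown to IT:", unknown_assets(assets))
    print("by CVSS:", [f["host"] for f in sorted(SCANNER_FINDINGS, key=lambda f: -f["cvss"])])
    for r in prioritize(SCANNER_FINDINGS, assets, THREAT_INTEL):
        print(f"{r['score']:.3f}  {r['id']:10}  {r['host']:22}  cvss={r['cvss']}  "
              f"external={r['external']}  exploited={r['exploited']}")
```

Run as-is and the scanner’s own ordering (by CVSS base score) puts the 9.8 on the web server first and the 9.1 on the internal file share second. The risk-based ordering instead moves the 7.5 on the VPN, which is externally reachable and reported as exploited in the wild, to the top and pushes the internal file share to the bottom, while the EASM feed surfaces dev-api.example.com as an asset IT never inventoried. Swap in a real inventory export, scanner output and a feed such as a known-exploited-vulnerabilities list, and tune the weights to your environment; the structure of the decision is the same.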

Step 5 – Validate (Trust but Verify) 

While Threat Exposure Management focuses on optimizing the ways security teams identify, prioritize and manage exposures – understanding and confirming the impact of those actions should be a critical component of any security program. It’s how we learn what worked and improve next time. 

While many security teams today are forced to blindly trust that their work matters, new and emerging offensive security solutions are making it possible for organizations to verify the impact of their work. 

Leveraging solutions such as Breach & Attack Simulation (BAS), Next-Generation Penetration Testing (NGPT), and Continuous and Automated Red Teams (CART) in conjunction with a TEM program can be a great way for executives to benchmark the effectiveness of their TEM programs over time. Combining these tools within a security posture supercharges the security program by providing consistent real-time metrics into the impact of TEM activities, contributing to a culture of continuous learning and improvement. 

Begin leveraging Threat Exposure Management to improve your team’s effectiveness today: 

Sign Up for A Free Exposure Audit of Your External Attack Surface
