CTEM Operation

The attack surface isn't what it once was and it's becoming a nightmare to protect. A constantly expanding and evolving attack surface means risk to the business has skyrocketed and current security measures are struggling to keep it protected. If you've clicked on this article, there's a good chance you're looking for solutions to manage this risk.

In 2022, a new framework was coined by Gartner to address these challenges - Continuous Threat Exposure Management (CTEM). Since then, putting this framework into action has become a priority across many organizations for the profound improvement it is expected to make toward maintaining a high level of security readiness and resilience.

"By 2026 organizations that prioritize their security investments based on a continuous exposure management program will be three times less likely to suffer a breach." Gartner, "How to Manage Cybersecurity Threats, Not Episodes," August 21, 2023

CTEM provides a continuous and comprehensive view of the attack surface and the exposures within it, testing whether security controls are effectively blocking the potential exploitation of exposures, and then streamlining the mobilization towards remediating the selected vulnerabilities.

Adopting CTEM can quickly become overwhelming as it involves the orchestration of many disparate and moving parts. Pulling together digital assets, workloads, networks, identities, and data across the enterprise. Therefore to simplify this, we have broken down the framework to its pillars, providing manageable steps that guide you through this process of making exposure management - manageable.

Pillar #1: Expand your Visibility of the Attack Surface

Asset management is an essential step at scoping the entire environment, and getting a full inventory of digital assets and their relative sensitivity, however the ability to understand each asset’s exposure profile remains a challenge.

Organizations adopting CTEM gain a more realistic view of the exposure profile of each digital asset. CTEM imposes an attacker’s mindset, where instead of trying to get a comprehensive inventory, the aim is analysing the attack surface like an attacker would, assessing each asset in terms of its availability, integrity, and confidentiality.

The process starts by scoping the environment for digital assets in stages. We recommend an initial scope that includes either:

  1. Scoping the internal network, this is where the most critical parts of your network that if compromised, give attackers access to your "crown jewels".

  2. The external attack surface, which is typically supported by a large ecosystem of tools is also more vulnerable to attack, as malicious actors are constantly scanning and probing to find cracks in network perimeters.

At a second stage, consider expanding the scope to include digital risk protection, which adds greater visibility into the attack surface and SaaS tooling, which lends itself to an easier communication about risks, as SaaS solutions tend to increasingly host critical business data.

Once the scope is determined, organizations should determine their risk profiles by discovering exposures on high priority assets. It should also incorporate the misconfiguration of assets, especially as they relate to security controls, and other weaknesses, such as unmanaged assets or compromised credentials.

Pillar #2: Level up your Vulnerability Management

Vulnerability Management (VM) has long been the cornerstone of many organizations' cybersecurity strategies, focusing on identifying and patching against known CVEs. However, with the growing complexity of the IT environment and the enhanced capabilities of threat actors, VM alone is no longer enough to maintain the cybersecurity posture of the enterprise.

This is particularly evident when taking into account the escalating number of published CVEs each year. Last year alone, there were 29,085 CVEs and only 2-7% of these were ever exploited in the wild. This makes becoming patch-perfect an unrealistic goal, especially as this doesn't take into account non-patchable vulnerabilities such as misconfigurations, Active Directory issues, unsupported third-party software, stolen and leaked credentials and more, which will account for over 50% of enterprise exposures by 2026.

CTEM shifts the focus to prioritizing exposures based on their exploitability and their risk impact on critical assets as opposed to CVSS scores, chronology, or vendor scoring. This ensures that the most sensitive digital assets to the organization's continuity and objectives are addressed first.

Prioritization is therefore based on security gaps that are easily exploitable and simultaneously provide access to sensitive digital assets. The combination of both causes these exposures, which typically represent a fraction of all discovered exposures, to be prioritized.

Pillar #3 Validation Converts CTEM from theory to proven strategy

The final pillar of the CTEM strategy, validation, is the mechanism to prevent the exploitation of security gaps. To ensure the ongoing efficacy of security controls, validation needs to be offensive in nature, by emulating attacker methods.

There are four strategies for testing your environment like an attacker, each mirroring the techniques employed by adversaries:

  1. Think in graphs - While defenders often think in lists, be they of assets or vulnerabilities, attackers think in graphs, mapping out the relationships and pathways between various components of the network.
  2. Automate tests - Manual penetration testing is a costly process that involves third-party pentester stress testing your security controls. Organizations are limited in the scope they can test. In contrast, attackers leverage automation to execute attacks swiftly, efficiently and at scale.
  3. Validate real attack paths - Attackers do not focus on isolated vulnerabilities; they consider the entire attack path. Effective validation means testing the entire path, from initial access to exploited impact.
  4. Test continuously - Manual pentesting is typically done periodically, either once or twice a year, however testing in "sprints" or short, iterative cycles, allows defenders to adapt with the speed of IT change, protecting the entire attack surface by addressing exposures as they emerge.

CTEM: Invest Now - Continually Reap the Results

With all the different elements of people, processes, and tools in a CTEM strategy, it's easy to get overwhelmed. However, keep a few things in mind:

  1. You're not starting from scratch. You already have your asset management and your vulnerability management systems in place, the focus here is to simply extend their scope. Make sure your tools are comprehensively covering your IT environment's entire attack surface and they are continually updated with the pace of change.
  2. Consider this as a process of continual refinement. Implementing the CTEM framework becomes an agile cycle of discovery, mitigation, and validation. The job is never truly done. As your enterprise grows and matures, so does your IT infrastructure.
    3. CTEM Operation
  3. Put validation at the center of your CTEM strategy. This gives you the confidence to know that your security operations will stand up when put to the test. At any point in time, you should know where you stand. Perhaps everything checks out, which is great. Alternatively, a gap might be identified, but now you can fill that gap with a prescriptive approach, fully aware of what the downstream impact will be.

Learn more about how to implement a validation-first CTEM strategy with Pentera.


Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.