Putting CTEM Into Practice: The Five Key Steps

Cyber threats are like microbes: They’re constantly evolving, and the defenses that worked against them yesterday may no longer work today. Just as a vaccine crafted for an earlier iteration of a virus may not be effective anymore, the cybersecurity tools and processes that shut down risks in the past might not be enough to keep your business safe today.

That’s why Continuous Threat Exposure Management, or CTEM, is a critical component of any cybersecurity strategy. 

What is Continuous Threat Exposure Management, and why does it matter?

CTEM is the use of real-time data to detect and react to constantly changing threats on a continuous basis. Attack Surface Management (ASM) – meaning the process of identifying which potential attacks your organization faces and which parts of the IT estate they may impact –  is just one part of it.

CTEM plays a central role in keeping businesses safe by helping them to adjust to changes in their attack surface. New vulnerabilities or exploit techniques can change an organization’s attack surface at any time, unless you continuously monitor for emerging threats using CTEM, you will struggle to defend against them before threat actors actually carry out attacks.

Putting CTEM into practice

Here’s what it takes to put Continuous Threat Exposure Management into practice.

Scoping

Scoping means determining the scope of the assets that your company owns, and that may be subject to cyberattacks. For example, scoping allows you to identify which domains, subdomains, IP addresses etc. your organization manages.

Scoping can also extend to non-standard assets that might expose you to attack, such as social media accounts or third-party technologies you depend on – a critical consideration given that attack surfaces have become much larger and more complex. As Microsoft notes, today’s “broader, more dynamic environment results in an expanded set of attack surfaces.” See the image below for Cyberint’s definition of an organization’s attack surface.

Scoping is essentially a form of ASM; an ASM tool actively mapping and tracking company assets is key to effective scoping. Attempting to track your asset scope manually isn’t realistic in most cases because assets change too quickly. You need software that can continuously map assets as your attack surface evolves.

Discovery

Once you have a list of your assets, you can move onto discovery, which means identifying threats that may impact them. Typical ASM tools don’t discover threats like lookalike domains, phishing sites, fraudulent social media pages and leaked Dark Web data, but these threats are critical. It’s crucial to test all your assets in relation to Mitre attack scenarios.

Prioritization

Not all threats pose the same level of risk, which is why prioritization is an important part of CTEM. Prioritization allows you to determine which threats to address first, based on both how likely they are to trigger an attack and how much damage a potential attack could cause.

Prioritization is important because it helps organizations employ limited cybersecurity resources to maximum effect. 

Unfortunately, many ASM tools don’t offer true prioritization. They may help prioritize threats for traditional types of assets, but they are not designed for rapidly growing attack surfaces. To achieve effective threat prioritization for modern IT estates, you need to factor in all threats against all assets then assign risk scores based on factors like the following:

• The severity of the risk.
• Which vulnerabilities threat actors are most commonly targeting. You can get this information from threat intelligence tools.
• Mentions of assets on the Deep and Dark Webs, an indication that threat actors may be planning an attack.
• Whether there are any publicly available Proof-of-Concept exploits and CVEs related to a threat. These show that active exploitation is likely underway.
• Data about whether your industry and/or country is being targeted by any specific attacks or threat actor groups.

By pairing ASM with threat intelligence and vulnerability intelligence, you can generate effective prioritizations for all threats.

Validation

Validation means confirming that security controls you’ve implemented to defend against threats actually work. This is where practices like penetration testing and Red Team exercises come in. They help you validate that the protections you’ve put in place will effectively stop attacks when threat actors attempt to carry them out.

Mobilization

The final step in CTEM is mobilization, which means correcting risks. Given the broad scope of modern attack surfaces and the highly dynamic nature of threats, the ability to optimize risk correction processes is essential. Playbooks can help in this regard by providing clear mitigation flows for your team to follow.

CTEM with Cyberint

From continuous asset mapping to ongoing mitigation, Cyberint has you covered at all stages of the CTEM process:

• Scoping: Cyberint’s Attack Surface Management, Supply Chain Intelligence and Brand Protection features ensure that you can not only map traditional assets, but also gain continuous visibility into your extended attack surface, such as lookalike domains that may be used for phishing and supply chain vendors that can place you at risk.
• Discovery:  Attack Surface Management, Supply Chain Intelligence and Brand Protection functionality also highlights risks that affect your assets, providing a comprehensive list of problems that you must address.
• Prioritization: Based on threat intelligence and vulnerability intelligence, Cyberint provides threats prioritizations, which our analysts review on an ongoing basis. Our goal is to ensure that you can determine which threats to prioritize with as little as thirty minutes spent on our platform each day.
• Validation: Through attack simulation services, Cyberint makes it easy to validate security controls, even if you lack the in-house personnel to perform comprehensive validations yourself.
• Mobilization: Cybeirnt integrates with a variety of SIEM and SOAR platforms to automate mitigation. In addition, integrated ticketing and integrations with ITSM platforms (like ServiceNow) make mobilization simple. Last but not least, we perform takedowns for our customers with just one click, and we complete more than 70 percent of takedowns within 72 hours.

Learn more about how Cyberint helps businesses operationalize CTEM by requesting a demo.