Putting CTEM Into Practice: The Five Key Steps
Cyber threats are like microbes: They’re constantly evolving, and the defenses that worked against them yesterday may no longer work today. Just as a vaccine crafted for an earlier iteration of a virus may not be effective anymore, the cybersecurity tools and processes that shut down risks in the past might not be enough to keep your business safe today.
That’s why Continuous Threat Exposure Management, or CTEM, is a critical component of any cybersecurity strategy.
What is Continuous Threat Exposure Management, and why does it matter?
CTEM is the use of real-time data to detect and react to constantly changing threats on a continuous basis. Attack Surface Management (ASM) – meaning the process of identifying which potential attacks your organization faces and which parts of the IT estate they may impact – is just one part of it.
CTEM plays a central role in keeping businesses safe by helping them adjust to changes in their attack surface. New vulnerabilities or exploit techniques can change an organization’s attack surface at any time. Unless you continuously monitor for emerging threats using CTEM, you will struggle to defend against them before threat actors actually carry out attacks.
Putting CTEM into practice
Here’s what it takes to put Continuous Threat Exposure Management into practice.
Scoping
Scoping means determining the scope of the assets that your company owns, and that may be subject to cyberattacks. For example, scoping allows you to identify which domains, subdomains, IP addresses etc. your organization manages.
Scoping can also extend to non-standard assets that might expose you to attack, such as social media accounts or third-party technologies you depend on – a critical consideration given that attack surfaces have become much larger and more complex. As Microsoft notes, today’s “broader, more dynamic environment results in an expanded set of attack surfaces.” See the image below for Cyberint’s definition of an organization’s attack surface.
Scoping is essentially a form of ASM; an ASM tool actively mapping and tracking company assets is key to effective scoping. Attempting to track your asset scope manually isn’t realistic in most cases because assets change too quickly. You need software that can continuously map assets as your attack surface evolves.
Discovery
Once you have a list of your assets, you can move on to discovery, which means identifying threats that may impact them. Typical ASM tools don’t discover threats like lookalike domains, phishing sites, fraudulent social media pages and leaked Dark Web data, but these threats are critical. It’s crucial to test all your assets against MITRE ATT&CK scenarios.
“By 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach.”
Gartner
Prioritization
Not all threats pose the same level of risk, which is why prioritization is an important part of CTEM. Prioritization allows you to determine which threats to address first, based on both how likely they are to trigger an attack and how much damage a potential attack could cause.
Prioritization is important because it helps organizations employ limited cybersecurity resources to maximum effect.
Unfortunately, many ASM tools don’t offer true prioritization. They may help prioritize threats for traditional types of assets, but they are not designed for rapidly growing attack surfaces. To achieve effective threat prioritization for modern IT estates, you need to factor in all threats against all assets, then assign risk scores based on factors like the following:
- The severity of the risk.
- Which vulnerabilities threat actors are most commonly targeting. You can get this information from threat intelligence tools.
- Mentions of assets on the Deep and Dark Webs, an indication that threat actors may be planning an attack.
- Whether there are any publicly available Proof-of-Concept exploits and CVEs related to a threat. These show that active exploitation is likely underway.
- Data about whether your industry and/or country is being targeted by any specific attacks or threat actor groups.
By pairing ASM with threat intelligence and vulnerability intelligence, you can generate effective prioritizations for all threats.
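As an added example (not Cyberint’s scoring model and not code from this post), the following Python prioritizer combines the five factors listed above into a single risk score over constructed sample threats. The weights, the 1-10 severity scale and the sample assets are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed weights for illustration; not Cyberint's scoring model.
WEIGHTS = {
    "severity": 2.0,           # base severity on an assumed 1-10 scale
    "actively_targeted": 3.0,  # threat intel says actors commonly target this weakness
    "dark_web_mentions": 2.0,  # asset mentioned on the Deep/Dark Web (per mention, capped)
    "public_poc": 3.0,         # public PoC exploit / CVE available
    "sector_targeted": 1.5,    # your industry or country is under a targeted campaign
}
MENTION_CAP = 10  # diminishing returns: more than 10 mentions adds nothing further

@dataclass
class Threat:
    asset: str
    name: str
    severity: int                 # assumed 1-10 scale
    actively_targeted: bool = False
    dark_web_mentions: int = 0
    public_poc: bool = False
    sector_targeted: bool = False

def factor_contributions(t: Threat) -> dict:
    """Per-factor contributions, so an analyst can see why a threat ranks where it does."""
    c = {"severity": WEIGHTS["severity"] * t.severity}
    if t.actively_targeted:
        c["actively_targeted"] = WEIGHTS["actively_targeted"] * 10
    if t.dark_web_mentions > 0:
        c["dark_web_mentions"] = WEIGHTS["dark_web_mentions"] * min(t.dark_web_mentions, MENTION_CAP)
    if t.public_poc:
        c["public_poc"] = WEIGHTS["public_poc"] * 10
    if t.sector_targeted:
        c["sector_targeted"] = WEIGHTS["sector_targeted"] * 10
    return c

def risk_score(t: Threat) -> float:
    return sum(factor_contributions(t).values())

def prioritize(threats: list) -> list:
    """Highest risk first: the order in which the team should work the queue."""
    return sorted(threats, key=risk_score, reverse=True)

# Constructed sample threats against constructed assets.
SAMPLE = [
    Threat("www.example.com", "outdated TLS library", severity=7, public_poc=True, actively_targeted=True),
    Threat("vpn.example.com", "weak admin credential policy", severity=9, dark_web_mentions=3),
    Threat("examp1e.com", "lookalike domain registered", severity=5, sector_targeted=True),
    Threat("mail.example.com", "missing DMARC record", severity=4),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE):
        print(f"{risk_score(t):6.1f}  {t.asset:18} {t.name}  {factor_contributions(t)}")
```

Note that the lookalike domain outranks the higher-severity VPN weakness once sector targeting is factored in, which is the kind of shift a severity-only ranking would miss.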
Validation
Validation means confirming that security controls you’ve implemented to defend against threats actually work. This is where practices like penetration testing and Red Team exercises come in. They help you validate that the protections you’ve put in place will effectively stop attacks when threat actors attempt to carry them out.
Mobilization
The final step in CTEM is mobilization, which means correcting risks. Given the broad scope of modern attack surfaces and the highly dynamic nature of threats, the ability to optimize risk correction processes is essential. Playbooks can help in this regard by providing clear mitigation flows for your team to follow.
CTEM with Cyberint
From continuous asset mapping to ongoing mitigation, Cyberint has you covered at all stages of the CTEM process:
- Scoping: Cyberint’s Attack Surface Management, Supply Chain Intelligence and Brand Protection features ensure that you can not only map traditional assets, but also gain continuous visibility into your extended attack surface, such as lookalike domains that may be used for phishing and supply chain vendors that can place you at risk.
- Discovery: Attack Surface Management, Supply Chain Intelligence and Brand Protection functionality also highlights risks that affect your assets, providing a comprehensive list of problems that you must address.
- Prioritization: Based on threat intelligence and vulnerability intelligence, Cyberint provides threat prioritizations, which our analysts review on an ongoing basis. Our goal is to ensure that you can determine which threats to prioritize with as little as thirty minutes spent on our platform each day.
- Validation: Through attack simulation services, Cyberint makes it easy to validate security controls, even if you lack the in-house personnel to perform comprehensive validations yourself.
- Mobilization: Cyberint integrates with a variety of SIEM and SOAR platforms to automate mitigation. In addition, integrated ticketing and integrations with ITSM platforms (like ServiceNow) make mobilization simple. Last but not least, we perform takedowns for our customers with just one click, and we complete more than 70 percent of takedowns within 72 hours.
Learn more about how Cyberint helps businesses operationalize CTEM by requesting a demo.