STAGE 1 – Scoping
This first stage encompasses understanding your attack surfaces and what is more important and what is less important to your business. The scope will naturally expand and shift as your program becomes more established.
When considering your attack surface, don’t forget to include your:
☐ External attack surfaces
☐ SaaS tools
☐ Newly acquired environments (via M&A/mergers)
☐ Third parties
☐ Open source repositories
☐ Information exposed on the darkweb
STAGE 2 – Discovery
This step digs in to uncover assets and their level of risk. When considering risk, it is CRUCIAL to note that risk extends beyond vulnerabilities.
Make sure you account for:
☐ Misconfigurations
☐ Weak credentials
☐ Overly permissive identities
☐ Vulnerabilities
STAGE 3 – Prioritization
You’ll never be able to fix EVERYTHING – and you don’t need to. This step is all about identifying the most impactful issues – i.e., the ones with the greatest business impact and the highest likelihood of leading an attacker to critical assets – and creating a plan to fix those issues first.
Start by identifying your quick wins. These are the issues that can be fixed fast and will have the greatest impact:
☐ Low-complexity attack techniques
☐ Risky users
☐ Areas where multiple attack paths converge (choke points)
☐ Exposed cloud storage containing sensitive info
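The choke-point idea above can be made concrete by enumerating attack paths from entry points to critical assets and counting how many of those paths each intermediate node sits on. The following is an added example, not code from the original checklist or from Gartner: the attack graph, node names, entry points and critical assets are all constructed for illustration.

```python
# Added example: ranking choke points in a constructed attack graph.
# The graph, node names and asset labels below are made up for illustration.
from collections import Counter
from itertools import product

# Constructed graph: node -> nodes reachable in one attack step.
ATTACK_GRAPH = {
    "internet": ["vpn-gateway", "web-app"],
    "web-app": ["app-server"],
    "vpn-gateway": ["jump-host"],
    "jump-host": ["app-server", "admin-workstation"],
    "app-server": ["db-primary"],
    "admin-workstation": ["domain-controller", "db-primary"],
    "domain-controller": ["db-primary", "file-server"],
    "db-primary": [],
    "file-server": [],
}
ENTRY_POINTS = ["internet"]                      # where an attacker starts
CRITICAL_ASSETS = {"db-primary", "file-server"}  # what the business cares about


def simple_paths(graph, start, goal, path=None):
    """Return every loop-free path from start to goal (fine for small graphs)."""
    path = (path or []) + [start]
    if start == goal:
        return [path]
    paths = []
    for nxt in graph.get(start, []):
        if nxt not in path:  # avoid cycles
            paths.extend(simple_paths(graph, nxt, goal, path))
    return paths


def all_attack_paths(graph=ATTACK_GRAPH, entries=ENTRY_POINTS, targets=CRITICAL_ASSETS):
    """Every path from any entry point to any critical asset."""
    paths = []
    for entry, target in product(entries, sorted(targets)):
        paths.extend(simple_paths(graph, entry, target))
    return paths


def choke_points(paths, entries=ENTRY_POINTS, targets=CRITICAL_ASSETS):
    """Count on how many attack paths each intermediate node appears, most first.

    Nodes shared by many paths are the choke points: fixing one of them
    breaks several paths at once, which is the 'quick win' the checklist
    is after.
    """
    counts = Counter()
    for p in paths:
        for node in p:
            if node not in entries and node not in targets:
                counts[node] += 1
    return counts.most_common()


def paths_cut_by_fixing(node, paths):
    """How many of the current attack paths a remediation of `node` would break."""
    return sum(1 for p in paths if node in p)


if __name__ == "__main__":
    paths = all_attack_paths()
    print(f"{len(paths)} attack paths to critical assets")
    for node, count in choke_points(paths):
        print(f"  {node:20s} on {count} path(s)")
```

In the constructed graph the ranking puts `vpn-gateway` and `jump-host` first because four of the five paths pass through them, so hardening either of those nodes removes more exposure than patching `web-app`, which sits on a single path. A real program would feed this from the discovery stage's inventory rather than a hand-written dictionary and would weight edges by attack complexity, but the counting logic is the same.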
STAGE 4 – Validation
This stage looks at how attacks can occur and the likelihood of their occurrence. This step will leverage a variety of tools, with the goal of assessing if the assertions of the steps above are accurate and validated.
Tools/methodologies to use:
☐ Pentesting
☐ Attack path modeling and analysis
☐ Breach and attack simulation
☐ Security controls monitoring
STAGE 5 – Mobilization
This stage, which in a sense serves as the facilitating factor for the entire framework, is where you make sure everyone is on the same page and understands their role and responsibilities within the context of the program.
Make sure that:
☐ You have clearly defined your processes so they are easily understood
☐ These processes have been communicated to anyone relevant
☐ Everyone is aware of the risks and knows their role
☐ There is a feedback loop via which people can ask questions and get answers
There’s lots more to take into account when building your CTEM program. We recommend reading Gartner’s full report and then building a strategic plan to operationalize your adoption. But hopefully with this handy and efficient list, you’ll have a view of the most important highlights and get headed in the right direction.