Welcome to the second installment of our five-step journey through Continuous Threat Exposure Management (CTEM).
In July 2022, Gartner unveiled CTEM. Since then, the framework has transformed into a cybersecurity rock star, widely adopted by security and other teams to examine their networks, systems, and assets. The program helps security professionals identify risk through the haze of vulnerabilities and minimize the potential for malicious actors to exploit weaknesses. Comprising a five-step methodology (Scoping, Discovery, Prioritization, Validation, Mobilization), CTEM assists organizations of all sizes in shrinking their attack surface and bolstering their cyber resilience – seamlessly integrating threat intelligence, vulnerability assessment, risk prioritization, and automated incident response.
In today’s blog, we’ll take a deep dive into CTEM step 2: Discovery.
What Does “Discovery” Refer to in Cybersecurity?
In the realm of cybersecurity, “discovery” refers to the process of identifying and gathering information about assets, resources, vulnerabilities, and potential threat exposures within a network or system. Discovery is generally conducted to gain situational awareness for a new role or project, assess security measures, understand business requirements, investigate an incident, respond to a specific threat, and more.
This discovery phase involves actively seeking and mapping out the components of an organization’s digital infrastructure. Discovery aims to provide a comprehensive understanding of the environment, including devices, software, configurations, and potential entry points that could be exploited by threat actors. This information is crucial for security professionals to assess the overall organizational security posture, identify potential risks, and implement effective protective measures.
What is Discovery in CTEM?
In the context of the CTEM framework, “discovery” plays a pivotal role in comprehensively assessing and understanding an organization’s digital landscape. The primary objective of the discovery phase within CTEM is to unearth and evaluate entities along with their associated levels of risk.
A common stumbling block to implementing a CTEM program is the confusion between scoping and discovery. As discussed in the previous installment of this series, in the scoping phase, security teams identify the infrastructure segments to be included in the program. Basically, scoping helps organizations decide what matters most to their business and then adapt the subsequent stages of their CTEM program accordingly.
The Discovery process is the link between Scoping (Stage I) and Prioritization (Stage III). Discovery in the CTEM framework goes beyond mere identification of assets and vulnerabilities. It encompasses a broader spectrum, including the detection of misconfigurations in assets and security controls, as well as exposures to identity and access threats such as exposed credentials and excessive permissions.
If the discovery step is limited in scope, then your security program has inherent blind spots, and all the steps that follow will leave your IT environment exposed to cyber threats. Here are a few considerations for a comprehensive discovery process that avoids common blind spots.
Discovery across your hybrid environment
Many security solutions focus on finding issues either on-prem or in a cloud environment. These tools may provide good coverage for a specific segment of your environment, but they will miss the exposures that enable an attacker's lateral movement from an on-prem breach point into sensitive data and resources in your cloud environment. Ensure exposures across your hybrid environment are discovered and prioritized in order to block attack paths that compromise critical assets on-prem and in the cloud.
Discovery from external attack surface to internal critical assets
Attackers see the full picture. They identify the potential breach point, either by finding a public-facing vulnerable asset or by leveraging leaked and stolen credentials, and then research how to move across your environment to accomplish their goal. To stop them, you need to discover the potential breach points before they do, and also discover the exposures they would use to compromise your critical assets. Keep in mind that even if external attack surface management could stop every breach that starts from outside, including social engineering, 20% of breaches in 2023 included insider participation, according to the Verizon Data Breach Investigations Report 2023. Therefore each approach on its own is insufficient, and you should ensure discovery of exposures end-to-end – from the external attack surface to the internal environment.
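As an added illustration (not code from the original post or from any vendor tool), the following Python models the blind-spot problem raised in the two considerations above: a constructed asset inventory tagged by segment, constructed exposures linking assets, and a check of whether a discovery tool that covers only some segments still sees the attack path from an external breach point to a critical cloud asset. All asset names, segments and exposure descriptions are hypothetical.

```python
from collections import deque

# Constructed sample inventory: each asset is tagged with the segment a
# discovery tool would have to cover in order to see it.
SEGMENT = {
    "web-portal": "external",
    "jump-host": "on-prem",
    "file-server": "on-prem",
    "svc-account": "identity",
    "cloud-bucket": "cloud",
}

# Constructed exposures: (from_asset, to_asset, description). An edge means an
# exposure on from_asset lets someone who controls it reach to_asset.
EXPOSURES = [
    ("web-portal", "jump-host", "unpatched vulnerability (placeholder)"),
    ("jump-host", "svc-account", "credential cached on host"),
    ("svc-account", "cloud-bucket", "over-permissive IAM role"),
    ("jump-host", "file-server", "misconfigured share"),
]

CRITICAL = {"cloud-bucket"}


def discovered_edges(exposures, covered_segments):
    """Keep only exposures whose two endpoints both lie in segments the tool covers."""
    return [e for e in exposures
            if SEGMENT[e[0]] in covered_segments and SEGMENT[e[1]] in covered_segments]


def attack_path(edges, breach_points, critical):
    """Breadth-first search from each breach point; return the first path to a critical asset, or None."""
    adj = {}
    for src, dst, _ in edges:
        adj.setdefault(src, []).append(dst)
    for start in breach_points:
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            if path[-1] in critical:
                return path
            for nxt in adj.get(path[-1], []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return None


def blind_spot_report(covered_segments, breach_points=("web-portal",)):
    """Compare a tool limited to covered_segments with full hybrid, end-to-end discovery."""
    partial = attack_path(discovered_edges(EXPOSURES, covered_segments), breach_points, CRITICAL)
    full = attack_path(EXPOSURES, breach_points, CRITICAL)
    return {"partial_path": partial, "full_path": full,
            "blind_spot": partial is None and full is not None}


if __name__ == "__main__":
    print(blind_spot_report({"external", "on-prem"}))  # on-prem-only tool misses the cloud path
```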
Discovery across attack techniques
Exposure discovery goes beyond vulnerabilities. Since many of the exploited exposures are over-privileged accounts and misconfigurations, especially in cloud environments, leaving them undiscovered is a major security risk. Some of the well-known breaches over the past 2-3 years were based on stolen credentials and over-permissive configuration of security controls. Make sure your discovery runs across different attack techniques to block attacks before they impact your business.
Continuous discovery
Finally, discovery at a single point in time can be misleading. Your environment and the threat landscape keep changing, and today may bring threats that could not have been discovered yesterday. Therefore, continuous discovery is the most comprehensive approach and provides better protection from attackers.
To summarize, the discovery stage of the CTEM framework should be planned carefully to avoid blind spots. The number of assets and vulnerabilities discovered is not success in itself. You need to make sure your discovery is comprehensive across environments, attack techniques, and time, so that you identify the exposures that have the most significant impact on your critical assets and should be fixed immediately.