How Do You Validate Security/Risk?

Posted by: Maya Malevich
June 04, 2024
The Five Steps of CTEM, Part 4

Welcome to the fourth installment of our five-part journey through Continuous Threat Exposure Management (CTEM).

In 2022, Gartner unveiled the CTEM framework to support security teams in examining networks, systems, and assets. The primary goals of the framework: improving the identification of exposures and reducing the risk of their exploitation by malicious actors. To accomplish this, CTEM employs a five-stage methodology (Scoping, Discovery, Prioritization, Validation, Mobilization) that enables organizations to minimize their attack surface and strengthen their cyber resilience through the integration of threat intelligence, vulnerability assessment, prioritized risk management, and automated incident response.


In this blog, we’ll take a deep dive into CTEM Stage 4: Validation.

What Does “Validation” Refer to in Cybersecurity?

Security validation, as its name implies, refers to procedures or technology that validate assumptions about the actual security status of your environment, device or infrastructure ecosystem.

Validation is a crucial process aimed at confirming the effectiveness of security measures and ensuring the reliability of your systems, networks, or applications. It involves thorough testing and assessment to verify your security controls, configurations, and protocols are functioning as intended and providing the necessary level of protection.

Effective validation verifies the accuracy and relevance of threat intelligence data and the efficacy of incident response plans. It’s also a key element of proactive risk management – allowing organizations to stay ahead of evolving cyber threats and adapt their security measures accordingly.

How Does Cybersecurity Validation Work?

Cybersecurity validation is a comprehensive process that involves assessing and confirming the efficacy of security measures within your organization’s digital ecosystem. The objective, of course, is to ensure that assumptions made about the security posture are accurate and that defenses are robust.

Traditionally, cybersecurity validation has been focused on vulnerability validation – which generally involves trying to exploit each cyber weakness, often with tools that mimic hacker tactics, like pentesting or Breach and Attack Simulations (BAS). Yet approaches toward cybersecurity validation are evolving – because vulnerabilities do not necessarily represent exposures:

  • Vulnerabilities are weak spots that could be harmful to computer systems, like coding errors or CVEs. 
  • Exposures are specific instances where a vulnerability or combination of vulnerabilities in an organization’s ecosystem can be exploited by a threat actor.

The thing is, knowing that a vulnerability exists is kind of like knowing that a fire alarm is going off somewhere in your office. Security-sensitive organizations need to know what this alarm represents exactly – is it a massive conflagration or just some burnt toast, or is your detector malfunctioning? That’s why Gartner (and XM Cyber) are focusing on exposure validation as opposed to just vulnerability validation. 

So What is Validation in CTEM?

Validation in the CTEM process looks at how attacks can occur and the likelihood of their occurrence. This step leverages a variety of tools, with the goal of assessing whether the assertions made in the previous steps are accurate.

Basically, validation puts the findings of CTEM Discovery to the test – confirming which of the exposures discovered is truly dangerous to the organization in question.

Validation aims to achieve three key goals:

  1. Confirming exploitability – Validation verifies if attackers can truly exploit the identified weaknesses, separating critical issues from false positives. 
  2. Identifying attack paths – Validation maps out all potential routes hackers might use to exploit the vulnerability, giving a complete picture of the attack landscape. 
  3. Testing response effectiveness – Validation assesses if the organization’s current security controls and incident response procedures are sufficient to stop real attacks targeting these weaknesses. 

By validating exposures, CTEM helps ensure that resources are directed at fixing vulnerabilities attackers can truly exploit. 

How to Create a CTEM Validation Process?

A robust CTEM validation process strengthens your organization’s security posture by focusing on real threats and proactively addressing exploitable exposures. 

To get started, clearly define the scope and goals of your CTEM validation process. This includes identifying the most critical assets and systems within your organization – the systems that would have the most significant impact if compromised – so that validation can focus on them. Also, make sure to establish clear objectives for your validation process. Are you aiming to prioritize high-risk exposures, test specific attack scenarios, or achieve a combination of both?

Next, choose the validation techniques right for your organization’s unique security posture and ecosystem. Traditional approaches to CTEM validation include:

  • Automated tools – Automated vulnerability scanners, pentesting and Breach & Attack Simulation (BAS) tools can help you identify exploitable weaknesses within your systems. 
  • Manual testing – For complex exposures or to gain a more comprehensive understanding of your security posture, manual testing like penetration testing or red teaming can be effective.
  • Attack path modeling – Tools like those from XM Cyber show how discovered vulnerabilities can be combined by threat actors to create a successful attack path. By mapping these attack paths, you can anticipate how attackers might exploit a combination of weaknesses to reach critical systems.

Once you have a plan in place, put your validation process into action by testing or simulating attacks. Choose carefully between pentesting, BAS, and attack simulation – each offers distinct advantages and drawbacks:

  • Pentesting offers a highly targeted approach, mimicking real attacker tactics and uncovering complex vulnerabilities. However, it can be resource-intensive and time-consuming, with a limited scope that only provides a one-time snapshot of your security posture.
  • BAS provides broad attack coverage, making it a cost-effective solution. However, it might miss zero-day vulnerabilities and be limited in scope in order to protect the most sensitive systems. It may also leave breadcrumbs, or Indicators of Compromise (IoCs), on machines, which attackers can then leverage to move further into networks.
  • Attack Path Modeling allows for continuously running customizable scenarios and tests of your security posture holistically, across your hybrid environment. However, it does not actively attack your organization. 

The ideal approach often involves a combination of these methods. For example, leverage pen testing for in-depth analysis of your most critical systems, and conduct attack path modeling to continuously test your overall security posture.

Effective validation and prioritization can dramatically streamline the final stage of CTEM: mobilization (coming up soon in the final installment of this series). Simply put, the better you can identify exact threats, the more efficiently you can remediate them.

When to Run CTEM Validation?

While CTEM defines validation as the fourth step, after prioritization and before mobilization, one could argue that validation should actually run alongside these steps. 

Prioritizing exposures that may not be valid within YOUR environment, given its architecture and security controls, is a futile effort. Having your team spend cycles analyzing the potential impact of an exposure that is not exploitable is frustrating and inefficient. That’s why XM Cyber runs validation alongside prioritization. As we generate the attack graph analysis, we analyze exploitability and impact to critical assets.

Mobilization also requires validation that the right fixes have actually reduced your risk level. Not validating remediation leads to a disconnect between teams and could create a false sense of resilience. Remediation validation should also happen post mobilization to establish confidence and ensure risk reduction.
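To make the attack path and remediation validation ideas above concrete, here is a small added example (not XM Cyber's product logic and not code from the original post). It treats each finding as one possible attacker step, marks as exposures only the findings that sit on an unblocked path from an entry point to a critical asset, and re-runs the check after a fix. The host names, finding IDs, and the `control_blocks` field are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: each finding lets an attacker move src -> dst.
# control_blocks=True means an existing security control stops that step.
FINDINGS = [
    {"id": "F1", "src": "internet", "dst": "web01", "control_blocks": False},
    {"id": "F2", "src": "web01", "dst": "app01", "control_blocks": False},
    {"id": "F3", "src": "app01", "dst": "db01", "control_blocks": False},
    {"id": "F4", "src": "internet", "dst": "vpn01", "control_blocks": True},
    {"id": "F5", "src": "vpn01", "dst": "db01", "control_blocks": False},
    {"id": "F6", "src": "kiosk01", "dst": "print01", "control_blocks": False},
]

def _reach(findings, start, reverse=False):
    """Nodes reachable from start over unblocked findings (or backwards)."""
    adj = defaultdict(list)
    for f in findings:
        if not f["control_blocks"]:
            a, b = (f["dst"], f["src"]) if reverse else (f["src"], f["dst"])
            adj[a].append(b)
    seen, stack = {start}, [start]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def validate(findings, entry, critical):
    """Split findings into exposures (on an entry->critical path) and the rest."""
    from_entry = _reach(findings, entry)
    to_critical = _reach(findings, critical, reverse=True)
    exposures = {f["id"] for f in findings
                 if not f["control_blocks"]
                 and f["src"] in from_entry and f["dst"] in to_critical}
    return exposures, {f["id"] for f in findings} - exposures

def validate_remediation(findings, fixed_ids, entry, critical):
    """Re-run validation without the fixed findings; True if no path remains."""
    remaining = [f for f in findings if f["id"] not in fixed_ids]
    return critical not in _reach(remaining, entry)
```

In this sample, F5 is a vulnerability but not an exposure, because the only step leading to it (F4) is stopped by a control; if that control is removed, both F4 and F5 become exposures and fixing F2 alone no longer cuts off the critical asset.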

The Bottom Line

CTEM isn’t just about identifying vulnerabilities; it’s about understanding which ones truly pose a threat. Validation, the fourth stage of CTEM, acts like a security drill, testing if discovered weaknesses can be exploited. This separates critical issues from false positives, ultimately focusing resources on fixing vulnerabilities attackers can truly leverage.

By confirming exploitability, analyzing attack paths, and monitoring security controls, CTEM validation ensures you’re addressing real threats, not minor inconveniences. The better you understand your exposures, the more efficiently you can address them and improve your overall cyber resilience.


Maya Malevich

Maya Malevich is the Head of Product Marketing at XM Cyber. Maya has over 20 years of experience in leading product management and product marketing teams across Cybersecurity, ITSM Software, and AI companies.
