It’s summer and I’m a baseball fan, so please excuse the extended metaphor.
Let’s start with some chilling stats: some 70% of companies suffered a breach last year alone, while 75% of exposures that organizations fix aren’t even on attack paths to critical assets.
Now, “keep your eye on the ball” is something every Little Leaguer is taught. What the above stats mean is that our IT and Security batters are only hitting three of every ten pitches that are in the strike zone. This is not because they’re not talented hitters or because their bats are faulty. It’s just that they’re collectively looking the wrong way three quarters of the time.
The fact is, none of us are actually able to keep our eyes on the ball. In this post, I’ll explain why this is – and how we can apply the principles of CTEM to rectify it.
Why are Attacks Going Undetected?
First off, any security professional knows that attackers are smart and getting smarter.
Today’s attacker knows how to bypass Endpoint Detection and Response (EDR) and other controls. A recent evaluation of 26 leading EDR solutions found that none could effectively handle attacker bypass techniques. An attacker can skirt around EDR and evade detection by injecting malicious code into legitimate apps, or by exploiting a vulnerability to gain admin privileges and simply disabling security solutions. Or she can bypass EDR altogether by coming in through the supply chain – compromising a trusted vendor and using its integration to gain access. And when EDR alerts remain untriggered, attackers remain below the radar.
Attackers also multitask better than ever before. Today’s attacker doesn’t limit himself to a single exposure. Rather, he leverages a dangerous cocktail of vulnerabilities, misconfigurations, poorly provisioned permissions and other gaps to get at sensitive assets. These attack paths are hard to track with traditional tools and methodologies – leaving successful attackers free to operate undetected, sometimes indefinitely.
Finally, attackers excel at moving laterally across hybrid environments. They know that on-prem security models and controls haven’t quite caught up with cloud tech, and that the shift to the cloud has led to exponential growth in both accounts and identities. They’ve mastered the art of moving seamlessly between the dimensions of this bloated attack surface – which allows them to hide really well.
The final – and possibly most critical – reason that attacks continue to go undetected is internal. There is a wide and growing disconnect between IT and Security teams regarding vulnerability remediation. As of this writing, 18,077 vulnerabilities have been added to the list of CVEs in 2023. With vulnerabilities growing increasingly complex to resolve, Security is challenged to compellingly prioritize fixes – leaving IT hard-pressed to devote resources to fixing, especially when the vulnerabilities sit in legacy systems. This toxic combination leaves companies in limbo – as likely to “accept risk” and not remediate as they are to proactively go after vulnerabilities.
Why are Current Paradigms Falling Short?
Today’s leading exposure management paradigms are… ahem… dropping the ball.
Risk-Based Vulnerability Management (RBVM) attempts to score vulnerabilities using the business impact of asset compromise, whether they appear in the Known Exploited Vulnerabilities (KEV) catalog, and their Exploit Prediction Scoring System (EPSS) score. Yet RBVM projects are long and manual, often dependent on teams that may not fully understand the business and systems at hand, and reliant on already-overtaxed IT teams to document the systems under examination.
Even the best-managed RBVM project is a recipe for potential operational inefficiency on the long road to a list of poorly-prioritized vulnerabilities that might be relevant on the day it’s published – but not for long thereafter.
Automated penetration testing and Breach and Attack Simulation (BAS) were designed to extend traditional pen testing yet suffer from their own inherent limitations. But whereas attackers are multidimensional and creative in their search for attack paths – BAS and auto pen testing do what you tell them, and no more. These systems can’t take into account the lateral pivots that savvy attackers prefer. They’re challenged to effectively prioritize the many vulnerabilities they do detect, and – perhaps most egregiously – owing to operational friction and fear of downtime, they’re generally not run on critical production systems.
Clearly, we’re long overdue for a pinch hitter in the exposure management game. Applying the principles of CTEM with attack path management may be the answer.
CTEM – Raising Security’s Batting Average
Continuous Threat Exposure Management (CTEM) is a framework designed to continuously assess vulnerabilities, prioritize risks, and adapt defenses accordingly. It’s a program, though, and not a tool. The right tool stack will help organizations implement the principles of CTEM, reducing the attack surface and enhancing overall resilience by integrating threat intelligence, vulnerability assessment, risk prioritization, and automated incident response.
And by zeroing in on attack paths, organizations can realize the full promise of CTEM. How so? Seeing the potential paths an attacker may take helps organizations understand the specific sequences of steps that could be used to compromise assets. By mapping out these attack paths and identifying what we call ‘choke points’ (from which attacks can be easily and effectively blocked), we can prioritize vulnerabilities based on the actual potential impact of a breach.
This not only changes the remediation equation, but also revolutionizes organizational cybersecurity. Because once we can focus our remediation efforts only on critical vulnerabilities, cybersecurity dramatically shifts from detection to proactive prevention. What’s more, attack paths offer a contextual understanding of threats that smooths the friction between IT and Security by aiding informed decision-making and – especially – remediation prioritization. This means that Security can clearly demonstrate the danger of any given vulnerability it prioritizes, allowing IT to allocate remediation resources in good conscience.
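To make the attack path idea concrete, here is an added example, written for this post and not code from the author or from any attack path management product. It models a small environment as a directed graph: nodes are assets, and each edge is an exposure (a vulnerability, a misconfiguration or an over-provisioned permission) that lets an attacker who controls the source asset take over the destination. The script enumerates every simple path from the entry points to the critical asset, ranks each exposure by how many of those paths it sits on, finds the choke-point asset shared by every path, and lists the exposures that lead to no critical asset at all, which is exactly the “fixed but not on an attack path” category from the opening stats. The host names, exposure labels and graph are all constructed for illustration.

```python
"""Attack path analysis on a constructed asset graph (added example).

A directed edge (src, dst, exposure) means: an attacker who controls
`src` can use `exposure` to gain control of `dst`. We enumerate simple
paths from entry points to critical assets, rank exposures by how many
paths they sit on, find choke-point assets shared by every path, and list
exposures that reach no critical asset at all.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Hop = Tuple[str, str, str]  # (src_asset, dst_asset, exposure_label)

# Constructed sample environment: host names and exposure labels are
# hypothetical and exist only to illustrate the analysis.
EDGES: List[Hop] = [
    ("internet", "web01", "EXP-1 unpatched CMS on web01"),
    ("internet", "vpn", "EXP-2 VPN portal without MFA"),
    ("web01", "app01", "EXP-3 local admin password reused on app01"),
    ("vpn", "ws07", "EXP-4 VPN ACL reaches user workstations"),
    ("ws07", "app01", "EXP-5 cached domain admin credentials on ws07"),
    ("app01", "db01", "EXP-6 DB service account holds sysadmin"),
    ("app01", "fileserver", "EXP-7 share writable by app01 service account"),
    ("ws07", "printer", "EXP-8 default credentials on printer"),
    ("contractor-laptop", "ws07", "EXP-9 contractor VLAN not segmented from ws07"),
]
ENTRY_POINTS: Set[str] = {"internet", "contractor-laptop"}
CRITICAL_ASSETS: Set[str] = {"db01"}


def build_graph(edges: List[Hop]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list: asset -> [(reachable_asset, exposure_used)]."""
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst, exposure in edges:
        graph[src].append((dst, exposure))
    return graph


def enumerate_attack_paths(edges: List[Hop], entry_points: Set[str],
                           critical_assets: Set[str]) -> List[List[Hop]]:
    """Depth-first search for every simple path from an entry point to a
    critical asset. The visited set keeps cycles (e.g. two hosts that trust
    each other) from looping forever; a branch stops at the first critical
    asset it reaches, since that already counts as a compromise."""
    graph = build_graph(edges)
    paths: List[List[Hop]] = []

    def dfs(node: str, visited: Set[str], hops: List[Hop]) -> None:
        if node in critical_assets and hops:
            paths.append(list(hops))
            return
        for dst, exposure in graph.get(node, []):
            if dst in visited:
                continue
            hops.append((node, dst, exposure))
            dfs(dst, visited | {dst}, hops)
            hops.pop()

    for entry in sorted(entry_points):
        dfs(entry, {entry}, [])
    return paths


def rank_exposures(paths: List[List[Hop]]) -> List[Tuple[str, int]]:
    """Exposures ordered by the number of attack paths they sit on (most
    first, ties alphabetical). Fixing the top entry cuts the most paths."""
    counts: Dict[str, int] = defaultdict(int)
    for path in paths:
        for _, _, exposure in path:
            counts[exposure] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def choke_point_assets(paths: List[List[Hop]]) -> Set[str]:
    """Intermediate assets present on every path: hardening one of these
    blocks all enumerated routes to the critical assets."""
    common: Optional[Set[str]] = None
    for path in paths:
        interior = {dst for _, dst, _ in path[:-1]}  # drop the final target
        common = interior if common is None else common & interior
    return common or set()


def off_path_exposures(edges: List[Hop], paths: List[List[Hop]]) -> List[str]:
    """Exposures no enumerated path uses; remediating them does not reduce
    the exposure of the critical assets."""
    on_path = {exposure for path in paths for _, _, exposure in path}
    return sorted(exposure for _, _, exposure in edges if exposure not in on_path)


if __name__ == "__main__":
    found = enumerate_attack_paths(EDGES, ENTRY_POINTS, CRITICAL_ASSETS)
    print(f"{len(found)} attack path(s) to {sorted(CRITICAL_ASSETS)}")
    for path in found:
        print("  " + " -> ".join([path[0][0]] + [dst for _, dst, _ in path]))
    print("Choke-point assets:", sorted(choke_point_assets(found)))
    print("Exposures by path coverage:")
    for exposure, count in rank_exposures(found):
        print(f"  {count}/{len(found)}  {exposure}")
    print("Exposures on no attack path:", off_path_exposures(EDGES, found))
```

On this sample graph three paths reach db01, every one of them passes through app01, and the sysadmin-holding DB service account (EXP-6) sits on all three, so it is the single fix that severs every enumerated route. The printer credentials and the writable file share (EXP-7, EXP-8) appear on no path to the critical asset: they are real findings, but spending remediation effort on them first is the “looking the wrong way” problem the opening stats describe. The simple-path enumeration is exponential in the worst case, so a production tool would bound path length or use reachability on a compressed graph, but the prioritization logic is the same.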
The Bottom Line
Seeing attack paths pinpoints the most critical vulnerabilities, just like (last one, I promise) a batter aiming for the ball. It’s about spotlighting the real threats and deciding which vulnerabilities to tackle first based on their potential impact. Within the context of CTEM, attack paths help us map out attackers’ moves and identify key points to block them. It’s truly win-win – moving from just finding problems to proactively stopping them, while making IT-Security collaboration even stronger.