Pentesting, Red Teaming, BAS tools, RBVM, Exposure Management – The Many Options for Addressing Exposures

Pentesting, Red Teaming, Breach and Attack Simulation, RBVM, Exposure Management – Oh My! Your Guide to the MANY Options for Addressing Exposures

Here’s a question a lot of us have to think about on a daily basis – no, not how we’re going to spend our much-needed vacation in Bangkok, or even when child-number-one’s orthodontist appointment was supposed to be. In this line of work, more often the question that bores a hole at the back of our minds is: how easy is it for a malicious actor to get into our networks? And, perhaps more importantly, what is the best thing that can be done to actually prevent them from completing an attack?

Thing is, we already know that cyber attacks are growing steadily in number, strength, and variety. In parallel, even the most sophisticated actors are using surprisingly unsophisticated means to cause damage. There are simply LOADS of threats out there, and for the sake of simplicity (and because exposures are our jam), in this blog, I’ll look at different methodologies for reducing exposures.  

But in order to talk about exposures and how to address them, we need to start with vulnerabilities. The number of vulnerabilities to be addressed on a regular basis is always growing – kind of like how utility costs always seem to increase and never go down. But with thousands of CVEs, many with high severity CVSS scores, fixing all of them is impossible – and so, addressing issues via just CVSS scores is ineffective. Moreover, vulnerabilities only cover a small slice of the issues that put orgs at risk – they fail to include the misconfigs, identity issues and active directory, i.e., exposures, that we see regularly exploited in attacks.

So let’s have a look at some of the more common approaches used to understand and address exposures.

Common Methods to Address Vulnerabilities and Exposures

Risk based vulnerability management solutions augment vulnerability management, while Penetration testing, Red Team exercises, and BAS solutions find and validate that exposures can be exploited. Let’s look a little deeper:

Risk Based Vulnerability Management – Designed to improve prioritization of the many thousands of CVEs that exist in all but the smallest of businesses. They augment vulnerability data with analytics based on asset criticality and threat intelligence sources to prioritize those CVEs that have been known to be (KEV), or predicted to be (EPSS) exploited. But the results still yield an unmanageable list of issues to be dealt with. Moreover, just because something has been exploited in the wild, it doesn’t mean it can be exploited in every environment/configuration, or that an exploit opens up an attack path to a critical asset. In fact, most exposures are not on an attack path to critical assets.

Red Team Exercises – Red teaming is done to achieve specific goals, like accessing business-critical applications. According to IBM, Red teaming is “heavily focused on emulating an advanced threat actor using stealth, subverting established defensive controls and identifying gaps in the organization’s defensive strategy. The value of this type of engagement can be derived from a better understanding of how an organization detects and responds to real-world attacks.”

Penetration Testing – This methodology is used to assess an organization’s level of security, by simulating attacks. Pen tests assess if applications, networks, platforms, and systems can be breached, and are used to find issues that need to be addressed.

Pen testing can overlap with red team exercises and this may be a bit confusing to some people. It turns out that pen testers and red teams can be the same people, using different methods and techniques for different assessments. Like judo and karate, sumo and krav maga – one isn’t necessarily better than the other and some organizations may see value in both.

Breach and Attack Simulation – Breach and Attack Simulation (BAS) solutions offer a different approach for performing automated security testing. Some BAS tools challenge the existing security infrastructure, while others are designed to test existing security controls to ensure they are working as expected.

Both Breach and Attack Simulation and Pentesting/Red Teaming simulate attacks to hypothesize the outcomes of real-world scenarios. They are used to assess and find issues that need to be addressed. Their use, though, is limited by the operational risk they create, as running these live tests can put the security team at risk of creating performance issues, or worse outages, on production systems. Because they are used to find issues by testing the production environment, by design, they also create false positives and false negatives.

False positives occur when the test finds an issue that the SOC shouldn’t be concerned about. False negatives occur when the tool, or its user, chooses not to run all possible tests, for fear of creating the above-mentioned operational issues that come from testing production systems. Lastly, they often leave breadcrumbs for attackers. Not the tasty kind of breadcrumbs I like on my salad (aka Croutons), but the ones that only help attackers to move laterally in their attack progression, such as the cached credentials that get left behind when a BAS solution actively uses credentials they’ve harvested to test their exploitability.

Exposure Management – Focuses on identifying, evaluating, and remediating risks and continually improving security posture. It extends Vulnerability Management in a couple of ways.  

• Instead of just being focused on CVEs, it accounts for all other exposure types, including misconfigurations that open doors for attackers, identity and credential exposures, and Active Directory issues, to name a few.
• It incorporates the context that comes from an attacker perspective, to help security teams get clarity around how attackers could benefit from exposure exploitation, something that is very challenging and time consuming insight to gather manually. Often even more valuable, Exposure Management solutions provide clarity on those exposures that if exploited would NOT enable an attacker in their attack progression. Only by knowing this, can security and IT remediation teams confidently avoid wasting time assessing and remediating these exposures. It’s an ongoing effort that includes continuous monitoring to detect emerging vulnerabilities and threats as they arise and to provide a continuous quantification of the amount of risk inherent in and across an organization’s hybrid on-prem and cloud environments. 

Well, yeah, sure I may be a tad biased – but here’s what Gartner has to say about typical vulnerability management efforts (Gartner, 21 July 2022, Implement a Continuous Threat Exposure Management (CTEM) Program) “Testing attack feasibility with security posture validation initiatives improves score-based prioritization. However, prioritized lists alone are rarely enough to mobilize non security teams and remediate the issues due to insufficient business context and accountability considerations.” (If you want more nuggets like that, you can download the full report from our website at the link above.)   

Exposure Management is a proactive and methodical approach that enables risk reduction in the cost-efficient way possible. With Exposure Management, orgs can proactively address risks, minimizing financial losses, operational disruptions, and reputational harm. And the attacker insight it provides gives clarity to Security and IT teams on the risk reduction value of any given exposure remediation, so they can be confident that they are being most efficient with their limited time, with a means to regularly measure their progress in reducing risk.

Lastly, Exposure Management helps organizations concentrate first on those risks that have a substantial impact on overall security posture, based on validation on how exposures can be leveraged by attackers. For instance, a high-severity Common Vulnerabilities and Exposures (CVE) within an isolated non-critical system is less important than one in an Internet-facing mission critical finance system. The emphasis here is on addressing risks that genuinely impact security posture in a meaningful way – and in a sea of endless lists, knowing what actually matters is key.

The Wrap Up – Exposure Management for the Win

In short, Red Teams, pen testing and BAS solutions find security issues, while Exposure Management solutions help security and IT teams align on the remediation of exposures that reduce the greatest amount of risk, based on the automation it provides in discovering how any given exposure can be leveraged by an attacker. 

No one could ever claim to have a silver bullet, especially not when it comes to something quite so complex as cybersecurity and maintaining security posture. But from what I’ve seen, Exposure Management is showing significant promise in its ability to help organizations continually reduce risk in the most efficient and impactful way.