Navigating the Cyber Threat Landscape with Continuous Threat Exposure Management

Continuous Threat Exposure Management is an emerging approach to cybersecurity that continuously monitors and manages security exposures, focusing on reducing the attack surface of an organisation.

In the beginning there was software. This software was written by humans, who are rarely perfect. There have always been errors in this code, often termed bugs, and these bugs often represented vulnerabilities in the operating systems or applications they ran in. Next, technically curious individuals started to search for these vulnerabilities and write code against them. Thus exploits entered the IT sphere, with publicly available exploits being particularly dangerous depending on the vulnerability they targeted. Naturally, humans are still involved and are still making mistakes, which encompass network configurations, server configurations and the misuse of their very own laptops and identities.

Move on to the 2020s and most software vendors now announce their vulnerabilities to the hacker community every month, allowing them to reverse engineer the ‘patch’ to produce their own exploit packages. These exploit packages have value because most machines remain unpatched against known vulnerabilities for days or even years.

Two statistics and an observation to play with:

  • 80%+ of breaches first occur on unknown or unmanaged devices.
  • An actively exploited vulnerability is patched, on average, 279 days after the patch becomes available.
  • Very few companies remain on top of patching their IT estate: the minority are treading water, the majority are drowning.

A new approach is needed, one that:

  • Combines vulnerabilities with accidental errors and misconfigurations into a single category. We will call these exposures.
  • Rather than investigating, or even measuring, these exposures once a week or, more likely, once a month, let’s monitor them continuously.
  • To track these exposures, we need to know what our IT estate is made up of. We cannot manage equipment we don’t know we have.
  • Finally, the goal is not to patch every known device, but rather to focus limited resources on reducing the attack surface of our organisation. Month by month, a handful of changes will consistently make improvements that can be measured and reported on.

Welcome to the emerging world of continuous security exposure management: a world where security operational data can be centralised and then used to identify, track, hunt and report on exposure levels; a world where AI can be used to interrogate ever-growing data stores to find the threats, the unusual relationships and the correlations that allow for a faster time to detect and remediate exposures. Digging a little deeper, we can reshape this AI engine to help find our critical assets and even to model how an attacker could compromise our IT infrastructure, helping to prioritise where to focus IT resources to improve our continuously monitored threat exposure levels.

This world has started to form. Quorum Cyber has recently revamped its vulnerability management service into a Continuous Threat Exposure Management (CTEM) offering. This combines the following:

  • Defender for EASM (External Attack Surface Management) – a tool that shows what an attacker, or indeed anyone investigating your organisation, can see. These findings are categorised by CVE score, OWASP category, CWE table and known exploits to help determine their risk level.
  • Defender for Endpoint (MDE) – a tool that monitors the hosts this service runs on but also acts as a reconnaissance tool, discovering and inventorying all other assets connected to the same network segments as the enrolled Windows devices. On modern Windows devices there is no agent to install and manage; it is part of the operating system.
  • Defender for Servers – similar to MDE above, and able to collect more vulnerability data depending on the licences purchased.
  • Other vulnerability scanning tools, such as Qualys and Rapid7, to augment the feeds generated by the Microsoft Defender products.
  • Quorum Cyber Brand & Credential Monitoring service – looking into the darker corners of the Internet, the more unsavoury forums and Pastebin.com, leaked and stolen passwords (and hashes) and requests for more targeted information can give early indication of an attack. Augmenting this with our Threat Intelligence analysts gives our customers an increased chance of detecting and mitigating vulnerability threats, including the zero-day flavoured ones.

Using the tools above informs us about the following critical concerns:

  1. Visibility

Which assets exist within our environment and, where available, what operating system and software they are running and any potential vulnerabilities found.

  2. Identify

Which assets are critical to your organisation: a key web commerce site, the Chief Financial Officer’s identity, their laptop, or any of your Domain Controllers, as a few examples.

  3. Prioritise

Now that we know what we have and how important each component is, we can start to prioritise the assets and services that increase our risk the most. There may be some instances when patching whole legions of laptops and servers is necessary, but for day-to-day work the goal is to incrementally improve your risk posture with manageable tasks your IT team can perform without drowning them.
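As an added illustration, not code from Quorum Cyber's service, here is a small Python model of the three steps above: constructed asset and exposure records are scored so that known-exploited, long-unpatched exposures on critical assets rise to the top, and devices seen on the network but not enrolled are flagged rather than ignored. The weights and the CVE placeholders are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Exposure:
    cve: str            # constructed placeholder ids, not real CVEs
    cvss: float
    known_exploit: bool
    days_unpatched: int

@dataclass
class Asset:
    name: str
    critical: bool      # set during the "Identify" step
    managed: bool       # False for devices discovered but not enrolled
    exposures: list = field(default_factory=list)

def exposure_score(e: Exposure) -> float:
    # Assumed weights: a public exploit multiplies the CVSS score by 1.5,
    # and every 90 days left unpatched adds one point (capped at 3).
    score = e.cvss * (1.5 if e.known_exploit else 1.0)
    return score + min(e.days_unpatched // 90, 3)

def asset_risk(a: Asset) -> float:
    if not a.managed:
        # We cannot see inside an unmanaged device, so treat it as a
        # worst-case exposure rather than silently scoring it zero.
        base = 10.0
    else:
        base = max((exposure_score(e) for e in a.exposures), default=0.0)
    # Criticality (from the Identify step) doubles the weight.
    return round(base * (2.0 if a.critical else 1.0), 1)

def prioritise(assets: list) -> list:
    """Return (name, risk) pairs, highest risk first."""
    ranked = [(a.name, asset_risk(a)) for a in assets]
    return sorted(ranked, key=lambda t: t[1], reverse=True)

# Constructed sample estate: one exposure per host where present.
SAMPLE_ASSETS = [
    Asset("web-shop", True, True, [Exposure("CVE-XXXX-0001", 5.3, False, 100)]),
    Asset("dc01", True, True, [Exposure("CVE-XXXX-0002", 7.5, True, 300)]),
    Asset("printer-03", False, False),          # seen by MDE, never enrolled
    Asset("cfo-laptop", True, True, [Exposure("CVE-XXXX-0003", 9.8, False, 20)]),
    Asset("dev-vm", False, True),
]

if __name__ == "__main__":
    for name, risk in prioritise(SAMPLE_ASSETS):
        print(f"{name:12} {risk:5.1f}")
```

The ranking shows why a medium-severity but actively exploited and long-ignored flaw on a domain controller outranks a critical-severity but freshly disclosed one on the CFO's laptop, and why the unmanaged printer still appears in the work queue.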

Quorum Cyber offers a number of services to detect, respond to and mitigate attacks. This evolution of threat management services provides an opportunity to invest in defence measures before an attack occurs: an active defence approach.

The service therefore complements our MDR service, which concentrates on post-breach activity, and augments our MXDR approach, which covers both reactive services and the secure configurations and controls used in customer environments. The service is well complemented by our Threat Intelligence services, which give greater visibility of impending attacks and harder-to-detect vulnerabilities (such as the CFO’s password having just leaked online).

Together, this suite of services seeks to make it much harder for you to be successfully targeted: to know both what assets exist and their importance to your organisation, to swiftly detect when you are under attack and, of course, to help mitigate these attacks as quickly as possible using automation and, when required, our Incident Response team.

This service is continuing to evolve with additional features in development already including:

  • Defender for Cloud, to increase visibility in other cloud platforms such as AWS, GCP, GitHub and Azure DevOps.
  • Microsoft Exposure Management (currently in preview), for attack path analysis and critical asset management.

Further afield, there are early glimpses of using AI bots to increase the speed and effectiveness of the attack path analysis feature. Imagine an army of AI bots constantly probing your enterprise to see how attackers could compromise your environment and helping you mitigate any weaknesses found!