Exposure – INDIA NEWS (https://www.indiavpn.org) – News Blog – Tue, 12 Mar 2024 11:29:50 +0000

CTEM 101 – Go Beyond Vulnerability Management with Continuous Threat Exposure Management
https://www.indiavpn.org/2024/03/12/ctem-101-go-beyond-vulnerability-management-with-continuous-threat-exposure-management/ – Tue, 12 Mar 2024 11:29:50 +0000

Mar 12, 2024 | The Hacker News | CTEM / Vulnerability Management


In a world of ever-expanding jargon, adding another FLA (Four-Letter Acronym) to your glossary might seem like the last thing you’d want to do. But if you are looking for ways to continuously reduce risk across your environment while making significant and consistent improvements to security posture, in our opinion, you probably want to consider establishing a Continuous Threat Exposure Management (CTEM) program.

CTEM is an approach to cyber risk management that combines attack simulation, risk prioritization, and remediation guidance in one coordinated process. The term Continuous Threat Exposure Management first appeared in the Gartner® report, Implement a Continuous Threat Exposure Management Program (CTEM) (Gartner, 21 July 2022). Since then, organizations across the globe have been seeing the benefits of this integrated, continual approach.


Webinar: Why and How to Adopt the CTEM Framework

XM Cyber is hosting a webinar on March 27 featuring Gartner VP Analyst Pete Shoard on adopting the CTEM framework. Even if you cannot join live, we will share an on-demand link, so don’t miss it!

Focus on Areas With the Most Risk

But why is CTEM popular, and more importantly, how does it improve upon the already overcrowded world of Vulnerability Management?

Central to CTEM is the discovery of real, actionable risk to critical assets. Anyone can identify security improvements in an organization’s environment. The issue isn’t finding exposures, it’s being overwhelmed by them – and being able to know which pose the most risk to critical assets.

In our opinion, a CTEM program helps you:

  1. Identify your most exposed assets, along with how an attacker might leverage them
  2. Understand the impact and likelihood of potential breaches
  3. Prioritize the most urgent risks and vulnerabilities
  4. Get actionable recommendations on how to fix them
  5. Monitor your security posture continuously and track your progress

With a CTEM program, you can get the “attacker’s view”, cross-referencing flaws in your environment with their likelihood of being used by an attacker. The result is a prioritized list of exposures to address, including ones that can safely be addressed later.

The Five Stages of a CTEM Program


Rather than a particular product or service, CTEM is a program that reduces cyber security exposures via five stages:

  1. Scoping – According to Gartner, “To define and later refine the scope of the CTEM initiative, security teams need first to understand what is important to their business counterparts, and what impacts (such as a required interruption of a production system) are likely to be severe enough to warrant collaborative remedial effort.”
  2. Discovery – Gartner says, “Once scoping is completed, it is important to begin a process of discovering assets and their risk profiles. Priority should be given to discovery in areas of the business that have been identified by the scoping process, although this isn’t always the driver. Exposure discovery goes beyond vulnerabilities: it can include misconfiguration of assets and security controls, but also other weaknesses such as counterfeit assets or bad responses to a phishing test.”
  3. Prioritization – In this stage, says Gartner, “The goal of exposure management is not to try to remediate every issue identified nor the most zero-day threats, for example, but rather to identify and address the threats most likely to be exploited against the organization.” Gartner further notes that “Organizations cannot handle the traditional ways of prioritizing exposures via predefined base severity scores, because they need to account for exploit prevalence, available controls, mitigation options and business criticality to reflect the potential impact onto the organization.”
  4. Validation – This stage, according to Gartner, “is the part of the process by which an organization can validate how potential attackers can actually exploit an identified exposure, and how monitoring and control systems might react.” Gartner also notes that the objectives of the Validation step include assessing “the likely ‘attack success’ by confirming that attackers could really exploit the previously discovered and prioritized exposures.”
  5. Mobilization – Says Gartner, “To ensure success, security leaders must acknowledge and communicate to all stakeholders that remediation cannot be fully automated.” The report further notes that “the objective of the ‘mobilization’ effort is to ensure the teams operationalize the CTEM findings by reducing friction in approval, implementation processes and mitigation deployments. It requires organizations to define communication standards (information requirements) and documented cross-team approval workflows.”

CTEM vs. Alternative Approaches

There are several alternative approaches to understanding and improving security posture, some of which have been in use for decades.

  • Vulnerability Management/RBVM focuses on risk reduction through scanning to identify vulnerabilities, then prioritizing and fixing them based on a static analysis. Automation is essential, given the number of assets that need to be analyzed and the ever-growing number of vulnerabilities identified. But RBVM is limited to identifying CVEs and doesn’t address identity issues and misconfigurations. Furthermore, it doesn’t have the information required to properly prioritize remediation, which typically leads to pervasive backlogs.
  • Red Team exercises are manual, expensive, point-in-time tests of cyber security defenses. They seek to identify whether or not a successful attack path exists at a particular point in time, but they can’t identify the full array of risks.
  • Similarly, Penetration Testing uses a testing methodology as its assessment of risk, and it provides a point-in-time result. Since it involves active interaction with the network and systems, it’s typically limited with respect to critical assets, because of the risk of an outage.
  • Cloud Security Posture Management (CSPM) focuses on misconfiguration issues and compliance risks solely in cloud environments. While important, it doesn’t consider remote employees, on-premises assets, or the interactions between multiple cloud vendors. These solutions are unaware of the full path of attack risks that cross between different environments—a common risk in the real world.

It is our opinion that a CTEM program-based approach offers the advantages of:

  • Covering all assets—cloud, on-premises, and remote—and knowing which ones are most critical.
  • Continuously discovering all types of exposures—traditional CVEs, identities, and misconfigurations.
  • Presenting real-world insights into the attacker view
  • Prioritizing remediation efforts to eliminate those paths with the fewest fixes
  • Providing remediation advice for reliable, repeated improvements

The Value of CTEM

We feel that the CTEM approach has substantial advantages over alternatives, some of which have been in use for decades. Fundamentally, organizations have spent years identifying exposures, adding them to never-ending “to do” lists, expending countless time plugging away at those lists, and yet not getting a clear benefit. With CTEM, a more thoughtful approach to discovery and prioritization adds value by:

  • Quickly reducing overall risk
  • Increasing the value of each remediation, and potentially freeing up resources
  • Improving the alignment between security and IT teams
  • Providing a common view into the entire process, encouraging a positive feedback loop that drives continuous improvement

Getting Started with CTEM

Since CTEM is a process rather than a specific service or software solution, getting started is a holistic endeavor. Organizational buy-in is a critical first step. Other considerations include:

  • Supporting processes and data collection with the right software components
  • Defining critical assets and updating remediation workflows
  • Executing upon the right system integrations
  • Determining proper executive reporting and an approach to security posture improvements

In our view, with a CTEM program, organizations can foster a common language of risk for Security and IT and ensure that the level of risk for each exposure becomes clear. This enables the handful of exposures that actually pose risk, among the many thousands that exist, to be addressed in a meaningful and measurable way.

For more information on how to get started with your CTEM program, check out XM Cyber’s whitepaper, XM Cyber on Operationalizing The Continuous Threat Exposure Management (CTEM) Framework by Gartner®.


Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

A New Way To Manage Your Web Exposure: The Reflectiz Product Explained
https://www.indiavpn.org/2024/03/06/a-new-way-to-manage-your-web-exposure-the-reflectiz-product-explained/ – Wed, 06 Mar 2024 13:24:41 +0000


An in-depth look into a proactive website security solution that continuously detects, prioritizes, and validates web threats, helping to mitigate security, privacy, and compliance risks.

[Reflectiz shields websites from client-side attacks, supply chain risks, data breaches, privacy violations, and compliance issues]

You Can’t Protect What You Can’t See

Today’s websites are connected to dozens of third-party web apps, trackers, and open-source tools like pixels, tag managers, and JavaScript frameworks. Some of these elements are stored on public CDNs, while others are loaded from third-party web servers that may be unfamiliar. These external web components and data items are not always visible to standard security controls, and they often expose you to security threats such as supply chain risks, client-side attacks, and vulnerabilities in your online software. This means that these serious challenges will frequently go unnoticed. Moreover, security and privacy regulations like GDPR, the Cyber Resilience Act, and CCPA have become stricter, creating compliance issues that can lead to costly fines and reputation damage.

The Result: Your web threat exposure is larger than you think.

No More Blind Spots

Reflectiz’s sandbox solution continuously monitors all first-, third-, and fourth-party web apps, external domains, and data items. It detects vulnerabilities and risks in your online environment, providing complete visibility over your web threat exposure, to reveal things like forgotten tracking pixels that are still collecting users’ data long after they should have stopped, or malicious e-skimmers running in iFrames that quietly harvest credit card details. The platform then effectively prioritizes and remediates these security threats and compliance issues.

The Reflectiz solution is executed remotely, requiring no installation. It does not impact your website performance and provides visibility over web components and data items that traditional web security tools may overlook. The platform’s intuitive user interface does not require any technical expertise.

[Figure: Reflectiz’s Automated Detection Cycle]

Proactive Security is Crucial for Managing Sophisticated Security Threats

In today’s sophisticated threat environments, security teams need to effectively scope, identify, prioritize, and address a wider range of threats imposed on their online businesses, shifting from merely fixing vulnerabilities to exposure management. Unlike traditional security tools, a proactive solution enables teams to continuously combat sophisticated web-based cyber threats, achieve enhanced visibility of their entire web exposure, and mitigate security and privacy risks before actual damage has been done.

Want to try the Reflectiz platform? Sign up for a 30-day free trial here.

Analyzing the Web Risk Factors


Reflectiz has developed a unique proprietary browser that explores each webpage on a website, running it dynamically like a regular user. This allows it to analyze and monitor everything that happens on a webpage, including loaded components’ behaviors, JavaScript execution, and network requests. This creates a broader view of your website’s immediate risks and threats.

  • The browser acts like a super client-side proxy, ensuring that no activity on a given webpage goes undetected.
  • The browser collects millions of events that Reflectiz processes, allowing the platform to perform root cause analysis and map the entire supply chain.
  • All web components and their activities are monitored and analyzed for behavior changes, including scripts, iFrames, tags, pixels, cookies, and HTTP headers.
  • The browser has no limitations and can see all activities on any webpage, including iFrames, non-origin content, and first-party components.

Reflectiz’s Unique WWW Approach

Dedicated dashboards for websites and subdomains offer extensive data and details based on Reflectiz’s WWW approach—WHO are your third-party vendors? WHAT are they doing on your websites? WHERE do they send the data they collect? The combination of the answers for each element allows Reflectiz to accurately assess the activity of any web app, domain, or data item, and immediately alert security teams.

For example, Reflectiz recently discovered sophisticated Magecart web skimming attacks involving counterfeit shops on the popular Shopify platform. By utilizing its WWW approach and analyzing browser activity from the outside, Reflectiz promptly identified the malicious activity and mitigated the attackers’ tactic.

For further insights read the Shopify Magecart attack case study.

Exposure Rating


Modern websites carry inherent risks. For instance, a financial website cannot function without user login and financial transaction capabilities, and an e-commerce platform is rendered useless without purchasing functionalities. But these vulnerable areas are precisely where risks are most likely to occur.

Have you ever wondered how secure your website is compared to your competitors? Have you ever thought that knowing would be a competitive advantage? Reflectiz recently introduced an innovative rating system to answer that question.

Reflectiz continuously monitors thousands of websites every day and has now developed the capability to analyze the data gathered and communicate web risk exposure levels in a simple metric.

Leveraging an extensive database, every Reflectiz client can now determine an exposure rating for various categories, including web apps (1st-, 3rd-, and 4th-party), external domains, and website structure.

Every website receives an exposure rating on an A–F scale, benchmarked against industry leaders. This score indicates your level of exposure to web threats. Clients use it not just to see how they compare, but as a tool to guide their efforts to improve.


Complete Inventory

The foundation of the exposure rating lies in Reflectiz’s comprehensive inventory of web apps, open-source components, domains, and data items across all websites. This includes global search and filtering options, making it easy to locate any data item within any web environment and allowing users to delve into different elements of risk.

  • Applications – a complete list of all first-, third-, and fourth-party vendors’ applications running on your website. It includes details such as scripts, locations, hierarchy, and more. Additionally, clients can get access to the pages themselves or the code of each script, along with the current risk factors associated with each application.
  • Domains – a comprehensive inventory of external and owned domains communicating with third parties. This information includes SSL certificate data, domain Whois records, cyber-reputation tests, and more.
  • Data – This section contains analyzed records of all active data items on the website, covering inputs, network parameters, trackers, and pixels. It connects these items to the bigger story of the WWW [Who? What? Where?], including related applications and domains. Furthermore, it identifies which third parties are accessing each data item.
  • Alerts – This section displays all alerts generated by the system, along with detailed information and recommendations for each one. The information is presented in understandable language to ensure all users can make informed decisions.

Deeper Exploration of Specific Risk

Reflectiz aggregates all scripts into a single web app or data item view, along with the current risk factors for each, allowing you to easily identify problematic applications and take immediate actions. The list is dynamic, enabling you to view new third-, fourth-, and nth-party applications and scripts that are added, including those through tag managers or other means.

Managing specific data items provides the following:

  • Identification of remote web servers connected to data items, including the applications that load them and those they load. For example, when integrating a third-party web app like Google Tag Manager into your website, you also integrate fourth-party web apps that already exist on it, such as Meta pixel or TikTok pixel. These elements often go unnoticed by standard security controls and may be exploited.
  • Utilization of business intelligence statistics like global popularity rank, which informs you if a specific data item is commonly used by others, and site coverage rate, where you can observe the spread of a certain data item across your web pages. For example, Google Tag Manager boasts an 80% global popularity rank, indicating widespread adoption, whereas the SnapChat pixel lags behind at 10%. This means that 80% of modern websites use Google Tag Manager, while only 10% incorporate the SnapChat pixel. Armed with this information, security teams can assess the necessity of integrating less popular elements like the SnapChat pixel, thereby reducing overall risk.
  • Investigation of risk factors for each data item involves addressing questions such as whether it has access to sensitive information or communicates with insecure locations. For example, Reveal.js, a framework for creating attractive presentations using HTML, can exhibit several risk factors, including low popularity ranking, execution outside of trusted domains, loading from an open CDN, and access to sensitive inputs. The combination of these risk factors results in a high alert severity level.

Management Panel


The high-level management panel enables decision-makers to obtain a comprehensive overview of their web security status for all their websites in one place. This is achieved by providing a summary of alert severity levels and categories, such as malicious detections, privacy concerns, misconfigurations, and more. Additionally, it includes geographic and workflow displays, allowing managers to observe detected anomalies in their web environment over the past three months.

Addressing PCI DSS v4 New Web Requirements


Reflectiz has recently introduced an add-on feature: a dedicated PCI Dashboard.

The current version of PCI DSS is set to expire by the end of March 2024. With the new PCI DSS 4.0 requirements coming into effect in Q1 2025, Reflectiz enables clients to ensure compliance with mandates such as 6.4.3, by demonstrating how you monitor and manage all payment page scripts executed in the consumer’s browser, and 11.6.1, by showing how you activate a change and tamper detection mechanism for prompt alerts on unauthorized modifications.

The Reflectiz PCI Dashboard also facilitates the generation of compliance reports essential for audits by the PCI’s Quality Security Assessor (QSA). Reflectiz’s PCI compliance solution operates remotely, eliminating the need for installations and providing security teams with immediate real-time visibility into the online ecosystem. This means staying in compliance without imposing a heavy resource burden.

Beyond PCI compliance, the dashboard empowers you to monitor third-party web apps and data items accessing payment and credit card data, while maintaining a comprehensive inventory of all third- and fourth-party scripts. Experience watertight web security that exceeds PCI standards with Reflectiz and take advantage of a free 30-day trial of our PCI DSS Dashboard to seamlessly meet the latest v4.0 requirements.

Establish a Security Baseline

So, how do you start with Reflectiz? The first step for every client is to create a security baseline that aligns with the organization’s risk appetite for approved third-party web apps, marketing pixels, open-source activities, and more. It ensures safe execution and continuous monitoring of all actions.

The security baseline also helps identify any new items that bypass your allow list or detect anomalies in behavior. By design, it reduces the number of alerts and keeps track of changes.

For example, if an unapproved cookie or marketing pixel collects user data without consent, an immediate alert will be issued. You can then approve or unapprove the specific cookie or pixel behavior according to your business context. If choosing to eliminate the risk, Reflectiz will provide mitigation steps to resolve the issue quickly by removing or blocking the specific rogue web app or data items.
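The baseline workflow described in this section (an allow list of approved components, alerts for anything that bypasses it or changes behaviour, and a change/tamper check of the kind PCI DSS 11.6.1 asks for on payment page scripts) can be sketched in a few dozen lines. The following Python is an added illustration written for this page, not Reflectiz code; the script URLs, bodies, destination hosts and the "reads sensitive inputs" flag are constructed sample data, and the alert kinds and severities are an assumed scheme.

```python
"""Allow-list baseline with change/tamper detection for page scripts.

Added illustration (not Reflectiz code): a baseline of approved web
components is diffed against what a scan observed on a page.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BaselineEntry:
    """An approved script: its URL, the SHA-256 of its approved body, and
    the hosts it is allowed to send data to (the 'WHERE' of the WWW view)."""
    url: str
    sha256: str
    allowed_destinations: frozenset


@dataclass(frozen=True)
class Observation:
    """What one scan saw for a script on a page (constructed sample data)."""
    url: str
    body: bytes
    destinations: frozenset
    reads_sensitive_inputs: bool  # e.g. touches card-number or password fields


def fingerprint(body: bytes) -> str:
    """Content hash used to detect unauthorized modification of a script."""
    return hashlib.sha256(body).hexdigest()


def diff_against_baseline(baseline: dict, observations) -> list:
    """Return one alert dict per deviation from the approved baseline."""
    alerts = []
    for obs in observations:
        entry = baseline.get(obs.url)
        if entry is None:
            # Anything not on the allow list is flagged; reading sensitive
            # inputs raises the severity, since that is how a skimmer behaves.
            alerts.append({"kind": "unapproved_script", "url": obs.url,
                           "severity": "high" if obs.reads_sensitive_inputs else "medium",
                           "detail": "not in baseline"})
            continue
        if fingerprint(obs.body) != entry.sha256:
            # Same URL, different content: the tamper-detection case.
            alerts.append({"kind": "tampered_script", "url": obs.url,
                           "severity": "high",
                           "detail": "body hash differs from approved version"})
        extra = obs.destinations - entry.allowed_destinations
        if extra:
            # Approved script, but it now talks to a host it never did before.
            alerts.append({"kind": "unexpected_destination", "url": obs.url,
                           "severity": "high" if obs.reads_sensitive_inputs else "medium",
                           "detail": "sends data to " + ", ".join(sorted(extra))})
    return alerts


def approve(baseline: dict, obs: Observation) -> None:
    """Record an observed item in the baseline as-is (the 'approve' decision)."""
    baseline[obs.url] = BaselineEntry(obs.url, fingerprint(obs.body), obs.destinations)


def run_example():
    """Constructed scenario: one tampered script, one new pixel, one data leak."""
    tag_body = b"window.dataLayer = window.dataLayer || [];"  # constructed
    baseline = {
        "https://tags.example-vendor.com/tm.js": BaselineEntry(
            "https://tags.example-vendor.com/tm.js", fingerprint(tag_body),
            frozenset({"tags.example-vendor.com"})),
        "https://www.example-shop.test/checkout.js": BaselineEntry(
            "https://www.example-shop.test/checkout.js", fingerprint(b"validateCard();"),
            frozenset({"www.example-shop.test"})),
    }
    observed = [
        # approved tag manager, but now also sending data to an unknown host
        Observation("https://tags.example-vendor.com/tm.js", tag_body,
                    frozenset({"tags.example-vendor.com", "collect.example-leak.net"}), False),
        # approved first-party checkout script whose body has changed
        Observation("https://www.example-shop.test/checkout.js",
                    b"validateCard(); /* unexpected change */",
                    frozenset({"www.example-shop.test"}), True),
        # a marketing pixel nobody approved, reading form inputs
        Observation("https://cdn.example-pixel.net/px.js", b"track();",
                    frozenset({"cdn.example-pixel.net"}), True),
    ]
    first = diff_against_baseline(baseline, observed)
    approve(baseline, observed[2])            # business decides the pixel is fine
    second = diff_against_baseline(baseline, observed)
    return first, second


if __name__ == "__main__":
    before, after = run_example()
    for alert in before:
        print("before approval:", alert)
    print("alerts after approving the pixel:", len(after))
```

The second pass shows why a baseline keeps alert volume down: once the pixel is approved, only the two genuine deviations (a modified checkout script and a tag manager contacting a new host) remain. A real deployment would key the baseline on more than the URL (script hash per page, cookie names, consent state) and would re-fingerprint on every scan so that a later change to an approved script is caught at the next run.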

About Reflectiz

Reflectiz is a cybersecurity company specializing in web exposure management. Years of research by infosec experts have gone into the creation of their cutting-edge platform, which global companies now rely on to keep their websites safe. Reflectiz offers a suite of powerful cybersecurity tools gathered within a user-friendly dashboard. It empowers online businesses to continuously monitor both their websites and the web apps they rely on, so they can quickly identify and resolve security threats and privacy issues before they can become a problem.


What is Exposure Management and How Does it Differ from ASM?
https://www.indiavpn.org/2024/03/05/what-is-exposure-management-and-how-does-it-differ-from-asm/ – Tue, 05 Mar 2024 12:26:29 +0000

Mar 05, 2024 | Newsroom | Attack Surface / Exposure Management


Startups and scale-ups are often cloud-first organizations and rarely have sprawling legacy on-prem environments. Likewise, knowing the agility and flexibility that cloud environments provide, the mid-market is predominantly running in a hybrid state, partly in the cloud but with some on-prem assets.

While there has been a bit of a backswing against the pricing and lock-in presented when using cloud infrastructure, cloud is still the preferred provider for the majority of SMBs.

As a result, external attack surfaces are increasingly complex and distributed and, therefore, harder to monitor and secure. This expanded attack surface gives hackers plenty of blind spots and gaps to exploit. Security teams are on the back foot, reacting, often too slowly, to changes in their own attack surface as engineering teams continuously spin up and expose new systems, services, and data to the internet.

This is compounded by the fact that the threat landscape is always changing. Thousands of new vulnerabilities are discovered every month, including vulnerabilities that allow an attacker to gain total control over systems that have to be internet-facing and are meant to support security teams or facilitate secure connections (take the spate of Citrix and Ivanti vulnerabilities that have recently emerged). How can you react to a new critical vulnerability that’s being exploited by ransomware gangs if you don’t even know if your organization is using that technology and exposing it to the internet?

One of the reasons that security teams struggle is that processes are reactive and knowledge about the organization’s attack surface is siloed in the heads of the people who are spinning up those cloud systems. Security teams rely on a sprawl of solutions that generate loads of fragmented data that is difficult to understand, prioritize, and act on. This is where exposure management fits in as an extension of external attack surface management.

What is exposure management in cybersecurity?

As environments evolve and become more complex, so do the tools and techniques needed to secure and protect them. Exposure management aims to reduce that complexity by giving you visibility of all points within your attack surface that an attacker could use to breach your organization and ultimately pose a risk to the business.

Exposure management aims to provide a prioritized list of exposures, with context for each so that you can make an informed decision on what to tackle first and how to tackle it to reduce your business risk.

“Organizations who implement a continuous exposure management program will be three times less likely to be breached by 2026” (Gartner)

Exposure management can also help increase visibility of your entire attack surface, including data assets such as code repositories like GitHub and GitLab, so you can more accurately find opportunities for an attacker and shut them down before they pose too great of a risk to your business.

This means you can better understand the risks you face, and prioritize the attacks that are not just more likely, but more serious. At a time when security teams are overwhelmed with data – over 25,000 vulnerabilities were published in 2022, and we saw that increase to over 26,500 in 2023 – having a clear picture of where to focus your time and effort is becoming essential.

Exposure management vs attack surface management

While both have the same goal, there are important differences between the two. External Attack Surface Management (ASM) is the ongoing process of discovering and identifying assets which can be seen by an attacker on the internet, showing where security gaps exist, where they can be used to perform an attack, and where defenses are strong enough to repel an attack. If you can scan for it using vulnerability scanning then it generally falls within attack surface management.

Exposure management takes this a step further to include data assets, user identities, and cloud account configuration, which helps you understand your exposure and reduce it where necessary.

Here the attack surface includes any of the SaaS products you use. If one of these gets compromised or one of your accounts in your SaaS provider gets compromised, they have information that can be used to facilitate other attacks. So it shouldn’t be forgotten when assessing risk to the business.

Visualize and minimize your exposure with Intruder

Remember what was said about a large attack surface being harder to defend? You can reduce yours by continuously monitoring for changes with an automated vulnerability management tool like Intruder. Get complete control of your vulnerability management to:

  • Discover assets: when new cloud services are spun up and exposed to the internet, Intruder will kick off a scan to find any vulnerabilities so you can fix them faster
  • Know what’s exposed: get complete visibility of your network perimeter, track active and unresponsive targets, identify changes, monitor expiring certificates, and see any ports, services or protocols that shouldn’t be exposed to the internet
  • Detect more: Intruder uses multiple scanners to identify vulnerabilities and exposures across your attack surface giving you the greatest visibility
  • Focus on the big issues: get results prioritized based on context, so you can focus on the most pressing problems without wasting time sifting through the noise
[Figure: Intruder continuously monitors and automatically scans your environments as new vulnerabilities emerge]

Premium and Vanguard customers can also boost their exposure management with bug hunting, where Intruder’s testers look for the weaknesses and exposures that automated scanners can miss. Get started with a 14-day free trial today.
