CTEM step-by-step guide | Stage two: Discovery

Welcome to our blog series on Continuous Threat Exposure Management (CTEM), where we dig into the five essential stages of implementing a robust CTEM program. Coined by Gartner in 2022, CTEM is a powerful process that can help continuously manage cyber hygiene and risk across your environment. It’s also a lot to think about when you’re starting out, so it helps to break things down.
We’ve already covered the crucial first stage (Scoping) in the first blog in the series and explored how important it is for setting your CTEM process up for success. This post covers the second stage: CTEM Discovery.

CTEM Discovery Phase

What does successful discovery look like?

The goal now is to identify all known and previously unknown assets within scope of the CTEM program and discover the vulnerabilities in each of these assets. Exposure discovery can also go beyond vulnerabilities alone – you might find other weaknesses such as counterfeit assets, weak passwords, or bad responses to phishing tests.

The discovery phase should prioritize business areas identified during the scoping process and aim for a comprehensive understanding of the organization’s attack surface, focusing on the quality and relevance of the findings rather than the quantity. Some additional ‘noise cutting’ will probably be needed, but this will be resolved in the prioritization stage that comes after discovery.

What are the risks of not carrying out discovery correctly?

The main hurdle to overcome is confusion between the scoping and discovery stages. Discovery could turn up a huge number of vulnerabilities, but this is less valuable if there wasn’t accurate scoping based on business risk. It’s about identifying the vulnerabilities that matter to the organization and could have a serious impact.

In general, improper discovery can negatively impact the prioritization step (stage three) of CTEM. It can cause an inaccurate understanding of the assets and vulnerabilities within an organization, leading to a prioritization process based on incomplete or incorrect data. This misalignment makes it difficult to accurately identify and address the threats most likely to be exploited. Consequently, the organization may focus on less critical issues while more significant risks remain unaddressed, reducing the overall effectiveness of the CTEM program.

Which tools should you use for discovery?

  1. Risk Based Vulnerability Management (RBVM): RBVM solutions such as Outpost24’s Outscan NX examine your entire attack surface and help you pinpoint the most imminent threats for mitigation. There’s often a gap between the identification of vulnerabilities and the IT resource available to remediate them. Using an RBVM solution makes the process more streamlined and helps organizations to proactively address potential issues before they escalate. This approach helps maintain a proactive stance towards vulnerability and cloud security management.
  2. External Attack Surface Management (EASM): EASM tools like Outpost24’s Sweepatic offer continuous discovery, mapping, and monitoring of all internet-facing assets associated with your business. Automatic data gathering, enrichment, and AI-driven analysis modules analyze all your known and unknown internet-facing assets for vulnerabilities and attack paths.
  3. Web Application Security Testing: Testing tools such as Outpost24’s Pen Testing as a Service (PTaaS) solution specifically target vulnerabilities in web applications. They perform scans to detect common security issues such as SQL injection, cross-site scripting (XSS), and other threats that are prevalent in web environments. By pinpointing these vulnerabilities, these tools enable organizations to fortify their web applications against attacks and significantly reduce their overall attack surface.
  4. Active Directory Password Auditor: Many breaches start with stolen credentials. An audit can assess the strength and security of Active Directory passwords within your organization. It audits existing password policies and checks for adherence to security best practices and standards. Password auditors identify weak, reused, or compromised passwords, advocating for the use of strong, unique passwords to prevent unauthorized access and enhance security posture. Specops Software offer a free, read-only auditing tool available for download: Specops Password Auditor.

Advice for a successful CTEM discovery stage

  • Identify all known and previously unknown assets and determine which are in scope for the CTEM program using EASM
  • Use tools such as RBVM and PTaaS to discover vulnerabilities in each asset – remember to consider both on-premises and cloud environments
  • Prioritize discovering assets and their risk profiles based on the areas identified during the scoping process
  • Go beyond identifying vulnerabilities to include misconfigurations, counterfeit assets, and other weaknesses
  • Be prepared for the discovery process to extend beyond the initially stated scope, necessitating further prioritization to cut through the noise

Moving into step three: Prioritization

Following the advice for a successful discovery phase sets you up well for step three of CTEM, prioritization, by ensuring that all known and previously unknown assets and their vulnerabilities are comprehensively identified. This thorough identification allows organizations to accurately evaluate the risk associated with each asset and its potential impact on the business.

With a complete view of vulnerabilities, security teams can effectively use integrated Threat Intelligence data to prioritize the most critical risks. This prioritization ensures that limited resources are focused on addressing the vulnerabilities most likely to inflict significant damage on the organization, thereby enhancing the overall effectiveness of the CTEM program.

Keep an eye on our blog, where we’ll be posting a new CTEM step each month, helping explore strategies and solutions to avoid common CTEM pitfalls and establish a robust foundation for your program. Next, we’ll dive into the prioritization step. This is where you’ll evaluate the risk associated with each asset and its potential impact on the business.


About the Author

Marcus White, Cybersecurity Specialist, Outpost24

Marcus is an Outpost24 cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.