CTEM step-by-step guide | Stage one: Scoping
Welcome to our blog series on Continuous Threat Exposure Management (CTEM), where we dig into the five essential stages of implementing a robust CTEM program. Coined by Gartner in 2022, CTEM is a powerful process that can help continuously manage cyber hygiene and risk across your online environment. It’s also a lot to think about when you’re starting out, so it helps to break things down. Our series begins with the crucial first stage: Scoping.
Scoping is about defining the boundaries of the assets within your CTEM program. This stage is about getting visibility over your IT assets, but also deciding which are critical to the business and should be within scope of your CTEM process. This initial scope should also help to prove the value of the CTEM program to stakeholders. Of course, CTEM is an ongoing process, so decisions made here don’t have to be set in stone forever. This scope isn’t static; it’s expected to grow as the attack surface expands, the program matures, and as more insights are gained. Scopes can shift and evolve.
What does successful CTEM scoping look like?
Accurate scoping based on business risk and potential impact is crucial for the success of the CTEM process. Security teams need to align their efforts with what is critical to the business: understanding what matters to their business counterparts and identifying the impacts severe enough to warrant collaborative remediation efforts. The goal is to keep the focus on what is important to the business and to take the ‘attacker’s view’ beyond common vulnerabilities and exposures (CVEs).
By taking an attacker’s perspective, the scoping exercise aims to prioritize the vulnerabilities that could be most detrimental to the business. This might begin with a focus on external attack surfaces or on the security posture of your various Software-as-a-Service (SaaS) platforms. This is especially relevant to modern organizations that rely on SaaS and have remote and hybrid workers. Scoping goes beyond traditional vulnerability management by considering an extended set of assets, including:
- Traditional devices
- Cloud applications
- Corporate social media accounts
- Online code repositories
- Integrated supply chain systems
Scoping is crucial for setting up the rest of the CTEM process because it helps define and refine what’s important to your organization. This keeps the focus on areas that are key to the business, which is different from simply discovering a large number of assets and vulnerabilities. This initial step sets the stage for the subsequent steps of discovery, prioritization, validation, and mobilization, ensuring that the CTEM program is aligned with what’s most valuable to the organization.
What are the risks of not scoping correctly?
If an organization fails to define a proper scope, it can significantly impact the rest of the CTEM process in several ways:
- Confusion between scoping and discovery: Improper scoping can lead to confusion in the second CTEM phase (discovery). You could end up with a large number of assets and vulnerabilities being explored without a clear understanding of their business risk and potential impact.
- Scope creep: Without a defined scope, the CTEM process could become difficult to manage, with assets and vulnerabilities being removed or added during future steps and complicating the process.
- Burden on prioritization: Scope creep shifts the burden onto the prioritization step (step three of CTEM), necessitating additional efforts to cut through the noise and focus on what truly matters. It’s easier and more time-effective to do this at the start of the scoping step.
- Compromised assessments: The effectiveness of vulnerability assessments and threat intelligence gathering is compromised, as the focus may be misdirected towards less critical areas rather than high-value assets that pose significant risks to the organization.
- Overall inefficiency: The entire CTEM process can become inefficient and less effective, potentially leaving critical vulnerabilities unaddressed and the organization at risk.
Which tools should you use for CTEM scoping?
There are several tools that can be helpful for scoping. These include tools to inventory and categorize assets and vulnerabilities, and tools to simulate or test attack scenarios. This work is essential for identifying the initial scope of the CTEM program, which not only helps in proving the value of the program to stakeholders but also sets a foundation for its expansion as the program matures.
External Attack Surface Management (EASM) plays a crucial role in the scoping process by automating the discovery of assets and domains across the entire attack surface. It identifies both known and unknown assets, providing a comprehensive view of the attack surface. This helps ensure that all relevant assets are considered for inclusion in the scope for further analysis and protection, instead of new assets constantly cropping up later on. AI-assisted domain discovery can also help organizations quickly identify the domains belonging to them.
EASM’s ability to continuously update and identify risks makes it an essential tool for maintaining an accurate and up-to-date scope in the CTEM process. Interested in seeing how EASM works? Book a free attack surface analysis with Outpost24’s EASM solution (part of the Outpost24 Continuous Threat Exposure Management Platform).
How to use EASM for scoping
One of the deliverables of EASM is to provide insights into unknowns. In this sense, the EASM Platform works like a live attack surface mapping tool. All of its findings are collected under the scope — the range of the external attack surface of the company. Consequently, all vulnerabilities found within it, including those on forgotten, unknown, or unattended domains, technologies, websites, etc., are gathered in one place for further analysis.
EASM uses a zero-knowledge approach. This means the Platform starts mapping and scanning external IT assets with limited data, for example, a company name or primary domain information. The onboarding process is super quick and easy.
Nevertheless, it’s crucial to maintain a thorough and precise scope definition to always stay a step ahead of bad actors. This proactive approach guarantees that the Platform is continuously providing accurate and relevant information for effective risk management.
The good news is that you don’t have to spend much time adjusting your scope. The EASM Platform has a powerful automatic Domain Discovery module that looks for everything you own (or possibly own) online.
Below, you can find a summary of all the options you can choose from that keep your scope up to date.
Add primary domains
This is a default option. As soon as the EASM Platform receives information about at least one of your primary domains, it enables the search engine to map and inspect the company’s digital surface.
Alternatively, it is also possible to add IP ranges.
Add IPs/IP ranges
The use of this feature isn’t mandatory. It may be helpful, for example, if you would like to scan only specific IP ranges associated with a particular project.
Add subdomains
Specifying subdomains isn’t necessary since they will be automatically discovered. Manual addition is available should specific subdomains be missing in the scope.
Add a cloud integration
You can add an integration with Amazon Web Services (AWS) and/or Microsoft Azure to regularly retrieve Route 53 and DNS Zone data. This boosts findings and helps you keep track of your domains.
Brand protection keywords
Brand-related keywords help the Platform discover even more domains that either belong to your company or could pose a domain squatting threat. You’ll benefit from this feature if you want to protect your company’s brand from phishing and other harmful activity and to complete your scope definition.
Domain Discovery
Outpost24’s EASM tool has an AI-powered domain discovery module designed to find everything you own online. This module detects primary domain candidates and delivers a verified list of look-alike domains with an “Ownership” and “Suspicious” qualification level. What’s more, you can see a screenshot of the domain, and there are several options for deciding what to do with each discovery (dismiss, monitor, add to your primary domains, or add to potential primary domains).
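To make the scope options above concrete, here is an added example (not Outpost24 code, and not the Platform’s own logic) that models a scope as primary domains, IP ranges, manually added subdomains and brand keywords, then triages a constructed list of discovered assets into in-scope, suspicious look-alike, or out-of-scope. The domain names, IP ranges and keywords are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Scope:
    """Scope definition, mirroring the options a scoping tool would hold."""
    primary_domains: set      # e.g. {"example.com"}
    ip_ranges: list           # ipaddress network objects
    extra_subdomains: set     # hosts added manually because discovery missed them
    brand_keywords: set       # strings that flag possible squatting domains

def in_domain_scope(host: str, scope: Scope) -> bool:
    """True if host is a primary domain, a subdomain of one, or a manual add."""
    host = host.lower().rstrip(".")
    if host in scope.extra_subdomains:
        return True
    # Match on label boundary so "notexample.com" is not treated as owned.
    return any(host == d or host.endswith("." + d) for d in scope.primary_domains)

def in_ip_scope(ip: str, scope: Scope) -> bool:
    """True if the address falls inside any configured IP range (raises ValueError if not an IP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scope.ip_ranges)

def classify(asset: str, scope: Scope) -> str:
    """Return 'in-scope', 'suspicious' (brand look-alike to review) or 'out-of-scope'."""
    try:
        return "in-scope" if in_ip_scope(asset, scope) else "out-of-scope"
    except ValueError:
        pass  # not an IP address, treat as a hostname
    if in_domain_scope(asset, scope):
        return "in-scope"
    if any(kw in asset.lower() for kw in scope.brand_keywords):
        return "suspicious"
    return "out-of-scope"

def triage(discovered: list, scope: Scope) -> dict:
    """Group discovered assets so an analyst can dismiss, monitor or add each bucket."""
    buckets = {"in-scope": [], "suspicious": [], "out-of-scope": []}
    for asset in discovered:
        buckets[classify(asset, scope)].append(asset)
    return buckets

# Constructed sample scope and discovery output (hypothetical values).
SCOPE = Scope({"example.com"}, [ipaddress.ip_network("192.0.2.0/24")],
              {"legacy.example.net"}, {"example"})
DISCOVERED = ["www.example.com", "192.0.2.10", "legacy.example.net",
              "example-login.net", "notexample.com", "198.51.100.7", "unrelated.org"]

if __name__ == "__main__":
    for bucket, assets in triage(DISCOVERED, SCOPE).items():
        print(bucket, assets)
```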
Four key pieces of advice for a successful CTEM scoping
- Consider all assets: Don’t only look at traditional assets but also external attack surfaces, SaaS security postures, devices, apps, corporate social media accounts, online code repositories, and integrated supply chain systems.
- Initial scope and value proving: Start with a manageable scope that demonstrates value to stakeholders, focusing on critical business risks and impacts rather than just the entire list of discovered assets, domains and vulnerabilities.
- External attack surface management (EASM): Implement EASM to automate the discovery of both known and unknown internet-facing assets across your entire attack surface. This gives you the perfect starting point to start narrowing down the scope.
- Pilot initiatives: You can always test your CTEM program on a smaller scale with pilot initiatives before rolling it out across the entire organization, particularly in areas like external attack surfaces and SaaS security, which are crucial for remote work and cloud-based business operations.
Moving into step two: Discovery
Scoping sets you up for success in the discovery step of CTEM by ensuring that the focus is on areas of the business that are important and relevant. This targeted approach ensures that the discovery process is aligned with business priorities and reduces the likelihood of confusion or disagreement down the line. Precise scoping is crucial for more than just uncovering a high volume of assets – it’s about pinpointing real risks.
Keep an eye on our blog, where we’ll be posting a new CTEM step each month, helping explore strategies and solutions to avoid common CTEM pitfalls and establish a robust foundation for your program. Next, we’ll dive into the discovery step. This is where you’ll start to discover vulnerabilities that exist within the assets in scope of your CTEM program: CTEM step-by-step guide | Stage two: Discovery.
Learn more about Outpost24’s Threat Exposure Management platform here.