How Active Exploitation Fills the Security Gaps Left by VM and EM – Part 2
From VM to Threat Exposure Management, part one of the ‘How Active Exploitation Fills the Security Gaps Left by VM and EM’ series, examined the limitations of vulnerability management (VM) and its growing inability to prioritize vulnerability patching according to the actual risk each vulnerability poses. On the patching side, it looked at the exponential growth in CVE numbers, the attempts to filter out the worst offenders with known exploited vulnerability (KEV) lists, and the limits of that approach. It also looked at attack surface growth in relation to asset sprawl and the uniqueness of each organization’s system architecture.
In this post, we look at threat exposure management (TEM), which is likely to gradually replace VM, and examine adversarial exposure validation (AEV) and exposure assessment platforms (EAPs), the latest exposure management technologies.
What is Threat Exposure Management (TEM)?
TEM is an entirely different concept from VM or KEV. Those look for risks from the inside out. They list vulnerabilities on known assets. TEM, on the other hand, looks at the attack surface from the outside in. It launches actual attacks emulating attackers’ techniques to test the digital infrastructure’s resilience. In other words, it attempts to breach through the digital armor by emulating attackers’ techniques.
The five steps of Gartner’s continuous threat exposure management (CTEM) framework add two non-technological elements to TEM. The CTEM’s five steps are:
- Scoping: Defining the boundaries of assessment
- Discovery: Identifying assets and potential exposures
- Prioritization: Ranking threats based on impact and exploitability
- Validation: Confirming exposure risk through testing
- Mobilizing: Assigning resources to perform remediation
The first and last stages of the cycle require direct human input based on cross-team communication and collaboration, with all the complications of dealing with humans.
Discovering, prioritizing, and validating, however, are technological processes and, as such, fundamentally easier to manage. Threat exposure management (TEM), or exposure management (EM) for short, is the technology that performs discovery, validation, and prioritization.
To start with, humans and machines work together to secure the attack surface.
Attack Surface Management (ASM)
The first thing to understand about the attack surface is that it is divided into internal and external components, each with different characteristics and exposure management needs.
The external attack surface is made of internet-accessible systems, such as:
- Public-Facing Web Applications: Websites, APIs, and other internet-accessible applications.
- Cloud Databases: Cloud-hosted databases or those managed by third-party vendors.
- External API Integrations: APIs that connect internal systems with third-party services.
Testing its resilience should be done from a black-box perspective, without any agents installed, as attackers typically need to gain an initial foothold without any inside help. Adopting an adversarial stance and launching attacks is a core element of managing the attack surface threat exposure.
The internal attack surface, on the other hand, is accessible to attackers only after they breach through the external attack surface. The targets on the internal surface are assets and vulnerabilities within the organization’s physical network. For example:
- Infrastructure: Workstations, servers, routers, and storage systems located on-site.
- Operational Technology (OT): Critical infrastructure, including industrial control systems and IoT devices.
- Local Data Centers: On-premises data storage, including backups and archives.
Automatically testing the internal attack surface’s resilience requires agent-based validation tools such as breach and attack simulation (BAS) or continuous automated red teaming (CART). These tools evaluate privilege escalation and lateral movement and map the resulting attack paths. They show how those attacks are slowed down or blocked by security control validation, identity and access management (IAM), privileged access management (PAM), and other segmentation technologies in line with the zero-trust paradigm.
Choosing between internal or external attack surface management
When prioritizing resource allocation between protecting the external or the internal surface, the main factor to take into consideration is the relative benefit each would bring. Looking at the relative number of breaches starting from the external surface, this is a no-brainer.
80% of breaches result from attackers leveraging an unprotected entry point on the external attack surface.
The Cybersecurity Insiders 2024 Attack Surface Threat Intelligence Report states that a mere 33% of respondents have a mature external attack surface management program, even though 84% report that changes in their external attack surface contribute to security incidents.
Organizations with a mature cybersecurity infrastructure typically already have an external attack surface management (EASM) tool in place. Very logically, their next step is to secure the internal attack surface.
That, however, might be a mistake. It all depends on the capabilities of their external attack surface tool.
EASM tools were on the market long before vulnerability management began morphing into exposure management. So, before deciding what to prioritize, it is worth checking what the existing EASM tool’s actual capabilities are.
Not all EASM tools were created equal
Some EASM tools, like the open-source EasyASM or Qualys, and security assessment tools, like SecurityScorecard or Bitsight, focus exclusively on internet-facing asset discovery and on monitoring to detect changes, new vulnerabilities, or emerging threats. These limited EASM and security assessment tools lack essential functions such as exploitability validation, contextually valid prioritization, and detailed remediation guidance. Even worse, legacy EASMs generate lots of false positives and are likely to ignore vulnerabilities that have a low CVSS score but are highly critical in the context of the organization’s specific system.
Next-generation EASMs added some capabilities, such as remediation guidance, more advanced asset discovery, or AI/ML integration that automates attack surface analysis and risk prediction. Yet they remained based on passive discovery. Additions such as better integration with security ecosystems and IT operations workflows, increased scalability, and adaptability are always nice, but they fail to tackle the main issue.
Unless they include an active exploitability validation step, EASM passive detection solutions are ill-adapted to protect your external attack surface. The alerts they generate will include a disproportionate number of high-severity/low-impact alerts and false positives that contribute to alert fatigue and lead to misprioritizing remediation.
Testing the external attack surface resilience to actual attacks is the only way to focus mitigation efforts on exposures that attackers can actually break through. Instead of generating false positive alerts, external attack security platforms expose the gaps of automated detection, reduce reliance on theoretical risk assessments, and prevent false negatives.
Passive EASMs might create a misleading sense of security: they send many alerts, but many of those are false positives, and some exploitable exposures are likely to sneak under the radar.
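To make the prioritization difference concrete, here is an added illustration (not code from this post or from Element Security): a small Python model in which a legacy, CVSS-only ordering is compared with one that ranks validated, internet-reachable exposures first. The finding ids, asset names and scores are constructed sample data, not real CVEs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Exposure:
    finding_id: str            # constructed placeholder id, not a real CVE number
    asset: str
    cvss: float                # base score as a passive scanner would report it
    internet_facing: bool      # on the external attack surface?
    validated: Optional[bool]  # True/False after an exploitation attempt, None if never tested


# Constructed sample inventory: one low-CVSS exposure an attack actually
# reached, one high-CVSS exposure that was tested and blocked by controls,
# and one high-CVSS internal finding that was never validated.
SAMPLE: List[Exposure] = [
    Exposure("FINDING-A", "web-portal", 5.3, True, True),
    Exposure("FINDING-B", "vpn-gateway", 9.8, True, False),
    Exposure("FINDING-C", "internal-db", 9.1, False, None),
]


def passive_rank(exposures: List[Exposure]) -> List[Exposure]:
    """Legacy EASM ordering: severity score only, no exploitability context."""
    return sorted(exposures, key=lambda e: e.cvss, reverse=True)


def validated_rank(exposures: List[Exposure]) -> List[Exposure]:
    """AEV-style ordering: confirmed exploitable first, then internet-reachable,
    then never-tested ahead of tested-and-blocked, and CVSS only as a tiebreaker."""
    def key(e: Exposure):
        return (e.validated is True, e.internet_facing, e.validated is None, e.cvss)
    return sorted(exposures, key=key, reverse=True)


def triage(exposures: List[Exposure]) -> Dict[str, List[str]]:
    """Bucket findings the way a validated workflow reports them, so the
    tested-and-blocked high-CVSS alert no longer masquerades as urgent."""
    return {
        "confirmed": [e.finding_id for e in exposures if e.validated is True],
        "unvalidated": [e.finding_id for e in exposures if e.validated is None],
        "blocked": [e.finding_id for e in exposures if e.validated is False],
    }


if __name__ == "__main__":
    print("CVSS-only:", [e.finding_id for e in passive_rank(SAMPLE)])
    print("validated:", [e.finding_id for e in validated_rank(SAMPLE)])
    print("triage:", triage(SAMPLE))
```

With this sample, the CVSS-only list puts the blocked VPN finding first, while the validated ordering surfaces the low-scored but confirmed web-portal exposure.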
To differentiate passive detection EASMs from advanced ones that validate exposure exploitability in context, Gartner has created two new tool categories that complement each other:
- Exposure Assessment Platforms (EAP)
- Adversarial Exposure Validation (AEV)
EAPs are, as their name indicates, platforms. In other words, they are tools. EAPs expand from traditional VM platforms to continuously identify and prioritize exposures across a broad range of asset classes.
AEV is a feature that should be included in EAPs to validate the exploitability of mapped assets through attacks.
Each serves a distinct yet complementary purpose: EAPs offer deep insights into potential exposures, while AEV validates whether those vulnerabilities can be exploited in the tested digital architecture. Together, they fully align with the CTEM framework.
| | Exposure Assessment Platforms (EAPs) | Adversarial Exposure Validation (AEV) |
|---|---|---|
| Definition | Continuously identify and prioritize exposures, such as vulnerabilities and misconfigurations, across a broad range of asset classes. They natively deliver or integrate with discovery capabilities and assessment tools. | The process and supporting technologies that deliver consistent, continuous, and automated evidence of the feasibility of various attack scenarios. AEV combines multiple simulations or real attack techniques. |
| Key Challenges Addressed | Be aware of what assets are known and unknown | Know which exposures are exploitable |
Element Security’s external attack surface security platform combines both EAP and AEV capabilities under a single umbrella.
It provides:
- External attack surface discovery through scanning and cataloging all known and unknown digital-facing assets
- Asset mapping to chart the connections between digital-facing assets that could be used to expand attacks
- Active exploitation through launching non-intrusive attacks to test assets’ actual exploitability
- Prioritization based on the severity of asset exploitability
- Detailed attack journal containing the complete attack chain and replicable steps