Security for everyone

Everything Starts With Scoping: CTEM Process - Part 2

SecurityForEveryone


09/Dec/23

Welcome to the second installment of our journey through Continuous Threat Exposure Management (CTEM).

In Part 1, we discussed what CTEM is and why we need it.

In this article, we focus on the process's cornerstone: scoping.


What is scope in terms of cyber security?

Scope is the answer to what you need to protect or test.

It can be a code base, domain, subdomain, an account for online services, an IP, you name it.

To give a more formal definition, scope refers to every device, application, or other entity in an organization's IT environment that needs to be assessed and managed for security risk.

Importance of Scoping in CTEM

"You cannot protect what you do not know you have." (any cybersecurity expert)


Imagine how much more challenging it would be to protect your organization's assets without properly defining what needs protection.

An average SME has hundreds of assets, and a large enterprise may have thousands.

Without scoping, you cannot accurately identify the systems that are critical or vulnerable.

Scoping in CTEM Process

In the CTEM process, the scope covers any digital entity that could give an attacker a vector into the organization.

These can include:

  • Any applications: mobile, web, IoT frameworks, or others,
  • The organization's social media accounts,
  • Employees' digital footprints,
  • Software vulnerabilities,
  • Network assets,
  • E-mail addresses,
  • Domains,
  • Supply chain weaknesses, etc.

Where are we going with this?

CTEM is built on the concept that organizations must proactively identify and continuously assess their cyber threats.

To do this effectively, scoping should be a continuous process; it should not just happen once but should be regularly reviewed and updated as new assets or vulnerabilities emerge.

Based on the risk tolerance levels, organizations can choose to include or exclude assets from their CTEM scope.

The key is to understand that risk and vulnerability change rapidly, and just like a living organism continuously adapts to its environment, organizations should adjust their CTEM scope automatically.

How to Create a CTEM Scoping Process

With two magic words: continuous and automated.

It must be continuous because cyber threats constantly evolve, and organizations must keep up with the pace. Also, the IT infrastructure of organizations is constantly changing, making it necessary to update the scope continuously.

It must be automated because manual scoping processes are time-consuming, prone to human error, and unrealistic when dealing with many digital assets.

A scoping process may involve many steps, including:

  • Open-source intelligence (OSINT) methods, such as domain finders, to detect any asset related to the organization,
  • Attack surface management methods to identify changes in the attack surface map,
  • Network scanning tools to detect network-level services,
  • Crawlers to discover URLs and user inputs.

These are just a few examples of steps that can be included in a CTEM scoping process. Organizations can choose the tools and processes that best suit their needs and risk tolerance levels.

Once all assets have been detected, organizations should identify potential vulnerabilities with vulnerability scanning tools. These tools help pinpoint weaknesses in systems, applications, or network infrastructure.
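The loop described above (merge the output of the discovery steps, detect attack surface changes, decide what stays in scope based on risk tolerance, then hand new in-scope assets to vulnerability scanning) can be sketched as a small script. The following is an added example, not code from the article or from SecurityForEveryone; the asset data, the criticality table, the tolerance thresholds, and the "step outputs" standing in for real OSINT, ASM, network-scan and crawler tools are all constructed for illustration.

```python
"""Minimal continuous CTEM scoping loop (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    kind: str         # domain, ip, app, email, social, ...
    identifier: str   # normalised name, address or URL


# Assumption: a baseline criticality per asset kind. A real programme would
# derive this from business context rather than a fixed table.
CRITICALITY = {"app": 3, "domain": 3, "ip": 2, "email": 1, "social": 1}

# Assumption: risk tolerance maps to the minimum criticality kept in scope.
TOLERANCE_THRESHOLD = {"low": 1, "medium": 2, "high": 3}


def merge_discovery(step_outputs: Dict[str, List[Tuple[str, str]]]) -> Set[Asset]:
    """Union the findings of every discovery step into one deduplicated inventory."""
    inventory: Set[Asset] = set()
    for _step, findings in step_outputs.items():
        for kind, identifier in findings:
            inventory.add(Asset(kind, identifier.strip().lower()))
    return inventory


def diff_inventory(previous: Set[Asset], current: Set[Asset]) -> Dict[str, Set[Asset]]:
    """Attack surface change detection: what appeared and what disappeared."""
    return {"added": current - previous, "removed": previous - current}


def apply_scope_policy(inventory: Set[Asset], tolerance: str,
                       exclusions: Set[str]) -> Dict[str, Set[Asset]]:
    """Split the inventory by risk tolerance and explicit exclusions."""
    threshold = TOLERANCE_THRESHOLD[tolerance]
    in_scope: Set[Asset] = set()
    excluded: Set[Asset] = set()
    for asset in inventory:
        if asset.identifier in exclusions or CRITICALITY.get(asset.kind, 1) < threshold:
            excluded.add(asset)
        else:
            in_scope.add(asset)
    return {"in_scope": in_scope, "excluded": excluded}


def scoping_cycle(previous: Set[Asset], step_outputs, tolerance: str, exclusions: Set[str]):
    """One iteration of the loop; returns the state the next iteration needs."""
    current = merge_discovery(step_outputs)
    changes = diff_inventory(previous, current)
    scope = apply_scope_policy(current, tolerance, exclusions)
    # Only assets that are both new and in scope need a fresh vulnerability scan.
    to_scan = changes["added"] & scope["in_scope"]
    return {"inventory": current, "changes": changes, "scope": scope, "to_scan": to_scan}


# Constructed discovery output for two consecutive cycles. Between them a
# staging subdomain and a social account appear and one host goes away.
CYCLE_1 = {
    "osint_domains": [("domain", "example.com"), ("domain", "shop.example.com")],
    "network_scan": [("ip", "203.0.113.10"), ("ip", "203.0.113.11"), ("ip", "203.0.113.12")],
    "crawler": [("app", "https://shop.example.com/login")],
    "email_harvest": [("email", "info@example.com")],
}
CYCLE_2 = {
    "osint_domains": [("domain", "example.com"), ("domain", "shop.example.com"),
                      ("domain", "staging.example.com")],
    "network_scan": [("ip", "203.0.113.10"), ("ip", "203.0.113.12")],
    "crawler": [("app", "https://shop.example.com/login")],
    "email_harvest": [("email", "info@example.com")],
    "social_lookup": [("social", "@example_corp")],
}
# Constructed exclusion: a decommissioned lab host the policy leaves out.
EXCLUSIONS = {"203.0.113.12"}


def run_demo(tolerance: str = "medium") -> Dict[str, dict]:
    """Run both cycles and return their results keyed by cycle name."""
    first = scoping_cycle(set(), CYCLE_1, tolerance, EXCLUSIONS)
    second = scoping_cycle(first["inventory"], CYCLE_2, tolerance, EXCLUSIONS)
    return {"cycle1": first, "cycle2": second}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "in scope:", len(result["scope"]["in_scope"]),
              "added:", sorted(a.identifier for a in result["changes"]["added"]),
              "removed:", sorted(a.identifier for a in result["changes"]["removed"]),
              "to scan:", sorted(a.identifier for a in result["to_scan"]))
```

Running the script with the constructed data shows the point the article makes: in the second cycle only the newly discovered staging subdomain is queued for scanning, the removed host drops out of scope without manual intervention, and the low-criticality social account is recorded but excluded under a medium risk tolerance; lowering the tolerance to "low" pulls it into scope on the next run.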
