The Intersection of ASM, Cyber-Threat Intelligence, and DRP
Organizations are rapidly adopting a converged cybersecurity strategy.
Breaches are increasing in frequency and cost every year. In response, external attack surface management (EASM) lays the foundation for a rapid shift from a reactive posture to a proactive defense.
To deliver the necessary visibility that a digitally transformed business requires, an effective EASM solution needs seamless integration into parallel security and business processes, including sophisticated AI and predictive analytics for proactive security measures. This has led many organizations to adopt a converged strategy, combining EASM and a digital risk protection service (DRPS). Many organizations are going further—incorporating EASM, DRPS, and cyber-threat intelligence (CTI) to create a fully realized security layer over their external attack space.
The external attack surface is growing and represents a consistent risk exposure.
Not long ago, few organizations put much effort into attack surface discovery and management. Fast forward to 2024, and CISOs have made the attack surface management (ASM) lifecycle a priority. Why? Survey respondents claim their organization is pursuing attack surface discovery to:
- Calculate risk
- Apply the right controls
- Prevent ransomware
- Adhere to regulatory compliance
ASM also helps organizations gain a better understanding of their assets and the posture of those assets. And with lots of activity around digital transformation, the attack surface is constantly changing, creating new vulnerabilities that could expose firms to cyberattacks.
Attack Surface Growth Components
Sixty-two percent of organizations claim that their attack surface grew over the past two years.
What’s driving this growth and change? Security professionals point to factors like:
- Increased IT connections with third parties
- The growing use of IoT/OT technologies
- Public cloud infrastructure services proliferation
- Sensitive data growth
- Shadow IT
CISOs know that these and other factors will only increase in the future, making strong ASM an enterprise requirement.
Cyberattacks Emanating From an Exposed Asset
The research revealed another dynamic driving ASM—more than three-quarters of organizations have experienced a cyberattack due to the exploitation of an unknown, unmanaged, or poorly managed internet-facing asset. This could be anything from misconfigured software to open ports to assets with default passwords. Exploitation of an internet-facing device starts a kill chain progression, where an adversary can gain persistence, move laterally across the network, and discover and exfiltrate sensitive data.
With the attack surface in a constant state of growth and change, it can be extremely difficult for forensic analysts to track cyberattacks back to the source. Thus, an exposed internet-facing asset could act as an open door for various adversary groups and attack campaigns.
The external attack surface is extremely dynamic, making management challenging.
"The research reveals that just discovering the attack surface takes more than 80 person-hours at 48% of enterprise organizations." (Jon Oltsik, Distinguished Analyst and Fellow, Enterprise Strategy Group)
While organizations realize they need to improve ASM, this has proven to be easier said than done, as current ASM efforts require a lot of time and resources. The research reveals that just discovering the attack surface takes more than 80 person-hours at 48% of enterprise organizations. Adding to this complexity, nearly one-third (32%) of organizations review data from more than 11 different data sources to gather the right asset information as part of attack surface discovery.
It’s worth noting that attack surface discovery is a first step. Once the attack surface is discovered, security teams need to analyze the data, develop risk scores for vulnerable assets, suggest priority remediation actions, and then work with IT operations to mitigate critical cyber-risks.
Security Asset Management Challenges
With the current state of ASM, overall security asset management can be extremely challenging. Security asset management processes are designed to answer two basic questions:
1) What assets does the organization have?
2) What is the state of these assets?
As previously stated, security teams must piece together these answers on a tool-by-tool basis, resulting in an incomplete or imprecise picture. Security pros also point to other challenges, like:
- Establishing and maintaining the relationship between asset types
- Coordinating activities of assets across hybrid IT
- Rectifying data integrity issues among different data sources
Clearly, organizations are struggling to keep up with security hygiene and posture management across the external and internal attack surface. With the attack surface continually growing and changing, status quo approaches or small incremental changes can’t keep up, putting organizations at an increasing level of cyber-risk. Instead, CISOs need to think more creatively about scalable, intelligent, and automated approaches to ASM.
CTI is symbiotic with the external attack surface.
It’s clear that external and internal ASM is both critical and extremely difficult. In fact, even organizations with advanced cybersecurity programs may never be able to address all potential vulnerabilities and changes on their attack surface in a timely manner. How can they then address cyber-risk efficiently? Through a threat-informed defense.
This strategy aligns cyber-risk management and defenses directly with adversary behavior and the tactics, techniques, and procedures (TTPs) they use within their threat campaigns. Rather than trying to address all attack surface vulnerabilities, a threat-informed defense focuses on remediating the vulnerabilities that cyber-adversaries actually exploit.
Thus, a threat-informed defense aggregates and analyzes ASM, vulnerability, and threat intelligence data to determine which assets are present, which are vulnerable, and which are actively being exploited in the wild.
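The aggregation step described above can be made concrete with a small prioritization routine. The following Python is an added illustration, not code from this report, from Enterprise Strategy Group, or from ZeroFox: it joins a constructed ASM inventory (including one internet-facing host that IT operations does not track), constructed vulnerability findings with placeholder CVE identifiers, and a constructed CTI set of "exploited in the wild" identifiers, then ranks remediation work. The host names, CVE placeholders, and the three weighting factors are all assumptions chosen for the example.

```python
"""Threat-informed prioritization of vulnerability findings.

Added example: joins ASM inventory, vulnerability findings and CTI data to
decide which exposures to remediate first. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    exposure: str   # "internet" (found by external discovery) or "internal"
    managed: bool   # False = discovered but absent from the IT ops inventory


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float


# Constructed ASM discovery output; the host names are hypothetical.
ASSETS = [
    Asset("web-01", "internet", True),
    Asset("vpn-01", "internet", True),
    Asset("db-01", "internal", True),
    Asset("dev-box-07", "internet", False),   # shadow IT found by discovery
]

# Constructed findings. The CVE ids are placeholders, not real identifiers.
FINDINGS = [
    Finding("web-01", "CVE-0000-1001", 9.8),
    Finding("db-01", "CVE-0000-1002", 9.9),
    Finding("vpn-01", "CVE-0000-1003", 7.5),
    Finding("dev-box-07", "CVE-0000-1004", 6.5),
    Finding("unknown-host", "CVE-0000-1001", 9.8),  # host not in the inventory
]

# Constructed CTI feed: placeholder CVE ids a hypothetical intelligence
# provider reports as actively exploited in the wild.
CTI_EXPLOITED_IN_WILD = {"CVE-0000-1001", "CVE-0000-1003"}

# Assumed weighting factors; a real program would take these from the
# organization's own risk model.
INTERNET_FACING = 1.5
EXPLOITED_IN_WILD = 2.0
UNMANAGED = 1.25


def risk_score(asset: Asset, finding: Finding, exploited: set) -> float:
    """CVSS base score adjusted by exposure, threat activity and ownership."""
    score = finding.cvss
    if asset.exposure == "internet":
        score *= INTERNET_FACING
    if finding.cve in exploited:
        score *= EXPLOITED_IN_WILD
    if not asset.managed:
        score *= UNMANAGED
    return round(score, 2)


def prioritize(assets, findings, exploited) -> dict:
    """Return findings ranked by risk plus findings whose host is unknown.

    A finding on a host that discovery has not inventoried is an inventory
    gap: it cannot be scored and needs an asset-management follow-up.
    """
    by_host = {a.host: a for a in assets}
    ranked, gaps = [], []
    for f in findings:
        asset = by_host.get(f.host)
        if asset is None:
            gaps.append((f.host, f.cve))
            continue
        ranked.append({
            "host": f.host,
            "cve": f.cve,
            "cvss": f.cvss,
            "exploited_in_wild": f.cve in exploited,
            "shadow_it": not asset.managed,
            "score": risk_score(asset, f, exploited),
        })
    ranked.sort(key=lambda r: (-r["score"], r["host"]))
    return {"ranked": ranked, "inventory_gaps": gaps}


if __name__ == "__main__":
    result = prioritize(ASSETS, FINDINGS, CTI_EXPLOITED_IN_WILD)
    for r in result["ranked"]:
        print(f"{r['score']:>6}  {r['host']:<12} {r['cve']}  "
              f"exploited={r['exploited_in_wild']} shadow_it={r['shadow_it']}")
    for host, cve in result["inventory_gaps"]:
        print(f"inventory gap: {cve} reported on unknown host {host}")
```

Run on the constructed data, the internet-facing VPN finding with a CVSS of 7.5 that CTI marks as exploited outranks the internal database finding with a CVSS of 9.9, which is the point of a threat-informed defense: exposure and adversary activity, not severity alone, drive the remediation order. The unmanaged host and the finding on a host missing from the inventory surface the asset-management gaps the report describes.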
Why Organizations Need CTI Programs
In examining the primary reasons for creating a CTI program, the intersection with ASM is evident. For example, security pros claim that their organization created a CTI program as part of a broader digital risk protection (DRP) effort in areas like brand reputation, executive protection, and deep/dark web monitoring.
This type of DRP can be critical for a threat-informed defense, as it helps security teams track adversary behavior and incorporate this intelligence into risk mitigation and cyberdefense decisions. Similarly, CISOs established CTI programs as a precaution after experiencing a targeted cyberattack. Once forensic investigations reveal the root cause of an attack, advanced security teams seek to reinforce attack paths present on the attack surface. The combination of CTI, DRP, and ASM provides foundational data for analytics and decision-making.
CTI Program Challenges
With the wide range of data sources, technologies, processes, and skills needed for a CTI program, there are bound to be many program challenges. In fact, security professionals report challenges spanning the threat intelligence lifecycle, such as:
- Overly technical reports for the business (i.e., the dissemination and feedback phase of the CTI lifecycle)
- A focus on supporting security operations (i.e., the planning and direction phase of the CTI lifecycle)
- Generation of a lot of noise (i.e., the collection, processing, and analysis phases of the CTI lifecycle)
Addressing these challenges isn’t easy—especially in light of the global cybersecurity skills shortage: There simply aren’t enough qualified threat intelligence analysts available. This explains why 61% of organizations use managed services “extensively” to help them with threat intelligence analysis, while another 38% do so on a limited basis. Leading CTI service providers offer focused threat intelligence analysis based on an organization’s location, industry, and size. Furthermore, CTI services help organizations align and optimize activities like ASM, vulnerability, and exposure management.
Digital risk protection includes EASM.
Organizations should understand that DRP coverage will add many dimensions to their already broad CTI programs. Important DRP functions are wide-ranging, including vulnerability exploit intelligence, takedown services, leaked data monitoring, malicious mobile application monitoring, and brand protection. Even attack surface discovery and monitoring, once considered a standalone function, is merging quickly into DRP services.
DRP extends even further into areas like fraud protection, phishing detection, executive protection, and third-party risk management.
A comprehensive DRP program will discover assets and exposures well beyond those security and IT operations teams are tracking. Organizations should approach DRP with a process mindset. Beyond digital risk discovery, security teams must be prepared to prioritize risks based on their potential for business disruption. Additionally, intelligence teams must integrate DRP into their intelligence lifecycle phases. Those lacking staff and skills for DRP should seek out services experts to augment their programs.
Alignment of CTI and DRP Programs
As previously mentioned, many organizations established a CTI program to get ahead of DRP. DRP can include activities like:
- Brand protection
- Social media protection
- Executive protection
- Account takeover detection (ATD)
- Physical security threat monitoring
- Misinformation/disinformation monitoring
In most instances, DRP and CTI are closely aligned—more than half (55%) of organizations claim that CTI and DRP programs are managed by one organization with dedicated data sources and tools, while 41% say that programs are managed by one organization with common data sources and tools.
Organizations will invest in EASM as part of CTI and DRP.
Enterprise Strategy Group research indicates that organizations continue to invest in their threat intelligence programs. In fact, 63% of firms will increase CTI program investments “significantly.” Priorities include sharing intelligence reports internally, investing in DRP services, and integration with other security technologies.
ASM fits in here as well. Leading ASM offerings will provide shareable intelligence for vulnerability management, SOC, and IT operations teams. ASM data can also be integrated into security tools like vulnerability management (VM) tools, SIEM, and ticketing systems.
A Forward-Looking Approach to Managing Digital Risks for Enterprise Organizations
When weaving DRP services, ASM, and/or CTI programs together, CISOs should emphasize:
- Addressing dynamic threats and future-readiness. The ever-changing nature of external threats necessitates a keen focus on predicting and understanding them in real time. The foresight gained by combining these three solutions in a cohesive manner is fundamental to closing exposures before attackers can take advantage of them.
- Adapting to evolving landscapes. The landscapes of EASM, DRPS, and CTI are not static; they are expected to transform significantly. It’s imperative for organizations to remain agile and adapt their strategies to counteract these shifting threats and exposures effectively.
- Adopting a proactive cybersecurity culture. The foundation of robust external cybersecurity lies in continuous monitoring, evaluation, and improvement. Establishing a culture that prioritizes proactive action is critical for maintaining resilience against external threats.
- Embracing strategies to enhance resilience. The analyses provided are more than research-based insights; they are practical, actionable intelligence for organizations aiming to future-proof their external cybersecurity approach.
To apply these insights effectively, organizations should seek detailed answers to questions like:
- Which specific external threats are likely to emerge, and how can your organization contextualize those threats to proactively prepare for them?
- In what ways can EASM, DRPS, and CTI be customized to align with the anticipated shifts in the threat landscape for your specific organization?
- What concrete actions can your organization take to foster a proactive approach to cybersecurity defense?
Answers here will guide ASM, CTI, and DRP adoption, helping organizations establish a threat-informed defense, mitigate cyber-risks, and improve defenses.
Download the guide to get more information and the complete findings from the research.
See and secure critical external assets
The industry's leading digital risk protection, now with robust External Attack Surface Management. Complement ZeroFox’s industry-leading digital risk protection to discover, analyze, and prioritize remediation for vulnerabilities across your most critical internet-facing assets.
Forrester has recognized ZeroFox as a leader in Digital Risk Protection with best-in-class takedown services.
Read this Forrester Total Economic Impact study to see how ZeroFox delivers a 267% Return on Investment.