Cyber threat hunting is a multi-step process. It absolutely includes pen testing and other red team activities, but more often than not, it’s the consistent work of monitoring your internal and external attack surface.
Track your growing attack surface
Your business is always changing and so is your attack surface, or the digital footprint your organization owns on the web and internally. Every time an employee posts on LinkedIn or you add a new device to your network, that’s an added detail or endpoint for an attacker to take advantage of. Attack surface growth increases risk, but it’s also necessary for a healthy business.
Notice attack patterns and boundary testing
Monitoring your external attack surface highlights where and how threat actors test your boundaries. If you’re a transportation business that uses a web-connected API sign-in for frontline truckers, a threat actor might try a brute force attack to access the API. External attack surface management tooling gives your security team visibility into boundary testing patterns and the location from which the malicious contact came.
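What that boundary testing looks like in the sign-in log of such an API, as an added example that is not from the original post or from any EASM product: the sample events, the failure threshold and the time window are constructed assumptions, and the check flags a source that fails repeatedly within the window and notes whether a success followed the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of API sign-in events (not real data): "timestamp src_ip user result"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 192.0.2.10 driver42 FAIL
2024-05-01T08:00:03Z 192.0.2.10 driver42 FAIL
2024-05-01T08:00:04Z 192.0.2.10 driver42 FAIL
2024-05-01T08:00:06Z 192.0.2.10 driver42 FAIL
2024-05-01T08:00:07Z 192.0.2.10 driver42 FAIL
2024-05-01T08:00:09Z 192.0.2.10 driver42 SUCCESS
2024-05-01T08:05:00Z 198.51.100.7 driver17 FAIL
2024-05-01T08:20:00Z 198.51.100.7 driver17 SUCCESS
"""

FAIL_THRESHOLD = 5             # assumed: this many failures from one source...
WINDOW = timedelta(minutes=2)  # ...inside this window is treated as boundary testing


def parse_events(text):
    """Parse the simple space-separated log format into (timestamp, src, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events


def find_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src_ip: (peak_failures_in_window, success_after_burst)}.

    success_after_burst is True when the same source later signed in
    successfully, which is the case worth escalating: a guess may have worked.
    """
    recent_failures = defaultdict(list)  # src -> timestamps of failures in the window
    flagged = {}
    for ts, src, _user, result in sorted(events):
        if result == "FAIL":
            bucket = recent_failures[src]
            bucket.append(ts)
            while bucket and ts - bucket[0] > window:  # slide the window forward
                bucket.pop(0)
            if len(bucket) >= threshold:
                peak, seen_success = flagged.get(src, (0, False))
                flagged[src] = (max(peak, len(bucket)), seen_success)
        elif result == "SUCCESS" and src in flagged:
            peak, _ = flagged[src]
            flagged[src] = (peak, True)
    return flagged
```

A single failure followed by a later success, as for the second source in the sample, is ordinary user behaviour and is not reported.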
Lower vulnerability risk
If you’re not using cyber threat intelligence to inform your risk tolerance and threat hunting, Microsoft’s Defender for EASM is a good first step. EASM highlights areas of your infrastructure that an attacker could take advantage of. Paired with an awareness of CVEs (common vulnerabilities and exposures) and recommended patches, EASM helps security teams identify where and how devices are vulnerable and provides a simplified means to research relevant intelligence specific to each CVE.
Protect against human error
At Ascent, we believe people should inform process and technology decisions for a business. But people aren’t omniscient. Human practitioners need technological support. Enter EASM. Alerting and monitoring handled by a SOC is an active response to true-positive alerting, but EASM scans are pre-emptive. Initial boundary testing that could be dismissed as a false-positive by the SOC has another chance to be caught by EASM. That double-net approach allows the SOC’s superpower—analyst critical thinking—to stay laser focused on active security incidents.
Find shadow IT
Technology your organization doesn’t monitor will be used to access your network. Shadow IT use by your employees is a given, but you can (and should) know which devices or programs are being used. EASM scanning allows you to assess shadow IT as an insider threat enabler or as benign. Whether your employees are wittingly or unwittingly using shadow IT to share information outside of the organization, knowing that an open-source document-sharing system is used instead of the company-recommended option allows security to identify potential risk.
Add protection beyond the firewall
Most organizations do use a firewall and may or may not monitor network activity with a tool like Microsoft’s Web Application Firewall (WAF). Whether or not you have a network access monitoring tool, EASM allows tracking from a different angle. The metrics EASM pulls take you beyond the firewall to assess available access points before they’re taken advantage of.
Maximize the security tools you already own
EASM’s insight from the outside looking in allows you to optimize the security tools you’re already using. Do you have Azure (now Entra ID) but you’ve never turned on Web Application Firewall? Let’s add boundary testing to your SOC alerting list and verify its efficacy with EASM. Are you monitoring access to your HR and Recruiting software or admin accounts? Analyze the software you’re using with EASM. Do you know if your company’s infrastructure is secured at the developer level? Find vulnerabilities before Patch Tuesday. If you answered no to any of those questions, consider adding another control to reduce your business risk.
Security is a constant evolution.
As your business grows, so does your cybersecurity risk. It’s crucial for your security team to be proactive instead of waiting for the actors who will threaten your business’ security. If you’re interested in threat and vulnerability management as a service, reach out to us at firstname.lastname@example.org.