Dear CISA et al.,
In our current age, marked by the rapidly accelerating velocity and sophistication of cyber threats, it has become clear that traditional cybersecurity methodologies require a significant evolution. As the leaders at the forefront of national security, the urgency to not only adapt but also to proactively anticipate the evolving cyber threat landscape has never been more critical. It is within this context that I advocate for a pivotal strategic shift towards Exploitability and Exposure Management (EEM), anchored in the principles of Continuous Threat Exposure Management (CTEM). This shift promises to significantly bolster the proactive capabilities of federal agencies in preempting and countering the dynamic cyber threats of our time.
Exploitability and Exposure Management (EEM) is a strategic approach in cybersecurity that focuses on identifying and addressing the ways an attacker can enter or exploit a system (exploits) and the impact to the organization (exposures) if the attack is successful. EEM goes beyond traditional vulnerability management by not only recognizing known security gaps but also anticipating potential avenues of attack that have not yet been exploited.
The goal of EEM is to proactively harden systems against both known and unknown threats, reducing the likelihood of successful cyber-attacks by managing the areas within an environment where an attack could take place. This approach intentionally decouples a threat-driven mindset focused on tactics, techniques, and procedures (TTP) and Indicators of Compromise (IOC) from organizational KPIs. This helps organizations prioritize their security efforts on the most critical areas that could be leveraged by an adversary, not ones that already have, thereby enhancing their overall security posture and resilience against cyber threats.
At this juncture, it is both pertinent and necessary to acknowledge the commendable strides already being made by the Cybersecurity and Infrastructure Security Agency (CISA) in fortifying the cybersecurity defenses of the federal government and fostering robust partnerships with the private sector. The initiatives and achievements detailed in CISA’s FY2024-2026 Cybersecurity Strategic Plan lay a solid foundation upon which further advancements in our cybersecurity strategies can be built.
One of the standout achievements under CISA’s stewardship has been the development and maintenance of the CISA Known Exploited Vulnerabilities (KEV) catalog. This resource represents a critical tool in the cyber defense arsenal, providing agencies and private sector partners alike with actionable intelligence on vulnerabilities that have been actively exploited by threat actors. The KEV catalog exemplifies the type of forward-thinking, proactive approach that is essential in today’s cybersecurity landscape, where the speed and discretion with which threats evolve demand an equally dynamic and anticipatory response strategy.
Moreover, CISA’s strategic plan articulates a clear and compelling vision for securing the cyber ecosystem against emerging threats through a combination of innovation, collaboration, and leadership. By prioritizing the reduction of systemic risk, enhancing operational collaboration, and fostering a culture of collective defense, CISA is effectively setting the stage for a more resilient and secure digital future for all stakeholders within the national infrastructure.
EEM directly aligns with CISA's strategic goals, serving as a vital process in advancing cybersecurity on a national scale.
EEM's goals, which I detail below, are proactive and predictive defense, optimized resource allocation, and the building of resilient systems.
This alignment ensures that as new technologies emerge, their associated risks are managed effectively, contributing to the development of a resilient national cyber workforce and safeguarding our digital ecosystem against the threats of tomorrow. An EEM strategy emphasizes not just the identification and mitigation of known vulnerabilities but extends to predicting and neutralizing potential exploit paths before they can be leveraged by adversaries, especially in the face of the adversarial misuse of artificial intelligence (AI) and machine learning technologies.
The landscape of cybersecurity is continuously evolving, with traditional practices centered around vulnerability and threat management increasingly proving to be fundamentally reactive. While these methods have served as the bedrock of our cybersecurity defenses, they often place us in a perpetual game of catch-up with our adversaries. The crux of the issue lies not just in the nature of the threats we face, but in the sophistication and adaptability of the actors behind them. Today, we find ourselves at a pivotal juncture where the utilization of AI by adversaries presents a profound escalation in cyber warfare capabilities.
Adversaries are looking to leverage AI to automate the discovery of vulnerabilities, orchestrate complex attacks, and mimic legitimate user behavior to evade detection. This AI-driven threat landscape enables adversaries to launch attacks at a pace and sophistication that traditional reactive cybersecurity measures cannot match. As AI technologies become more accessible, the potential for malicious use increases, allowing attackers to exploit vulnerabilities faster than they can be patched. This rapid evolution of threats underscores the necessity of transitioning to a proactive and predictive cybersecurity model.
The integration of EEM, underpinned by the CTEM lifecycle, offers a promising pathway forward. By adopting a risk-based process that prioritizes the anticipation and preemption of potential cyber exploits, we can shift from a posture of reaction to one of prevention. EEM and CTEM enable us to identify not just the vulnerabilities but to understand and mitigate the pathways and methods adversaries are likely to use, based on real-time threat intelligence and predictive analytics. This approach not only enhances our ability to defend against known threats but also against the novel and sophisticated exploits powered by AI.
Without embracing a risk-based process, we remain anchored to a reactive stance, always a step behind in the arms race of cybersecurity. The dynamic nature of cyber threats, compounded by the adversarial use of AI, demands a transformation in our cybersecurity strategy. By prioritizing the identification of threats before they are acted upon and focusing on the most critical vulnerabilities based on their potential impact, we can establish a more resilient and adaptive defense mechanism. This strategic evolution is imperative to stay ahead of adversaries and safeguard our digital infrastructure against the next generation of cyber threats.
In-depth analysis conducted through the Epiphany Intelligence Platform (Reveald's CTEM platform, which analyzes security product data to identify material risks) on over 500,000 devices demonstrates the marked advantages of an Exploitability and Exposure Management (EEM) strategy over traditional vulnerability management practices: it eliminated thousands of devices from critical patching consideration. This is further underscored by Reveald’s research across eleven distinct organizations, examining 145,204 unique CVEs affecting those same 500,000 devices. It revealed that, on average, only 29% of CVEs identified by vulnerability scanners are found on systems deemed critical assets, and of those, a mere 4.7% present a substantial risk of exploitation. Consequently, in a typical organization facing tens of thousands of CVEs, fewer than 2% are both exploitable and located on critical systems.
Such efficiency gains are particularly valuable considering the extensive patching requirements across major applications and operating systems within the vast ecosystem of the federal government. The resultant time savings could critically enhance the resilience of both agencies and the Defense Industrial Base (DIB) by allowing for a reallocation of efforts toward strengthening security postures.
Adopting an EEM approach does not compromise security; rather, it ensures that resources are precisely directed towards systems at genuine risk, namely those with potential attack exposure and technically exploitable vulnerabilities. Reveald’s experience, serving a diverse clientele across key sectors such as government, healthcare, and manufacturing, demonstrates that a paradigm shift toward EEM not only conserves valuable organizational resources but also significantly bolsters the effectiveness of cybersecurity measures in preventing severe breaches.
This shift towards a risk-based cybersecurity strategy is imperative. Without it, we risk remaining perpetually reactive in the face of rapidly evolving cyber threats, including those leveraging AI for malicious purposes. By proactively identifying and addressing threats based on their potential impact, we can cultivate a more resilient and adaptable cybersecurity framework. Such a strategic evolution is crucial to outpace adversaries and protect our critical digital infrastructure from the sophisticated cyber threats of tomorrow.
The imperative for transformation is unmistakable and pressing. Adopting a risk-based cybersecurity strategy, encapsulated by EEM and CTEM, transcends being a mere alternative; it is indispensable in an era dominated by AI-enhanced threats. We are stepping into a period where the capabilities for private entities to engage in cyber warfare, either independently or as surrogates for governmental forces, are outpacing the efficacy of traditional point-solution defenses. By embracing a proactive stance in risk management and mitigation, we can forge a cybersecurity infrastructure that is not just resilient in the face of current dangers but also nimble in responding to the evolving threats of the future.
- Proactivity and Predictive Defense: EEM, supported by CTEM's lifecycle, shifts the focus from reacting to known vulnerabilities to anticipating and mitigating potential exploit paths and exposure points focused on greatest net benefit to the organization. This paradigm enables agencies to implement defenses against threats before they manifest and know that their activities are always protecting their “crown jewels.”
- Optimized Resource Allocation: By identifying the most critical and likely points of exposure, EEM allows for a more strategic deployment of cybersecurity resources, ensuring that efforts are focused where they can have the greatest impact in protecting national interests. Mobilizing against exposure is about ideal resource allocation to achieve an acceptable risk result.
- Building Resilient Systems: The adoption of EEM within the CTEM framework fosters the development of inherently more secure systems. These systems are designed with an understanding of potential exploit vectors, making them less susceptible to attacks. The ideal environment is designed to understand that breaches will occur, but their impact can be minimal. To be resilient isn’t to be impermeable.
Applying the CTEM lifecycle and EEM principles to a federal agency or a company within the defense industrial base can profoundly enhance national security. Through the execution of CTEM's phases—beginning with scoping the digital environment, then discovering vulnerabilities and potential attack vectors, prioritizing based on threat impact, and validating resilience—organizations can establish a robust anticipatory defense mechanism.
When EEM is integrated, it amplifies this process by focusing on closing the most impactful exploitation opportunities and reducing exposure points, thus effectively shrinking the attack surface. Such a comprehensive approach ensures that vulnerabilities are not merely patched, but systematically managed and mitigated, significantly minimizing the risk of incidents that could jeopardize security.
By proactively addressing exposures with the insights garnered from CTEM, these organizations strengthen their resilience against sophisticated cyber threats, safeguarding critical national defense infrastructure and sensitive information integral to national security.
At its core, the CTEM model continuously cycles through five phases: scoping the digital environment, discovering vulnerabilities and potential attack vectors, prioritizing them based on threat impact, validating resilience, and mobilizing the response.
By the time an organization reaches the Mobilization phase, it has a clear picture of its cybersecurity posture, an understanding of the adversary’s tactics, and a strategic plan for immediate and decisive action.
To operationalize this strategic shift, I propose:
In conclusion, the adoption of Exploitability and Exposure Management, guided by the Continuous Threat Exposure Management lifecycle, represents a forward-thinking approach to national cybersecurity. It promises not only to enhance our defensive posture but also to ensure that federal agencies remain agile and resilient in the face of an ever-changing cyber threat landscape. I urge CISA and its stakeholders to embrace this evolution with the urgency and commitment it demands, for the security and prosperity of our nation.
Sincerely,
Rob Bathurst
CTO, Reveald
Seasoned tech leader with over two decades of industry leadership spearheading several firms including Reveald and Epiphany Systems. In every role, he has left an indelible imprint of innovative approaches and instrumental technological advancements.