CTEM Validation and Prioritization Metrics
CTEM Validation and Prioritization Metrics are the core components of the Continuous Threat Exposure Management (CTEM) program, designed to answer the crucial question: "Which exposures are most likely to be exploited right now, and how severe would the impact be?"
This process transforms the raw, overwhelming data of discovered vulnerabilities and misconfigurations into a short, actionable list of risks, ensuring security efforts are aligned with actual threat intelligence.
Validation Metrics
Validation focuses on confirming the exploitability of a discovered exposure from an attacker's perspective. It moves the metric from potential risk to confirmed risk.
1. Exploitability Confirmation (The "Can an Attacker Get In?" Metric)
This is the most critical validation metric. It confirms if a control has failed and if the exposure provides a clear attack path.
Test Outcome: The result of a safe, simulated attack or security check (often using Breach and Attack Simulation or automated penetration testing).
Metric: A binary (Yes/No) or percentage score indicating whether a simulated attack chain, using the exposure, was successful. For example, a validation of "Public Access Confirmed" or "Leaked Credential Validated."
2. Security Control Efficacy
This metric validates the organization's defense mechanisms against a confirmed threat.
Metric: Measures how effectively existing security tools (e.g., SIEM, firewall, Endpoint Detection and Response) detected or blocked the validated attack simulation. A score of "0% Detection" for a critical attack chain indicates a massive validation failure that requires immediate attention.
3. MITRE ATT&CK Mapping
Validation should map the exploited exposure to standard adversary behavior, giving the exposure context.
Metric: The specific Tactic and Technique (T-ID) from the MITRE ATT&CK framework that the validated exposure enables. For example, a discovered exposed administrative portal maps to Initial Access (T1190 – External Remote Services).
Prioritization Metrics
Prioritization uses the validated findings and layers them with external and internal context to assign a risk score that dictates the remediation order. The goal is to maximize risk reduction with minimal effort.
1. Threat Intelligence Metrics (The Likelihood Metric)
These metrics measure the external probability that a validated exposure will be targeted.
Known Exploited Vulnerabilities (KEV) Status: A binary metric (Yes/No) indicating whether the vulnerability is currently known to be actively exploited in the wild (as tracked by agencies like CISA). Exposures with a "Yes" KEV status are always the highest priority.
Exploit Prediction Scoring System (EPSS) Score: A probabilistic metric (0 to 1) estimating the likelihood that a vulnerability will be exploited in the next 30 days. This metric moves prioritization beyond static severity.
Threat Actor Targeting: A metric based on specific intelligence showing that a tracked ransomware gang or APT group is actively targeting the particular vulnerability, industry, or region.
2. Business Context Metrics (The Impact Metric)
These metrics measure the potential damage if the validated exposure is exploited.
Asset Criticality Score: An internal metric (often High/Medium/Low) defining the importance of the asset (e.g., a customer-facing e-commerce server is critical; an internal testing server is lower).
Regulatory/Compliance Impact: A binary metric indicating whether the exploitation of the exposure would result in a direct violation of compliance frameworks (e.g., HIPAA, GDPR, PCI DSS), resulting in immediate financial or legal penalties.
3. Exposure Risk Score (The Final Output)
The final prioritization metric is a consolidated, risk-based score derived from the above inputs (Likelihood × Impact).
Metric: A simplified, qualitative rating (e.g., Critical, High, Medium) or a quantitative score (e.g., 0 to 100) that is used to drive ticketing and remediation workflows. An exposure validated as exploitable (Validation) with a high EPSS score (Likelihood) and running on a mission-critical server (Impact) will receive the highest score.
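The scoring logic described in this section, worked through as an added example (not ThreatNG's own code or scoring formula). It assumes a 0-100 scale, constructed criticality weights, a 25% demotion factor for unvalidated findings, and placeholder CVE ids; the KEV and threat-actor overrides and the Likelihood × Impact combination follow the text above.

```python
from dataclasses import dataclass

# Constructed weights: the page states Likelihood x Impact but gives no numeric
# scale, so these values are an assumption for illustration only.
CRITICALITY_WEIGHT = {"High": 1.0, "Medium": 0.6, "Low": 0.3}
UNVALIDATED_FACTOR = 0.25   # potential (unconfirmed) risk is demoted, not dropped


@dataclass
class Exposure:
    asset: str
    cve: str
    validated: bool            # Exploitability Confirmation: attack chain succeeded
    kev: bool                  # listed in CISA Known Exploited Vulnerabilities
    epss: float                # EPSS probability (0..1) of exploitation in 30 days
    criticality: str           # Asset Criticality Score: High / Medium / Low
    compliance_impact: bool    # exploitation would directly violate a framework
    actor_targeting: bool = False  # tracked ransomware gang / APT targets this CVE


def likelihood(e: Exposure) -> float:
    """KEV or active actor targeting is treated as certain; otherwise use EPSS."""
    return 1.0 if (e.kev or e.actor_targeting) else e.epss


def impact(e: Exposure) -> float:
    """Asset criticality, raised when a compliance violation would follow."""
    base = CRITICALITY_WEIGHT[e.criticality]
    return min(1.0, base + 0.3) if e.compliance_impact else base


def risk_score(e: Exposure) -> int:
    """Exposure Risk Score on a 0-100 scale (Likelihood x Impact)."""
    score = 100 * likelihood(e) * impact(e)
    return round(score * UNVALIDATED_FACTOR) if not e.validated else round(score)


def rating(e: Exposure) -> str:
    """Qualitative rating; validated KEV / actor-targeted exposures are always Critical."""
    if e.validated and (e.kev or e.actor_targeting):
        return "Critical"
    s = risk_score(e)
    return "Critical" if s >= 75 else "High" if s >= 50 else "Medium" if s >= 25 else "Low"


def prioritize(exposures):
    """Remediation order: actor-targeted first, then KEV, then by numeric score."""
    key = lambda e: (e.validated and e.actor_targeting, e.validated and e.kev, risk_score(e))
    return sorted(exposures, key=key, reverse=True)


# Constructed sample findings; CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Exposure("shop-web-01", "CVE-PLACEHOLDER-1", True, False, 0.82, "High", True),
    Exposure("test-srv-07", "CVE-PLACEHOLDER-2", True, True, 0.05, "Low", False),
    Exposure("intranet-02", "CVE-PLACEHOLDER-3", False, False, 0.40, "Medium", False),
    Exposure("erp-db-01", "CVE-PLACEHOLDER-4", True, False, 0.10, "High", True, True),
]
```

Note that test-srv-07 scores only 30 on the numeric scale yet ranks above the 82-point shop-web-01, because a validated KEV hit overrides base severity exactly as the KEV rule above requires.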
ThreatNG is highly effective in executing the CTEM Validation and Prioritization Metrics phases by providing the external, threat-centric data needed to quantify risk and confirm exploitability from an adversary's perspective. It validates exposure with concrete findings and then prioritizes them using advanced intelligence, ensuring remediation efforts are focused on the highest-impact threats.
ThreatNG's Role in Validation Metrics (Confirming Exploitability)
ThreatNG’s capabilities validate risk by proving that an attacker has a viable path to an asset, fulfilling the Exploitability Confirmation metric.
External Assessment (Exploitability Confirmation): This capability performs external checks that directly confirm the status of security controls.
Example of ThreatNG Helping: The assessment finds that the organization has high Subdomain Takeover Susceptibility. This finding validates the exploitability of the exposure by confirming the DNS record points to an unclaimed external resource, proving that a control failure has occurred and an attacker has a clear path to hijack the domain.
Example of ThreatNG Helping: It validates the risk of Cyber Risk Exposure by confirming that a Sensitive Port (such as an exposed private IP) is accessible from the internet, proving that network boundary controls have failed.
Investigation Modules (Evidence Gathering): The Reconnaissance Hub and its modules provide the definitive evidence required for validation metrics.
Example: An analyst uses the Sensitive Code Exposure module to confirm that a public repository contains a plaintext Database Credential (a Sensitive Code Exposure finding). This is the highest form of validation, as it provides the actual key an attacker would use, immediately confirming the exploitability metric.
ThreatNG's Role in Prioritization Metrics (Quantifying Risk)
ThreatNG uses its vast intelligence repositories to quantify the likelihood and impact of validated exposures, generating the final risk score.
Intelligence Repositories (Threat Intelligence Metrics): The DarCache Vulnerability repository is the core source for prioritization metrics, moving beyond simple CVSS.
Example of ThreatNG Helping: ThreatNG uses DarCache to overlay the KEV Status (Known Exploited Vulnerabilities) onto every discovered CVE. Any validated exposure with a "Yes" KEV status is automatically prioritized as "Critical," regardless of its base severity, so the most important threat intelligence metric is applied directly.
Example of ThreatNG Helping: ThreatNG uses DarCache Ransomware intelligence to confirm that a specific ransomware gang is actively exploiting the vulnerability found on the organization's network. This threat actor targeting metric overrides all other factors, ensuring that the exposure is instantly marked as the top priority.
External Assessment & Reporting (Business Context and Final Score): These features convert external findings into clear business metrics.
Example of ThreatNG Helping: If a validated exposure is found on an asset that is also flagged by Sentiment and Financials (e.g., an asset belonging to a subsidiary mentioned in an SEC Form 8-K regarding risk), ThreatNG can automatically elevate its Asset Criticality Score based on the external financial impact metric.
Example of ThreatNG Helping: The External GRC Assessment Mappings report uses the validated findings to determine if they constitute a violation of a specific framework (a Compliance Impact metric). This helps security leaders prioritize fixes that carry both technical and regulatory risk.
Cooperation with Complementary Solutions
ThreatNG's validated and prioritized output drives action in complementary solutions, ensuring resources are mobilized to address the validated, highest-priority exposures.
ThreatNG and a Security Information and Event Management (SIEM) Solution:
Cooperation: ThreatNG provides external validation and prioritization data (e.g., a list of high-risk IOCs) to the SIEM solution.
Example: When ThreatNG’s Dark Web Presence module validates a Compromised Credentials leak and assigns it a "Critical" prioritization score, the credential list is sent to the SIEM. The SIEM can then use these validated IOCs to immediately monitor internal logs for any login attempts using those specific credentials, validating the external threat against internal activity in real time.
ThreatNG and a Vulnerability and Patch Management (VPM) Tool:
Cooperation: ThreatNG provides a highly prioritized and validated list of exploitable vulnerabilities to the VPM tool.
Example: ThreatNG validates the exploitability of a vulnerability on a public-facing asset and prioritizes it using a high EPSS score from DarCache. The VPM tool uses this validated, risk-based prioritization to bypass the standard, time-consuming vulnerability management queue and immediately schedule the patch deployment for only that specific asset, ensuring that remediation resources are immediately deployed to close the most dangerous validated exposure.