The cybersecurity industry is littered with acronyms. SIEM. EDR. APT. CISO. CISA. The list goes on and on.

So it wasn’t surprising that there were a lot of acronyms in RSAC 2023’s sessions and keynotes, as well as in the dozens of news items and studies released during the conference. The hottest acronym, by far, was AI, as everyone (literally everyone, including keynote speaker Eric Idle) had something to say about ChatGPT and the skyrocketing popularity of generative AI.

But there were a few other, less familiar, acronyms discussed at RSAC this year: HEAT and EASM. Neither is a new term, Andrew Barratt, vice president at Coalfire, pointed out in an interview.

“External attack surface management and detection, or previously just attack surface management (ASM), is a concept that has been around for a while. The aim is really to gain a better understanding of those initial points of attack that lead to the ‘initial access,’” Barratt said. “The HEAT definition is essentially a repackaging of our old friend, the Advanced Persistent Threat or APT.”

As web browsers become one of the most-used enterprise applications, they’ve become one of the most popular attack vectors for threat actors. It’s not surprising, then, that browser-based HEAT attacks have become a launching point for ransomware, advanced phishing and zero-day malware.

What is HEAT?

HEAT stands for Highly Evasive Adaptive Threats, which attack through web browsers and use a variety of techniques to avoid detection by the layers of technology in current security stacks.

“HEAT attacks work by understanding how organizations are likely to detect threats entering (technology such as URL reputation, sandboxing and HTTP analysis) and adapting the approach to evade detection,” said Mark Gunrip, senior director, cybersecurity strategy at Menlo Security, in an interview.

HEAT is one more step in the evolution of attacks, and it shows that evolving threats remain a step ahead of security defenses. Because these attacks are not linear, a point-in-time penetration test does not give a clear view of what the attacker can see or how they can operate inside your systems.

HEAT is a Stealth Attack

“HEAT attacks are designed to be invisible to traditional security technologies, therefore, it’s important for an organization to try and understand their potential exposure to these techniques that can be used to introduce ransomware, keyloggers or other malware to the local browser,” said Gunrip. “It’s critical that the browser is treated as a separate entity as it relates to security controls and policy in order to have any insight into HEAT attacks that might be targeting the organization.”

This particular type of attack can move outside of the expected channels in order to evade detection. For instance, threat actors have shifted from email to collaboration tools like Slack or Teams to target victims. Even personal SMS messages can be compromised. This has expanded the attack landscape for threat actors to reach their victims. IT and security teams need to broaden the scope of their visibility to be able to detect a HEAT attack.

Defending Against HEAT

HEAT attacks only give a glimpse of a point in time at a single pivot or turn in an attacker’s path, according to Timothy Morris, chief security advisor for the Americas at Tanium. In most cases, successful attacks are elusive and multi-threaded.

The best approach to HEAT attacks is cloud-based browser security. This offers the necessary visibility inside the browser to identify HEAT characteristics and to do so in the cloud — and away from the endpoint — while displaying “clean” content to the end user. With this approach, a preventative stance can be taken against threats rather than relying on detection technology as the first layer of defense.

“A key element in implementing effective browser security is browser isolation which is extremely effective for preventing HEAT attacks,” said Gunrip. “If the threat is unable to reach corporate networks, there is no concern. The most important factor is that everything must operate as expected for the end user in terms of website or application functionality and performance so there is no impact to the digital experience of the end user.”

What is EASM?

EASM stands for External Attack Surface Management; it is essentially perimeter security renamed for modern tooling and acronyms. Expect to see this term more often as exposure management plays a more prominent role in end-to-end security programs.

“Defining attack surface has always been important. The external attack surface is meant to simply define the perimeter, but the perimeter has dissolved,” said Morris. “The endpoint, or more specifically the browser or the user, is now the perimeter.”

EASM is a way to define exactly that, allowing security and risk teams to speak a common language. With the advent of the cloud, asset management has changed dramatically, so more robust tooling and processes became necessary.

Benefits of EASM

As we consider the fluid nature of the perimeter and cloud, EASM provides an approach for identification, tracking and remediation of vulnerabilities as they reside on the organizational perimeter in a way that is focused and concise, according to Matt Mullins, senior security researcher at Cybrary.

“The largest problem I personally ran into with cloud perimeter and asset perimeter security was the constantly changing nature of it. By the time we completed an enterprise-wide scan for initial optics, the perimeter had changed,” Mullins said in an interview. “By having efforts specifically around tracking these aspects, with engineering focused first and foremost on the more contemporary enterprises’ needs, we no longer have hacky fixes to a serious enterprise issue.”

A strong EASM program gives you better asset tracking and visibility. The organization’s security posture improves because it can sort its assets into known-knowns, known-unknowns and unknown-unknowns.

“What that means is you have your assets that are tracked, you have assets you have a general idea of but aren’t tracked and then you have assets that you aren’t aware of,” said Mullins. “The punch you don’t see coming is the one that puts you down on the canvas, so having a way to track all assets and their vulnerabilities is paramount to security.”
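As an added illustration (not code from the article or from any vendor named in it), the following Python reconciliation sorts externally discovered hosts into Mullins’ three buckets and also reports perimeter drift between two scans, the moving-target problem he describes. The inventory and the two scan snapshots are constructed sample data, and the hostnames are placeholders.

```python
# Constructed sample inventory: what the organisation believes it owns.
# An asset is "tracked" when it has an owner and is actively maintained.
INVENTORY = {
    "www.example.com":      {"owner": "web-team", "tracked": True},
    "vpn.example.com":      {"owner": "netops",   "tracked": True},
    "old-demo.example.com": {"owner": None,       "tracked": False},  # known, not tracked
}

# Constructed external discovery snapshots: host -> set of exposed ports
# as an outside scanner would see them on two different days.
SCAN_DAY1 = {
    "www.example.com":         {443},
    "vpn.example.com":         {443, 1194},
    "old-demo.example.com":    {80},
    "staging-api.example.com": {8443},        # absent from the inventory
}
SCAN_DAY2 = {
    "www.example.com":         {443},
    "vpn.example.com":         {443},         # 1194 no longer exposed
    "staging-api.example.com": {8443, 22},    # new service appeared
    "temp-upload.example.com": {80},          # appeared since day 1
}

def classify(scan, inventory=INVENTORY):
    """Bucket each externally visible host: tracked asset (known-known),
    inventoried but untracked (known-unknown), or not inventoried at all
    (unknown-unknown). Returns sorted host lists per bucket."""
    buckets = {"known-known": [], "known-unknown": [], "unknown-unknown": []}
    for host in sorted(scan):
        entry = inventory.get(host)
        if entry is None:
            buckets["unknown-unknown"].append(host)
        elif entry["tracked"] and entry["owner"]:
            buckets["known-known"].append(host)
        else:
            buckets["known-unknown"].append(host)
    return buckets

def drift(before, after):
    """Perimeter change between two snapshots: hosts and ports gained or lost."""
    changes = {"new_hosts": sorted(set(after) - set(before)),
               "gone_hosts": sorted(set(before) - set(after)),
               "new_ports": {}, "closed_ports": {}}
    for host in set(before) & set(after):
        opened, closed = after[host] - before[host], before[host] - after[host]
        if opened:
            changes["new_ports"][host] = sorted(opened)
        if closed:
            changes["closed_ports"][host] = sorted(closed)
    return changes

if __name__ == "__main__":
    print(classify(SCAN_DAY2))
    print(drift(SCAN_DAY1, SCAN_DAY2))
```

Feeding each new scan through `drift` against the previous one is what turns a one-off enterprise-wide scan into continuous tracking; the unknown-unknown bucket is the list to triage first.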

Cloud and the shifting perimeter are the buzz terms behind both HEAT and EASM. As the threat landscape continues to expand, expect to be hearing these terms a lot more.
