Risk Management May 18, 2023
By Sue Poremba 4 min read

The cybersecurity industry is littered with acronyms. SIEM. EDR. APT. CISO. CISA. The list goes on and on.

So it wasn’t surprising that there were a lot of acronyms in RSAC 2023’s sessions and keynotes, as well as in the dozens of news items and studies released during the conference. The hottest acronym, by far, was AI, as everyone (literally everyone, including keynote speaker Eric Idle) had something to say about ChatGPT and the skyrocketing popularity of generative AI.

But there were a few other, less familiar, acronyms discussed at RSAC this year: HEAT and EASM. Neither are new terms, Andrew Barratt, vice president at Coalfire, pointed out in an interview.

“External attack surface management and detection, or previously just attack surface management (ASM), is a concept that has been around for a while. The aim is really to gain a better understanding of those initial points of attack that lead to the ‘initial access,’” Barratt said. “The HEAT definition is essentially a repackaging of our old friend, the Advanced Persistent Threat or APT.”

As web browsers become one of the most-used enterprise applications, they’ve become one of the most popular attack vectors for threat actors. It’s not surprising, then, that browser-based HEAT attacks have become a launching point for ransomware, advanced phishing and zero-day malware.

What is HEAT?

HEAT stands for Highly Evasive Adaptive Threats, which attack through web browsers and use a variety of techniques to avoid detection by the layers of technology in current security stacks.

“HEAT attacks work by understanding how organizations are likely to detect threats entering (technology such as URL reputation, sandboxing and HTTP analysis) and adapting the approach to evade detection,” said Mark Gunrip, senior director, cybersecurity strategy at Menlo Security, in an interview.

This type of attack is just one more step in attack evolution, and HEAT proves that evolving threats are a step ahead of security defenses. In this case, the attacks aren’t linear, and penetration tests don’t offer a clear view into what the attacker can see and how they can operate in your system.

HEAT is a stealth attack

“HEAT attacks are designed to be invisible to traditional security technologies, therefore, it’s important for an organization to try and understand their potential exposure to these techniques that can be used to introduce ransomware, keyloggers or other malware to the local browser,” said Gunrip. “It’s critical that the browser is treated as a separate entity as it relates to security controls and policy in order to have any insight into HEAT attacks that might be targeting the organization.”

This particular type of attack can move outside of the expected channels in order to evade detection. For instance, threat actors have shifted from email to collaboration tools like Slack or Teams to target victims. Even personal SMS messages can be compromised. This has expanded the attack landscape for threat actors to reach their victims. IT and security teams need to broaden the scope of their visibility to be able to detect a HEAT attack.

Defending against HEAT

HEAT attacks only give a glimpse of a point in time at a single pivot or turn in an attacker’s path, according to Timothy Morris, chief security advisor for the Americas at Tanium. In most cases, successful attacks are elusive and multi-threaded.

The best approach to HEAT attacks is cloud-based browser security. This offers the necessary visibility inside the browser to identify HEAT characteristics and to do so in the cloud — and away from the endpoint — while displaying “clean” content to the end user. With this approach, a preventative stance can be taken against threats rather than relying on detection technology as the first layer of defense.

“A key element in implementing effective browser security is browser isolation which is extremely effective for preventing HEAT attacks,” said Gunrip. “If the threat is unable to reach corporate networks, there is no concern. The most important factor is that everything must operate as expected for the end user in terms of website or application functionality and performance so there is no impact to the digital experience of the end user.”

What is EASM?

EASM stands for External Attack Surface Management and is essentially perimeter security re-named for modern tooling and acronyms. Expect to start seeing this term more as exposure management strategy plays a more prominent role in end-to-end security systems.

“Defining attack surface has always been important. The external attack surface is meant to simply define the perimeter, but the perimeter has dissolved,” said Morris. “The endpoint, or more specifically the browser or the user, is now the perimeter.”

EASM is a way to define exactly that, allowing security and risk teams to speak a common language. With the advent of the Cloud, things have changed dramatically around asset management, so the need for more robust tooling and processes was necessary.

Benefits of EASM

As we consider the fluid nature of the perimeter and cloud, EASM provides an approach for identification, tracking and remediation of vulnerabilities as they reside on the organizational perimeter in a way that is focused and concise, according to Matt Mullins, senior security researcher at Cybrary.

“The largest problem I personally ran into with cloud perimeter and asset perimeter security was the constantly changing nature of it. By the time we completed an enterprise-wide scan for initial optics, the perimeter had changed,” Mullins said in an interview. “By having efforts specifically around tracking these aspects, with engineering focused first and foremost on the more contemporary enterprises’ needs, we no longer have hacky fixes to a serious enterprise issue.”

A strong EASM program will give you better asset tracking and optics. The organization’s security posture improves because it will have known-knowns, known-unknowns and unknown-unknowns.

“What that means is you have your assets that are tracked, you have assets you have a general idea of but aren’t tracked and then you have assets that you aren’t aware of,” said Mullins. “The punch you don’t see coming is the one that puts you down on the canvas, so having a way to track all assets and their vulnerabilities is paramount to security.”

Cloud and the shifting perimeter are the buzz terms behind both HEAT and EASM. As the threat landscape continues to expand, expect to be hearing these terms a lot more.

 |  |  |  |  | 
Sue Poremba

More from Risk Management
September 26, 2023

The Growing Risks of Shadow IT and SaaS Sprawl

4 min read - In today's fast-paced digital landscape, there is no shortage of apps and Software-as-a-Service (SaaS) solutions tailored to meet the diverse needs of businesses across different industries. This incredible array of options has revolutionized how we work, providing cost-effective and user-friendly tools that streamline tasks and boost productivity. However, this ever-expanding application ecosystem comes with its challenges: namely, shadow IT and SaaS sprawl. According to a recent study by Entrust, 77% of IT professionals are concerned about shadow IT becoming a…

September 25, 2023

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

September 21, 2023

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…

September 20, 2023

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature