The cybersecurity industry is littered with acronyms. SIEM. EDR. APT. CISO. CISA. The list goes on and on.
So it wasn’t surprising that there were a lot of acronyms in RSAC 2023’s sessions and keynotes, as well as in the dozens of news items and studies released during the conference. The hottest acronym, by far, was AI, as everyone (literally everyone, including keynote speaker Eric Idle) had something to say about ChatGPT and the skyrocketing popularity of generative AI.
But there were a few other, less familiar, acronyms discussed at RSAC this year: HEAT and EASM. Neither is a new term, Andrew Barratt, vice president at Coalfire, pointed out in an interview.
“External attack surface management and detection, or previously just attack surface management (ASM), is a concept that has been around for a while. The aim is really to gain a better understanding of those initial points of attack that lead to the ‘initial access,’” Barratt said. “The HEAT definition is essentially a repackaging of our old friend, the Advanced Persistent Threat or APT.”
As web browsers become one of the most-used enterprise applications, they’ve become one of the most popular attack vectors for threat actors. It’s not surprising, then, that browser-based HEAT attacks have become a launching point for ransomware, advanced phishing and zero-day malware.
What is HEAT?
HEAT stands for Highly Evasive Adaptive Threats, which attack through web browsers and use a variety of techniques to avoid detection by the layers of technology in current security stacks.
“HEAT attacks work by understanding how organizations are likely to detect threats entering (technology such as URL reputation, sandboxing and HTTP analysis) and adapting the approach to evade detection,” said Mark Gunrip, senior director, cybersecurity strategy at Menlo Security, in an interview.
This type of attack is just one more step in attack evolution, and HEAT proves that evolving threats are a step ahead of security defenses. In this case, the attacks aren’t linear, and penetration tests don’t offer a clear view into what the attacker can see and how they can operate in your system.
HEAT is a stealth attack
“HEAT attacks are designed to be invisible to traditional security technologies, therefore, it’s important for an organization to try and understand their potential exposure to these techniques that can be used to introduce ransomware, keyloggers or other malware to the local browser,” said Gunrip. “It’s critical that the browser is treated as a separate entity as it relates to security controls and policy in order to have any insight into HEAT attacks that might be targeting the organization.”
This particular type of attack can move outside of the expected channels in order to evade detection. For instance, threat actors have shifted from email to collaboration tools like Slack or Teams to target victims. Even personal SMS messages can be compromised. This has expanded the attack landscape for threat actors to reach their victims. IT and security teams need to broaden the scope of their visibility to be able to detect a HEAT attack.
Defending against HEAT
HEAT attacks only give a glimpse of a point in time at a single pivot or turn in an attacker’s path, according to Timothy Morris, chief security advisor for the Americas at Tanium. In most cases, successful attacks are elusive and multi-threaded.
The best approach to HEAT attacks is cloud-based browser security. This offers the necessary visibility inside the browser to identify HEAT characteristics and to do so in the cloud — and away from the endpoint — while displaying “clean” content to the end user. With this approach, a preventative stance can be taken against threats rather than relying on detection technology as the first layer of defense.
“A key element in implementing effective browser security is browser isolation which is extremely effective for preventing HEAT attacks,” said Gunrip. “If the threat is unable to reach corporate networks, there is no concern. The most important factor is that everything must operate as expected for the end user in terms of website or application functionality and performance so there is no impact to the digital experience of the end user.”
What is EASM?
EASM stands for External Attack Surface Management and is essentially perimeter security re-named for modern tooling and acronyms. Expect to start seeing this term more as exposure management strategy plays a more prominent role in end-to-end security systems.
“Defining attack surface has always been important. The external attack surface is meant to simply define the perimeter, but the perimeter has dissolved,” said Morris. “The endpoint, or more specifically the browser or the user, is now the perimeter.”
EASM is a way to define exactly that, allowing security and risk teams to speak a common language. With the advent of the cloud, asset management has changed dramatically, so more robust tooling and processes became necessary.
Benefits of EASM
As we consider the fluid nature of the perimeter and cloud, EASM provides an approach for identification, tracking and remediation of vulnerabilities as they reside on the organizational perimeter in a way that is focused and concise, according to Matt Mullins, senior security researcher at Cybrary.
“The largest problem I personally ran into with cloud perimeter and asset perimeter security was the constantly changing nature of it. By the time we completed an enterprise-wide scan for initial optics, the perimeter had changed,” Mullins said in an interview. “By having efforts specifically around tracking these aspects, with engineering focused first and foremost on the more contemporary enterprises’ needs, we no longer have hacky fixes to a serious enterprise issue.”
A strong EASM program will give you better asset tracking and optics. The organization’s security posture improves because it will have known-knowns, known-unknowns and unknown-unknowns.
“What that means is you have your assets that are tracked, you have assets you have a general idea of but aren’t tracked and then you have assets that you aren’t aware of,” said Mullins. “The punch you don’t see coming is the one that puts you down on the canvas, so having a way to track all assets and their vulnerabilities is paramount to security.”
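The known-knowns, known-unknowns and unknown-unknowns distinction above is easy to state and surprisingly easy to lose in practice. The following is an added illustration, not code from the article or from any EASM vendor: it reconciles two constructed external discovery snapshots against a hypothetical asset inventory, buckets each discovered host into the three categories, reports which hosts appeared or disappeared between scans (the "perimeter had changed" problem Mullins describes), and orders review work so untracked hosts exposing sensitive services come first. All hostnames, owners and the list of sensitive services are invented for the example.

```python
"""
Reconcile external discovery snapshots against an asset inventory.

Added example with constructed data; it is not the article's or any
product's code. Inventory and scan results are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One externally reachable service as a discovery run would report it."""
    host: str
    port: int
    service: str


# Constructed inventory: what the organisation believes it owns.
# "tracked" means the host has an owner and is under vulnerability management.
INVENTORY = {
    "www.example.test": {"owner": "web-team", "tracked": True},
    "vpn.example.test": {"owner": "netops", "tracked": True},
    "legacy-crm.example.test": {"owner": None, "tracked": False},  # known-unknown
}

# Constructed discovery snapshots, e.g. two external scans a week apart.
SCAN_T0 = {
    Asset("www.example.test", 443, "https"),
    Asset("vpn.example.test", 443, "https"),
    Asset("legacy-crm.example.test", 8080, "http"),
}
SCAN_T1 = {
    Asset("www.example.test", 443, "https"),
    Asset("vpn.example.test", 443, "https"),
    Asset("legacy-crm.example.test", 8080, "http"),
    Asset("staging-db.example.test", 5432, "postgresql"),  # appeared since T0
}

# Constructed list of services whose external exposure warrants fast review.
SENSITIVE_SERVICES = {"postgresql", "mysql", "rdp", "ssh", "smb"}


def classify(scan):
    """Bucket each discovered host into the three categories from the text.

    known_known:     in inventory and tracked
    known_unknown:   in inventory but untracked (no owner / no vuln management)
    unknown_unknown: not in inventory at all
    """
    buckets = {"known_known": set(), "known_unknown": set(), "unknown_unknown": set()}
    for asset in scan:
        record = INVENTORY.get(asset.host)
        if record is None:
            buckets["unknown_unknown"].add(asset.host)
        elif record["tracked"]:
            buckets["known_known"].add(asset.host)
        else:
            buckets["known_unknown"].add(asset.host)
    return buckets


def drift(before, after):
    """Perimeter change between two snapshots: services that came or went."""
    return {"appeared": after - before, "disappeared": before - after}


def prioritise(scan):
    """Order review work: untracked hosts first, sensitive services first within."""
    buckets = classify(scan)
    rank = {"unknown_unknown": 0, "known_unknown": 1, "known_known": 2}

    def bucket_of(host):
        return next(name for name, hosts in buckets.items() if host in hosts)

    return sorted(
        scan,
        key=lambda a: (rank[bucket_of(a.host)], a.service not in SENSITIVE_SERVICES, a.host, a.port),
    )


if __name__ == "__main__":
    for name, hosts in classify(SCAN_T1).items():
        print(f"{name}: {sorted(hosts)}")
    change = drift(SCAN_T0, SCAN_T1)
    print("appeared since last scan:", sorted(a.host for a in change["appeared"]))
    print("disappeared since last scan:", sorted(a.host for a in change["disappeared"]))
    print("review order:", [f"{a.host}:{a.port}/{a.service}" for a in prioritise(SCAN_T1)])
```

In a real programme the two snapshots would come from scheduled external discovery and the inventory from the CMDB or cloud provider APIs; the useful output is the drift between runs, since a one-off scan is already stale by the time it is read.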
Cloud and the shifting perimeter are the buzz terms behind both HEAT and EASM. As the threat landscape continues to expand, expect to be hearing these terms a lot more.