Attack path analysis is an important tool in the fight to stay ahead of increasingly sophisticated attacker methodology.
Rapid7 Cloud Risk CompleteAttack path analysis is a simplified way of graphically visualizing the avenues bad actors can use to navigate your on-prem and cloud environments. Attackers can leverage these different “paths” to access sensitive information and, unsurprisingly, exploit a vulnerable configuration or resource. At the level of large enterprise business, it’s not difficult to imagine the sheer number of potential attack paths.
By studying this data in the form of an attack graph, it’s easier to get a real-time understanding of risk and identify relationships between compromised resources and how they could affect your larger network. To this end, the majority of security teams seem to be finding attack paths quickly and remediating them responsibly. An estimated 75% of exposures were found to be dead ends that could not be exploited by attackers.
Choke points refer to places where potential attack paths come together, and it’s a major gateway to sensitive data and assets. The critical nature of a choke point is also what makes it a great place to identify anomalous activity and simplify exactly what it is you need to investigate. It’s here where logs can be centralized and baseline behaviors set so that teams know what looks normal and what doesn’t as it comes through the choke point.
There are a number of terms that not only sound similiar to "attack path," but also overlap in terms of definition and function. Let's take a look at a few key differences between some of those terms.
An attack path is the visual representation of the specific journey an attacker could take to access sensitive data or leverage system access to exploit vulnerabilities. The attack path is typically represented by a graph and can be accessed via data that a cloud security solution already harvests and analyzes from accounts and associated services. From there, the solution should be able to communicate the source, target, and severity of each attack path.
An attack vector is essentially the break-in point where the attacker entered a system. From there, the attacker would take the attack path to the desired information or resource. Malware, for example, has three main vector types – trojan horse, virus, and worms – that leverage typical communications like email. Other typical vectors include system entry points like compromised credentials, ransomware, phishing schemes, and the exploitation of cloud misconfigurations.
An attack surface is a collection of vulnerable attack vectors along an entire network – on-prem and cloud – where attackers could gain entry. Individual attack vectors create small openings, but the combination of all of those entry points creates a larger vulnerability that can turn common networks into dynamic attack surfaces. The attack surface contains vectors through which an attacker can create a path to sensitive assets and data.
Attack path analysis works by helping security teams visualize real-time risk across cloud environments. In the quest to uncover potentially toxic combinations – originally purpose-built within the network to be useful – teams begin to understand the current overall health of their network. Does its current state leave the organization and business at higher risk or will they find out they’re actually in a relatively secure place?
As an example of how attack path management and analysis works, let’s consider the concept of identity and access management (IAM). Without prior knowledge of the security team, is the environment actually open to an account takeover where an attacker could strut around unchecked?
Login credentials could be taken and exploited to gain further access to customer information or intellectual property. If an IAM system is compromised and credentials stolen, an attacker could have access to, well, everything. Let’s take a look at some steps:
In order to detect these types of attacker movements faster – or to block them before they ever have a chance to begin – it’s critical to:
Attack path analysis is an important tool in the fight to stay ahead of increasingly sophisticated attacker methodology. It helps security organizations understand how, even though certain configurations and connections may be beneficial in one sense, they may also leave gaping vulnerabilities waiting to be exploited.
Attack path analysis should be part of a holistic cloud-security solution that places an emphasis on speed in attack path mapping and identification. It also grants greater visibility and understanding of how to best secure the network while simultaneously keeping business operations on track.
Risk prioritization is a product of the aspects above, which yields the benefits of knowing where to place analyst effort at any given time and proactively taking action against emerging threats.
The greatest benefit to a security team is that with the visibility, speed, and risk prioritization granted by attack path analysis, practitioners can think like attackers better than ever. Because a threat actor’s desire is to act with speed when they’re at high risk of discovery, they have to pre-determine a certain number of potential steps in an attack path before they even begin.
When a security organization begins identifying potential paths and thinking proactively about the lateral movements an attacker might make along the way to accessing sensitive information, they begin to truly understand the uniqueness of their network and how best to secure it against threats.
Security teams – especially the non-technical stakeholders that rely on those teams – would do well to be educated on the specific use cases of attack path analysis and how they can identify opportunities to leverage them.