Today's IT systems spread far and wide. They connect myriad devices and applications -- both in the cloud and on premises -- to serve users around the world.
Systems are complex and dynamic, with constantly changing resources and permissions, resulting in an ever-shifting environment that security teams scramble to keep secure. Traditional cybersecurity approaches -- identity and access management (IAM), vulnerability scanning and patching -- each address one aspect of security in isolation. Reviewed one at a time, they cannot show how individually minor weaknesses combine into a route an attacker could actually exploit.
Enter attack path analysis, a technique that maps and visually depicts the interrelated, dynamic steps an attacker could take to enter an organization's network and move through it toward its most valuable assets.
What is attack path analysis and why is it important?
Traditional security controls, including the aforementioned IAM, vulnerability scanning and patching, play an important role in cybersecurity. Tackling each of them individually and reviewing one risk point at a time, however, don't give an accurate view of attackers' potential trajectories through a network.
Other security processes also don't provide the necessary insight. Static and dynamic analysis, for example, look for vulnerabilities in software code and configurations, as well as in system behavior and interactions at runtime, but neither shows how a finding on one system chains with a misconfiguration or an excess privilege on another to give an attacker a route to a target.
Penetration testing and red team exercises, on the other hand, simulate real-world attacks, but each engagement exercises only a handful of routes at a single point in time. Given that network topologies, access controls, software configuration, cloud architectures and services, containerized apps, connections and user privileges are in constant flux, security teams need a more holistic approach to understanding how malicious actors could enter and navigate their organization's network and what they could do once they are inside.
Attack path analysis does just this. It systematically evaluates the components, configurations, connections and interactions within a given system that could open a route through which attackers could reach their goal. By reconstructing and visually representing the pathways that lead to key assets, attack path analysis lets security teams assess the potential risk and impact of, and the relationships between, multiple attack scenarios and prioritize their mitigation efforts accordingly.
Before further examining attack path analysis and attack path management, let's define four important terms:
- Attack vector. An attack vector is a method an attacker can use to enter and compromise a system, such as compromised credentials, phishing and system misconfigurations.
- Attack surface. An attack surface is the total collection of an entire network's attack vectors -- every possible point where an attacker can attempt to start a path to sensitive assets and data.
- Attack path. Attackers usually chain multiple attack vectors during a single intrusion. An attack path is the sequence of actions and events that leads an attacker from an entry point to the target. It encompasses all the relationships and vulnerabilities exploited to create the direct and indirect connections necessary to reach the attacker's goal, including lateral movement and privilege escalation.
- Choke point. A choke point is a node -- a host, account, group, credential or network segment -- that a large share of attack paths must pass through because it connects the rest of the environment to sensitive data and assets. Cutting a choke point breaks every path that runs through it.
What is attack path management?
Attack path management is the process of identifying, quantifying, eliminating and managing attack path risks. It involves the following:
- Asset inventory. An asset inventory is an inventory of all the components, including information assets, that reside in the systems in scope. This inventory should already exist in any mature cybersecurity asset management program and include classifications, business criticality and risk impact levels.
- Threat modeling. Threat modeling analyzes potential attack vectors, entry points, data flows and the most logical progression of an attacker into a given system. A variety of threat modeling frameworks and tools can reduce the complexity of this stage, making it structured and repeatable.
- Attack path validation. The attack path validation stage goes deeper than threat modeling by mapping out the specific system vulnerabilities and weaknesses attackers could exploit, as well as the actions and route they would need to take to infiltrate the system and reach a high-value target. This involves specifying all the relationships and connections between resources to establish the actual -- as opposed to intended -- access to any given object. This step lets security teams measure the risk and ramifications of a single connection, privilege, vulnerability or misconfiguration in the context of the paths it enables.
Tools for attack path analysis and management
Various methodologies and tools help identify, validate and visualize attack paths, but a network of any size requires an automated and scalable tool able to iterate over every facet of the IT environment.
Any tool used specifically for attack path analysis should produce easy-to-understand, graph-based representations of all paths through a system that lead to key assets. It also needs to output information and scores to highlight high-risk pathways, choke points, assets and vulnerabilities. This helps identify and prioritize the security controls required to block or dismantle each path.
Attack path management overlaps with risk assessment. A risk assessment matrix, which categorizes risks by likelihood, potential impact and characteristics such as financial and reputational harm to an organization, is another visual tool that can improve the results of attack path exercises. Many candidate paths turn out to be dead ends that cannot actually be exploited, but once paths have been validated, the high-risk choke points become apparent, and the vulnerabilities and attack vectors that lead to them can be prioritized for mitigation.
Based on the information gathered in the previous exercises, mitigations -- among them network segmentation and security and access control reconfiguration -- can be deployed at different points along an attack path. Deploying controls that detect and block anomalous activity as it enters a choke point is usually the most efficient option, because a single control there disrupts every path that passes through that point. Additional security awareness training for employees might also be necessary if improper user behavior is a step along a particular path.
Test and monitor any new mitigations to ensure they function as expected. Like any security methodology, attack path management is not a one-off exercise, but a continuous activity to discover, disrupt and monitor attack paths as they materialize and evolve.
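As an added example that is not part of the original article or of any vendor's tool, the Python sketch below applies the definitions given earlier (attack vector, attack path, choke point) and the choke-point-first mitigation described in this section to a small constructed environment. The hosts, accounts, relationships and entry points are made up for the illustration; the relationship semantics in the comments are assumptions, not facts about any real network. The code enumerates every simple path from each entry point to a crown-jewel asset, ranks intermediate nodes by how many paths run through them, and then simulates a mitigation by removing a node and re-counting paths, which is the "test the mitigation" step in miniature.

```python
"""Attack path analysis on a small, constructed environment.

Each edge is a relationship an attacker could abuse to move one step:
a session on a host yields the credentials cached there, a group grants
admin rights on a host, and so on. Everything below is invented for the
example; it is not data from a real network.
"""
from collections import Counter

# Constructed asset inventory: node -> nodes reachable in one abusable step.
ATTACK_GRAPH = {
    "phishing_user":  {"ws01"},              # phishing foothold on a user workstation
    "vpn_contractor": {"jump01"},            # third-party VPN account lands on a jump host
    "public_web":     {"web01"},             # internet-facing web server
    "ws01":           {"helpdesk_creds"},    # helpdesk credentials cached on the workstation
    "jump01":         {"helpdesk_creds"},    # same credentials cached on the jump host
    "web01":          {"svc_app"},           # app service account token readable on web01
    "helpdesk_creds": {"fs01", "mgmt01"},    # helpdesk group is local admin on both hosts
    "svc_app":        {"db01"},              # service account holds a database login
    "fs01":           {"backup_creds"},      # backup account cached on the file server
    "mgmt01":         {"domain_admin"},      # domain admin session on the management host
    "backup_creds":   {"db01"},              # backup account can read/restore the database
    "domain_admin":   {"db01", "fs01"},
    "db01":           set(),                 # crown-jewel asset (the target)
}

ENTRY_POINTS = ["phishing_user", "vpn_contractor", "public_web"]
TARGET = "db01"


def find_attack_paths(graph, entry, target):
    """Enumerate every simple path (no repeated node) from entry to target."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:          # avoid cycles
                walk(nxt, path + [nxt])

    walk(entry, [entry])
    return paths


def all_attack_paths(graph, entries, target):
    """All simple paths from any entry point to the target."""
    return [p for e in entries for p in find_attack_paths(graph, e, target)]


def choke_points(paths):
    """Rank intermediate nodes by the number of distinct paths through them."""
    counts = Counter()
    for p in paths:
        for node in set(p[1:-1]):        # exclude the entry point and the target
            counts[node] += 1
    return counts.most_common()


def remove_node(graph, node):
    """Simulate a mitigation that severs every relationship into and out of node."""
    return {n: {m for m in adj if m != node}
            for n, adj in graph.items() if n != node}


def mitigation_report(graph, entries, target, node):
    """Return (paths before, paths after) removing node, so a fix can be verified."""
    before = all_attack_paths(graph, entries, target)
    after = all_attack_paths(remove_node(graph, node), entries, target)
    return len(before), len(after)


if __name__ == "__main__":
    paths = all_attack_paths(ATTACK_GRAPH, ENTRY_POINTS, TARGET)
    print(f"{len(paths)} attack paths to {TARGET}:")
    for p in paths:
        print("  " + " -> ".join(p))
    print("\nChoke points (paths passing through):")
    for node, n in choke_points(paths):
        print(f"  {node:15s} {n}")
    top = choke_points(paths)[0][0]
    print(f"\nPaths before/after cutting {top}: "
          f"{mitigation_report(ATTACK_GRAPH, ENTRY_POINTS, TARGET, top)}")
```

In this constructed environment the helpdesk credential appears on six of the seven paths, so tiering that account (or removing it from cached logons on workstations and jump hosts) is the one change that closes the most routes, whereas fixing the domain-admin session on the management host, which looks more alarming in isolation, still leaves three paths open. Real tooling adds scores for exploitability and asset criticality on top of this raw path count, but the prioritization logic is the same.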
Benefits of attack path analysis and management
Illustrating potential attack paths offers security teams two key benefits:
- It lets them better understand how the network connects and interacts with different components.
- It helps teams identify the location of critical junctions.
Attack path analysis yields benefits that go beyond improving the overall security of the network, however. It provides easy-to-consume visualizations of the ways an important resource could be compromised. Nontechnical stakeholders can more easily grasp the potential risks and impacts of a cyberattack after seeing how pathways snake through an organization's cloud, hybrid and on-premises environments. More informed decision-making means security budgets that are more efficiently allocated and tailored to reduce the likelihood of expensive breaches.
Improved incident response and mitigation are other bonuses. If an attack occurs, previously planned and rehearsed remediation actions can quickly combat attacks moving along anticipated pathways known to lead to critical assets. This type of analysis can also be applied retrospectively to review paths and patterns that attackers have tried in the past.
Finally, attack path analysis can help organizations mitigate supply chain risks by highlighting pathways created by third-party interactions and connections. Knowing the attack paths that lead to customer and other sensitive data enables auditors to confirm that controls are in place to meet regulatory and standards requirements, and any gaps the analysis reveals can be recorded as compliance findings.
Nobody wants their network to be a victim of a cybercriminal. In modern IT environments, prevention has to focus on stopping an initial foothold from turning into a full-blown data breach. Once a criminal has established a presence within the network, detection is hard, and evasion is easy.
To that end, it helps to think like an attacker. Attack paths lay out the sequence of attack vectors and actions in the lifecycle of an attack. Adding attack path management to a cybersecurity program doesn't negate the value of standard security tasks, including IAM, vulnerability scanning and patching. They remain critical to overall security, but attack path management finds the exploitable gaps that remain, despite best efforts in other areas.
Even though every IT environment is different, attack path analysis ensures choke points where attackers are likely to strike are proactively monitored and protected. By taking this step, organizations can dramatically reduce their risk and improve the overall security of key assets.
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry.