Understanding Attack Path Management: The Fundamentals

A cyber-attack is a malicious attempt by an unauthorized user to access your systems, network or data. The threat actor may try to exfiltrate, destroy, or alter your data, including the potential to disrupt your systems and related assets.

An attack path is a path a malicious actor may take after exploiting a vulnerability or weakness within your attack surface. The attack path is a visual representation of possible paths an attacker could take to compromise an asset from any entry point. For example, once an attacker gains entry into your network, the attack path enables movement between assets. It’s important for your security teams to understand all of the potential attack paths within your organization so they’re better prepared to stop an attack should a breach occur and prevent further movement throughout your network.

As part of an attack, a threat actor leverages different tools and techniques to accomplish objectives. For example, an exploit allows an attacker to gain an initial foothold over your network and then maintains access over an asset (persistence), elevates privileges and laterally moves between network devices (lateral movement). Finally, the attacker attempts to complete an objective, for example, a denial of service (DoS) of critical infrastructure, exfiltration of sensitive information or distraction of existing services. This is known as an attack path. An attack path contains one or more attack techniques and allows an attacker to accomplish his objective.

An attack path blast radius illustrates the potential lateral movements an attacker could make once gaining entry from an asset.

Attack path management (APM) provides insight into security weaknesses as seen through the eyes of an attacker. By understanding potential attack paths, you can build stronger security defenses that enable your teams to quickly cut off these attack pathways and shut down attacks before threat actors move deeper into your systems and network.

Attack path management is a process security teams can employ to continuously identify vulnerabilities, misconfigurations, and other security issues an attacker may exploit to gain access into your network and systems. By employing attack path management, also called APM, your organization will be better prepared to proactively identify all of your cyber exposures, both on-prem and in the cloud, so teams can prioritize effective remediation. Attack path management also helps your team understand if your security controls work as designed and where you have weaknesses so you can make better business decisions based on your current risks and what you need to do to remediate them.

Attack path mapping creates a visual roadmap of known and hidden attack paths related to all of your assets. By creating an attack path map, your security teams can gain a better understanding of all of the possible scenarios (or paths) an attacker may take after successfully breaching an asset. In simple terms, it’s looking at the bigger picture and asking, if the attacker does X, what could happen and where could the attacker move next?

Attack paths for each organization are unique, however, there are some common attack paths. For example, a misconfiguration in Active Directory (AD) may enable an attacker to take advantage of a security weakness and then after gaining access to your AD, can make lateral movements to other systems and assets connected to your AD.

There are a number of benefits of attack path management, but one of the most important is that attack path management helps your organization identify your cyber exposure, understand how and where attackers might move through your network, and provides context so your teams are prepared to take proactive measures to shore up your security controls and be able to effectively respond to an attack. Attack path management plays an important role in mature cybersecurity programs and helps reduce your risks.

Active Directory is a directory service from Microsoft Windows that enables your organization to effectively manage all of your users, credentials, systems, application, and data across your network. It's often used for identity and access management to control who has access to what within your network.

Active Directory security identifies, prioritizes and remediates security weaknesses within your Active Directory. Unfortunately, AD security is often overlooked by many organizations. Attackers know this and that’s why they keep Active Directory attacks in their toolbox of tricks. If an attacker can successfully access your AD, they can move laterally throughout your network, escalate privileges and take control of your domain. The average attacker can dominate total domain control in less than 20 minutes. Active Directory security gives you insight into areas attackers may exploit so you can proactively disrupt attack paths and respond to events in real time.

Although the terms are often used interchangeably, attack paths and attack vectors are not the same. An attack vector is what an attacker may use to exploit a security weakness, whereas an attack path is the path or map the attacker may use once that exploitation is successful.

With Tenable, Attack Path analysis takes your data and pairs it with advanced graph analytics and the MITRE ATT&CK™ Framework to create Findings. These Findings allow you to understand and take action on unknowns that enable and amplify threat impact on your assets and information.

Attack surface management enables comprehensive visibility automatically and continuously into your assets so you're always aware of what you have, how assets are used and where they may have any vulnerabilities or security issues—from a user and attacker's point of view. Attack surface management enables your security teams to seek out security issues, prioritize remediation, and stay one step ahead of attackers.