Attack Path Management
Attackers use attack paths to access your valuable assets. Learn how Epiphany helps you manage your attack paths so you can keep your assets safe.
Last updated
Attackers use attack paths to access your valuable assets. Learn how Epiphany helps you manage your attack paths so you can keep your assets safe.
Last updated
Attack paths are the highways and paths attackers take to reach something of material value within your organization. Attackers do this using combinations of conditions ranging from exploitable vulnerabilities, to exposed identities, to misconfigured systems. To put it more plainly, it's the map to an impact that can occur if left exposed.
Attack path management is the science of reducing or eliminating the potential for material impact within your environment. By understanding how attackers can take advantage of your environment's exploitability, you can know where and how to take away their opportunities to cause harm. Attack path management is an important part of an overall exposure management approach.
An attack path can be represented by many different devices, users, and relationships. The most basic attack paths include devices and users. This is what we think of when a device on the internet is exploited and an attacker gains access to a valuable user such as one with an administrator account. Epiphany is constantly evaluating, much like a very evil Google Maps, the best route an adversary could take to get to a destination (a "prize") at any time. When you break down these attack paths though, the pieces are fairly straight forward and are comprised of:
Devices. Any computer system capable of supporting an operating system.
User identities. A representation of a person or system that interacts with the authorization and authentication system.
Objectives. The reason an attacker would want to use a path (to reach a prize). You can think of this as something that would cause a material impact to your organization. In the basic attack path, the objective is an admin user.
Relationships. How the devices, identities, and objectives matter to each other. Example relationships are "what is installed on what" or "who is using what device."
Epiphany keeps track of many more types of objectives and relationships from your on-premises network equipment to your cloud assets. But the key is to understand these basics first.
Attacks don't just suddenly appear in the environment and go from there. They take advantage of an exploitable condition to gain their foothold into the environment. To better illustrate this, it can be broken down into a few different representations: a direct exploitation attempt, a user exploitation attempt, and stolen credentials. They are described next.
These types of attacks are easier to execute with devices on public Wi-Fi, shared office spaces, and homes of remote employees because these networks usually lack the protections provided within the corporate network. Consider how your users access your data and systems and how their devices are exposed.
User exploitation attempts, called social engineering or in some cases arbitrary code execution, are centered around being able to convince a user to execute some dangerous code that is meant to exploit the operating system or application on the user's device. The first stage of a lot of ransomware, called the dropper, is usually benign but is used to download malicious code that will take advantage of known vulnerabilities.
The most common attack vectors for these types of attacks are phishing attacks through email that result in the user executing a trojan document such as a PDF, redirecting the user to a malicious site, or redirecting the user to a site to steal their credentials.
Using stolen credentials is the exploitation equivalent of using the front door. Often ransomware groups and advanced persist threats (APT) will use credentials stolen through other breaches or social engineering attempts to log directly in your corporate VPN and work from there. The only meaningful way to protect against that is by using multi-factor authentication (MFA) to validate against a remote access system.
The relationship between the nodes within an environment is one of the most important parts of understanding the attack path. Epiphany uses these relationships to give you the ability to see why an attacker might want to use a relationship to carry out its attack. The implications of each relationship and the impact to the business is what Epiphany constantly thinks about. As you become familiar with the platform you will see the steps Epiphany takes to simplify this.
The illustration above shows some of the types of relationships Epiphany takes into account when building the attack paths you see within the platform. In this very basic example, there are multiple mechanisms for exploitation that Epiphany considers. The normal relationship in Epiphany is between a device and a user. Inside Epiphany, it is labeled with "Used By." This is to simplify the ability to read the path from left to right, but can actually be technically represented by the presence of a token, an active session, or a credential that could be used. Each of these mean different things to the attacker, its tools, and its objectives.
Epiphany also illustrates the relationship a group could have to the "Admin to" relationship of a device. In this case Epiphany uses the administrator and backup operator group from Windows Active Directory to show that an attacker may have different ways to access the objective device by using the user credential stolen earlier in the path.
Epiphany keeps track of many different relationships among multiple systems within a platform, including network management, identity management, vulnerability scanners, application inventories, patch managers, endpoint protection, and many more.
The objective is the whole reason the attacker is going after your organization to begin with. Each group or automated malicious application has an objective. The key to defending your organization is to understand the material impact caused by an attack path. To think of it another way, what in your organization causes a five-alarm fire if it goes down? What applications, users, and devices support that?
Managing attack paths is all about understanding your potential exposure, which is a function of a threat's ability to take advantage of your organization's weaknesses to create a material impact. You could think of it like this:
This can be described simplistically as follows: for every exploitable condition present that the adversary can use, multiply them and then multiple that by the number of critical applications, users, and systems those conditions can impact. This index, an exploitability index, can turn out to be quite a large number and seem somewhat overwhelming. This is where Epiphany simplifies the problem. Its engine spends all of its time understanding all the components that contribute to your organization's potential exposure and then ranks the most exploitable paths, from the adversary's perspective, first. This allows you to focus on the outcome you want to achieve, instead of analyzing the problem.
Using the skills described above, it is possible to understand the attack path and pick the most meaningful relationship to focus on. Managing the attack path is all about working backward from the problem.
While the attack path in the next image looks intimidating, you can understand it if you apply the skills described above and understand that Epiphany is doing a lot of the heavy lifting for you.
By going to the end of the attack path, you can see what Epiphany has automatically found as exposed and understand why it's important to the business. This is what Epiphany wants to stop the attacker from being able to reach. Notice the jewel icon in the upper right of the device icon. Epiphany uses the jewel to indicate that a device includes a "prize."
Pivot points are quite common in attack paths and usually occur because the attacker's objective is on the other side of the device or firewall. This could be access to a high-value account or a restricted network that gets the attacker to its objective.
Once you've analyzed the path, pick the remediation strategy you think is best for your organization. Epiphany allows you to do multiple things with a remediation including creating tickets, assigning it for review, notifying on reoccurrence, or accepting the risk.
The process for managing attack paths built by Epiphany is very straight forward and can be repeated for different paths and variations in the same way.
Finally, determine what fix you'd like to apply to the path to remediate it. Epiphany thinks the best course, by default, is to break the path. But this is not always practical for business operations. Sometimes you should also consider strategies for increasing your ability to monitor a high-risk situation or increase resistance to an attacker by changing defensive control settings.
In direct exploitation attempts, the attacker is trying to use a known vulnerability in an application or operating system to gain access (a "presence") to a device. This is the classic example that the basic attack path illustrated (above) and is what we most think of when we hear about something being exploited. These types of attacks are commonly used against firmware of internet-facing devices, such as the exploitation from 2021. This type of exploitation can also be used by ransomware to spread within a network using weaknesses in operating systems to exploit and install its malicious payload.
All attack paths can trace their access back to some point on the attack surface. This could be caused by a vulnerability, misconfiguration, or direct access such as with a stolen credential.
Epiphany has a built in "easy button" to take you to the relationship you should focus on first. Just click the anywhere you see it and it will display Epiphany's top recommendation list.
Find and understand how, if it were compromised, it might impact your business. Applications, devices, and users all have different values to a business. Keep this in mind as you proceed.
Look for a or other direct relationship to . This, for example, could be a misconfigured firewall or a user with special permissions. In the example path above, it is RICHARD.KLEINSCHMIDT@DEMO.EIP.IO that gives this access and the attacker gets it by using the HELPDESK_ADMINS@DEMO.EIP.IO account to access Richard's device.
Next, trace back to the beginning of the path. This is where the attack initially gains a foothold. If this is caused by a vulnerability, Epiphany will prioritize the vulnerabilities you should remediate using Epiphany's engine.
