Analyze the Attack Path
Last updated
Last updated
To analyze attack paths generically, we provide a quick you can follow in the section . But for the Epiphany-specific process, we'll use the following workflow:
Access Epiphany's Path Finder and view the prioritized attack paths located within Epiphany.
Go to the Detailed Path within a card to analyze the full attack path.
Manually review the attack path or use the Top Recommendation engine to guide you to a recommended point of remediation.
Select a Remediation.
The Path Finder in Epiphany is one of the most useful tools for understanding your exposure. When Epiphany builds an attack path to a unique objective (a "prize") it will create a new card and rank it appropriately for you.
The Path Finder card shows the relevant data about a specific attack path at a glance. You can use it to understand quickly what the impact might be to your business if the situation isn't corrected.
A few key areas are highlighted on the Path Finder Card:
The card's Detailed Path button displays the Risk Explorer, where you can analyze the detailed attack path. The Quick Info button displays a pop-up with a visualization of the attack path that you can review without leaving the page.
The criticality flag is displayed in the upper-right corner of cards that have devices, users, and applications that have been tagged within the BIM or have been automatically assigned by Epiphany. The ranking of flags is as follows:
ADMIN. This is the highest criticality within Epiphany and indicates that a system-level permission is accessible within the attack path. This can be an account that has the equivalent permissions to a Windows domain administrator, AWS IM *, or Azure service principal, for example.
CRITICAL. This criticality is assigned by the user, within the BIM, to a device, application, or user, or by Epiphany to high-value applications and devices such as domain controllers or Sharepoint. These are usually targets of known advanced persistent threat (APT) or ransomware.
HIGH. This criticality is assigned by the user, within the BIM, to a device, application, or user, or by Epiphany to high-value applications and devices such as a database server or other information repository. These are usually targets of known APT or ransomware.
MEDIUM. This criticality is assigned by the user, within the BIM, to a device, application, or user, or by Epiphany to potentially valuable applications and devices that are not known to be of high value.
LOW. This criticality is assigned by the user, within the BIM, to a device, application, or user. Epiphany does not assign a low priority to anything by default.
The Risk Explorer shows you an interactive view of the attack path.
At first glance this attack path might seem complex since Epiphany shows you all the relevant alternative paths an attacker could use to reach the target. But when you analyze the attack path this example is actually a slightly elongated version of an attack path that looks like this:
Epiphany will always expand relevant alternative permissions or attack paths that an attacker could use to get to the prize so that you can evaluate your options for remediation.
Within the Risk Explorer, Epiphany makes any complex analysis task simplistic by guiding you to the greatest areas of risk in an efficient way. Epiphany takes into account many different variables about the attack path relationships, including complexity, length, defensive controls, prizes, attacker risk, and more.
With these calculations, Epiphany will identity the attack path variation that represents the greatest impact with the least attacker risk and show that to you in the Risk Explorer. Within this visualization, however, is the compression of potentially millions of variations of how an attacker could use a single permission of vulnerability. To simplify this, the recommendation engine will relay information to you as paths broken. This indicates to you how many attacker opportunities you've removed by making the change.
Clicking on any recommendation will display the exact relationship on the path it represents. For example, clicking on the first recommendation Remove admin rights from HELPDESK_ADMINS@DEMO.EIP.IO displays that specific relationship.
This node represents the that Epiphany identified as the easiest place to start the attack path leading to a specific objective. This includes every potential foothold starting variation. The Foothold area (labeled with a large "1") also includes specific information about the foothold. This can include the Hostname(s), IP(s), previously defined by a user, as well as the foothold's Entry Point Score. The entry point score is Epiphany's indication of how at-risk the device is, on a scale of 1-10.
This node represents the attacker's ("prize," as indicated by the jewel in the icon). This can be an application, a device, a user, or virtually any other object that can be located in the BIM. The Target area (labeled with a large "2") provides key information about the prize in the attack path, including Hostname(s), IP(s), BIM Groups, and specific Prize(s). Cards are generated based on unique prizes so you will not see multiple cards with the same prize.
You can access Top Recommendations in the Risk Explorer by selecting the icon in the upper-left of the attack path view. The Top Recommendations for this attack path display in a pop-up.
The Recommendations displayed below the relationship are your guide for how to think about breaking the attack path and why it is important to the attacker. Some key areas of this are the relationship itself, the recommendation and the explanation of why that recommendation should be used, the outcomes if you take this action, and the actions you can take within Epiphany. The recommendations are covered in depth in the next section, , as part of your next workflow.
