Attack Path Analysis

Attack path analysis is an important tool in the fight to stay ahead of increasingly sophisticated attacker methodology.


What is Attack Path Analysis? 

Attack path analysis is a simplified way of graphically visualizing the avenues bad actors can use to navigate your on-prem and cloud environments. Attackers can chain these different “paths” together to reach sensitive information and, unsurprisingly, to exploit a vulnerable configuration or resource. At the scale of a large enterprise, it is not hard to imagine how many potential attack paths exist.

By studying this data in the form of an attack graph, it’s easier to get a real-time understanding of risk, to identify relationships between compromised resources, and to see how those compromises could affect your larger network. In practice, the majority of security teams appear to be finding attack paths quickly and remediating them responsibly: an estimated 75% of exposures were found to be dead ends that could not be exploited by attackers.

Choke points are places where multiple potential attack paths converge, and they act as major gateways to sensitive data and assets. The critical nature of a choke point is also what makes it a great place to identify anomalous activity and to narrow down exactly what you need to investigate. It’s here that logs can be centralized and baseline behaviors set, so that teams know what looks normal and what doesn’t as traffic passes through the choke point.

Attack Path vs. Attack Vector vs. Attack Surface

There are a number of terms that not only sound similar to "attack path," but also overlap in definition and function. Let's take a look at a few key differences between some of those terms.

Attack Path 

An attack path is the visual representation of the specific journey an attacker could take to access sensitive data or to leverage system access to exploit vulnerabilities. The attack path is typically represented as a graph and can be built from data that a cloud security solution already harvests and analyzes from accounts and their associated services. From there, the solution should be able to communicate the source, target, and severity of each attack path.

Attack Vector 

An attack vector is essentially the break-in point where the attacker entered a system. From there, the attacker follows the attack path to the desired information or resource. Malware, for example, has three main vector types – trojan horses, viruses, and worms – that leverage everyday communications channels like email. Other typical vectors include system entry points like compromised credentials, ransomware, phishing schemes, and the exploitation of cloud misconfigurations.

Attack Surface

An attack surface is a collection of vulnerable attack vectors along an entire network – on-prem and cloud – where attackers could gain entry. Individual attack vectors create small openings, but the combination of all of those entry points creates a larger vulnerability that can turn common networks into dynamic attack surfaces. The attack surface contains vectors through which an attacker can create a path to sensitive assets and data.

How Does Attack Path Analysis Work? 

Attack path analysis works by helping security teams visualize real-time risk across cloud environments. As teams hunt for toxic combinations (configurations and connections that were each put in place for a legitimate purpose but that together open a path for an attacker), they begin to understand the current overall health of their network. Does its current state leave the organization and business at higher risk, or will they find out they’re actually in a relatively secure place?

As an example of how attack path management and analysis works, let’s consider identity and access management (IAM). Without the security team knowing it, is the environment actually open to an account takeover in which an attacker could move around unchecked?

Login credentials could be taken and exploited to gain further access to customer information or intellectual property. If an IAM system is compromised and credentials stolen, an attacker could have access to, well, everything. Let’s take a look at some steps:

  • An attacker has compromised an IAM system and stolen an individual user's credentials. 
  • The attacker uses those credentials to gain access to a larger group within the security or IT organization. 
  • The attacker then has access to a trove of credentials, which they can use to move laterally and build longer attack paths throughout the network. 
  • The attacker ultimately lands at the prize: sensitive financial data on thousands of customers, which is quickly exfiltrated. 

In order to detect these types of attacker movements faster – or to block them before they ever have a chance to begin – it’s critical to:

  • Look at the resource connections along the network and examine their relationships to one another. 
  • Review the visual graph so that personnel can view the resources and their associated risk factors along a potential attack path. 
  • Determine the proper steps to break the links in the attack path by altering aspects such as access controls and security configurations as well as patching any vulnerabilities. 
  • Configure automatic notifications that alert the relevant resource owner(s) and generate communications that can convey information to technical and non-technical stakeholders alike. 
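The IAM scenario and the four steps above can be worked through on a small attack graph. The following is an added example (not code from the original page or from Rapid7): it models resources and identities as nodes, access relationships as directed edges, enumerates every path from an entry point to a crown-jewel asset, flags dead-end exposures, finds choke points, and ranks which single link a defender should break first. All node names and edges are constructed sample data.

```python
from collections import Counter

# Constructed sample graph (added example, not from the original page). Nodes
# are resources/identities; an edge A -> B means whoever controls A can reach B
# (stolen credential, assumable role, network reachability, and so on).
GRAPH = {
    "phishing-email": ["user-laptop"],
    "user-laptop": ["user-creds"],
    "user-creds": ["vpn-gateway"],
    "vpn-gateway": ["jump-host"],
    "public-web-app": ["web-server"],
    "web-server": ["app-role"],
    "app-role": ["jump-host", "log-bucket"],
    "jump-host": ["admin-creds"],
    "admin-creds": ["customer-db"],
    "stale-test-instance": ["test-bucket"],  # exposure that leads nowhere sensitive
}
ENTRY_POINTS = ["phishing-email", "public-web-app", "stale-test-instance"]
CROWN_JEWELS = {"customer-db"}

def find_paths(graph, start, targets):
    """Enumerate every simple path from start to any target (DFS, no cycles)."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        if path[-1] in targets:
            paths.append(path)
            continue
        for nxt in graph.get(path[-1], []):
            if nxt not in path:
                stack.append(path + [nxt])
    return paths

def analyze(graph, entry_points, crown_jewels):
    """Map paths, flag dead-end exposures, find choke points, rank edges to cut."""
    found = {e: find_paths(graph, e, crown_jewels) for e in entry_points}
    paths = [p for ps in found.values() for p in ps]
    dead_ends = [e for e, ps in found.items() if not ps]
    # Choke point: an intermediate node that every attack path passes through.
    inner = [set(p[1:-1]) for p in paths]
    choke_points = set.intersection(*inner) if inner else set()
    # Rank edges by how many paths each carries; cutting the top one (tighter
    # access control, a patched host, a removed role binding) breaks the most.
    edge_counts = Counter(e for p in paths for e in zip(p, p[1:]))
    return paths, dead_ends, choke_points, edge_counts.most_common()

def break_link(graph, src, dst):
    """Return a copy of the graph with the edge src -> dst removed (remediation)."""
    return {s: [n for n in ds if (s, n) != (src, dst)] for s, ds in graph.items()}
```

Calling `analyze(GRAPH, ENTRY_POINTS, CROWN_JEWELS)` yields two paths to the customer database, the stale test instance as a dead end, and `jump-host` and `admin-creds` as choke points; re-running it on `break_link(GRAPH, "jump-host", "admin-creds")` shows every path eliminated by that one change.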

The Importance of Attack Path Analysis 

Attack path analysis is an important tool in the fight to stay ahead of increasingly sophisticated attacker methodology. It helps security organizations understand how, even though certain configurations and connections may be beneficial in one sense, they may also leave gaping vulnerabilities waiting to be exploited.

Attack path analysis should be part of a holistic cloud-security solution that places an emphasis on speed in attack path mapping and identification. It also grants greater visibility and understanding of how to best secure the network while simultaneously keeping business operations on track.

Risk prioritization is a product of the aspects above, which yields the benefits of knowing where to place analyst effort at any given time and proactively taking action against emerging threats.

Think Like an Attacker 

The greatest benefit to a security team is that, with the visibility, speed, and risk prioritization granted by attack path analysis, practitioners can think like attackers better than ever. Because threat actors want to move quickly while they are at high risk of discovery, they have to plan a certain number of steps in an attack path before they even begin.

When a security organization begins identifying potential paths and thinking proactively about the lateral movements an attacker might make along the way to accessing sensitive information, they begin to truly understand the uniqueness of their network and how best to secure it against threats.

Attack Path Analysis Use Cases

Security teams – especially the non-technical stakeholders that rely on those teams – would do well to be educated on the specific use cases of attack path analysis and how they can identify opportunities to leverage them.

  • Understand how attackers access sensitive information: This case provides easy-to-consume visualizations that present various ways a resource storing sensitive information could be directly or indirectly accessed. 
  • Minimize false positives and accelerate critical-risk response times: This case shortens risk prioritization and response times by identifying and targeting for remediation the source of an attack and its path through the system. 
  • Prioritize remediation efforts: This case helps security teams visualize potential attack paths and prioritize cloud risks and threats. It provides context into how bad actors could move laterally throughout an environment and access sensitive information.
  • Easily communicate risk to non-technical stakeholders: This case visualizes attack paths with a graph and can be an effective way to communicate to non-technical stakeholders – such as executives or board members – potential risks and impacts of a cyberattack.
  • Stay in compliance: This case helps security teams and auditors identify, track, and remediate compliance violations across a range of regulatory concerns like SOC 2, which establishes strict criteria for managing customer data that lies along any number of potential attack paths.
