Attack Path

As part of a typical attack, adversaries leverage different tools and techniques to accomplish their objectives. Usually, a hacker attains an initial foothold in the network, whether through a phishing attack or by exploiting a publicly exposed vulnerability. The hacker may then seek to maintain access to the machine (Persistence), elevate their privileges, and laterally pivot between network devices (Lateral Movement). Last, the hacker tries to complete their objective, for example, a denial of service of critical infrastructure, exfiltration of sensitive information, or disruption of existing services. This sequence of events is known as an Attack Path. An attack path contains one or more Attack Techniques that allow the hacker to accomplish their objective.

The Attack Path page in Tenable Exposure Management takes your data and pairs it with advanced graph analytics and the MITRE ATT&CK™ Framework to create Top Attack Techniques. These paths allow you to understand and take action on the unknowns that enable and amplify threat impact on your assets and information.

Additionally, you can use the Top Attack Paths tab to dive deeper into the mind of an attacker by interacting directly with attack paths, building custom paths, and manipulating the origins and targets within a path to view exactly how these changes affect your data.

Note: Attack path data ingestion can take up to 5 hours.

What is Attack Path?

  • What is a top attack path?

    • A top attack path is an attack path that leads to one or more critical assets.

  • What is a top attack technique?

    • A top attack technique is an attack technique that exists in one or more attack paths that lead to one or more critical assets.

  • How does Tenable Exposure Management map critical assets?

    • Assets with an Asset Criticality Rating of 7 and above

    • Cloud resource assets marked as Sensitive

    • User account assets within Active Directory with Domain Admin rights

  • How does Tenable Exposure Management classify the severity of an attack technique?

    • Likelihood: The number of attack paths

    • Impact: The critical assets that could be compromised by the attack

    • Method: The tactic associated with the attack (for example, lateral movement or privilege escalation)

    • Path: The start and end points of the attack path technique
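The definitions above can be worked through on a small graph. The following Python sketch is an added illustration, not Tenable code or the product's algorithm: the asset fields, the sample inventory, and the edges are constructed, and counting paths per technique is one reading of the Likelihood factor.

```python
from collections import Counter
# Constructed sample inventory; field names are assumptions for this sketch.
ASSETS = {
    "web01": {"kind": "host", "acr": 5},
    "ws07": {"kind": "host", "acr": 4},
    "db01": {"kind": "host", "acr": 9},
    "bucket-logs": {"kind": "cloud", "sensitive": False},
    "bucket-pii": {"kind": "cloud", "sensitive": True},
    "svc-backup": {"kind": "ad_user", "groups": ["Backup Operators"]},
    "adm-jane": {"kind": "ad_user", "groups": ["Domain Admins"]},
}
# Constructed relationships: (source, target, MITRE ATT&CK technique).
EDGES = [
    ("web01", "ws07", "T1021 Remote Services"),
    ("ws07", "svc-backup", "T1003 OS Credential Dumping"),
    ("svc-backup", "db01", "T1078 Valid Accounts"),
    ("ws07", "adm-jane", "T1003 OS Credential Dumping"),
    ("web01", "bucket-logs", "T1530 Data from Cloud Storage"),
    ("web01", "bucket-pii", "T1530 Data from Cloud Storage"),
]

def is_critical(asset):
    """Apply the three critical-asset rules listed on this page."""
    if asset["kind"] == "ad_user":
        return "Domain Admins" in asset.get("groups", [])
    if asset["kind"] == "cloud":
        return bool(asset.get("sensitive"))
    return asset.get("acr", 0) >= 7  # Asset Criticality Rating of 7 and above

def top_attack_paths(assets, edges, origin):
    """Return every simple path from origin that ends on a critical asset."""
    out_edges, found = {}, []
    for src, dst, tech in edges:
        out_edges.setdefault(src, []).append((dst, tech))
    def walk(node, visited, steps):
        if steps and is_critical(assets[node]):
            found.append(steps)
        for dst, tech in out_edges.get(node, []):
            if dst not in visited:  # skip cycles
                walk(dst, visited | {dst}, steps + [(node, dst, tech)])
    walk(origin, {origin}, [])
    return found

def top_attack_techniques(paths):
    """Rank techniques by how many top attack paths contain them."""
    counts = Counter(t for path in paths for t in {tech for _, _, tech in path})
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
if __name__ == "__main__":
    print(top_attack_techniques(top_attack_paths(ASSETS, EDGES, "web01")))
```

In this sample, the path to `bucket-logs` is not a top attack path because that bucket is not marked Sensitive, and `svc-backup` is only an intermediate hop because it lacks Domain Admin rights.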

Before you begin:

For Attack Path data ingestion to function as expected, ensure you have the following:

  • A Tenable Vulnerability Management Basic Network Scan with credentials.
  • One of the following:

    • A Tenable Vulnerability Management basic scan using the Active Directory Identity scan template. This scan type requires fewer permissions and provides a basic overview of your Active Directory entities.

      Note: You can run this scan type on its own, or as part of a Basic Network Scan. In a Basic scan, you must ensure the Collect Identity Data from Active Directory option is enabled in the Discovery section.
    • Tenable Identity Exposure SaaS deployed.

    Note: Because the plugin only supports up to 7,000 identities, the Active Directory Identity scan template is not designed for large environments, but is instead intended to help small customers kick start their use of Tenable Exposure Management. Tenable recommends that larger customers deploy Tenable Identity Exposure.
  • Additionally, for best performance, Tenable recommends the following:

    • Have at least 40% of assets scanned via an authenticated scan.

    • Select maximum verbosity in the Basic Network Scan.

    • A default Tenable Web App Scanning scan, including injection plugins. At least 40% of the web applications should be scanned.

    • An AWS connection with a Tenable Cloud Security scan policy including all vulnerabilities and available AWS resources.

    • When using Tenable Identity Exposure, enable privileged analysis. This option highlights key attack vectors used by hackers and gives you a better understanding of your attack surface, including credential auditing and password analysis.

    • A scan frequency of at least once a week.

    • Configure Tenable OT Security.

    • Configure Tenable Attack Surface Management.

To access the Attack Path page:

  1. In the left navigation menu, click Attack Path.

    The Attack Path page appears with the Dashboard tab displayed by default.

On the Attack Path page, you can: