Top Attack Techniques

As part of a typical attack, adversaries leverage different tools and techniques to accomplish their objectives. This event is known as Attack Path. An attack path contains one or more Attack Techniques, allowing the hacker to accomplish their objective. To see a full list of supported attack paths within Tenable Exposure Management, view the Tenable Attack Path Techniques list.

Every attack path contains one or more attack techniques. Every network includes multiple attack paths. Tenable helps you to focus on the most important paths by highlighting:

  • Attack paths that lead to critical assets.

  • Assets with an ACR greater than 7.

  • Other Tenable defined static identifiers, such as Domain Admins.

An attack technique is a technique that exists in one or more attack paths that lead to one or more critical assets. The Top Attack Paths tab on the Attack Path page takes your data and pairs it with advanced graph analytics and the MITRE ATT&CK® Framework to create top attack techniques, which allow you to understand and act on the unknowns that enable and amplify threat impact on your assets and information.

Before you begin:

For Attack Path data ingestion to function as expected, ensure you have the following:

  • A Tenable Vulnerability Management Basic Network Scan with credentials.

  • One of the following:

    • A Tenable Vulnerability Management basic scan using the Active Directory Identity scan template. This scan type requires fewer permissions, and provides a basic overview of your active directory entities.

      Note: You can run this scan type on its own, or as part of a Basic Network Scan. In a Basic scan, you must ensure the Collect Identity Data from Active Directory option is enabled in the Discovery section.

    • Tenable Identity Exposure SaaS deployed.

    Note: Because the plugin only supports up to 7,000 identities, the Active Directory Identity scan template is not designed for large environments, but is instead intended to help small customers kick start their use of Tenable Exposure Management. Tenable recommends that larger customers deploy Tenable Identity Exposure.

  • Additionally, for best performance, Tenable recommends the following:

    • Have at least 40% of assets scanned via an authenticated scan.

    • Select maximum verbosity in the Basic Network Scan.

    • A default Tenable Web App Scanning scan, including injection plugins. At least 40% of the web applications should be scanned.

    • An AWS connection with a Tenable Cloud Security scan policy including all vulnerabilities and available AWS resources.

    • When using Tenable Identity Exposure, enable privileged analysis. This option highlights key attack vectors used by hackers and gives you a better understanding of your attack surface, including credential auditing and password analysis.

    • A scan frequency of at least once a week.

    • Configure Tenable OT Security.

    • Configure Tenable Attack Surface Management.

  • At least one attack technique found within Tenable Exposure Management.

  • At least one attack path generated within Tenable Exposure Management.

  • Attack paths that use the previously mentioned attack technique and lead to at least one critical asset.

To access the Top Attack Techniques tab:

  1. Do one of the following:

    • In the left navigation menu, click Attack Path > Attack Techniques.

    • At the top of the Attack Path page, click the Attack Techniques tab.

    The Top Attack Techniques tab appears.

On the Top Attack Techniques tab, you can:

  • On the left side of the page, view Attack Techniques tiles:

    • Open Attack Techniques — View the total number of open attack techniques within Tenable Exposure Management. Also, view the number of open techniques in each priority level.

    • Archived Attack Techniques —View the total number of archived attack techniques within Tenable Exposure Management. Also, view the number of archived techniques in each priority level.

    • Total Attack Techniques — View the total number of attack techniques within Tenable Exposure Management. Also, view the number of total attack techniques in each priority level.

    Deactivated Attack Techniques: In cases where attack path data does not exist outside of the Top Attack Techniques list, Tenable Exposure Management automatically updates the Log History of the attack technique:

    • When a attack technique is not seen as part of any attack path, Tenable Exposure Management changes the attack technique State to Archived.
    • When a attack technique cannot be found within the Attack Path Graph on the Top Attack Paths tab, Tenable Exposure Management changes the attack technique State to Archived and the Status to Done.

    If at any point the attack technique is again seen as part of an attack path, Tenable Exposure Management automatically reactivates the attack technique State to Open.

    Click on a tile to filter the Top Attack Techniques list by that type of technique.

  • View the Top Attack Techniques list, where you can:

      1. At the top of the Top Attack Techniques list, click inside the search box.

        The Choose your filter drop-down box appears where you can filter the list. Options include, but are not limited to:

        Filter Description
        Priority Filters by priority: critical, high, medium, or low.
        Note: When calculating the priority, Tenable Exposure Management considers the following:
        • The number of attack paths where the attack technique is present compared to the total number of attack paths.
        • The number of critical assets to which these attack paths lead compared to the total number of critical assets.
        • The tactic used, for example, lateral movement or privilege escalation.
        Status Filters by status: To Do, In Progress, In Review, and Done.
        Source Filters by the attack path source.
        Target Filters by the attack path target.
        CVE Filters by specific CVEs.
        Mitigations Filters by mitigations for the attack techniques.
        Tactic Filters attack techniques with similar tactics.
        Technique Filters by attack techniques. For more information about attack techniques, view the Tenable Attack Path Techniques list.

      2. Select the filter you want to use to filter the Top Attack Techniques list.

        The Choose operator drop-down box appears.

      3. Select the operator you want to use to filter the Top Attack Techniques list.

        The Choose value drop-down box appears.

      4. Select the value you want to use to filter the Top Attack Techniques list.

      5. Click Apply.

        Tenable Exposure Management filters the Top Attack Techniques list based on your criteria.

      1. In the upper-right corner of the Top Attack Techniques list, click the button.

        A drop-down menu appears.

      2. Select or deselect the check box next to the column you want to show or hide in the list.

        The Top Attack Techniques list updates based on your selection.

    • Export an attack technique.

    • Change the status of an attack technique.

      Tip: See View the Log History for an Attack Technique for more information about attack technique statuses.

    • Archive an attack technique.

    • View the following attack technique information:

      • View Path — Click the button in the row of any attack technique to navigate to the Top Attack Paths tab, where you can view a graphical representation of the attack path and interact with more attack path data.

      • Priority — The priority, or criticality, of the attack technique, for example, Critical.

        Note: By default, the Top Attack Techniques list sorts attack techniques by highest priority first.

        Note: When calculating the priority, Tenable Exposure Management considers the following:
        • The number of attack paths where the attack technique is present compared to the total number of attack paths.
        • The number of critical assets to which these attack paths lead compared to the total number of critical assets.
        • The tactic used, for example, lateral movement or privilege escalation.

      • MITRE ATT&CK Id — The MITRE ATT&CK identification number for the attack technique. Click an identification number to navigate directly to the MITRE ATT&CK listing for the attack technique.

      • Technique — The MITRE ATT&CK technique associated with the attack technique.

      • Source — The source of the attack technique.

      • To — The target of the attack technique.

      • Status — The status to indicate the action taken on the attack technique, for example, In Progress.

    • Click on a technique to view additional attack technique details.