Inconsistencies in Attack Path Results

There may be inconsistencies when comparing the Attack Path results in Attack Path Analysis, Tenable Identity Exposure, and Tenable OT Security with the same source and target inputs. The following are some of the probable causes for such behavior:

  • Lack of MITRE ATT&CK™ coverage — Tenable Identity Exposure and Tenable OT Security might support attack primitives, security relationships, or configurations that are not covered in the MITRE ATT&CK™ Framework, and as a result their results do not match the attack path results in Attack Path Analysis.

  • Lack of Attack Path Analysis coverage — Attack Path Analysis parsing capabilities may not be on par with Tenable Identity Exposure and Tenable OT Security in some cases. Tenable is aware of the lack of support in several scenarios involving special Access Control Entry (ACE) or Access Control List (ACL) and group policy object (GPO) settings, where there may be false positives or false negatives.

  • Attack Path is not exploitable — Attack Path Analysis only shows attack paths that are “believed” to be feasible to exploit. Some security relationships that create a vulnerability in Tenable Identity Exposure and Tenable OT Security may not be considered exploitable in Attack Path Analysis. Such scenarios include vulnerabilities that can be mitigated by other controls such as network segmentation or endpoint hardening. Note that this behavior is intended; it is a feature and not a bug.

  • Unsynced data — Unsynced data can cause inconsistencies between the products. Tenable Identity Exposure and Tenable OT Security have their own data collection service and are considered to be real-time. However, Attack Path Analysis relies on a data lake and receives data from various Tenable products. A delay to sync the data between Tenable Identity Exposure, Tenable OT Security, and Attack Path Analysis is expected.