Attack Path Analysis FAQ
The following are common questions and answers about Attack Path Analysis.
Attack Path Analysis currently supports these Tenable products: Tenable.ad and Tenable.io.
For the complete list of attack techniques, see Attack Path Analysis Attack Techniques.
An attack path defines a source, a target, and one or more attack techniques leading an attack from the source to the target.
Attack Path Analysis receives data from the supported Tenable products and combines it with graph analytics, the MITRE ATT&CK™ framework, and the Open Web Application Security Project® (OWASP) knowledge base to map the possible attack techniques.
See the prerequisite section of each attack technique in Attack Path Analysis Attack Techniques to find the conditions that must exist for an attack query to run.
A finding is an attack technique that exists in one or more attack paths leading to one or more critical assets.
The finding calculation uses mathematical algorithms to assess the following:
Likelihood: The number of attack paths using the technique associated with the finding.
Impact: The number of critical assets that the technique allows an adversary to compromise.
Method: The tactic associated with the technique such as lateral movement, privilege escalation, etc.
Path: The starting point and ending point of the technique.
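To make the four factors concrete, here is an added illustration (not Tenable's code) that enumerates attack paths through a small, constructed asset graph and then scores each technique as the list above describes: likelihood is the number of attack paths that use the technique, impact is the number of distinct critical assets the technique leads to, method is the tactic, and path is the technique's own start and end points. The asset names, techniques, edges, sources and critical assets are all invented sample data.

```python
"""Enumerate attack paths in a small asset graph and score each technique the
way the FAQ describes. Added illustration, not Tenable's code; the assets,
techniques and edges are constructed sample data."""
from collections import defaultdict

# Constructed edges: (source asset, target asset, technique, ATT&CK-style tactic).
EDGES = [
    ("WS-01", "SRV-FILE", "Pass the Hash", "Lateral Movement"),
    ("WS-01", "SRV-FILE", "RDP with Cached Credentials", "Lateral Movement"),
    ("WS-02", "SRV-FILE", "Pass the Hash", "Lateral Movement"),
    ("SRV-FILE", "DC-01", "Kerberoasting", "Credential Access"),
    ("SRV-FILE", "DC-01", "DCSync", "Credential Access"),
    ("SRV-FILE", "SRV-SQL", "Pass the Hash", "Lateral Movement"),
    ("SRV-SQL", "DC-01", "Unconstrained Delegation", "Privilege Escalation"),
    ("WS-02", "SRV-BACKUP", "Local Admin Password Reuse", "Lateral Movement"),
]
SOURCES = {"WS-01", "WS-02"}          # assumed entry points (e.g. phished users' hosts)
CRITICAL = {"DC-01", "SRV-BACKUP"}    # assumed critical assets


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, technique, tactic in edges:
        graph[src].append((dst, technique, tactic))
    return graph


def enumerate_paths(graph, sources, critical, max_hops=6):
    """Every simple path from a source to a critical asset, as a list of edges.
    A path stops at the first critical asset it reaches."""
    paths = []

    def walk(node, visited, trail):
        if trail and node in critical:
            paths.append(list(trail))
            return
        if len(trail) >= max_hops:
            return
        for dst, technique, tactic in graph.get(node, []):
            if dst in visited:          # no cycles
                continue
            trail.append((node, dst, technique, tactic))
            walk(dst, visited | {dst}, trail)
            trail.pop()

    for source in sorted(sources):
        walk(source, {source}, [])
    return paths


def score_findings(paths):
    """Per technique: likelihood (paths using it, each path counted once even if
    the technique appears at two hops), impact (distinct critical assets reached),
    method (tactics), and the technique's own start/end points."""
    findings = {}
    for path in paths:
        critical_target = path[-1][1]
        counted = set()
        for src, dst, technique, tactic in path:
            f = findings.setdefault(technique, {
                "likelihood": 0, "impact": set(), "method": set(), "path": set()})
            if technique not in counted:
                f["likelihood"] += 1
                counted.add(technique)
            f["impact"].add(critical_target)
            f["method"].add(tactic)
            f["path"].add((src, dst))
    return findings


def rank_findings(findings):
    """Highest impact first, then highest likelihood; technique name breaks ties."""
    return sorted(findings, key=lambda t: (-len(findings[t]["impact"]),
                                           -findings[t]["likelihood"], t))


if __name__ == "__main__":
    paths = enumerate_paths(build_graph(EDGES), SOURCES, CRITICAL)
    findings = score_findings(paths)
    print(f"{len(paths)} attack paths")
    for technique in rank_findings(findings):
        f = findings[technique]
        print(f"{technique:28} likelihood={f['likelihood']:2} "
              f"impact={len(f['impact'])} method={sorted(f['method'])}")
```

In this sample, Pass the Hash appears in 7 of the 10 paths and ranks first even though every technique here reaches only one critical asset; fixing one high-likelihood technique (or removing the edge it depends on) collapses many paths at once, which is the point of prioritising findings this way.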
Attack Path Analysis determines the asset type as follows:
Computer, Server, or Workstation — By parsing the operating system string and mapping it to the relevant type, so the asset is classified as a Workstation, Server, or Computer.
Domain Controller — By checking the computer account's User Account Control (userAccountControl) attribute.
Other computer assets — By using Computer as the base type for assets whose operating system is unknown.
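The three rules above, as an added illustration that is not Tenable's code: the userAccountControl check comes first, because a domain controller's OS string also says "Server" and the SERVER_TRUST_ACCOUNT flag (0x2000, set only on domain controller computer accounts) is the authoritative signal; the keyword lists used to map OS strings, and the sample records, are constructed assumptions rather than Tenable's mapping.

```python
"""Classify computer assets the way the FAQ describes: a domain controller is
detected from the userAccountControl attribute, everything else from the
operating system string, with Computer as the fallback. Added illustration,
not Tenable's code; the records and OS keyword lists are constructed assumptions."""

# userAccountControl flags from the Active Directory schema.
WORKSTATION_TRUST_ACCOUNT = 0x1000   # ordinary domain-joined computer
SERVER_TRUST_ACCOUNT = 0x2000        # set only on domain controller accounts
TRUSTED_FOR_DELEGATION = 0x80000     # DCs normally carry this flag as well

# Assumed keyword mapping for OS strings; extend for your own estate.
WORKSTATION_HINTS = ("windows 10", "windows 11", "windows 8", "windows 7", "macos", "os x")
SERVER_HINTS = ("server", "esxi")


def classify_asset(record):
    """record: {'os': str | None, 'uac': int | None}. Returns the asset type."""
    uac = record.get("uac") or 0
    # UAC first: a DC's OS string also contains "Server", but the flag is authoritative.
    if uac & SERVER_TRUST_ACCOUNT:
        return "Domain Controller"
    os_name = (record.get("os") or "").lower()
    if any(hint in os_name for hint in SERVER_HINTS):
        return "Server"
    if any(hint in os_name for hint in WORKSTATION_HINTS):
        return "Workstation"
    return "Computer"   # base type when the OS is missing or unrecognised


def classify_all(records):
    return {r["name"]: classify_asset(r) for r in records}


# Constructed sample records shaped like directory computer objects.
ASSETS = [
    {"name": "DC-01",    "os": "Windows Server 2019 Standard",
     "uac": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "SRV-FILE", "os": "Windows Server 2016 Datacenter", "uac": WORKSTATION_TRUST_ACCOUNT},
    {"name": "WS-01",    "os": "Windows 10 Enterprise",          "uac": WORKSTATION_TRUST_ACCOUNT},
    {"name": "MAC-07",   "os": "macOS 13.4",                     "uac": None},
    {"name": "LNX-22",   "os": "Ubuntu 22.04",                   "uac": None},
    {"name": "UNK-99",   "os": None,                             "uac": None},
]

if __name__ == "__main__":
    for name, asset_type in classify_all(ASSETS).items():
        print(f"{name:10} {asset_type}")
```

Note that a Linux host with no server/workstation hint and a record with no OS at all both fall through to Computer, which is exactly the "base type for unknown assets" behaviour the FAQ describes; if you see many Computer-typed assets, the fix is better OS data in the source product, not a different classifier.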
Attack Path Analysis runs a data synchronization process every 30 minutes. If an asset or finding is removed or resolved during that interval, Attack Path Analysis no longer reports it as a finding after the next synchronization.
Findings data can also change when Attack Path Analysis removes the path to the critical asset or resolves one of the attack path techniques leading to it. Only instances of an attack path technique that lead to a critical asset count as findings. For more information, see Findings.
Attack Path Analysis triggers a data processing job every 30 minutes, and it can take up to two hours for the data to update.
The Discover > Query Builder includes the following asset types:

| Asset type | Definition |
|---|---|
| PrivilegedUser | A user account with administrator access on more than 10 devices. |
| DomainAdmin | A user account that is a member of a group with full control of the domain, including Domain Admins, Enterprise Admins, and Administrators. |
| GlobalAdministrator | A user account with access to all administrative features in Azure Active Directory. |
| ServiceAccount | A special type of non-human privileged account that can execute applications and run automated services, virtual machine instances, and other processes. |
| Executive | A user account associated with a human at the top of the organizational hierarchy, based on the manager attribute in Windows-based systems. |