Indicators of Exposure
Tenable Identity Exposure measures the security maturity of your AD infrastructures through Indicators of Exposure (IoEs) and assigns severity levels to the flow of events that it monitors and analyzes. Tenable Identity Exposure triggers alerts when it detects security regressions.
These IoEs are pre-configured, and any deviations from the established norms trigger corresponding alerts.
Tenable Identity Exposure IoEs come with a range of features designed to boost your investigative capabilities:
- Searchable and filterable: Effortlessly explore the IoE by applying filters based on forest and domain.
- Export capability: Deviance object allows you to export the IoEs in CSV format.
- Action on IoE incidents: Remove an exposure from the whitelist/re-enable it.
The data from IoEs include:
- Information section: This section provides an executive summary about each Indicator of Exposure (IoE), including known attack tools, affected domains, and relevant documentation.
- Vulnerability details: This section provides more in-depth information about the misconfiguration in Active Directory.
- Deviant objects: This section highlights misconfigurations in Active Directory that may contribute to broader attack surfaces.
- Recommendation: This section guides you through effective configuration strategies to minimize your attack surface.

Severity levels allow you to assess the severity of the detected vulnerabilities and to prioritize remediation actions.
The Indicators of Exposure pane shows IoEs as follows:
- By severity level using color codes.
- Vertically — from most severe to least severe (red for top priority and blue for least priority).
- Horizontally — from most complex to least complex. Tenable Identity Exposure computes the complexity indicator dynamically to indicate the level of difficulty to remediate the deviant IoE.

Severity | Description |
---|---|
Critical — Red | Shows how to prevent attacks and compromise of the Active Directory by certain unprivileged users. |
High — Orange | Deals with either post-exploitation techniques leading to credential theft or security bypass or with exploitation techniques that require chaining to be dangerous. |
Medium — Yellow | Indicates a limited risk for the Active Directory infrastructure. |
Low — Blue | Shows good security practices. Certain business contexts may allow low-impact deviances that do not necessarily affect AD security. These deviances have an impact on the AD only if an administrator makes an error such as by activating an inactive account. |

Prioritize remediation efforts on the high-severity IoEs that the system identifies. You can further prioritize within the critical category using the risk meter within the IoE.
If you believe that the IoE falls within your organization's purview or operational mandate, you can allowlist it.

The following use case focuses on the IoE called "Accounts with Never Expiring Passwords".
- When Tenable Identity Exposure flags an IoE, it appears in the Indicators of Exposure pane.
- To get more insight into the IoE, click it to access additional details. The information page provides an executive summary, details about potential attack tools associated with the IoE, affected domains, and relevant documentation to help you understand and address the issue.
- For more details about the IoE, click the "Vulnerability details" tab.
- To verify which accounts have the "Account with never expiring password" setting enabled, click "Deviant objects". This gives you a list of the accounts that have this configuration in your system.
- Click the deviant object to see the accounts that the IoE flagged.
- Consult your Active Directory administrator to understand why the affected account has the "Accounts With Never Expiring Passwords" option enabled.
- Based on the response, you can either whitelist the account or assist your Active Directory administrator in making recommendations to address the issue.
- For recommendations, refer to the recommendation section of the IoE.
- If the account has an exception or is known to work as expected, you can ignore the IoE by navigating to Deviance object > Select the respective deviance > Ignore selected object (or stop ignoring the selected object, depending on the requirement).
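
To support the conversation with your Active Directory administrator in the use case above, the following added example (not Tenable code and not the product's detection logic) decodes the `userAccountControl` flag behind never-expiring passwords and separates approved exceptions from accounts that need follow-up. It assumes a CSV directory export with `sAMAccountName`, `userAccountControl` and `pwdLastSet` columns; the account names and the exception list are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Active Directory values).
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000

# pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export; the accounts are hypothetical.
SAMPLE_EXPORT = """sAMAccountName,userAccountControl,pwdLastSet
svc-backup,66048,132223104000000000
j.doe,512,133485408000000000
old-admin,66050,131592384000000000
svc-sql,66048,133170048000000000
"""

# Hypothetical exceptions already agreed with the AD administrator.
APPROVED_EXCEPTIONS = {"svc-sql"}


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def triage(export_text, approved, now):
    """Return (follow_up, accepted) lists of never-expiring accounts."""
    follow_up, accepted = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        if not uac & DONT_EXPIRE_PASSWORD:
            continue  # password expires normally, nothing to review
        age = now - filetime_to_datetime(row["pwdLastSet"])
        entry = {
            "account": row["sAMAccountName"],
            "enabled": not uac & ACCOUNTDISABLE,
            "password_age_days": age.days,
        }
        (accepted if entry["account"] in approved else follow_up).append(entry)
    # Enabled accounts first, then oldest password first.
    follow_up.sort(key=lambda e: (not e["enabled"], -e["password_age_days"]))
    return follow_up, accepted


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for item in triage(SAMPLE_EXPORT, APPROVED_EXCEPTIONS, now)[0]:
        print(item)
```

Enabled accounts sort ahead of disabled ones because a disabled account with an old password only becomes a risk if someone re-enables it, which matches the Low severity description above.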