Attack Path Analysis

As part of a typical attack, adversaries leverage different tools and techniques to accomplish their objectives. Usually, a hacker attains an initial foothold over the network, whether by a phishing attack or exploiting a publicly exposed vulnerability. Hackers may then seem to maintain access over the machine (Persistence), elevate their privileges, and laterally pivot between network devices (Lateral Movement). Last, the hacker tries to complete their objective, for example, a denial of service of critical infrastructure, exfiltration of sensitive information, or distraction of existing services. This event is known as Attack Path. An attack path contains one or more Attack Techniques, allowing the hacker to accomplish his objective.

Attack Path Analysis takes your data and pairs it with advanced graph analytics and the MITRE ATT&CK™ Framework to create Findings. These Findings allow you to understanding and take action on the unknowns that enable and amplify threat impact on your assets and information.

Additionally, you can use the Discover tab to dive deeper into the mind of an attacker by interacting directly with attack paths, building custom paths, and manipulating the origins and targets within a path to view exactly how these changes affect your data.

Note: Data ingestion in Attack Path Analysis can take up to 5 hours.

Before you begin:

Ensure you have the following:

  • Tenable Vulnerability Management Basic Network Scan with credentials.

  • One of the following:

    • A Tenable Vulnerability Management basic scan using the Active Directory Identity scan template. This scan type requires fewer permissions, and provides a basic overview of your active directory entities.

      Note: You can run this scan type on its own, or as part of a Basic Network Scan. In a Basic scan, you must ensure the Collect Identity Data from Active Directory option is enabled in the Discovery section.

    • Tenable Identity Exposure SaaS deployed.

    Note: Because the plugin only supports up to 7,000 identities, the Active Directory Identity scan template is not designed for large environments, but is instead intended to help small customers kick start their use of Attack Path Analysis. Tenable recommends that larger customers deploy Tenable Identity Exposure.

  • A default Tenable Web App Scanning scan, including injection plugins.

  • An AWS connection with a Tenable Cloud Security scan policy including all vulnerabilities and available AWS resources.

  • Tenable recommends the following:

    • Have at least 60% of assets scanned via an authenticated scan.

    • Select maximum verbosity in the Basic Network Scan.

    • When using Tenable Identity Exposure, enable privileged analysis. This option highlights key attack vectors used by hackers and gives you a better understanding of your attack surface, including credential auditing and password analysis.

    • A scan frequency of at least once a week.

To access Attack Path Analysis:

  1. In the upper-left corner of the page, click the button.

  2. In the Analytics section, click Attack Path Analysis.

    Attack Path Analysis appears. By default, the Attack Path Analysis Dashboard is active.

In Attack Path Analysis, you can: