Attack Path Analysis

As part of a typical attack, adversaries leverage different tools and techniques to accomplish their objectives. Usually, a hacker attains an initial foothold over the network, whether by a phishing attack or exploiting a publicly exposed vulnerability. Hackers may then seem to maintain access over the machine (Persistence), elevate their privileges, and laterally pivot between network devices (Lateral Movement). Last, the hacker tries to complete their objective, for example, a denial of service of critical infrastructure, exfiltration of sensitive information, or distraction of existing services. This event is known as Attack Path. An attack path contains one or more Attack Techniques, allowing the hacker to accomplish his objective.

Attack Path Analysis takes your data and pairs it with advanced graph analytics and the MITRE ATT&CK™ Framework to create Findings. These Findings allow you to understand and take action on the unknowns that enable and amplify threat impact on your assets and information.

Additionally, you can use the Discover tab to dive deeper into the mind of an attacker by interacting directly with attack paths, building custom paths, and manipulating the origins and targets within a path to view exactly how these changes affect your data.

Note: Data ingestion in Attack Path Analysis can take up to 5 hours.

What is Attack Path Analysis?

  • What is a top attack path?

    • A top attack path is an attack path that leads to one or more critical assets.

  • What is a finding?

    • A finding is an attack technique that exists in one or more attack paths that lead to one or more critical assets.

  • How does Tenable One map critical assets?

    • Assets with an Asset Criticality Rating of 7 and above

    • Cloud resource assets marked as Sensitive

    • User account assets within Active Directory with Domain Admin rights

  • How does Tenable One classify the severity of a finding?

    • Likelihood: The number of attack paths

    • Impact: The critical assets that could be compromised by the attack

    • Method: The tactic associated with the attack (for example, lateral movement or privilege escalation)

    • Path: The start and end points of the attack path technique

Before you begin:

For Attack Path Analysis, ensure you have the following:

  • A Tenable Vulnerability Management Basic Network Scan with credentials.

  • One of the following:

    • A Tenable Vulnerability Management basic scan using the Active Directory Identity scan template. This scan type requires fewer permissions, and provides a basic overview of your active directory entities.

      Note: You can run this scan type on its own, or as part of a Basic Network Scan. In a Basic scan, you must ensure the Collect Identity Data from Active Directory option is enabled in the Discovery section.

    • Tenable Identity Exposure SaaS deployed.

    Note: Because the plugin only supports up to 7,000 identities, the Active Directory Identity scan template is not designed for large environments, but is instead intended to help small customers kick start their use of Attack Path Analysis. Tenable recommends that larger customers deploy Tenable Identity Exposure.

  • Additionally, for best performance, Tenable recommends the following:

    • Have at least 40% of assets scanned via an authenticated scan.

    • Select maximum verbosity in the Basic Network Scan.

    • A default Tenable Web App Scanning scan, including injection plugins. At least 40% of the web applications should be scanned.

    • An AWS connection with a Tenable Cloud Security scan policy including all vulnerabilities and available AWS resources.

    • When using Tenable Identity Exposure, enable privileged analysis. This option highlights key attack vectors used by hackers and gives you a better understanding of your attack surface, including credential auditing and password analysis.

    • A scan frequency of at least once a week.

    • Configure Tenable OT Security.

    • Configure Tenable Attack Surface Management.

To access Attack Path Analysis:

  1. In the upper-left corner of the page, click the button.

  2. In the Analytics section, click Attack Path Analysis.

    Attack Path Analysis appears. By default, the Attack Path Analysis Dashboard is active.

In Attack Path Analysis, you can: