Identity (Tenable Identity Exposure)

Vulnerability Priority Rating

Tenable Identity Exposure assigns a VPR to each deviance (its equivalent of a vulnerability) based on the severity level already assigned to that deviance in Tenable Identity Exposure:

  • Critical: Deviances that an attacker with unprivileged access can use to compromise Active Directory.

  • High: Post-exploitation techniques, or techniques that must be chained with other deviances to become dangerous.

  • Medium: Deviances that present a limited risk to the Active Directory infrastructure.

  • Low: Deviances with low impact on Active Directory. Some business contexts can tolerate low-impact deviances, which do not necessarily affect AD security.

Asset Criticality Rating

Tenable Identity Exposure calculates the ACR for user and computer accounts using a rule-based system. Rules fall into three broad categories depending on the properties they evaluate:

  • Capabilities: Represents an object's capabilities as inferred from its attributes rather than from its group memberships. For example, the KRBTGT account or a managed service account receives a high capability score.

  • Group Permissions: Assets carry greater or lower levels of permission depending on the groups they belong to, in particular administrative groups and groups with write access to other important objects. Examples of such groups are Domain Admins, Domain Users, Administrators, and Backup Operators.

  • Object Type: Evaluates the object's userAccountControl attribute. If one or more of the listed flags is set (normal, disable, workstation, server, interdomain; that is, the NORMAL_ACCOUNT, ACCOUNTDISABLE, WORKSTATION_TRUST_ACCOUNT, SERVER_TRUST_ACCOUNT, and INTERDOMAIN_TRUST_ACCOUNT bits), Tenable Identity Exposure assigns the asset a score for this category.

Once Tenable Identity Exposure has scored each category, it calculates the ACR by taking the maximum score observed across the categories and then applying a penalty to disabled accounts.
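The scoring scheme described above, modelled as an added example. This is not Tenable's code: the category weights, the 0.5 penalty multiplier, the KRBTGT exemption from that penalty, and every function and sample name are assumptions made for illustration. Only the userAccountControl bit values and the Active Directory group names are real. The model decodes the userAccountControl bitmask, scores each category, takes the maximum, and then penalises disabled accounts:

```python
"""Illustrative rule-based asset criticality model for AD accounts.

Added example, not Tenable's implementation: the weights, the disabled
penalty and the KRBTGT exemption are assumptions. Only the
userAccountControl bit values and the group names are real AD facts.
"""
from dataclasses import dataclass, field

# Real userAccountControl flag bits (MS-ADTS).
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000
UAC_SERVER_TRUST_ACCOUNT = 0x2000

# Assumed weights on a 0-10 scale (not Tenable's values).
OBJECT_TYPE_SCORES = {
    UAC_INTERDOMAIN_TRUST_ACCOUNT: 9,   # trust accounts hold the inter-domain trust key
    UAC_SERVER_TRUST_ACCOUNT: 9,        # domain controllers
    UAC_WORKSTATION_TRUST_ACCOUNT: 4,   # member workstations and servers
    UAC_NORMAL_ACCOUNT: 3,              # ordinary user accounts
}
GROUP_SCORES = {
    "Domain Admins": 10,
    "Administrators": 9,
    "Backup Operators": 8,   # SeBackupPrivilege allows reading NTDS.dit on a DC
    "Domain Users": 1,
}
MSA_CLASSES = {"msDS-ManagedServiceAccount", "msDS-GroupManagedServiceAccount"}
DISABLED_PENALTY = 0.5   # assumed multiplier, applied after taking the maximum


@dataclass
class AdObject:
    sam_account_name: str
    user_account_control: int
    member_of: list = field(default_factory=list)
    object_classes: list = field(default_factory=list)

    @property
    def disabled(self) -> bool:
        return bool(self.user_account_control & UAC_ACCOUNTDISABLE)


def capability_score(obj: AdObject) -> int:
    """Capabilities inferred from what the object is, not from its groups."""
    if obj.sam_account_name.lower() == "krbtgt":
        return 10   # holds the key every TGT in the domain is signed with
    if MSA_CLASSES & set(obj.object_classes):
        return 8    # (group) managed service account
    return 0


def group_score(obj: AdObject) -> int:
    """Highest weight among the groups the object is a member of."""
    return max((GROUP_SCORES.get(g, 0) for g in obj.member_of), default=0)


def object_type_score(obj: AdObject) -> int:
    """Highest weight among the userAccountControl type flags that are set."""
    uac = obj.user_account_control
    return max((s for flag, s in OBJECT_TYPE_SCORES.items() if uac & flag), default=0)


def asset_criticality(obj: AdObject) -> float:
    """Maximum over the three categories, then the disabled-account penalty."""
    best = max(capability_score(obj), group_score(obj), object_type_score(obj))
    # krbtgt is disabled by design; penalising it would bury the domain's
    # most critical key holder, so this assumed model exempts it.
    if obj.disabled and obj.sam_account_name.lower() != "krbtgt":
        best *= DISABLED_PENALTY
    return float(best)


# Constructed sample objects, not data from any real directory.
SAMPLE_OBJECTS = [
    AdObject("krbtgt", 0x0202, ["Domain Users"]),                  # disabled by default
    AdObject("DC01$", 0x82000, ["Domain Controllers"]),            # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
    AdObject("alice", 0x0200, ["Domain Users", "Backup Operators"]),
    AdObject("bob", 0x0202, ["Domain Users", "Domain Admins"]),    # disabled former admin
    AdObject("WS01$", 0x1000, ["Domain Computers"]),
    AdObject("svc-sql$", 0x1000, ["Domain Computers"], ["msDS-GroupManagedServiceAccount"]),
]


def rate_all(objects=SAMPLE_OBJECTS) -> dict:
    """Map sAMAccountName to its modelled ACR for every object given."""
    return {o.sam_account_name: asset_criticality(o) for o in objects}


if __name__ == "__main__":
    for name, acr in sorted(rate_all().items(), key=lambda kv: -kv[1]):
        print(f"{name:10s} ACR={acr}")
```

Two points worth checking against whatever weights and penalty you choose: a multiplicative penalty applied after the maximum still ranks a disabled Domain Admin (5.0 here) above an enabled ordinary user (3.0), which is the behaviour you want, since the account can be re-enabled with a single attribute write; and in a real directory Domain Users membership is expressed through primaryGroupID rather than memberOf, so a rule that only reads memberOf will miss it.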