Attack Path Analysis: What It Is and Why You Should Care

While you probably have most of the fundamental elements of your security stack in place, you may be missing a critical piece of the puzzle: attack path analysis.

Attack path analysis is a proactive approach to security that helps you identify possible vulnerabilities and assess risks in advance of a breach. It is an important complement to the other components of your security strategy, such as threat intelligence, access control and authentication, attack surface management, network/endpoint security, incident response and recovery, and ongoing monitoring and threat hunting.

What is an attack path?

Although they are sometimes confused, an attack path is not synonymous with an attack vector. The term "attack vector" is used to describe a type of attack, such as credential theft, social engineering, or phishing. In contrast, the term "attack path" refers to an end-to-end sequence of steps or actions that an attacker may take as they breach a target environment, or application.

A physical analog for an attack path is home security. For example, the attacker's first step might be to find their way through an exterior gate. Next, the invader may be able to enter your home via your front door, your back door, a side door, or a window. A comprehensive approach to home security includes an awareness of every possible entry point, so you can anticipate potential risks in advance. The same goes for your network or cloud environment.

Depending on the target, a cyberattack path may be simple or complex. It may involve multiple actions (for example, access, privilege escalation, a vulnerability exploit, lateral movement, and/or data exfiltration). An attacker may have to navigate throughout multiple layers of an environment or application, including databases, endpoints, servers, or clouds. Some attacks may be traversed in rapid fashion or carried out in stages (such as with a trojan or time bomb).

To complicate the issue even more, attack paths are usually not static. They may evolve over time as you add microservices or scale out your applications.

Why attack path analysis is so critical

Attack path analysis involves scanning your environment and creating a visual map that shows exploitable paths that a bad actor might leverage to breach your environment, as well as what data or resources will be vulnerable once a breach occurs. Here are some of the benefits:

• It gives you the opportunity to prioritize your efforts. Once you identify the most vulnerable entry points and movement paths in your environment, you'll be able to focus resources in these areas first. This is especially helpful if you have a limited security budget.
• It allows you to build a multi-layered defense strategy. As you analyze the attack paths in your environment, you'll know where to add security controls and safeguards (like container scanning, for example), and setting up appropriate observability and monitoring solutions. Obviously, the more layers you add to your defense, the more effective you'll be in deterring attackers.
• It assists with SOC2 compliance audits. Attack path analysis helps you attain required account, permissions, and environment isolation, ensuring compliance with SOC2 requirements. What's more, a good graph-based attack path analysis tool provides the visibility that auditors need to verify compliance.
• It may help you respond to threats more quickly. If you're aware of the attack paths in your environment and a breach occurs, it will be easier to locate and track an attacker's movements, which can speed remediation measures.

Case study: the Log4j attack path

To put attack-path analysis in context, let's use the example of Log4j—the infamous vulnerability that affected the Apache Log4j library. This vulnerability became big news because of the ubiquity of this open source logging utility. It allowed remote code execution, making it particularly onerous.

A high-level Log4j attack path might involve the following steps:

1. The attacker scans for systems running a version of the utility that contained the vulnerability and establishing them as targets.
2. The bad actor uses an HTTP request with a payload in its header (usually "user-agent" or "referrer") to trigger the vulnerability.
3. Next, an attacker sends a malicious request (a Java naming and directory interface, or JNDI, lookup) to a vulnerable web application, server, or other service that used the Log4j library for logging. At that point, the Log4j library processes the payload and paves the way for the remote code execution.
4. Remote code execution allows attackers to gain unauthorized access to the target service or system, move laterally, steal data, or install malware.

The graphic below depicts this Log4j attack path:

What to look for in an attack path analysis tool

As you evaluate tools for attack path analysis, consider the following attributes:

• Comprehensiveness: It's better to choose a robust tool that meets all of your needs than to "brew your own" solution. Think about the topology of your environment and look for a tool that can evaluate all possible attack paths.
• Scalability: It's not always possible to anticipate the direction your organization will take in the future. But if you know, for example, that you'll probably be moving into a multicloud, hybrid cloud, or public-cloud environment, you should take this into account as you shop for an attack path analysis tool.
• Automation: At the risk of sounding ridiculously obvious, the more you can automate your security processes, the better. That said, automation alone isn't enough. You need tools that will prioritize and contextualize its recommendations and alerts, so that you're not constantly deluged with false alarms and so you don't have to perform an exhaustive manual investigation every time you get an alert.
• Visualization and reporting : Graphical representations of your attack paths, vulnerabilities, and associated risks not only help you—they help all of your stakeholders (executives, auditors, and folks on different teams) understand your internal security landscape.
• Fast time to value : Graph based algorithms offer out-of-the-box results. You are too busy to spend weeks or months inputting queries into a bespoke vendor's tool. Look for solutions that have cloud security researchers connected closely with graph algorithm engineers to provide contextual prioritization you can trust.

At the end of the day, the right attack path analysis solution is the one that fits the requirements of your unique environment. By carefully evaluating tools based on the criteria above, you'll be most likely to make the right choice.

I'd love to hear about your experiences with attack path analysis solutions. Do you have a favorite? If so, what do you like about it? Let me know in the comments. And don't forget to connect with Outshift on Slack!

Note: Special thanks to Jan Schulte and Luke Tucker for their collaboration on this post.