DEV Community

Cover image for Eyes On The Road - How Attackers Navigate Through Your Organization
oliverbeenthere
oliverbeenthere

Posted on • Originally published at Medium

Eyes On The Road - How Attackers Navigate Through Your Organization

From Doors to Roads

For years, security discussions revolved around a simple question:

Where is the vulnerability?

A missing patch, a weak password, an exposed service or a misconfigured system. 
The assumption was that an attack began with a single weakness and ended once it was exploited.
Modern attacks rarely work that way.
A vulnerability alone doesn't determine the impact. 
The real danger lies in what that vulnerability connects to.
A compromised workstation may hold a little value by itself, but the identity using it may have access to another system. 
That system may trust an application, which in turn may have permissions to sensitive resources. 
A vulnerability matters less on its own than the connections it creates.
Modern attacks are no longer about isolated weaknesses. 
They are about navigating connected environments.
Attackers don't simply break into organizations.
They navigate them.
The first authentication event is only the beginning of that journey. 
A stolen credential becomes a token. 
A token becomes access to an API. 
An API permission becomes an opportunity for privilege escalation, eventually leading to the organization's most valuable assets.
The question is no longer:

"How did the attacker get in?"

The better question is:

"Where can the attacker go from here?"

That is where Attack Paths begin.

Every Road Starts Somewhere

A vulnerability tells us that something is weak.
An attack path tells us why that weakness matters.
Imagine two identical vulnerabilities.
One exists on an isolated server with no sensitive data, no privileged accounts and no trusted connections. 
The other exists on a server used by a privileged administrator with access to critical infrastructure.
The vulnerability is exactly the same.
But the risk isn't.
The difference is where that path leads.
This is the context traditional vulnerability management often misses.
Security teams prioritize findings by severity, but attackers don't think in CVSS scores. 
They think in opportunities for movement.
A low risk permission that eventually leads to privileged access may be far more valuable than a critical vulnerability sitting on an isolated machine.
An attack rarely ends where it begins. 
Initial access leads to an identity, that identity inherits permissions, those permissions reach additional resources and eventually the attacker reaches a privileged system or a "Crown Jewel" (High Value Assets).
The weakness is only where the journey begins. 
The real risk depends on where that journey can lead.
Modern security therefore focuses less on simply fixing vulnerabilities and more on understanding exposure, privilege relationships and the routes an attacker can follow.
Because attackers don't need every door to be open.
They only need one road that leads somewhere valuable.

Identifying The Intersections

When people think about identity, they usually think about users.
In reality, modern environments contain many kinds of identities.
Applications, service principals, managed identities, automation accounts and cloud workloads all authenticate, receive permissions and interact with other systems.
To an attacker, every one of them is another intersection on the map.
A regular employee account may appear harmless because it has no administrative privileges and no direct access to sensitive systems. 
But attackers aren't interested only in what that identity can access today.
They want to know what it can lead to.
That account may belong to a security group. 
The group may grant access to an internal application. 
That application may hold permissions in Microsoft Graph or another cloud service. 
A seemingly ordinary identity can become the first step toward privileged access.
Modern organizations are built on relationships.
Users belong to groups, groups receive roles, applications access resources and services trust one another. 
Each relationship creates another possible route through the environment.
This changes the questions defenders should ask.
Instead of asking:

"Who is this identity?"

They should ask:

"Where can this identity lead?"

Every new application, integration, service account or permission adds another connection. 
Individually these decisions make perfect sense, but together they create a network that attackers only need to understand well enough to find the next turn.
Every identity becomes another intersection. 
Whether the attacker turns left or right depends on the roads that identity is connected to.

The Shortest Path Is Rarely Straight

People often imagine attacks as direct routes: compromise a system, escalate privileges and reach the target.
Real attacks are rarely that simple.
Modern organizations are complex networks of identities, applications, permissions and trust relationships. 
Reaching a valuable asset is less about moving in a straight line and more about discovering the route that already exists.
Like a driver using GPS, attackers look for the next available road. 
A forgotten permission, an overlooked trust relationship or an application with excessive access may become the shortcut that moves them forward.
They don't need to know the entire map.
They only need to discover one viable route.
This is why attack paths fundamentally change how we view security.
Instead of seeing isolated systems, attackers see a connected map.
Identities, applications and resources become destinations, while permissions, group memberships and trust relationships become the roads between them.
Some roads lead nowhere.
Others quietly lead to the organization's most valuable assets.
The challenge is that these paths are often invisible to defenders. 
One team understands the application, another manages the cloud permissions and another owns the sensitive resources. 
Each connection appears reasonable in isolation, but together they may create a route that nobody realized existed.
This is exactly what attack graph tools were built to visualize.
Tools such as BloodHound became valuable because they reveal the relationships that make privilege reachable, rather than simply highlighting privileged accounts.
The same principle applies beyond Active Directory. 
In cloud environments, application permissions, managed identities and trusted integrations create similar navigation opportunities. 
A permission granted for convenience months ago may become the bridge an attacker uses today.
Good navigation requires a good map.
Without visibility into relationships, defenders protect individual streets while attackers navigate the entire city.
And the most dangerous roads are often the ones nobody realized had been built.

The Roads We Build Ourselves

Attack paths don't appear by accident.
They exist because organizations create connections that allow people, applications and services to work together. 
Every role assignment, API permission, service account and trust relationship adds another possible route through the environment.
Individually, these decisions are perfectly legitimate.
An application needs access to Microsoft Graph. 
An automation account deploys cloud resources. 
A service principal retrieves secrets from a Key Vault. 
Each permission solves a business problem.
The challenge is that attackers evaluate permissions by the opportunities they create, not in isolation.
Consider a cloud application with broad API permissions that may operate safely for years. 
But if an attacker compromises that application or the identity behind it, they immediately inherit every permission that was granted to make that automation possible.
The application itself isn't the vulnerability.
Its permissions define the attacker's next move.
The concept also applies to** Role Based Access Control (RBAC).
Roles simplify administration by grouping permissions together, but they also create predictable routes through an environment. 
An ordinary user may appear unprivileged, yet group memberships, inherited roles or delegated permissions can quietly extend their reach far beyond what is immediately visible.
Even temporary privileges deserve attention. 
Solutions such as **Privileged Identity Management (PIM)
reduce standing access, but temporary permissions are still permissions. If an attacker compromises an identity while those privileges are active, the available attack paths change accordingly.
This is why security teams should ask more than:

"Who has this permission?"

They should ask:

"What new path does this permission create?"

Most permissions are harmless on their own.
As Murphy's Law reminds us: Anything that can go wrong, will go wrong.
In security, the challenge isn't that individual decisions are wrong. 
In fact, most of them are reasonable. 
The challenge is that thousands of reasonable decisions can slowly transform into an outcome nobody expected.
The danger appears when those decisions create roads no one intended to build.
Attackers rarely create those roads.
They simply learn how to navigate them.

Think Like a GPS, Not a Gatekeeper

Traditional security focused on keeping attackers out.
Firewalls protected the perimeter. 
Authentication verified identities. 
Access controls decided who could enter. 
The goal was to build stronger gates.
Modern attacks have changed that assumption.
Attackers often begin with legitimate access such as a compromised user, a stolen token, a trusted application or a third party integration. 
Once they get inside, the question is no longer whether they can enter.
The question is where they can go next.
This requires a different mindset.
A gatekeeper asks:

"Who should be allowed in?"

But a GPS doesn't ask how someone arrived.
It asks:

"Where can they go next?"

That shift changes how defenders evaluate risk.
Instead of prioritizing isolated findings, they begin asking which paths actually lead to critical assets.
A critical vulnerability on an isolated system may present little practical risk, while a single permission may create a direct route to the organization's most valuable assets.
Risk isn't defined by severity alone.
It's defined by where the path leads.
This concept also applies to remediation.
Traditional vulnerability management asks:

"Which vulnerability should we fix first?"

Attack path analysis asks:

"Which connection should we remove first?"

Sometimes removing a single unnecessary permission, reducing an application's privileges or breaking an unnecessary trust relationship can eliminate multiple attack paths at once.
Rather than fixing weaknesses one by one, defenders remove the routes that connect them.
The goal isn't to eliminate every vulnerability.
It's to make navigation difficult.
Every organization has critical assets. 
The objective isn't to protect every road equally, but to understand which roads eventually lead to those destinations. 
Once those routes become visible, defenders can identify choke points where one security improvement disrupts multiple attack paths at the same time.
Attackers succeed because they understand how to move.
Defenders become more effective when they understand the roads that make that movement possible.
Security teams spend years watching the gates while attackers spend their time studying the roads.
Maybe it's time we did the same.

Top comments (0)