Microsoft Security Exposure Management’s attack path management capabilities transform isolated findings into a clear, cohesive picture, enabling defenders to adopt an attacker’s perspective. By understanding potential attack paths, organizations can prioritize vulnerabilities and build resilience, proactively securing critical assets against exploitation.
Imagine trying to assemble a jigsaw puzzle without the box showing the final picture. You have all the pieces scattered in front of you, but without knowing how they connect, you’re left guessing and constantly reworking pieces in search of the right fit.
Now, imagine someone hands you the completed picture. Suddenly, everything clicks into place, and each piece’s role in the larger image becomes clear. This is the new superpower defenders gain with Microsoft Security Exposure Management’s attack path management – a full perspective that turns scattered vulnerabilities, assets, and risks into a cohesive map. In this sense, an attack path can be defined as the route an adversary takes by leveraging the connections between multiple assets. It represents the sequence of steps or methods an attacker uses to exploit security gaps and traverse through an organization’s environment to reach a target.
As the attack surface has grown increasingly complex in recent years, defenders have struggled to piece together a comprehensive view of their exposure. Even with a strong grasp of critical assets, they often lack visibility into how attackers might exploit seemingly unrelated gaps, several steps or "hops" away, to reach these targets. Microsoft Security Exposure Management addresses this by unifying fragmented information and highlighting the most probable attack paths, enabling defenders to drive resilience with clarity and precision.
In a recent blog post, we emphasized the importance of prioritizing critical assets. Now, we’ll shift our focus to how Microsoft Security Exposure Management utilizes attack path analysis and management to help organizations effectively reduce their attack surface.
To know your enemy, you must become your enemy
Unlike defenders, attackers are not focused on individual vulnerabilities or security gaps. Instead, they are driven by their end goal, which is often to target critical assets for disruption, financial gain, or other malicious motives. In this regard, each security gap is merely a step on a path toward achieving their objective.
To counter this, defenders should embrace a similar approach and view security vulnerabilities and gaps as building blocks of a potential attack, since valuable context is lost when vulnerabilities or other findings are examined independently. For example, a vulnerability on an on-premises server may seem insignificant on its own but, in context, can be the first hop on a route to sensitive cloud resources.
Attack path management bridges the gap by viewing the entire organization – across both on-premises and cloud infrastructure – as a connected network of assets with their relevant security findings. This change in mindset is becoming increasingly critical as security teams struggle to manage the expanding enterprise attack surface, leading to what can be described as “risk fatigue” from the overwhelming number of findings they face.
Figure 1: Attack path management dashboard provides insight into path discovery over time, top attack scenarios, top targets and more.
Moving from resolving security vulnerabilities to increasing cyber resilience
Consider how organizations address security vulnerabilities today: an endless queue of issues and devices to patch. Instead of patching thousands of devices for a single high-risk vulnerability, imagine if defenders could see how that vulnerability contributes to attack paths across on-premises and cloud environments. With this context, defenders can prioritize critical assets and findings involved in potential attack paths or apply quicker, less disruptive mitigations.
Moreover, it's important to recognize that fixing a security issue doesn’t always translate to meaningful risk reduction. Often, while resolving such an issue may improve compliance with security policies or standards, it doesn’t necessarily strengthen resilience against real threats. On the other hand, focusing on attack paths usually leads to addressing the most critical gaps, resulting in greater risk reduction and enhanced resilience.
If attackers think in graphs, defenders should think in paths
Microsoft Security Exposure Management offers defenders a fresh perspective on their exposure and risks. With attack path management, defenders can identify emerging threat patterns in the form of attack paths and are equipped with the tools to reassess and prioritize risk mitigation. This includes automatic discovery of potential attack paths, risk assessment for each path, identification of chokepoints – assets involved in multiple attack paths – and tailored recommendations for mitigating these paths.
Figure 2: Attack path list screen presenting all paths discovered in the environment.
Users can view a comprehensive list of all discovered attack paths in their environment. Each path is assigned a risk score that reflects the likelihood of its exploitation and potential impact, based on factors such as path complexity, involved assets, and security findings. Additionally, by using the Attack Surface Map, users gain enhanced exploration capabilities, allowing for further investigation into attack paths.
Figure 3: Exploration using the Attack Surface Map; attack paths are highlighted with bold lines
Exposure Management also provides visibility into chokepoints – assets that multiple attack paths pass through. By focusing on chokepoints, security teams can adopt a cost-effective approach to risk reduction, addressing significant threats by targeting key assets. Customers can review chokepoints, learn more about these assets, and visually explore their role in attack paths using Exposure Management's "Blast Radius Analysis" feature.
Figure 4: Chokepoints screen provides visibility into the assets that are involved in multiple potential paths.
Figure 5: Blast radius view in the Attack Surface Map; indicates potential attack paths leading to critical assets.
Spotlight: From a vulnerable device to entire domain control
As mentioned, attackers are driven by their end goal, often targeting critical assets through a sequence of other weaknesses and assets. They often can’t breach the most critical asset right away; instead, they focus on finding a way to reach it. Once inside, they can navigate through the organization’s environment to reach the crown jewels, that is, unless the organization has the visibility and the measures in place to prevent it. To see this in action, let’s walk through an example from the attacker’s point of view:
After multiple reconnaissance attempts, an attacker identifies a vulnerable internet-facing web service running on a development server. John, a developer at the company, had set up this server for testing purposes but inadvertently left it accessible to the public internet without proper security measures. While this oversight might seem insignificant to John, the exposed server now serves as an entry point for the attacker to infiltrate the company's network.
Once inside, the attacker begins to explore options for lateral movement within the organization, using credentials recovered from John's development server, with the goal of reaching critical assets. During this reconnaissance, the attacker identifies a server that all employees, including John, can reach over RDP – TERM-SRV. Using pass-the-hash (authenticating with the NTLM hash of John's password rather than the password itself; against RDP this works only when the target accepts Restricted Admin mode) the attacker opens an RDP session to TERM-SRV. By exploiting a separate local privilege escalation vulnerability on that server, the attacker obtains administrative rights. With these privileges, the attacker can enumerate and dump the credentials of all users logged on to TERM-SRV using Mimikatz.
Figure 6: Attacker uses Mimikatz to enumerate all user credentials in the server and finds Alex’s credentials
One of these users is Alex, an IT administrator and member of the IT Admins group, which maintains servers such as Domain Controllers and SCCM servers. With Alex's credentials, the attacker can remotely execute code on a Domain Controller as an administrator, effectively gaining control of the entire domain.
From the defender's perspective, limited visibility makes the task of identifying and countering such an attack a real challenge. Moreover, the attacker's steps outlined above represent just one of many potential paths that could be taken at every turn.
Defending against threats like the one described traditionally requires manual work of analyzing data and events from an extensive array of tools and solutions. To prevent an attack path like the one outlined, defenders would need to patch many vulnerable devices, identify all internet-exposed endpoints, cross-reference these with identity data, and map out permissions across systems. Detecting and mitigating such attack paths remains a challenge with conventional methods, leaving defenders constantly trying to catch up.
To overcome these challenges, Microsoft Security Exposure Management leverages advanced graph algorithms that mimic adversarial behavior. Applying these algorithms continuously allows for ongoing monitoring of the customer environment and its changes to discover attack paths covering various adversary techniques across both on-premises and cloud environments.
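The graph view described in this section, the chokepoint concept introduced earlier, and the spotlight scenario above can be made concrete with a small worked example. The code below is an added illustration and is not Microsoft Security Exposure Management code or its algorithm: it models assets as nodes and abusable relationships as edges, enumerates simple paths from an internet entry point to assets flagged as critical, ranks chokepoints by how many paths pass through them, and then checks which mitigation actually breaks the paths. All asset names and edge labels are constructed to mirror the spotlight (a second entry point, KIOSK-01, and a second user, Mary, are added so that TERM-SRV is a chokepoint rather than just one hop on a single path).

```python
"""Toy attack-path discovery over an asset graph.

Added illustration, not Exposure Management code. Nodes are assets or
identities, edges are relationships an attacker can abuse to move from one
to the next. "Internet" is a pseudo-node standing for an unauthenticated
external attacker; CRITICAL_ASSETS plays the role of assets flagged in
Critical Asset Management.
"""
from collections import Counter, defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Edge = Tuple[str, str, str]        # (source asset, destination asset, abusable relationship)
Graph = Dict[str, Dict[str, str]]  # source -> {destination: relationship}

# Constructed sample environment mirroring the spotlight scenario.
SAMPLE_EDGES: List[Edge] = [
    ("Internet", "DEV-SRV", "vulnerable internet-facing web service"),
    ("DEV-SRV", "John", "John's credentials recoverable from compromised host"),
    ("John", "TERM-SRV", "RDP allowed for all employees"),
    ("Internet", "KIOSK-01", "unpatched internet-facing kiosk"),   # constructed second entry point
    ("KIOSK-01", "Mary", "cached credentials on kiosk"),           # constructed second user
    ("Mary", "TERM-SRV", "RDP allowed for all employees"),
    ("TERM-SRV", "Alex", "local privilege escalation, then credential dump"),
    ("Alex", "IT Admins", "member of group"),
    ("IT Admins", "DC01", "admin rights on domain controller"),
    ("IT Admins", "SCCM01", "admin rights on SCCM server"),
]
CRITICAL_ASSETS: FrozenSet[str] = frozenset({"DC01", "SCCM01"})


def build_graph(edges: Iterable[Edge]) -> Graph:
    graph: Graph = defaultdict(dict)
    for src, dst, how in edges:
        graph[src][dst] = how
    return graph


def find_attack_paths(graph: Graph, entry: str, targets: Set[str], max_hops: int = 8) -> List[List[str]]:
    """Depth-first enumeration of simple paths from entry to any target.

    A path ends at the first critical asset it reaches (the attacker has
    achieved the goal). max_hops bounds the search; very long paths are
    both expensive to enumerate and less likely to be exploited in practice.
    """
    paths: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if node in targets:
            paths.append(list(path))
            return
        if len(path) - 1 >= max_hops:
            return
        for nxt in graph.get(node, {}):
            if nxt not in path:          # simple paths only: never revisit an asset
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(entry, [entry])
    return paths


def describe(graph: Graph, path: List[str]) -> List[str]:
    """Render each hop as 'src -> dst (how)', the raw material for a recommendations pane."""
    return [f"{a} -> {b} ({graph[a][b]})" for a, b in zip(path, path[1:])]


def chokepoints(paths: List[List[str]], min_paths: int = 2) -> Dict[str, int]:
    """Intermediate assets that lie on at least min_paths paths, most shared first.

    Entry and target nodes are excluded: the entry pseudo-node is not an
    asset to fix and the target is what is being protected.
    """
    counts = Counter(node for p in paths for node in p[1:-1])
    return {n: c for n, c in counts.most_common() if c >= min_paths}


def inbound_edges(graph: Graph, node: str) -> List[Tuple[str, str]]:
    """All relationships that lead into node, i.e. every way to reach it."""
    return [(src, node) for src, dsts in graph.items() if node in dsts]


def mitigate(graph: Graph, edges_to_remove: Iterable[Tuple[str, str]]) -> Graph:
    """Copy of the graph with the given relationships removed (e.g. after
    restricting RDP to a server), so a fix can be evaluated before it is applied."""
    new_graph: Graph = {src: dict(dsts) for src, dsts in graph.items()}
    for src, dst in edges_to_remove:
        new_graph.get(src, {}).pop(dst, None)
    return new_graph


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    paths = find_attack_paths(g, "Internet", CRITICAL_ASSETS)
    print(f"{len(paths)} attack paths reach critical assets")
    for p in paths:
        print("  " + " | ".join(describe(g, p)))
    print("chokepoints:", chokepoints(paths))
    # Restricting only John's RDP access leaves Mary's route intact...
    partial = find_attack_paths(mitigate(g, [("John", "TERM-SRV")]), "Internet", CRITICAL_ASSETS)
    print(f"after restricting John's RDP access: {len(partial)} paths remain")
    # ...while hardening the chokepoint TERM-SRV breaks every discovered path.
    fixed = find_attack_paths(mitigate(g, inbound_edges(g, "TERM-SRV")), "Internet", CRITICAL_ASSETS)
    print(f"after restricting all RDP access to TERM-SRV: {len(fixed)} paths remain")
```

The point of the what-if step is the one the post makes about chokepoints: fixing the single finding that first caught attention (John's RDP access) closes two of the four paths, while addressing TERM-SRV, which every path passes through, closes all of them. A real environment has far more nodes and edge types than this toy graph, but the ranking logic is the same.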
Getting Started with Attack Path Management
Here are some tips for getting started with attack path management concepts and features:
- Define your critical assets: Use the Critical Asset Management module to create custom queries for discovering and flagging your critical assets. Once an asset is defined as critical, Microsoft Security Exposure Management automatically marks it as a potential target and identifies attack paths leading to it.
- Explore attack path management in Exposure Management: Review the Attack Path Overview page to gain a high-level overview of the risks discovered in your environment. Switch to the Attack Path list tab to view a comprehensive list of all identified attack paths, and utilize the filters and group-by features to focus on the paths that are most relevant to you.
- Utilize attack path recommendations to resolve paths and reduce risk: After identifying an attack path of interest, navigate to the Recommendations tab in the attack path side pane to review the necessary actions required to “break” the attack path.
- Explore an attack path in the Attack Surface Map: From the attack path list screen, you can select a specific attack path and choose to view it in the Attack Surface Map for enhanced exploration capabilities.
- Focus on chokepoints: In the attack path area of Exposure Management, navigate to the Chokepoints tab to review assets involved in multiple attack paths. Focus on resolving the issues associated with these assets to maximize the impact of your risk mitigation efforts. Additionally, chokepoints will be marked in the Attack Surface Map with a distinctive design (outlined with a dashed border).
- View chokepoint blast radius: Use the Blast Radius functionality to visualize the attack paths a chokepoint is involved in. This functionality is available for chokepoints in the asset side pane within the Chokepoint screen and in the Attack Surface Map.
- Integrate the Continuous Threat Exposure Management (CTEM) framework into your strategy: Focusing on prioritization and validation, shift your perspective to view vulnerabilities and exposures through the lens of an attacker. Utilize the Attack Path Management capabilities in Microsoft Security Exposure Management to identify and prioritize critical gaps. Encourage your team to engage in regular reviews of attack paths and chokepoints. This mindset shift will enable faster and more effective mitigation of risks.
- Enhance Defender deployment: It’s important to note that the capabilities of the Microsoft Security Exposure Management attack path management module are enhanced when visibility is increased. This means that the broader the deployment of Defender products, the greater our visibility, and consequently, our ability to identify potential paths. Key products include Microsoft Defender for Endpoint and Microsoft Defender for Identity for on-premises attack paths, and Microsoft Defender for Cloud DCSPM plan for cloud-based attack paths.
To summarize, Microsoft Security Exposure Management enables security teams to adopt a contextual, risk-based approach by considering both the criticality of assets and the likelihood of their compromise through automatic attack path discovery. With Exposure Management, teams can strategically prioritize activities that have the greatest security impact, while enhancing the organization's overall resilience.
In today's challenging and evolving threat landscape, defenders should not only adopt an attacker's mindset, but also leverage their visibility to advance even further. If, as the saying goes, defenders think in lists while attackers think in graphs, Exposure Management allows defenders to evolve beyond graphs to “think in paths”.
For those looking to learn more about attack paths, critical assets, and exposure management in general, here are some additional resources you can explore:
- Attack path management documentation: Overview of attack paths in Microsoft Security Exposure Management - Microsoft Security Exposure Management | Microsoft Learn
- Critical asset protection documentation: Overview of critical asset management in Microsoft Security Exposure Management - Microsoft Security Exposure Management | Microsoft Learn
- Microsoft Security Exposure Management website: Microsoft Security Exposure Management | Microsoft Security
Updated Nov 19, 2024
Version 2.0
Dean Rubinstein, Microsoft
Microsoft Security Blog