attack surface management
Attack path management with Microsoft Security Exposure Management
Imagine trying to assemble a jigsaw puzzle without the box showing the final picture. You have all the pieces scattered in front of you, but without knowing how they connect, you’re left guessing and constantly reworking pieces in search of the right fit. Now, imagine someone hands you the completed picture. Suddenly, everything clicks into place, and each piece’s role in the larger image becomes clear. This is the new superpower defenders gain with Microsoft Security Exposure Management’s attack path management – a full perspective that turns scattered vulnerabilities, assets, and risks into a cohesive map.

In this sense, an attack path can be defined as the route an adversary takes by leveraging the connections between multiple assets. It represents the sequence of steps or methods an attacker uses to exploit security gaps and traverse through an organization’s environment to reach a target.

As the attack surface has grown increasingly complex in recent years, defenders have struggled to piece together a comprehensive view of their exposure. Even with a strong grasp of critical assets, they often lack visibility into how attackers might exploit seemingly unrelated gaps, several steps or "hops" away, to reach these targets. Microsoft Security Exposure Management addresses this by unifying fragmented information and highlighting the most probable attack paths, enabling defenders to drive resilience with clarity and precision.

In a recent blog post, we emphasized the importance of prioritizing critical assets. Now, we’ll shift our focus to how Microsoft Security Exposure Management utilizes attack path analysis and management to help organizations effectively reduce their attack surface.

To know your enemy, you must become your enemy

Unlike defenders, attackers are not focused on individual vulnerabilities or security gaps. Instead, they are driven by their end goal, which is often to target critical assets for disruption, financial gain, or other malicious motives.
In this regard, each security gap is merely a step on a path toward achieving their objective. To counter this, defenders should embrace a similar approach and view security vulnerabilities and gaps as building blocks of a potential attack, as valuable context and insights are often missed when vulnerabilities or other findings are examined independently. For example, a vulnerability on-prem may seem less significant when viewed separately but could lead to sensitive cloud resources when considered in context.

Attack path management bridges the gap by viewing the entire organization – across both on-premises and cloud infrastructure – as a connected network of assets with their relevant security findings. This change in mindset is becoming increasingly critical as security teams struggle to manage the expanding enterprise attack surface, leading to what can be described as “risk fatigue” from the overwhelming number of findings they face.

(Figure: overview of discovered attack paths, top attack scenarios, top targets and more.)

Moving from resolving security vulnerabilities to increasing cyber resilience

Consider how organizations address security vulnerabilities today: an endless queue of issues and devices to patch. Instead of patching thousands of devices for a single high-risk vulnerability, imagine if defenders could see how that vulnerability contributes to attack paths across on-premises and cloud environments. With this context, defenders can prioritize critical assets and findings involved in potential attack paths or apply quicker, less disruptive mitigations.

Moreover, it's important to recognize that fixing a security issue doesn’t always translate to meaningful risk reduction. Often, while resolving such an issue may improve compliance with security policies or standards, it doesn’t necessarily strengthen resilience against real threats. On the other hand, focusing on attack paths usually leads to addressing the most critical gaps, resulting in greater risk reduction and enhanced resilience.
If attackers think in graphs, defenders should think in paths

Microsoft Security Exposure Management offers defenders a fresh perspective on their exposure and risks. With attack path management, defenders can identify emerging threat patterns in the form of attack paths and are equipped with the tools to reassess and prioritize risk mitigation. This includes automatic discovery of potential attack paths, risk assessment for each path, identification of chokepoints – assets involved in multiple attack paths – and tailored recommendations for mitigating these paths.

Users can view a comprehensive list of all discovered attack paths in their environment. Each path is assigned a risk score that reflects the likelihood of its exploitation and potential impact, based on factors such as path complexity, involved assets, and security findings. Additionally, by using the Attack Surface Map, users gain enhanced exploration capabilities, allowing for further investigation into attack paths.

Exposure Management also provides visibility into chokepoints – assets that multiple attack paths pass through. By focusing on chokepoints, security teams can adopt a cost-effective approach to risk reduction, addressing significant threats by targeting key assets. Customers can review chokepoints, learn more about these assets, and visually explore their role in attack paths using Exposure Management's "Blast Radius Analysis" feature.

Spotlight: From a vulnerable device to entire domain control

As mentioned, attackers are driven by their end goal, often targeting critical assets through a sequence of other weaknesses and assets. They often can’t breach the most critical asset right away; instead, they focus on finding a way to reach it. Once inside, they can navigate through the organization’s environment to reach the crown jewels, that is, unless the organization has the visibility and the measures in place to prevent it.
To see this in action, let’s walk through an example from the attacker’s point of view:

After multiple reconnaissance attempts, an attacker identifies a vulnerable internet-facing web service running on a development server. John, a developer at the company, had set up this server for testing purposes but inadvertently left it accessible to the public internet without proper security measures. While this oversight might seem insignificant to John, the exposed server now serves as an entry point for the attacker to infiltrate the company's network.

Once inside, the attacker begins to explore options for lateral movement within the organization, utilizing John’s access, with the target of reaching critical assets. During this reconnaissance, the attacker identifies a server accessible via RDP to all employees, including John – TERM-SRV. By using pass-the-hash (an attack technique that involves passing the hashed credentials to authenticate to another resource) with John’s credentials the attacker can start an RDP session into the TERM-SRV server. By exploiting another vulnerability, the attacker can perform an elevation of privileges. With these privileges, the attacker can now enumerate and dump all logged-on users’ credentials using mimikatz.

(Figure: the attacker uses Mimikatz to enumerate all user credentials on the server and finds Alex’s credentials.)

One of these users is Alex, an IT Administrator who is part of the IT Admins group, that maintains servers like Domain Controllers, SCCMs etc. This means that the attacker can use Alex’s permissions to remotely execute code on the Domain Controller as admin, practically gaining control over the entire domain.

From the defender's perspective, limited visibility makes the task of identifying and countering such an attack a real challenge. Moreover, the attacker's steps outlined above represent just one of many potential paths that could be taken at every turn.
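To make the three ideas from the previous section concrete (automatic path discovery, a risk score per path, and chokepoints as assets shared by several paths), here is a small worked example in Python. It is an added illustration of the concept, not Exposure Management's code or scoring model: the asset graph mirrors the walkthrough above (an internet-exposed dev server, John's account, TERM-SRV, Alex's account, a Domain Controller) plus an assumed SCCM server, and the per-hop "difficulty" values and the likelihood formula are constructed for the example. The last function shows the defender's payoff of fixing a chokepoint: removing one shared asset from the graph breaks every path through it.

```python
"""Toy attack-path discovery over a constructed asset graph.

Added example for the text above; the graph, hop labels, difficulty
values and scoring formula are all constructed here and are not the
product's data model or algorithm.
"""
from collections import Counter
from itertools import chain

# Constructed graph: asset -> list of (next_asset, hop_description, difficulty).
# difficulty is a made-up 0..1 estimate of how hard that hop is (higher = harder).
EDGES = {
    "DEV-WEB":  [("john", "vulnerable internet-facing web service", 0.2)],
    "john":     [("TERM-SRV", "RDP reachable by all employees", 0.3)],
    "TERM-SRV": [("alex", "privilege escalation + credential dumping", 0.4)],
    "alex":     [("DC01", "admin remote code execution", 0.1),
                 ("SCCM01", "admin remote code execution", 0.1)],
    "SCCM01":   [("DC01", "software deployment to DC", 0.3)],  # assumed extra hop
    "DC01":     [],
}
ENTRY_POINTS = {"DEV-WEB"}     # internet-exposed assets (constructed)
CRITICAL_ASSETS = {"DC01"}     # what the organization flagged as critical


def find_attack_paths(edges, entry_points, critical_assets, max_hops=6):
    """Enumerate simple paths from any entry point to any critical asset (DFS)."""
    paths = []

    def dfs(node, path):
        if node in critical_assets and len(path) > 1:
            paths.append(list(path))   # reached a target; record and stop extending
            return
        if len(path) > max_hops:
            return
        for nxt, _, _ in edges.get(node, []):
            if nxt not in path:        # keep paths simple (no revisits)
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for entry in sorted(entry_points):
        dfs(entry, [entry])
    return paths


def path_risk(edges, path):
    """Constructed score: product of (1 - difficulty) over the hops.

    Reads as a crude likelihood that an adversary completes the whole path,
    so shorter and easier paths score higher. Rounded to 3 decimals.
    """
    likelihood = 1.0
    for a, b in zip(path, path[1:]):
        difficulty = next(d for n, _, d in edges[a] if n == b)
        likelihood *= (1 - difficulty)
    return round(likelihood, 3)


def prioritize(edges, paths):
    """Paths sorted from highest to lowest constructed risk score."""
    return sorted(paths, key=lambda p: path_risk(edges, p), reverse=True)


def chokepoints(paths):
    """Intermediate assets (not entry points or targets) shared by more than one path."""
    counts = Counter(chain.from_iterable(p[1:-1] for p in paths))
    return {asset: n for asset, n in counts.items() if n > 1}


def without_asset(edges, asset):
    """Graph with one asset removed, simulating a fix that takes it off every path."""
    return {n: [e for e in es if e[0] != asset] for n, es in edges.items() if n != asset}


if __name__ == "__main__":
    found = find_attack_paths(EDGES, ENTRY_POINTS, CRITICAL_ASSETS)
    for p in prioritize(EDGES, found):
        print(f"risk={path_risk(EDGES, p):.3f}  " + " -> ".join(p))
    print("chokepoints:", chokepoints(found))
    remaining = find_attack_paths(without_asset(EDGES, "TERM-SRV"), ENTRY_POINTS, CRITICAL_ASSETS)
    print("paths left after fixing TERM-SRV:", len(remaining))
```

On this graph two paths reach DC01, both running through john, TERM-SRV and alex, so those three are the chokepoints; fixing any one of them (for example restricting who can reach TERM-SRV over RDP) leaves zero paths, whereas patching only the SCCM hop would still leave the direct path intact.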
Defending against threats like the one described traditionally requires manual work of analyzing data and events from an extensive array of tools and solutions. To prevent an attack path like the one outlined, defenders would need to patch many vulnerable devices, identify all internet-exposed endpoints, cross-reference these with identity data, and map out permissions across systems. Detecting and mitigating such attack paths remains a challenge with conventional methods, leaving defenders constantly trying to catch up.

To overcome these challenges, Microsoft Security Exposure Management leverages advanced graph algorithms that mimic adversarial behavior. Applying these algorithms continuously allows for ongoing monitoring of the customer environment and its changes to discover attack paths covering various adversary techniques across both on-premises and cloud environments.

Getting Started with Attack Path Management

Here are some tips for getting started with attack path management concepts and features:

Define your critical assets: Use the Critical Asset Management module to create custom queries for discovering and flagging your critical assets. Once an asset is defined as critical, Microsoft Security Exposure Management automatically marks it as a potential target and identifies attack paths leading to it.

Explore attack path management in Exposure Management: Review the Attack Path Overview page to gain a high-level overview of the risks discovered in your environment. Switch to the Attack Path list tab to view a comprehensive list of all identified attack paths, and utilize the filters and group-by features to focus on the paths that are most relevant to you.

Utilize attack path recommendations to resolve paths and reduce risk: After identifying an attack path of interest, navigate to the Recommendations tab in the attack path side pane to review the necessary actions required to “break” the attack path.
Explore an attack path in the Attack Surface Map: From the attack path list screen, you can select a specific attack path and choose to view it in the Attack Surface Map for enhanced exploration capabilities.

Focus on chokepoints: In the attack path area of Exposure Management, navigate to the Chokepoints tab to review assets involved in multiple attack paths. Focus on resolving the issues associated with these assets to maximize the impact of your risk mitigation efforts. Additionally, chokepoints will be marked in the Attack Surface Map with a distinctive design (outlined with a dashed border).

View chokepoint blast radius: Use the Blast Radius functionality to visualize the attack paths a chokepoint is involved in. This functionality is available for chokepoints in the asset side pane within the Chokepoint screen and in the Attack Surface Map.

Integrate the Continuous Threat Exposure Management (CTEM) framework into your strategy: Focusing on prioritization and validation, shift your perspective to view vulnerabilities and exposures through the lens of an attacker. Utilize the Attack Path Management capabilities in Microsoft Security Exposure Management to identify and prioritize critical gaps. Encourage your team to engage in regular reviews of attack paths and chokepoints. This mindset shift will enable faster and more effective mitigation of risks.

Enhance Defender deployment: It’s important to note that the capabilities of the Microsoft Security Exposure Management attack path management module are enhanced when visibility is increased. This means that the broader the deployment of Defender products, the greater our visibility, and consequently, our ability to identify potential paths. Key products include Microsoft Defender for Endpoint and Microsoft Defender for Identity for on-premises attack paths, and Microsoft Defender for Cloud DCSPM plan for cloud-based attack paths.
To summarize, Microsoft Security Exposure Management enables security teams to adopt a contextual, risk-based approach by considering both the criticality of assets and the likelihood of their compromise through automatic attack path discovery. With Exposure Management, teams can strategically prioritize activities that have the greatest security impact, while enhancing the organization's overall resilience. In today's challenging and evolving threat landscape, defenders should not only adopt an attacker's mindset, but also leverage their visibility to advance even further. If, as the saying goes, defenders think in lists while attackers think in graphs, Exposure Management allows defenders to evolve beyond graphs to “think in paths”.

For those looking to learn more about attack paths, critical assets, and exposure management in general, here are some additional resources you can explore:

Attack path management documentation: Overview of attack paths in Microsoft Security Exposure Management - Microsoft Security Exposure Management | Microsoft Learn

Critical asset protection documentation: Overview of critical asset management in Microsoft Security Exposure Management - Microsoft Security Exposure Management | Microsoft Learn

Microsoft Security Exposure Management website: Microsoft Security Exposure Management | Microsoft Security

Unlock Proactive Defense: Microsoft Security Exposure Management Now Generally Available
As the digital landscape grows increasingly interconnected, defenders face a critical challenge: the data and insights from various security tools are often siloed or, at best, loosely integrated. This fragmented approach makes it difficult to gain a holistic view of threats or assess their potential impact on critical assets. In a world where a single compromised asset can trigger a domino effect across connected resources, thinking in graphs has become essential for defenders. This approach breaks down silos, allowing them to visualize relationships between assets, vulnerabilities, and threats, ultimately enabling proactive risk management and strengthening their stance against attackers. Traditional vulnerability management is no longer sufficient. While patching every potential weakness might seem like a solution, it's neither practical nor effective. Instead, modern security strategies must focus on the exposures that are easiest for attackers to exploit, prioritizing vulnerabilities that present the greatest risk. This shift marks the evolution of vulnerability management into what we now call exposure management. Earlier this year, we launched Microsoft Security Exposure Management in public preview, introducing defenders to powerful foundational capabilities for holistic exposure management. Backed by extensive threat research and Microsoft’s vast visibility into security signals, these tools provide coverage for commonly observed attack techniques. Exposure Management includes Attack Surface Management, Attack Path Analysis, and Unified Exposure Insights— solutions that offer security teams unmatched visibility and insight into their risk landscape. Attack Surface Management offers a complete, continuous view of an organization’s attack surface, enabling teams to fully explore assets, uncover interdependencies, and monitor exposure across the entire digital estate. 
Central to this is the identification of critical assets, which are often prime targets for attackers. By highlighting these key assets, security teams can prioritize their efforts and better understand which areas require the most protection. By giving security teams a clear map of their exposure points, Attack Surface Management empowers a more informed and comprehensive defense strategy.

Attack Path Analysis takes this a step further, guiding teams in visualizing and prioritizing high-risk attack paths across diverse environments, with a specific focus on critical assets. This capability allows for targeted, effective remediation of vulnerabilities that impact these key assets, helping to significantly reduce exposure and the likelihood of a breach by focusing on the most impactful pathways an attacker might exploit.

Unified Exposure Insights gives decision-makers a clear view of an organization's threat exposure, helping security teams address key questions about their posture. Through Security Initiatives, teams focus on priority areas like cloud security and ransomware, supported by actionable metrics to track progress, prioritize risks, and align remediation with business goals for proactive risk management.

"Exposure Management translates vulnerabilities and exposures into more understandable language about risk and actionable initiatives related to our environment, which helps stakeholders and leadership grasp the impact more clearly." - Bjorn Pauwels, Cyber Security Architect, Atlas Copco

Throughout the public preview, we collaborated closely with customers and industry experts, refining Microsoft Security Exposure Management based on real-world usage and feedback. This partnership revealed that the biggest challenges extended beyond deploying the right tools; they involved enhancing organizational maturity, evolving processes, and fostering a proactive security mindset.
These insights drove strategic enhancements to features and user experience, ensuring the solution effectively supports organizations aiming to shift from reactive to proactive threat management. For example, several organizations created a 'RiskOps' role specifically to champion cross-domain threat exposure reduction, breaking down silos and unifying teams around common security goals. Security Operations (SecOps) teams now report significantly streamlined processes by leveraging asset criticality in incident prioritization, helping them address the most impactful threats faster than previously possible. Likewise, vulnerability management teams are using enhanced attack map and path analysis features to refine patching strategies, focusing more precisely on vulnerabilities most likely to lead to real risks. These examples underscore Exposure Management's ability to drive practical, measurable improvements across diverse teams, empowering them to stay ahead of evolving threats with a targeted, collaborative approach to risk management.

Exposure Management enables organizations to zero in on their most critical exposures and act quickly. By breaking down silos and connecting security insights across the entire digital estate, organizations gain a holistic view of their risk posture. This comprehensive visibility is crucial for making faster, more informed decisions—reducing exposure before attackers can exploit it.

We are excited to announce the general availability of Microsoft Security Exposure Management. This release includes several new capabilities designed to help you build and enhance a Continuous Threat Exposure Management (CTEM) program, ensuring that you stay ahead of threats by continuously identifying, prioritizing, and mitigating risks across your digital landscape.
Global rollout started 19 Nov, 2024, so keep an eye out for Exposure Management in your Defender portal, https://security.microsoft.com

Cyber Asset Attack Surface Management

To help you establish a comprehensive, single source of truth for your assets, we are expanding our signal collection beyond Microsoft solutions to include third-party integrations. The new Exposure connectors gallery offers a range of connectors to popular security vendors. Data collected through these connectors is normalized within our exposure graph, enhancing your device inventory, mapping relationships, and revealing new attack paths for comprehensive attack surface visibility. Additional insights like asset criticality, internet exposure and business application or operational affiliation are incorporated from the connected tools to enrich the context that Exposure Management can apply on the collected assets. This integrated data can be visualized through the Attack Map tool or explored using advanced hunting queries via KQL (Kusto Query Language).

External data connectors to non-Microsoft security tools are currently in public preview; we are continuously working to add more connectors for leading market solutions, ensuring you have the broadest possible visibility across your security ecosystem. Discover more about data connectors in our documentation.

Extended Attack Path Analysis

Attack Path Analysis provides organizations with a crucial attacker’s-eye perspective, revealing how adversaries might exploit vulnerabilities and move laterally across both cloud and on-premises environments. By identifying and visualizing potential paths – from initial access points, such as internet-exposed devices, to critical assets – security teams gain valuable insight into the paths attackers could take, including hybrid attack paths that traverse cloud and on-prem infrastructure.
Microsoft Security Exposure Management addresses the challenge of fragmented visibility by offering defenders an integrated view of their most critical assets and the likely routes attackers might exploit. This approach moves beyond isolated vulnerabilities, allowing teams to see their environment as a connected landscape of risks across hybrid infrastructures, ultimately enhancing their ability to secure critical assets and discover potential entry points.

We are excited to update on our solution’s latest enhancement, which includes a high-level overview experience, offering a clear understanding of top attack scenarios, entry points, and common target types. Additionally, Exposure Management highlights chokepoints with a dedicated experience – these chokepoints are assets that appear in multiple attack paths, enabling cost-effective mitigation. Chokepoints also support blast radius querying, showing how attackers might exploit these assets to reach critical targets.

In addition, we are adding support for new adversarial techniques including:

DACL Support: We now include Discretionary Access Control Lists (DACLs) in our attack path analysis, through which more extensive attack paths are uncovered, particularly those that exploit misconfigurations or excessive permissions within access control lists.

Hybrid Attack Paths: Our expanded analysis now identifies hybrid attack paths, capturing routes that originate on-premises and extend into cloud environments, providing defenders with a more complete view of potential threats across both infrastructures.

In essence, attack path management allows defenders to transform isolated vulnerabilities into actionable insights across hybrid infrastructures. This comprehensive perspective enables security teams to shift from reactive to proactive defense, strengthening resilience by focusing on the most critical threats across their entire environment.
Unified Exposure Insights

With Microsoft Security Exposure Management, organizations can transform raw technical data into actionable insights that bridge the gap between cybersecurity teams and business decision-makers. By offering clear, real-time metrics, this platform answers key questions such as "How secure are we?", "What risks do we face?", and "Where should we focus first to reduce our exposure?" These insights not only provide a comprehensive view of your security posture but also guide prioritization and remediation efforts.

To help your organization embrace a proactive security mindset, we introduced Security Initiatives—a strategic framework to focus your teams on critical aspects of your attack surface. These initiatives help teams to scope, discover, prioritize, and validate security findings while ensuring effective communication with stakeholders. Now, we are enhancing these capabilities to offer even greater visibility and control. The expanded initiative catalog now features new programs targeting high-priority areas like SaaS security, IoT, and OT, alongside existing domain and threat-focused initiatives. Each initiative continues to provide real-time metrics, expert-curated recommendations, and progress tracking, empowering security teams to drive maturity across their security programs. With this expanded toolset, organizations can further align their security efforts with evolving risks, ensuring a continuous, dynamic response to the threat landscape.

SaaS Security Initiative (Powered by Microsoft Defender for Cloud Apps): Effective SaaS posture management is essential for proactively preventing SaaS-related attacks. The SaaS Security initiative delivers a comprehensive view of your SaaS security coverage, health, configuration, and performance and consolidates all best-practice recommendations for configuring SaaS apps into measurable metrics to help security teams efficiently manage and prioritize critical security controls.
To optimize this initiative, activate key application connectors in Defender for Cloud Apps, including Microsoft 365, Salesforce, ServiceNow, GitHub, Okta, Citrix ShareFile, DocuSign, Dropbox, Google Workspace, NetDocuments, Workplace (preview), Zendesk, Zoom (preview), and Atlassian. For more information, check out https://aka.ms/Ignite2024MDA

OT Security Initiative (Powered by Microsoft Defender for IoT): The convergence of Operational Technology (OT) and Information Technology (IT) has transformed industries worldwide, but it has also introduced significant new security challenges, particularly for industrial operations and critical infrastructure. The modern threat landscape, now accelerated by the growing capabilities of AI, demands specialized security solutions for these sensitive environments. The OT Security Initiative addresses these challenges by providing practitioners with a comprehensive solution to identify, monitor, and mitigate risks within OT environments, ensuring both operational reliability and safety. By leveraging Microsoft Defender for Endpoint discovery, the initiative offers unified visibility across enterprise and OT networks, empowering organizations to identify unprotected OT assets, assess their risk levels, and implement security measures across all physical sites.

Enterprise IoT Security Initiative (Powered by Microsoft Defender for IoT): This initiative delivers comprehensive visibility into the risks associated with IoT devices within the enterprise, enabling organizations to assess their resilience against these emerging threats. As IoT devices frequently connect to endpoints, one another, or the internet, they become prime targets for cyberattacks. Therefore, businesses must continuously monitor the security of these devices, tracking their distribution, configuration, connectivity, exposure, and behavior to prevent the introduction of hidden vulnerabilities.
By leveraging this initiative, organizations can proactively manage IoT risks and safeguard their digital landscape.

Proactively understand how system updates affect scores

The new versioning feature offers proactive notifications about upcoming version updates, giving users advanced visibility into anticipated metric changes and their impact on related initiatives. A dedicated side panel provides comprehensive details about each update, including the expected release date, release notes, current and updated metric values, and any changes to related initiative scores. Additionally, users can share direct feedback on the updates within the platform, fostering continuous improvement and responsiveness to user needs.

Exposure History

With the new history-reasoning feature, users can investigate metric changes by reviewing detailed asset exposure updates. In the initiative's history tab, selecting a specific metric now reveals a list of assets where exposure has been either added or removed, providing clearer insight into exposure shifts over time.

Unified Role-Based Access Control (URBAC) Support

We are excited to introduce the capability to manage user privileges and access to Microsoft Security Exposure Management through custom roles within the Microsoft Defender XDR Unified Role-Based Access Control (URBAC) system. This enhancement ensures higher productivity and efficient access control on a single, centralized platform. The unified RBAC permissions model offers administrators an alternative to Entra ID directory roles, allowing for more granular permission management and customization. This model complements Entra ID global roles by enabling administrators to implement access policies based on the principle of least privilege, thereby assigning users only the permissions they need for their daily tasks.
We recommend maintaining three custom roles that align with organizational posture personas:

Posture Reader: Users with read-only access to Exposure Management data.

Posture Contributor: Users with read and manage permissions, enabling them to handle security initiatives and metrics, as well as manage posture recommendations.

Posture Admin: Users who likely already hold higher-level permissions within the Microsoft Defender portal and can now perform sensitive posture-related actions within Exposure Management experiences.

To learn more about the Microsoft XDR Unified RBAC permissions model, click here. For more information on Microsoft Security Exposure Management access management with unified RBAC, click here.

How to get Microsoft Security Exposure Management

Exposure Management is available in the Microsoft Defender portal at https://security.microsoft.com. Access to the exposure management blade and features in the Microsoft Defender portal is available with any of the following licenses:

Microsoft 365 E5 or A5
Microsoft 365 E3
Microsoft 365 E3 with the Microsoft Enterprise Mobility + Security E5 add-on
Microsoft 365 A3 with the Microsoft 365 A5 security add-on
Microsoft Enterprise Mobility + Security E5 or A5
Microsoft Defender for Endpoint (Plan 1 and 2)
Microsoft Defender for Identity
Microsoft Defender for Cloud Apps
Microsoft Defender for Office 365 (Plans 1 and 2)
Microsoft Defender Vulnerability Management

Integration of data from the above tools, as well as other Microsoft security tools like Microsoft Defender for Cloud, Microsoft Defender Cloud Security Posture Management, and Microsoft Defender External Attack Surface Management, is available with these licenses. Integration of non-Microsoft security tools will incur a consumption-based cost based on the number of assets in the connected security tool. The external connectors are currently in public preview, with plans to reach general availability (GA) by the end of Q1 2025.
Pricing will be announced before billing for external connectors begins at GA.

Learn More

The threat landscape is constantly shifting, and the attack surface continues to grow, leaving organizations exposed. Outpacing threat actors through patching alone is no longer feasible. Now is the time to evolve your vulnerability management strategy to be smarter, more dynamic, and more powerful — focused on exposures and built on a proactive mindset. By adopting a Continuous Threat Exposure Management (CTEM) process, you can stay ahead of attackers. Microsoft Security Exposure Management equips you with the tools to scope, discover, prioritize, validate, and mobilize your teams, empowering you to defend your organization with precision and confidence.

Embrace the future of cybersecurity resilience—contact us today to learn more, sign up for a demo, or speak with our team about how Microsoft Security Exposure Management can transform your defense strategy. Don’t wait to secure your organization. Get started today.

Explore overview and core scenarios on our website

Learn about capabilities and scenarios in blog posts written by our engineering and research teams

Microsoft Security Exposure Management Graph: Prioritization is the king
Unlock the full potential of Microsoft’s Security Exposure Management Graph in Advanced Hunting. This blog post delves into essential concepts like Blast Radius and Asset Exposure, equipping you with powerful queries to enhance your security posture.

Learn how to customize and optimize Copilot for Security with the custom Data Security plugin
This is a step-by-step guided walkthrough of how to use the custom Copilot for Security pack for Microsoft Data Security and how it can empower your organization to understand the cyber security risks in a context that allows them to achieve more.