Attack path management is a cybersecurity technique that involves the continuous discovery, mapping, and risk assessment of identity-based attack paths.[1][2][3] Attack path management is distinct from other computer security mitigation strategies in that it does not rely on finding individual attack paths through vulnerabilities, exploits, or offensive testing.[4] Rather, attack path management techniques analyze all attack paths present in an environment based on active identity management policies, authentication configurations, and active authenticated "sessions" between objects.[5][6][7][8]
Overview
Attack path management relies on concepts such as mapping attack paths, identifying attack path choke points, and remediating (removing) attack paths.[3][9] Identity-based attacks are present in most publicly disclosed breaches, whether through social engineering to gain initial access to an Active Directory environment or through lateral movement for privilege escalation.[10][9][11][12] Attackers require privileges to reach an environment's most sensitive segments.[10][9] Attack path management therefore often involves removing out-of-date privileges and privilege assignments granted to overly large groups.[13]
In attack path management, attack graphs are used to represent how the security of a network of machines can be compromised.[9][13][14] The nodes in an attack graph represent principals and other objects such as machines, accounts, and security groups.[13]
The edges in an attack graph represent the relationships between nodes, such as group membership, administrative rights over a machine, or an active authenticated session.[13] Nodes through which many short paths from regular users to ___domain admins pass are known as attack path choke points; removing a single edge at a choke point cuts every path that traverses it, which makes choke points the most effective places to remediate.[15] Attack graphs are often analyzed using algorithms and visualization.[13][9]
Attack path management also identifies tier 0 assets, which are treated as the most sensitive (not the most vulnerable) objects because they have direct or indirect control of an Active Directory or Microsoft Entra ID environment; any path from an ordinary user or workstation into tier 0 is a finding to remediate.[16]
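The following is an added worked example, not code from the article or from any of the tools it cites, showing the graph analysis described above on a constructed Active Directory attack graph: it enumerates the paths from regular users to the Domain Admins group, counts how many paths cross each intermediate node to find the choke points, derives the effective tier 0 set (everything with direct or indirect control of the target) by a reverse search, and models a remediation by deleting one edge. All principal, group and computer names are hypothetical; the relationship labels (MemberOf, AdminTo, HasSession, GenericAll) follow common attack-graph vocabulary but are assumptions of this example, and the exhaustive path enumeration is only suitable for small graphs.

```python
from collections import defaultdict, deque

# Constructed sample attack graph for illustration; every name is hypothetical.
# Edge direction follows the attacker's traversal: (source, relationship, target),
# e.g. a computer "HasSession" a user means that user's credentials are exposed
# to whoever administers the computer.
EDGES = [
    ("alice", "MemberOf", "HelpDesk"),
    ("bob", "MemberOf", "HelpDesk"),
    ("carol", "MemberOf", "Developers"),
    ("dave", "MemberOf", "Developers"),
    ("erin", "MemberOf", "Domain Users"),
    ("HelpDesk", "AdminTo", "WS01"),
    ("Developers", "AdminTo", "WS02"),
    ("WS01", "HasSession", "svc_backup"),
    ("WS02", "HasSession", "svc_backup"),
    ("svc_backup", "MemberOf", "Backup Operators"),
    ("Backup Operators", "GenericAll", "Domain Admins"),
]
USERS = ["alice", "bob", "carol", "dave", "erin"]
TARGET = "Domain Admins"


def build_adjacency(edges):
    """Forward and reverse adjacency lists keyed by node name."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, rel, dst in edges:
        fwd[src].append((rel, dst))
        rev[dst].append((rel, src))
    return fwd, rev


def simple_paths(fwd, node, target, seen=frozenset()):
    """Yield every simple path node -> target by DFS (small graphs only)."""
    if node == target:
        yield [node]
        return
    seen = seen | {node}
    for _, nxt in fwd[node]:
        if nxt not in seen:
            for rest in simple_paths(fwd, nxt, target, seen):
                yield [node] + rest


def exposure(edges, users, target):
    """Fraction of the given users with at least one path to the target."""
    fwd, _ = build_adjacency(edges)
    exposed = [u for u in users if next(simple_paths(fwd, u, target), None)]
    return len(exposed) / len(users)


def choke_points(edges, users, target):
    """Count, per intermediate node, how many user->target paths cross it.
    The nodes with the highest counts are the choke points: cutting one
    edge there removes many paths at once."""
    fwd, _ = build_adjacency(edges)
    counts = defaultdict(int)
    for u in users:
        for path in simple_paths(fwd, u, target):
            for node in path[1:-1]:
                counts[node] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def effective_tier0(edges, target):
    """Every node that directly or transitively controls the target, found by
    a reverse BFS from the target. In a clean environment this set is tiny;
    an ordinary user or workstation appearing in it is an attack-path finding."""
    _, rev = build_adjacency(edges)
    seen, queue = set(), deque([target])
    while queue:
        n = queue.popleft()
        for _, prev in rev[n]:
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    return seen


def remove_edge(edges, edge):
    """Model a remediation: return the graph without the given edge."""
    return [e for e in edges if e != edge]


if __name__ == "__main__":
    print("exposure before:", exposure(EDGES, USERS, TARGET))
    print("choke points:", choke_points(EDGES, USERS, TARGET))
    print("effective tier 0:", sorted(effective_tier0(EDGES, TARGET)))
    fixed = remove_edge(EDGES, ("svc_backup", "MemberOf", "Backup Operators"))
    print("exposure after cutting the choke-point edge:", exposure(fixed, USERS, TARGET))
    partial = remove_edge(EDGES, ("HelpDesk", "AdminTo", "WS01"))
    print("exposure after cutting a non-choke edge:", exposure(partial, USERS, TARGET))
```

On this graph four of the five users can reach Domain Admins, and every one of those paths passes through the svc_backup session and its Backup Operators membership, so those two nodes are the choke points. Removing the single MemberOf edge from svc_backup to Backup Operators drops the exposure to zero and shrinks the effective tier 0 set to the one group that legitimately holds rights over the target, whereas removing the HelpDesk AdminTo edge only cuts the two help-desk users' paths and leaves the developers' route intact.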
References
- [1] "Automated Generation and Analysis of Attack Graphs" (PDF). cs.cmu.edu.
- [2] "Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graphs" (PDF). sigops.org.
- [3] Gibson, Kirsten (2025-01-23). "Insurance companies can reduce risk with Attack Path Management". Security Boulevard. Retrieved 2025-03-06.
- [4] "Attack Path Analysis". Rapid7. Retrieved 2025-03-06.
- [5] "Protecting Your Paths, Part 1: How Attack Path Management Can Stop Attackers in Their Tracks". Proofpoint UK. 2023-11-07. Retrieved 2025-03-06.
- [6] "Close security gaps with attack path analysis and management". TechTarget Search Security. Retrieved 2025-03-06.
- [7] "Practical Anytime Algorithms for Judicious Partitioning of Active Directory Attack Graphs" (PDF). ijcai.org.
- [8] "Attack path management with Microsoft Security Exposure Management". Microsoft. 2024-11-19.
- [9] "Attack Path Management: cos'è e come difendersi dagli attacchi basati sull'identità" [Attack Path Management: what it is and how to defend against identity-based attacks]. Cyber Security 360. 2022-06-17. Retrieved 2025-03-06.
- [10] "NSA warns that Active Directory is an "exceptionally large and difficult to defend" attack surface". The Stack. 2024-09-27. Retrieved 2025-03-06.
- [11] "Attack Paths: Just 4 Steps Can Compromise 94% of Assets". BankInfoSecurity. Retrieved 2025-03-06.
- [12] Shread, Paul (2022-03-31). "A Few Clicks from Data Disaster: The State of Enterprise Security". eSecurity Planet. Retrieved 2025-03-06.
- [13] "Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graphs" (PDF). sigops.org.
- [14] "Automated Generation and Analysis of Attack Graphs" (PDF). cs.cmu.edu.
- [15] "ADSynth: Synthesizing Realistic Active Directory Attack Graphs" (PDF). dsn2024uq.github.io.
- [16] "Semperis adds Microsoft Entra ID support to its attack path management tool". SiliconANGLE. 2023-10-12. Retrieved 2025-03-06.