Exposure Management Looks to Attack Paths, Identity to Better Measure Risk

Security firms analyze attack paths and seek out weak identities to find compromise vectors and critical assets that need better controls.

By Rob Lemos

As companies struggle with finding and closing off the paths that attackers could use to infiltrate and compromise their IT environments, security providers are rushing to offer security posture management — also known as exposure management — capabilities in their products.

Security posture management firm Cymulate announced in June a threat exposure management platform that takes data from a variety of sources — including an inventory of the company's assets, its vulnerabilities, potential attack paths, and adversaries tactics — to create a measure of risk. Last week, exposure management firm Tenable announced the release of identity-focused features in its Tenable One platform that can analyze Active Directory and Azure AD instances to find identity-based weaknesses, such as overpermissioned accounts, orphaned users, and anomalous identities.

Exposure Focuses Increasingly on Identity

Attack surface management and attack simulation companies are likely to shift their focus to exposure management as well. Cymulate, formerly a breach and attack simulation company, has shifted to continuous threat exposure management (CTEM), an acronym coined by Gartner, as a way of extending its focus on the attack surface and validation of vulnerabilities, says Carolyn Crandall, chief security advocate for Cymulate.

"Now security teams are getting hit by more threats ... [exposure management] helps them get ahead of the attackers by better prioritizing the vulnerabilities that need remediation," she says. "There's much more pressure now to do testing ... [to see whether] we get the outcomes we expected, and if not, how do we quickly understand those and then change?"

Adding Attack Paths Validates Threats

A key component of exposure management is validating that particular vulnerabilities are both reachable and exploitable by attackers. To determine whether a critical asset is at risk, companies have been focusing on constructing the potential path an attacker could take through the environment, using vulnerabilities in different systems to reach an end goal. Such attack paths validate that the combination of vulnerability scanning, analyzing permissions and identities, and measuring the criticality of assets results in a measurable risk.

A common attack path might involve compromising a Web server using an exploit for Log4j, escalating privileges, and then accessing a database. Using simulations to determine whether that attack is viable helps organizations prioritize patching and the implementation of new controls, says Mike DeNapoli, a cybersecurity architect and director at Cymulate.

"We can re-create this attack in a production-safe way — actually run it and determine, 'Is this merely viable, but we have controls that will compensate for these gaps?' or, 'Is this validated and this is an attack path that a threat actor could use?'" he says.

Read the full article on Dark Reading