At its core, an attack path analysis (APA) gives a clear visual representation of the path a cyber threat actor or malicious payload could take to breach a target asset or network. The benefits justify the resources and attention an APA exercise demands: in addition to reducing the chances of a successful cyberattack, it can improve the maturity of your OT security team.
This depiction of a compromise path adds a visual dimension to a possible attack and enables security teams, SOC analysts, CISOs and security decision-makers to derive and deploy countermeasures. Attack Path Analysis also helps prioritize vulnerabilities for remediation based on a deeper understanding of the impact a possible cyberattack could have.
How to approach Attack Path Analysis in an OT environment
An OT environment presents several challenges to conducting an Attack Path Analysis smoothly. Knowledge of the environment, its operational dynamics, asset topology and vulnerabilities is essential. As we have seen many times, many OT operators do not have this information, or not at the level of detail required to conduct an APA in a structured manner. How relevant the outcome of the APA is for your organization depends on many factors.
To conduct an APA in an OT environment and get results that matter, these prerequisites have to be in place:
- Full-scale deployed asset visibility and intelligence: including the interactions between devices, controls used, baseline, and (acceptable deviations from) functional signatures
- Detailed view into existing and potential gaps and vulnerabilities
- Potential app and hardware additions in the future
- Clear view of all the protocols used
- View of all security responses at various stages of a breach
- Communication paths to all assets
Once the above data is in place, a model can be derived to map the possible attacks and the targets along with the path an attack could potentially take. Contextual information that enables a direct correlation between targets, breach points, conduits, and the overall path can then be ascertained.
Recommended reading: Complete Guide to Cyber Threat Intelligence Feeds
APA should not be treated as a whiteboard exercise conducted on paper. Instead, it should be conducted as an objective exercise to identify and break existing attack paths and reduce the chances of new ones appearing in the future.
Charting the course of an attack
An attack does not have to move laterally through a network in a straight line. When drawing the attack path, the model must therefore offer multiple paths, each with the probability of the attacker choosing it to reach a target, linked to its probable success rate. This lets security teams focus on breaking attack paths through specific interventions, starting with the most probable paths.
When prioritizing interventions, the following aspects can be used to derive a path score:
- Probability of the attack path being used: how easily can it be reached from inside and outside the network?
- How severe are the vulnerabilities and enabling security gap(s)?
- What sort of privilege exploitation does the attack path entail? Is there a risk of multiple privileges being misused?
- Can the attack progress in a linear way? Or does the attack have to go through multiple hops?
- Can the attack path be broken using a deflection?
- How easy or difficult is it to access the entry point?
- Can the involvement of an insider improve the chances of success of the attack?
- What is the business impact of the attack?
- How easy will it be to dissolve or diffuse the attack path?
- What resources will the attack involve and what are the chances of the attack staying dormant or staying hidden within the network for a prolonged period of time?
- In case of a complex attack chain, how many potential points of detection will emerge?
- Can multiple attack paths merge? If so, what could be the result?
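As an added illustration (not code from the article), here is a small Python model of the multi-path scoring described above: a constructed OT topology where each hop carries an accessibility and an exploit-success estimate, each hop also counts as a potential detection point, paths are ranked by likelihood times business impact, and one conduit is removed to show how an intervention re-ranks the remaining paths. All asset names and numbers are assumed sample values.

```python
from typing import Dict, List, Tuple

Graph = Dict[str, Dict[str, Tuple[float, float]]]

# Constructed sample OT topology (assumed values, not from the article).
# Each directed edge carries (accessibility, success): how easily the hop can
# be reached and how likely exploitation of the next asset is to succeed.
EDGES: Graph = {
    "internet":        {"vpn_gateway": (0.9, 0.6)},
    "vpn_gateway":     {"eng_workstation": (0.7, 0.5), "historian": (0.5, 0.4)},
    "historian":       {"hmi": (0.6, 0.5)},
    "eng_workstation": {"plc": (0.8, 0.7), "hmi": (0.6, 0.6)},
    "hmi":             {"plc": (0.7, 0.5)},
    "plc":             {},
}

def enumerate_paths(edges: Graph, src: str, dst: str, path=None) -> List[List[str]]:
    """Depth-first enumeration of every simple path from src to dst."""
    path = (path or []) + [src]
    if src == dst:
        return [path]
    found = []
    for nxt in edges.get(src, {}):
        if nxt not in path:  # simple paths only: never revisit an asset
            found.extend(enumerate_paths(edges, nxt, dst, path))
    return found

def path_score(edges: Graph, path: List[str], impact: float, detect: float = 0.2) -> float:
    """Likelihood of the whole chain succeeding undetected, weighted by impact.
    Each hop multiplies in accessibility * success and is a detection point to evade."""
    likelihood = 1.0
    for a, b in zip(path, path[1:]):
        acc, succ = edges[a][b]
        likelihood *= acc * succ * (1.0 - detect)
    return likelihood * impact

def rank_paths(edges: Graph, src: str, dst: str, impact: float = 10.0):
    """Return (score, path) pairs, highest-priority path first."""
    scored = [(path_score(edges, p, impact), p) for p in enumerate_paths(edges, src, dst)]
    return sorted(scored, key=lambda sp: sp[0], reverse=True)

def break_conduit(edges: Graph, a: str, b: str) -> Graph:
    """Model an intervention: drop the a->b conduit and return the new graph."""
    hardened = {node: dict(nbrs) for node, nbrs in edges.items()}
    hardened[a].pop(b, None)
    return hardened

if __name__ == "__main__":
    for score, path in rank_paths(EDGES, "internet", "plc"):
        print(f"{score:.4f}  {' -> '.join(path)}")
```

Re-running `rank_paths` on `break_conduit(EDGES, "eng_workstation", "plc")` shows the direct workstation-to-PLC path gone and the HMI route becoming the new top priority, which is the kind of re-evaluation the path score is meant to drive after each intervention.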
Benefits of an Attack Path Analysis
Conducting an APA can lead to many benefits for your organization. Some of these include:
- It makes your security analysts think like an attacker and plan a defense strategy accordingly
- Unlike traditional security measures that are implemented in silos, APA makes defensive measures more widespread
- APA helps place barriers that improve the efficiency and effectiveness of your existing security measures
- It is a more relevant and contextual way of planning cybersecurity measures and governance
- APA can also help security teams understand the OT environment from a security perspective
- APA also gives you a chance to build cyber resilience and gain a much better and more relevant view of your on-the-ground security posture
- By disrupting the attack paths you can increase the distance between your assets and the attacker
Interested in learning more about how you can deploy APA in your organization? Talk to our APA expert.
Watch our On-Demand webinar here: How to conduct OT attack path analysis in your organization