Snatch Ransomware Explained - CISA Alert AA23-263A
By Suleyman Ozarslan, PhD • January 02, 2023
The Top 10 MITRE ATT&CK Techniques Used by Adversaries
Cyber threat actors are constantly finding new ways to perform more stealthy, sophisticated, and high-profile attacks on their targets. Security professionals often consider attack vectors, attack surfaces, and attack paths when planning to harden their defenses against possible cyber attacks and increase the cyber resilience of their organizations. While these three closely-related concepts are often used interchangeably, each has a different meaning and purpose. In this blog, we discuss the distinctions between these concepts, as well as why attack path validation is crucial to help identify and manage risk throughout the attack life cycle within an organization’s network.
An attack vector is a specific method used by an attacker to achieve an objective, such as gaining unauthorized access to a system or network, obtaining control of resources, or stealing sensitive information. Some of the most common attack vectors are malware, phishing emails, compromised and weak credentials, misconfigurations, software vulnerabilities, and abusing trust relationships, as in supply chain attacks.
The attack surface is the set of all possible attack vectors in an organization. An attack vector could allow an adversary to compromise a system or network. However, the attack surface refers to all known, unknown, and potential attack vectors that an attacker could use to compromise systems and networks in an environment.
Attack surface analysis is determining an organization’s attack surface by examining possible attack vectors and assessing the likelihood that attackers leverage them to perform malicious actions. As a result of attack surface analysis, the organization knows which attack vectors pose a risk. Then, the organization can increase its cyber resilience by eliminating these vectors. For instance, if a program uses a vulnerable Log4j version on a server that an attacker could exploit, the organization can eliminate this attack vector by applying patches released by the vendor.
However, focusing on individual attack vectors and threats is not enough to reduce an organization’s attack surface. It’s also important to visualize how these attack vectors are used. This is where attack path analysis enters the picture.
An attack path is a graphical representation of the route that attackers traverse by exploiting attack vectors to reach their goals. Thus, an attack path visualizes the sequence of actions in the attack lifecycle of an attacker.
A simplified example of how attack vectors, attack surface, and attack path vectors are aligned would be as follows: A threat group gains access to a system by exploiting a vulnerable Log4j installation running on a webserver. Once they gain an initial foothold, they will attempt to remain persistent by creating a scheduled task to execute malware at the system startup and dump credentials. Then, they laterally move to another system using the remote desktop connection with dumped credentials and reach a critical database in this system. Eventually, they use an encrypted C2 channel to exfiltrate the database as their ultimate goal. In this example, exploiting the Log4j vulnerability, creating a scheduled task, dumping credentials, remote desktop connection, and data exfiltration over an encrypted C3 channel are attack vectors, while the attack path is the visualization of the chain of all these attack vectors within the organization’s network. The organization’s attack surface is the set of all the potential attack vectors, including the used vectors in this example.
Attack Path Validation is the process of identifying, analyzing, mapping, managing, and validating attack paths that attackers could take to reach their goals within the network. Therefore, it covers attack path discovery, attack path analysis, attack path mapping, and attack path management processes.
Attack path validation is critical for understanding the real cybersecurity risk faced by organizations. It exposes the steps an attacker would likely take to compromise your network, such as exploitation of vulnerabilities, lateral movement within a network, privilege escalation, and stealing critical information.
Attack Path Validation allows you to eliminate attack paths within a production environment. Once you know where the risks exist, you can start to address them through technical, procedural, and policy means, as well as by building an end-to-end risk-based defense.
What distinguishes Attack Path Validation is its ability to identify new and unknown chains of attack vectors that reach critical assets within the network, as opposed to just individual attack vectors in signature-based attack analysis approaches such as vulnerability scanning. As a result, attack paths more accurately depict your attack surface and help you better prepare for potential threats. Moreover, a vulnerability scanner only identifies vulnerabilities, whereas the Attack Path Validation approach goes much further by exploiting identified vulnerabilities and creating validated Attack Paths that demonstrate how attackers can exploit the vulnerabilities and connections between the assets within the network to reach their utmost objectives.
Since most organizations are focused on defending their external attack surface, they are unaware of possible attack vectors within their networks and how attackers might exploit them to achieve their goals. Some security teams engage in internal network penetration testing and red teaming to increase the visibility of post-compromise attack vectors. However, due to limitations in both time and resources, these types of assessments are neither thorough nor performed frequently enough to be functional for continuous improvement in cyber resilience. As a result, they do not provide the level of insight necessary for continuously identifying, prioritizing, and mitigating risks.
Picus’ Attack Path Validation (APV) product is a comprehensive attack path analysis, mapping, and management solution that offers all the previously explained benefits of the attack path validation approach and more.
With Picus Attack Path Validation, security teams can automatically discover and visualize the steps an advanced attacker that has successfully breached a network would likely take to compromise critical assets and entities, such as domain admin credentials and the Domain Controller (DC) server in the Active Directory (AD).
Powered by Picus’ Intelligent Adversary Decision Engine, which mimics the approach and actions of real-world adversaries, this easy-to-use application identifies, validates, and helps eliminate the attack paths that pose the most significant risk. By doing so, Picus Attack Path Validation
Therefore, the user can concentrate on remediating and mitigating the riskiest threats and spare the time and effort of fixing a long list of unprioritized vulnerabilities and attack vectors that are not necessarily exploitable by attackers.
Picus Attack Path Validation identifies the vulnerable and critical routes attackers could take to compromise critical assets and validate that they are actual paths that can be exploited, not false positives. Picus Attack Path Validation (APV) determines entities on your network where multiple attack paths converge to help prioritize mitigating vulnerabilities and misconfigurations at these ‘choke points’ to ensure you achieve the best security impact. Organizations use this approach to optimally defend their most important assets by reducing their cyberattack exposure.