Reading time: 5 minutes

If you’re not focusing on identity and access controls, you’re ignoring today’s threat landscape. Today, identity is what paves the way for your sensitive data.

Many organizations still speak the language of firewalls, antivirus, endpoint protection, and vulnerabilities, but cloud infrastructure is totally different than legacy systems. The methods of attack are different and the way bad actors move through your environment is different – so bringing old security concepts and solutions to this ballgame won’t be enough.

Today, it’s not just users who access your data. Non-personal identities are a new frontier proliferating in your environment – ​​supporting service principals, roles, access keys, functions and more.

These entities have broad rights, because sometimes security is not the focus of developers’ work. In reality, only about 3% of granted rights are actually used, which is simply an unnecessarily increased attack surface. Sometimes it’s easier to over-indulge in privileges to enable seemingly easier and faster workflows.

All of these privileges, permissions, and access are what make cloud identities the perfect thing to leverage. Bad actors often start with a low-level identity and then leverage permissions to move laterally through an environment. As they move laterally through your environment, they gain a level of permissions that could cause irreparable damage.

A common concern is escalation of privileges. Privilege escalation routinely goes unnoticed, especially in a complex cloud environment where enterprises already struggle to gain visibility into their internal users, identities, compute assets, services, and actions. A bad actor could spend days or even weeks in your surroundings and you wouldn’t even know it.

What is attack path analysis?

Attack path analysis is the process of automatically detecting and simulating all possible paths to your data. Many tools today address a one-time risk, whether it’s workload security or identity and rights management. However, your platform’s identity, workloads, data, and configurations are all interconnected in the cloud and combine to create attack paths to your data. Pathways analysis aims to reveal how all of these interconnected factors combine to create exploitable pathways. This is the first step, which allows your teams to break these “chains” of attack and remediate the risks.

A path of attack follows the following stages: reconnaissance, infiltration, lateral movement, exfiltration and impact. Automatic analysis examines once someone is inside, what movement and escalation is possible in your environment – this is the “lateral movement” aspect of an attack path. Mitigating opportunities for lateral movement is essential.

Why do you need attack path analysis?

Previously, breach prevention was all about understanding how someone can get into your system and break into your network. This emphasized vulnerability management to maintain a secure perimeter. In the cloud, breach prevention is less about vulnerabilities and networks, and more about once someone is in your environment, what can they do? Can they access a sensitive data store? Can they access an overprivileged identity? Attack path analysis answers these questions.

Most organizations are unaware of the risks associated with their cloud. It seems impossible to see every possible path or connection between compute, roles, policies, permissions, and data. However, you can’t protect what you can’t see. Illustrating an attack path is key to finding that turning point (whether it’s a trust relationship or indirect privilege escalation capabilities) that enables a serverless function in a sandbox account. access customer files in production.

How does attack path analysis work?

At Sonrai, we approach attack path analysis in four parts:

How can they get in?

How can they move laterally?

What can they access?

How sensitive is what they can access?

attack path analysis

At the heart of Sonrai Dig is our patented identity graphics and analytics. Every night, we simulate every possible attack path pattern in your environment and present it in an easy-to-use dashboard. How?

By finding out what lateral movement is possible in your cloud. Our deep visibility into every connection between identity and data reveals the effective (end-to-end) permissions of each identity. The reality is that teams and manual efforts cannot track the scope of the 37,000 possible actions in the cloud, and the scale at which new policies and individual actions are assigned to identities – we measure 17 new permissions per day. Teams must rely on automation to solve this problem of scale, hence the value of automated attack path analysis.

What makes Dig different is its ability to detail where an attack path ends. In the cloud, where an attack path begins (with a vulnerability or network misconfiguration) matters less than where an attack path ends. Dig can detail the exact data store at the end of an attack path, what it is through data classification, and its value to your business. Or maybe there is an overprivileged identity with the ability to wipe a database via policy. Dig can detail what policy gives that identity access, but also interpret the specific actions possible accordingly – this is unique to Dig.

To better understand this capability, we have captured examples of our product:

An identity “risk amplifier” on a vulnerable computer. A complex chain of trust relationships allows this sandbox-based compute to take on a new role in a production account, which has a policy called “Executive Functions” associated with it.
Don’t think of the attached policy label as its actions – drill down to see exactly what granular permissions it has. This has the ability to invoke lambda functions in production.

Break down attack paths to your data

You want to find risks before an attacker has time to exploit them. With attack path analysis and patented identity analysis, your organization can break the permission chains leading to your data.

Of course, not all risks are created equal, as privileges and data sensitivity are incremental. Dig’s insights into these unique risk levels allow your organization to better understand the business impact and prioritize remediation accordingly.

Teams are overwhelmed and alert fatigue is universal. Having insight into the most pressing avenues of attack allows your team to address key concerns first.

Learn what a cloud attack path looks like in this attack path simulation blog.

*** This is a syndicated blog from Sonrai’s Security Bloggers Network | Enterprise cloud security platform created by James Casagrande. Read the original post at: https://sonraisecurity.com/blog/attack-path-analysis-breaking-down-paths-to-your-data/