Fight Fire with Fire!

By Josh Neame, CTO, BlueFort Security

Across all walks of life there are a myriad of catchphrases used to capture a mood, describe a situation, explain a certain behaviour, or define the odds of something happening. The phrase “there’s no such thing as a silver bullet” seems largely to have been consigned to the archives of cybersecurity marketing these days (thank goodness), alongside its teammate that reads something like “if you think you know it all about cybersecurity, this discipline was probably ill-explained to you.” Both are true, by the way, but very much overused in my humble opinion. And then there’s ‘fight fire with fire!’. Whilst this has also had its fair share of overuse in today’s vernacular, I’m not going to send this one to the archives just yet, as it is relevant in the context of this blog. Bear with me, folks.

If you Google (other search engines are available) the term ‘fight fire with fire’, Wikipedia delivers back a wide array of potential offerings including a Metallica song, a Bruce Willis movie, and a feminist book by Naomi Wolf. However, that’s not what I’m thinking about today. Today I have the concept of attack path management (APM) on my mind, and its relevance to the ‘fight fire with fire’ analogy is that APM is a threat-informed defence strategy: you use the attacker’s own way of looking at your estate to find and close the routes they would take. As the Chinese general Sun Tzu once said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles”. Thinking like the enemy is the foundation of APM.

What is Attack Path Management?

Put simply, attack path management (APM) is a process your company can use to get insight into your security weaknesses, as seen through the eyes of an attacker. Importantly, it does this with the additional context of your company’s own unique security infrastructure, security controls, and existing cybersecurity defences. 

The process aims to identify any ‘attack path’ that a cybercriminal could take. If you know how an attacker might try to break into your systems, you can bolster your defences and help your team shut down those routes fast – before the bad guys get any deeper into your network accessing servers, databases, or sensitive files.

Attack path management is all about:

  • Identifying the routes an attacker could use to traverse your systems (and there will be way more than you think);
  • Analysing those routes to understand which are most dangerous (and it’s not necessarily the length of those routes – it’s where they lead to and the potential for damage that’s key); 
  • Putting remediation in place to shut those routes down effectively, for example patching a system, changing permissions, or locking a virtual door.

Does my organisation even need APM? I’ve got lots of other tools….

This is a fair question. After all, the average company works with 10 to 15 security vendors and 60 to 70 security tools. Throwing another one into the mix could be considered overkill. But when you step back and look at the current state of play for security teams, I think you’ll be persuaded that APM is a tool worth careful consideration.

Enterprise Strategy Group (ESG), in conjunction with XM Cyber, recently published a white paper that addresses this very question. Jon Oltsik, Senior Principal Analyst & ESG Fellow who authored the paper cites the unprecedented growth of cyber attacks driven by “sophisticated threats, a growing attack surface, greater use of business IT, and even poor security hygiene”. Or, as I like to say, the complexity of cybersecurity challenges faced by security teams today is a one-way street with no end in sight. The M&S and Co-Op cyber attacks in play as I write are testament to the gravity of the situation.

Here’s an interesting statistic from XM Cyber’s 2024 Report: organisations typically have about 15,000 exposures across their environments that attackers could exploit. However, traditional CVE-based vulnerabilities account for less than 1% of those and just 11% of all exposures to critical assets. Put simply, threat actors don’t care about CVSS scores – they care about real-world opportunities. So that should be your focus too. 

APM is more than stopping attacks after they happen — it’s proactive. You’re always thinking like an attacker so you can stay one step ahead. 

This is why Continuous Threat Exposure Management (CTEM) has made such a massive difference for security teams. Enabling CISOs and SecOps teams to move from a reactive to a proactive mindset, CTEM actively prioritises risks most relevant to their organisation. In case you’re still sitting on the fence about CTEM, Gartner predicts that by 2026, organisations that prioritise security investment based on a CTEM program will be three times less likely to suffer a security breach.

APM fits within the CTEM framework by giving organisations a process to focus on the relatively small and stable number of tactics, techniques, and procedures (TTPs) used by attackers, rather than an ever-increasing and unpredictable number of CVEs. Note the distinction between an attack vector and an attack path: examples of an attack vector (the initial way in) include malware, unpatched software, and weak passwords. Once an attacker has used a vector to get onto your network, the attack path is the sequence of steps they take from that foothold, moving laterally through the environment until they reach critical assets.

Rather than trying to catalogue every misconfiguration, risky user behaviour and software vulnerability on every asset in isolation, focus your efforts on 1) identifying how an attacker would chain those weaknesses together to move through your environment and 2) prioritising the fixes that make the most significant impact, i.e. the ones that cut the most routes to your critical assets.

How does it work?

At the risk of sounding like a broken record, when it comes to effective cybersecurity we all know that visibility is key. The ability to clearly see all aspects of your organisation’s digital footprint, as well as the risks and vulnerabilities within it, is the common thread behind all robust cybersecurity programmes. 

Where to start?

As I’ve just said, visibility is key: knowing what you’ve got, where it is, and what’s missing. From first-hand experience, I see that many of the challenges organisations face stem from having little or no visibility into their IT estate. Without a clear view of what exists, it’s impossible to gather accurate information or maintain control. You can only apply effective controls to the assets you know about.

This is the starting point for APM. The process starts with a systematic review of the components, connections, and interactions within a given system, with the objective of mapping the potential sequences of actions that an attacker might employ to get from an initial foothold to a critical asset. By simulating these pathways, defenders can assess the potential impact and risk of multiple scenarios, see which single weaknesses sit on the most paths, and ultimately prioritise their mitigation efforts more effectively.  
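To make the mapping and prioritisation steps concrete, here is an added worked example (written for this post; it is not BlueFort’s or XM Cyber’s code). It models a small estate as a graph whose edges are “an attacker who controls A can reach B by technique T”, enumerates every attack path from the assumed footholds (a phished user and an internet-facing VPN appliance) to the assumed critical assets (the domain controller and the customer database), and then ranks each edge by how many of those paths it sits on. The hostnames, techniques and relationships are constructed for illustration only.

```python
"""Toy attack path analysis: map the routes from an initial foothold to a
critical asset, then rank remediations by how many routes one fix would cut.

Added example for this post, not BlueFort's or XM Cyber's code. The estate,
edge types and footholds below are constructed assumptions for illustration.
"""
from collections import defaultdict

# Constructed toy estate. Each edge (source, target, technique) means an
# attacker who controls `source` can reach `target` using `technique`.
EDGES = [
    ("phish_user",    "wks01",       "user opens macro doc"),
    ("wks01",         "svc_backup",  "cached creds on wks01"),
    ("wks01",         "fileshare",   "share open to Domain Users"),
    ("svc_backup",    "db01",        "local admin on db01"),
    ("svc_backup",    "dc01",        "GenericAll on dc01 computer object"),
    ("fileshare",     "helpdesk",    "plaintext creds in share"),
    ("helpdesk",      "dc01",        "member of Account Operators"),
    ("vpn_appliance", "helpdesk",    "unpatched VPN appliance"),
    ("db01",          "customer_db", "db admin"),
    ("dc01",          "customer_db", "domain admin"),
]
FOOTHOLDS = {"phish_user", "vpn_appliance"}   # assumed initial access points
CRITICAL = {"customer_db", "dc01"}            # assumed crown jewels


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, technique in edges:
        graph[src].append((dst, technique))
    return graph


def attack_paths(edges, footholds, critical):
    """Enumerate every simple (cycle-free) path from a foothold to a critical
    asset by depth-first search. A path is a tuple of (src, dst, technique)
    hops. A critical asset can itself be a stepping stone (dc01 -> customer_db),
    so the walk continues after recording a path."""
    graph = build_graph(edges)
    paths = []

    def walk(node, visited, hops):
        for dst, technique in graph.get(node, ()):
            if dst in visited:
                continue
            new_hops = hops + [(node, dst, technique)]
            if dst in critical:
                paths.append(tuple(new_hops))
            walk(dst, visited | {dst}, new_hops)

    for start in sorted(footholds):
        walk(start, {start}, [])
    return paths


def choke_points(paths, exclude_techniques=frozenset()):
    """Count how many attack paths each edge appears on, most first. The top
    edge is the single fix that removes the most routes. Techniques that cannot
    realistically be remediated (e.g. user behaviour) can be excluded."""
    counts = defaultdict(int)
    for path in paths:
        for hop in path:
            if hop[2] not in exclude_techniques:
                counts[hop] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def paths_remaining_after(paths, removed_edge):
    """Attack paths that still exist once `removed_edge` has been remediated."""
    return [p for p in paths if removed_edge not in p]


if __name__ == "__main__":
    paths = attack_paths(EDGES, FOOTHOLDS, CRITICAL)
    print(f"{len(paths)} attack paths to critical assets")
    for edge, n in choke_points(paths, exclude_techniques={"user opens macro doc"}):
        print(f"{n} path(s) via {edge[0]} -> {edge[1]} ({edge[2]})")
    fix = ("helpdesk", "dc01", "member of Account Operators")
    print(f"{len(paths_remaining_after(paths, fix))} path(s) remain after fixing {fix[2]}")
```

Two things the output makes visible that a flat vulnerability list would not. First, the phishing edge sits on more paths than anything else, but it is user behaviour rather than a misconfiguration you can switch off, so it is excluded from the ranking; the next choke point, the helpdesk account’s Account Operators membership, is one permission change that removes four of the seven paths. Second, the unpatched VPN appliance only matters because of where it leads: on its own it is two hops from the domain controller, which is exactly the “it’s where they lead to, not the length” point made above.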

Benefits of Attack Path Management

  • Identifies and Addresses Weaknesses: Detects vulnerabilities in systems, enabling targeted and effective mitigation by focusing on the most critical threats and high-risk attack paths.
  • Improves Incident Response: Supports security teams in creating robust incident response plans by anticipating potential attack paths, and defining clear actions to take during a breach.
  • Strengthens Compliance: Helps meet regulatory requirements by providing a deep understanding of security risks – ensuring organisations can demonstrate compliance to regulators and stakeholders.
  • Enhances Third-Party Risk Management: Reduces risk exposure from vendors and external partners by assessing and managing their security posture.
  • Optimises Security Architecture: Offers insights that can inform the redesign or adjustment of security frameworks, making systems more resilient to cyberattacks.
  • Promotes Security Awareness: Encourages a culture of cybersecurity awareness and best practices across the entire organisation.
  • Enables Cost-Effective Planning: Allows for smarter resource allocation within security teams, helping to prevent costly breaches and optimise security investments.

Utilising an APM tool can help ensure your security team has a complete view of your digital assets, together with the contextual awareness to understand the threats faced and the necessary controls to secure them from loss or harm.

Curious to know more?

Tech Talk Tuesday – Evolving a Cyber Resilience Strategy – Attack Path Analysis.

24th June at 2.00pm

Register here to join me as we discuss APM in depth, highlighting use cases and delving into how organisations should look to integrate threat-informed processes into their overall cyber resilience strategy.

We’ll highlight XM Cyber’s award-winning Exposure Management that lets security teams see their on-prem and cloud networks through the eyes of an attacker, and spot attacks before they happen. Because when you see all the ways in, you can keep them all out.
