Attack Paths

Watch a summary on youtube >>.

In the previous modules, securiCAD in a Nutshell and Simulation Results, we looked at the securiCAD example model, run an initial simulation and looked at the risk exposure and Time To Compromise results of the High Value Assets.

In this module we will look at the attack paths leading up to the High Value Assets.

The main use for the attack path maps is for reviewing the different attack steps an attacker is expected to use while moving towards the High Value Assets. In practice, they will help you understanding how an attack is expected to happen and what mitigations that are applicable to limit the risk exposure of a certain target.

Critical Path

Looking to the right in the High Value Assets table, we find the Critical Path icons to every asset.

Critical Path icon.
Critical Path icons.

Clicking on for instance the Critical Path icon of Customer records / Write, will show the most likely attack path that securiCAD has found.

Critical Path of Customer records Write.
Critical Path of Customer records Write.

What we see here is the most likely attack path. Every bubble is an attack step and the arrows in between them indicates how hard each “jump” is expected to be and also how important it is to the attacker.

Red arrows indicate that an attack step is quickly achieved and yellow ones indicate attack steps that will take more time. Thick arrows indicate attack steps that are important to the attacker while thin arrows indicate less important attack steps where the attacker has more alternative options to use.

At first, the attack steps are floating around trying to automatically adjust themselves. If we rearrange the attack steps a bit, we will see the attack path more clearly.

Collecting credentials and using them for pivoting.
Collecting credentials and using them for pivoting.

The above set of attack steps illustrate the beginning of the simulated attack. To a penetration tester, this is trivial but useful to illustrate how attack steps are drawn.

  • The attacker’s starting point is the Workstation 1 host.
  • This gives access to dumping the memory of the LSASS process as well as the RDP Client installed on the host.
  • The LSASS dump is not encrypted (enough to present a problem). The attacker finds the (local) Administrator credentials in it.
  • The RDP Client can be used to use (Request) the RDP Session dataflow which in turn gives the attacker possibility to Connect to the RDP Service.
  • Having access to the RDP Session dataflow, in combination with having found the Administrator UserAccount, gives the attacker RootShellLogin on the RDP Service.
  • Succeeding with RootShellLogin on RDP Service gives Compromise on the Stage srv 1 host since the RDP service is running with SYSTEM privileges in the model.

This way you can investigate different parts of an attack path or a kill chain to review it or to see possible mitigations related to this particular attack path.

However, depending on your security analysis approach, this might not be necessary at all.

Visualization Filters

Above the attach path map, there are some visualization filters to assist you.

Visualization filters.
Visualization filters.
  • Hide defenses is for hiding or showing the green bubbles, like LSASS Encrypted, which represents defenses that could be improved to help blocking the attack.
  • Freeze nodes will toggle the auto adjustment on and off.
  • Highlight basepath will make the most likely attack path highlighted when additional attack paths are also shown in the map.
  • Group attack steps will bundle attack steps related to the same object into one bubble to make the map less detailed.

Additional Attack Paths

The initial attack path shown in the map is the most likely attack path the attacker will use. It is also called the Critical Path.

However, securiCAD will also take into consideration that there are other possible attack paths that the attacker might use as well. Let’s look at an example, compromising the Oracle Database, close to the target.

The Critical Path around Oracle Database looks like below.

Critical Path around Oracle Database.
Critical Path around Oracle Database.

We see that the most likely attack step to use here is to use an exploit due to the Oracle Database not being properly patched.

However, this is not the only possible attack step here. Sliding the Detail Level control to the right will show additional attack paths as well.

Detail Level control.
Detail Level control.

This will show additional attack paths on the map.

Additional attack paths around Oracle Database.
Additional attack paths around Oracle Database.

In the center, we have the most likely attack path. Above it, we see a set of attack steps related to using weak login credentials on the Oracle Database and in the lower area we see attack steps making use of UnknownSerivice, representing an unknown/non-maintained service left available on the Prod srv 1 host. Both of these tracks are possible alternatives for compromising the Oracle Database and writing to the Customer records datastore.

Now, when we have seen what the attack paths consist of, we are ready to look at the Chokepoints in the report. These are described in the Chokepoints module.