Beyond vulnerability-based attacks: Identity-based attack path management (APM)

As many of you know, I have been involved in penetration testing since the beginning of my career. It is the passion that has driven my entire career. The very design of the NopSec Threat Exposure Management Platform was an attempt to give organizations a way to track their attack surface and dangerous security vulnerabilities beyond the time scope of the annual compliance-driven penetration test.

As both red and blue teamers know, there is more to attackers’ bag of tricks and kill chain than CVE-based vulnerability exploitation. Attackers can tunnel protocols to evade ingress and egress filtering of traffic to and from the organization’s network. They can also “live off the land”, that is, use configuration and identity management weaknesses to move laterally across the network without raising the alarms that vulnerability exploitation would.

Attack Path Management

Attack Path Management, NopSec’s Threat Exposure Management version of Threat Modeling, provides a visual representation of potential attack paths. It integrates vulnerability exposures, network topology, and firewall segmentation policies. This allows Blue Teams and Vulnerability Management teams to understand the implications of vulnerabilities and misconfigurations within their network. Through this graphical representation, teams can identify and address potential paths that attackers could exploit.

NopSec accomplishes this by mapping vulnerabilities and threat risks together with network topology rules into a graph, so that it can calculate the scenarios in which exploitation from various network segments would be possible if all of those circumstances are met.

[Image: attack-paths]

Obviously, the conditions mentioned above are not the only ones that could contribute to a successful internal network breach.

As I mentioned above, an attacker typically uses CVE-based vulnerability exploitation only to gain the initial foothold into the internal network. All the other “lateral movement” steps are, most of the time, accomplished via “identity-based” exploitation, taking advantage of Windows Active Directory misconfigurations and default passwords left unchanged.

That’s where “Identity-based Attack Path Management” comes into play as part of the NopSec Threat Exposure Management platform.

“Identity-based Attack Path Management”

In essence, Active Directory objects such as Users, Computers, GPOs, OUs and Domains are mapped onto graph nodes together with their permissions and delegations. Paths are then calculated between Computers, taking into account their vulnerabilities, the network topology, and the users and permissions allowed along the path, to reach highly prized assets in the network such as Domain Controllers, SQL Servers and File Servers.

[Image: Identity-APM]

The Identity path explained

As you can see from the graphical network diagram image above, once the attacker reaches a host or a server through a chain of vulnerability exploits, along a path allowed by the subnets and network firewall rules, where privileged users – such as members of the Domain Admins group – are logged in, he can then look in memory for these users’ credentials and, with those permissions, log into Domain Controllers and other prized enterprise servers.

This is exactly what this graphical path is meant to depict.

As a disclaimer, other identity exploitation paths are possible and will be added to this base scenario in short order. Also, this scenario assumes that the privileged users are still logged into the compromised hosts along the path, so that the attacker could harvest the users’ credentials from memory.

Soon we will also add a scenario in which an exploitation path is traced from regular unprivileged users’ hosts to highly prized enterprise servers.

Attack Path Management Recommendations

At this point, you might ask which actions would be recommended to fix the conditions that allow these vulnerabilities, topology and identity-based attack path exposures in the first place.

  • First off, fix vulnerabilities that have a high threat-based risk score, because in most cases they are already actively exploited in the wild and present on high-value assets in your organization;

[Image: APM-Vuln]

  • Secondly, improve firewall rules with additional conditions that restrict traffic to only the required services or, if possible, close the network firewall rules that would allow those vulnerabilities to be reachable by an attacker in the first place, from the Internet and/or from a less privileged subnet in the internal network;

[Image: APM-Vuln1]

  • Lastly, harden your Active Directory installation to fix common misconfigurations such as allowing privileged users to log in on hosts around the network, allowing unconstrained delegation, allowing easily guessable passwords, and leaving open paths from unprivileged user groups to privileged user groups, etc.
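As an added illustration (not NopSec’s code nor the platform’s actual algorithm), the following Python toy models the graph described above: hosts, firewall rules, exploitable vulnerabilities and Active Directory logon sessions and group membership become nodes and edges, a path search finds the route from the Internet to the Domain Controller, and paths_after() shows that each of the three recommendations (patching, firewall restriction, AD hardening) breaks that path. All host names, users, subnets and rules are constructed sample data.

```python
# Constructed sample environment (not real data): hosts (subnet, exploitable
# vulnerability, logged-in users), firewall policy and Active Directory data.
HOSTS = {
    "internet": {"subnet": "internet", "exploitable": False, "sessions": []},
    "web01": {"subnet": "dmz", "exploitable": True, "sessions": []},
    "ws07": {"subnet": "office", "exploitable": True, "sessions": ["alice"]},
    "dc01": {"subnet": "servers", "exploitable": False, "sessions": []},
}
FIREWALL = {("internet", "dmz"), ("dmz", "office"), ("office", "servers")}  # allowed src->dst subnets
GROUPS = {"alice": {"Domain Admins"}}                                      # user -> AD groups
ADMIN_RIGHTS = {"dc01": {"Domain Admins"}, "ws07": {"Domain Admins"}}       # host -> groups with admin logon

def build_graph(hosts=HOSTS, firewall=FIREWALL, groups=GROUPS, admin=ADMIN_RIGHTS):
    """Directed graph {src: [(dst, reason)]}: an edge exists when src's subnet may reach
    dst's subnet AND either dst has an exploitable vulnerability, or a user logged in on
    src belongs to a group with admin rights on dst (credentials in memory on src)."""
    g = {h: [] for h in hosts}
    for src, s in hosts.items():
        for dst, d in hosts.items():
            if src == dst or not (s["subnet"] == d["subnet"] or (s["subnet"], d["subnet"]) in firewall):
                continue
            if d["exploitable"]:
                g[src].append((dst, "vuln"))
            for user in s["sessions"]:
                if groups.get(user, set()) & admin.get(dst, set()):
                    g[src].append((dst, f"identity:{user}"))
    return g

def find_paths(graph, start, target):
    """All simple paths from start to target, each a list of (host, reason) hops."""
    paths, stack = [], [(start, [(start, "start")])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        seen = {h for h, _ in path}
        stack.extend((dst, path + [(dst, why)]) for dst, why in graph[node] if dst not in seen)
    return paths

def paths_after(fix):
    """Re-run the analysis after applying one of the post's three recommendations."""
    hosts, fw = HOSTS, FIREWALL
    if fix == "patch":        # fix the vulnerability on the office workstation
        hosts = {h: dict(v, exploitable=False) if h == "ws07" else v for h, v in HOSTS.items()}
    elif fix == "firewall":   # stop allowing DMZ -> office traffic
        fw = FIREWALL - {("dmz", "office")}
    elif fix == "ad":         # the Domain Admin no longer logs on to the workstation
        hosts = {h: dict(v, sessions=[]) if h == "ws07" else v for h, v in HOSTS.items()}
    return find_paths(build_graph(hosts=hosts, firewall=fw), "internet", "dc01")
```

With the sample data, find_paths(build_graph(), "internet", "dc01") returns the single path internet → web01 (vuln) → ws07 (vuln) → dc01 (identity:alice); each fix in paths_after() returns no path.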

Understanding the relationships between your network, asset, and identity vulnerabilities is essential for visualizing and prioritizing your highest risk exposures. This knowledge is a crucial step in fostering collaboration between Network, Security, and IT teams to mitigate potential attack and breach scenarios effectively.
