Learn about some of the types of components found in potential attack paths.
A potential attack path contains:
- A potential threat source
- Vulnerable assets
- A potential path for lateral movement
- Assets likely to be targeted
The tables below provide examples and descriptions of some potential attack path components.
Potential threat sources
| Example | Description |
|---|---|
| Internet exposure | The asset can be accessed from the internet. |
| Detected threat | Malware, trojans, malicious traffic, or backdoors have been detected on the asset. |
| Suspicious activity/behavior | The asset is displaying unusual behavior or activities that may indicate compromise. |
| Leaked credentials | The credentials of an identity-related asset were leaked or otherwise compromised. |
Vulnerable assets
| Example | Description |
|---|---|
| Open session with detected threat source | The asset has opened a legitimate session with a potential threat source. |
| Administrated by detected threat source | The asset is administrated by a potential threat source and can grant permissions. |
| Detected high-impact vulnerabilities | High-impact vulnerabilities have been detected on the asset. |
| Detected misconfigurations | The asset contains highly exploitable misconfigurations. |
| Weak authentication | The asset uses a weak method of authentication that could be exploited. |
| Excessive permissions | The asset has been granted more permissions than needed and can access large parts of the network. |
Relationships facilitating potential lateral movement
| Example | Description |
|---|---|
| Connects | The asset has network activity with other assets. |
| Routes traffic to | The source asset can route traffic to a secondary asset. |
| Runs | The asset runs a secondary asset. |
| Contains | The asset contains a secondary asset. |
| Uses | The asset performs activities with a secondary asset. |
| Manages | The asset has administrative privileges over one or more assets. |
| Has permission to | The asset has permission to access one or a group of resources. |
| Admin to | The asset has direct administrative permission to one or more assets. |
| Can authenticate as | The Azure asset can authenticate to a particular identity and use the identity's privileges. |
| Controls | The asset dictates or orchestrates the actions of other assets. |
| Member of | The asset is a member of another asset. |
Likely targets
| Example | Description |
|---|---|
| Critical devices or cloud infrastructure | Devices or cloud resources that are highly critical to business operations and are required for the functionality of other assets. |
| Important users | User accounts with high organizational ranks or functionality. |
| Highly privileged accounts | User accounts granted high privileges to administrate or control multiple assets. |
| Highly privileged service accounts, IAM accounts, or keys | Highly privileged non-human identities used by applications or cloud resources. |
| Assets with sensitive data | A storage-related asset that contains critical data such as keys or financial information. |
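The four component types above compose into a path: a threat source reaches a vulnerable asset, lateral-movement relationships carry the attacker onward, and the path ends at a likely target. The following is an added example, not code from the original page or from the product it describes, that models a small constructed inventory with exactly this taxonomy and enumerates the potential attack paths in it; all asset names (`web-vm`, `svc-app`, `ops-admin`, `fin-storage`, `laptop-01`) are hypothetical.

```python
from collections import deque
from dataclasses import dataclass, field

# Relationship types the page lists as facilitating lateral movement.
LATERAL_MOVEMENT = {
    "Connects", "Routes traffic to", "Runs", "Contains", "Uses", "Manages",
    "Has permission to", "Admin to", "Can authenticate as", "Controls", "Member of",
}

@dataclass
class Asset:
    name: str
    threat_sources: set = field(default_factory=set)  # e.g. "Internet exposure"
    weaknesses: set = field(default_factory=set)      # e.g. "Weak authentication"
    target_class: str = ""                            # e.g. "Highly privileged accounts"
    edges: list = field(default_factory=list)         # (relationship, neighbour name)

def find_attack_paths(assets, max_hops=6):
    """Enumerate paths: threat source -> vulnerable asset -> lateral moves -> target."""
    paths = []
    # An entry point needs both a threat source and a weakness that source can exploit.
    entries = [a for a in assets.values() if a.threat_sources and a.weaknesses]
    for entry in entries:
        queue = deque([[entry.name]])
        while queue:
            path = queue.popleft()
            for rel, nxt in assets[path[-1]].edges:
                if rel not in LATERAL_MOVEMENT or nxt in path:
                    continue  # ignore non-movement edges and loops
                new_path = path + [f"--{rel}-->", nxt]
                if assets[nxt].target_class:
                    paths.append(new_path)  # reached a likely target
                if len(new_path) // 2 < max_hops:
                    queue.append(new_path)
    return paths

# Constructed sample inventory (hypothetical names, not from any real environment).
SAMPLE = {a.name: a for a in [
    Asset("web-vm", {"Internet exposure"}, {"Detected high-impact vulnerabilities"},
          edges=[("Runs", "svc-app"), ("Connects", "log-collector")]),
    Asset("svc-app", edges=[("Can authenticate as", "ops-admin")]),
    Asset("ops-admin", target_class="Highly privileged accounts",
          edges=[("Admin to", "fin-storage")]),
    Asset("fin-storage", target_class="Assets with sensitive data"),
    Asset("log-collector"),
    # Weak authentication but no threat source reaching it: not an entry point on its own.
    Asset("laptop-01", weaknesses={"Weak authentication"}, edges=[("Connects", "fin-storage")]),
]}
```

`find_attack_paths(SAMPLE)` returns two paths, both starting at the internet-exposed, vulnerable `web-vm` and ending at `ops-admin` and `fin-storage` respectively; `laptop-01` never appears because a weakness without a threat source is not an entry point, and lowering `max_hops` prunes the longer path.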