security Think

Security Think Tank: How to understand attack paths

The modern-day abundance of platforms, apps and IT tools presents malicious actors with a web of interconnection that is easily exploited to move rapidly through the network to compromise critical assets. Security teams need to understand these attack pathways better in order to fight back By Paddy Francis Published: 12 May 2022 The complexity of…

The modern-day explosion of IT tools, platforms and apps presents malicious actors with an easy way to exploit the network to quickly move through it to compromise important assets. These attack paths are essential for security teams to better understand in order to combat


Paddy Francis


Published: 12 May 2022

The complexity of corporate IT systems has grown significantly in the past 10 years, first with the move from fixed on-premise systems to the cloud, and latterly with the growth of web apps and cloud-based services providing new more efficient ways of doing business.

While some smaller organisations may be fully cloud-based, the vast majority of organisations have a mix of on-premise IT, cloud or hybrid cloud, and use third-party systems and web apps for internal or customer-facing services.

While this has provided a significant increase in capability and efficiency, it has also brought complexity, both technically and organisationally, with external parties such as cloud service providers and developers having security responsibilities for the software or services they provide.

Over the same period, attackers have become more sophisticated, with targeted attacks typically using several vulnerabilities to gain a foothold, escalate their privileges, then move to other hosts and servers within the network.

There will then be yet more exploitation of vulnerabilities to maintain persistence – these vulnerabilities will not just be software vulnerabilities, but could be errors in cloud configuration or identity and access management (IAM), or could be the result of a supply chain attack on a software or service provider.

These can be addressed to some extent through vulnerability scanning and automated cloud policy verification applications that check configurations against a high-level policy, but they can never be eliminated.

The MITRE ATT&CK framework identifies nine main techniques that attackers use to gain initial access.

The majority of these, such as external phishing and exploitation of public apps, web drive-by compromises, exploitation of public applications, replication via removable media, theft of accounts, and exploitation of public-facing app exploitation, will only allow for user-level access.

This allows the attacker to access information available to the user, but does not give full access. This allows the attacker to access information available to the user, but does not give full access.

Similarly, if hosting web applications, exploitation of a vulnerability or misconfiguration in an external-facing web app could give access to an underlying database, or direct access to the operating system and through that to other systems by exploiting other vulnerabilities.

While customer-facing and internal systems should be kept separate, often they are not, and it can be possible to jump from one platform, or system, to another.

The most likely connection will be a common IAM system, particularly if users’ Windows Domain passwords are used across different systems – which is not uncommon. If there is a connection between two systems, an attacker could be able to access them through poor configurations or unpatched vulnerabilities.

This risk cannot be properly addressed without an accurate inventory of assets and interconnections, which needs to be up to date at all times.

“If two systems have a connection, poor configurations or unmitigated vulnerabilities could enable an attacker to move between them.”
Paddy Francis, Airbus CyberSecurity

Once this is in place, the first step in addressing this risk should be zoning/segmentation with appropriate monitoring of inter-zone traffic. Regular vulnerability scanning and patching should follow. If patching is impossible, mitigation of the vulnerabilities should be done. This could be at the level individual vulnerabilities or as a system-level mitigation that addresses multiple vulnerabilities.

Cloud misconfigurations can easily be identified by tools that verify configurations against high-level security policies. This should allow for cloud misconfigurations to being corrected. This assumes that the tool has a policy in place.

Security coding rules and the use of dynamic and static code analysis in DevOps testing cycles will eliminate common issues like buffer overflow or cross-site scripting vulnerabilities.

There will inevitably be vulnerabilities that can’t be patched or mitigated and unknown misconfigurations. There will always be vulnerabilities that cannot be patched or mitigated, and unknown misconfigurations.

Multifactor authentication (MFA), for administrator access, remote acces virtual private networks, and access to other sensitive system will help reduce privilege escalation, the use of stolen credentials, such as password sniffers, keyloggers, etc.

The use of zoning and additional monitoring can also help in creating system-level mitigations for known vulnerabilities and help identify, or prevent, unknown vulnerability and configurations being exploited by limiting traffic between zones to that which would be expected and monitoring inter-zone traffic to dete

Read More

Leave a Reply

Your email address will not be published.