Parisians play chess at Luxembourg Gardens in Paris to celebrate New Year’s Day on January 01, 2021. Today’s columnist, Menachem Shafran of XM Cyber, writes how attack path management can help security teams play chess instead of checkers to fight the hackers. (Photo by Kiran Ridley/Getty Images)

Cybersecurity teams too often try to protect everything at once. I realize this may seem counterintuitive. But think of it this way: Even a novice chess player knows it’s difficult to protect every single piece on the board. Therefore, the player must focus on the most important pieces. Cybersecurity works much the same way: Security teams can simplify and improve cyber defenses through a focused process called attack path management.

Why protecting everything doesn’t work

Enterprise IT teams typically try to boil the ocean, investing in myriad cybersecurity solutions such as endpoint protection, network security, firewalls, and penetration testing. And obviously, they are often quite effective. But it’s just not enough.

Unfortunately, this strategy treats all company data with equal importance. Photos purchased from iStock get the same level of security as private health information. If an attacker gains access to a network, they would only have to exploit simple security mishaps to move laterally and eventually reveal basically everything.

I don’t recommend this as the best way to protect information. Different data stores have varying degrees of sensitivity and security teams should prioritize accordingly. Returning to the chess analogy, the pawns, rooks, bishops and knights are all the bits of data and documents a company stores for standard operations, but the King and Queen are critical assets. In practical terms these assets are often   customer data, intellectual property, and financial transactions. A good cybersecurity strategy triages by first focusing on protecting the King and Queen.

But how does a security team do that when they’re running a complex multi-cloud or hybrid cloud with a limited understanding of its vulnerabilities, misconfigurations, overly permissive identities and how attackers can exploit them? Companies really need the ability to view the network through the eyes of the attacker. And that’s where attack path management comes in.

Explaining the attack path

Isolated vulnerabilities are not a true reflection of cyber risk, because many offer no access to sensitive assets even if they are exploited. An attack path, on the other hand, functions as a chain of security gaps -- including vulnerabilities, lapsed security controls, overly permissive identities and other examples of poor security hygiene. It gives attackers a path through the network to reach the company’s critical assets.

Attackers are working harder, but they don’t need to work that hard. They only must access one of these attack paths to have a devastating impact.

Identifying and fortifying the attack paths to critical assets allows the security team to eliminate 95% of the company’s cyber risk by focusing on the 5% that makes a difference. More specifically, it lets the team to make sure that when hackers breach the network, there's no way they can reach the most critical assets.

How attack graphing work

Security teams can discover both common and hidden attack paths to critical assets by playing out multiple scenarios the way they would on a chess board. Think like the other player (the attacker): If x happens, it could lead to y.

Cyber-attack graphs are visual maps of all possible paths that an attacker could take within a cybersecurity network to successfully reach the company’s critical assets. Some of these paths will lead to second or third tier data, but others are a straight shot to sensitive data -- and that’s what the graphing looks for.

The importance of chokepoints

Mapping out these thousands of paths creates an attack graph that security teams can carefully analyze to reduce risk and improve the company’s security stance. Some critical junctions will show up repeatedly in multiple scenarios, and these are known as chokepoints. Chokepoints are different for every company; they might include a folder that everyone has access to, or a device with poor security. They represent the key entities that all attack paths traverse through. So once the team has used attack graphing to identify priority chokepoints, they can quickly and easily secure them and cut off access to critical assets.

Organizations looking to improve their security posture must develop a comprehensive understanding of the attack paths and chokepoints within their network. Attack path management must become a part of every enterprise’s arsenal because it is the only way to view the environment the same way that attackers do and focus on eradicating the risk in the most cost-effective manner. Only with the true context of the routes an attacker can take to reach the critical assets can this become a reality.

Menachem Shafran, vice president, product, XM Cyber