Owner security

The Beginner’s Guide to Attack Paths

Description: Why the future of cloud security is to behave like an attacker.


  • How the threat landscape is changing
  • What is an attack path?
  • Attack Paths vs. Security Findings
  • The anatomy of an attack path

How the threat landscape is changing

According to Gartner, global spending on security and risk management will reach $150 billion in 2021. In another report by Cybersecurity companies, cybersecurity spending could reach $1.75 trillion. With all the tools and increased security spending, one would expect security teams to feel confident in protecting their assets. Yet today’s security teams are overwhelmed by the volume of alerts, struggle with siloed security findings, and find it nearly impossible to determine which findings are critical and need immediate remediation and which are not.

Could today’s security teams be wrong about security?

Protecting multi-cloud environments with many layers and a multitude of attack vectors means that a future solution must also be multi-faceted. It should be contextual and link findings at multiple levels. It should be intuitive and able to prioritize findings while presenting them visually. It should be sophisticated in nature, anticipating a hacker’s moves rather than just rehashing existing vulnerabilities.

What is an attack path?

An attack path is not the same as an attack vector. These terms are often used interchangeably, but an attack vector is a single method an attacker uses to compromise a cloud environment, while an attack path can be defined as follows:

  • It’s like a map or a recipe. An attack path is a visual representation of exploitable attack vectors. Think of it as a “map” or “recipe” an attacker could use to compromise a cloud environment. The attack path emphasizes “connecting the dots” and looking at the full context of an imposed risk.
  • It’s contextual. This context incorporates elements of a variety of risk categories – from the network exposure of the asset in question, to the asset whose access privileges are elevated by the risky roles and permissions attached to it, up to the “jewel in the crown” – the exploitation of sensitive data.
  • It’s like looking through the attacker’s lens. Attack paths can reveal new and unknown risks, rather than only those from known attack vectors. How can this be done? By analyzing your attack surface through the attacker’s lens. Attackers map security findings by identifying them in a cloud environment, then they see how each aspect of one finding could potentially impact another should it be compromised. This is how critical attack paths are constructed and eventually prioritized – which assets could be compromised, how easily, which connected accounts/identities or permissions could an intruder access if they breach asset X? Where are the most exploitable gaps in your cloud surface? The ability to think like an attacker provides an advantage – instead of reacting to violations, it is possible to proactively determine where your multi-cloud environment has the most “attractive” shortcomings.

This is why attack paths are important. It’s a new representation, a new metric that leads to real risk reduction.

Attack Paths vs. Security Findings

Yet most security teams today focus on security findings.

An attack path is very different from a security finding. While security findings are a good starting point for protecting your cloud environment, singular findings can leave holes in the big picture. The attack path's connecting-the-dots approach provides a more sophisticated view of vulnerabilities than a simple security score would. It includes the context and assesses the combined risk according to several different variables:

Attack path compared with security finding:

  • Attack path: combines several findings. Security finding: a single statement.
  • Attack path: uses the context. Security finding: without context, presented in a silo.
  • Attack path: big picture. Security finding: narrow point of view.
  • Attack path: presents a complete real risk. Security finding: presents partial risk – disconnected from other factors in a given environment.

Relevant risk categories

Open CVEs, risky vs. permissive roles, private IPs exposed to the internet, malware risks… all of these facets are important factors in setting priorities for time-strapped security and DevOps teams. But these are just a few. Here is a list of relevant risk categories:

  • Public exposure
  • Identity risk
  • Compromised Account
  • Data at risk
  • Identifiers
  • Setup risk
  • Asset at risk

The attack path is key to understanding the context of risks imposed on a cloud environment, as opposed to individual security findings, where relationships and connections to other nodes or security issues may not be readily apparent. Attack paths show you what to focus on first, giving you the real, exploitable risk.

The anatomy of an attack path

Attack path analysis is the key to uncovering new and known risks. As a “map” or “recipe” an attacker could use, the intuitive and easy-to-understand visualization of these attack paths is a game-changer for security organizations. Let’s look at some examples:

Example 1: Access key shared by multiple EC2 instances (low)

Attack paths can find threats visible only from the topology of the graph and the logical connections between the nodes it contains. To take the simplest case, think of an access key shared by multiple EC2 instances, as shown in the diagram below. By running a degree centrality algorithm on all access keys that exist in the topology, we can detect attack paths that pose serious risk and could potentially lead attackers to perform lateral movements in the environment to reach sensitive data or any other payload.

Attack path analysis gives the cloud owner a complete view of imposed risks and assets, specifically those that are affected or at risk of attack. This view not only helps mitigate current cases, but it also prevents attacks from occurring in the future.
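The degree centrality check described in Example 1, as an added sketch that is not Lightspin's code: it builds an instance-to-access-key graph from a constructed inventory, ranks keys by degree centrality, and lists which other instances share a key chain with a given one. All ids and function names are assumptions made for the illustration.

```python
from collections import defaultdict, deque

# Constructed inventory of (EC2 instance, access key) pairs; all ids are made up.
EDGES = [
    ("i-web-1", "key-shared"),
    ("i-web-2", "key-shared"),
    ("i-batch-1", "key-shared"),
    ("i-batch-1", "key-batch"),
    ("i-db-1", "key-db"),
]

def build_graph(edges):
    """Undirected adjacency map over instance nodes and key nodes."""
    adj = defaultdict(set)
    for instance, key in edges:
        adj[instance].add(key)
        adj[key].add(instance)
    return adj

def degree_centrality(adj):
    """Degree of each node divided by (n - 1), the usual normalisation."""
    denom = max(len(adj) - 1, 1)
    return {node: len(nbrs) / denom for node, nbrs in adj.items()}

def shared_keys(edges, min_instances=2):
    """Keys attached to at least min_instances instances, most central first."""
    adj = build_graph(edges)
    cent = degree_centrality(adj)
    keys = {key for _, key in edges}
    hits = [(k, round(cent[k], 3), sorted(adj[k]))
            for k in keys if len(adj[k]) >= min_instances]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

def instances_sharing_key_chain(edges, start):
    """Other instances connected to start through one or more shared keys."""
    adj = build_graph(edges)
    instances = {i for i, _ in edges}
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted((seen & instances) - {start})

if __name__ == "__main__":
    for key, score, attached in shared_keys(EDGES):
        print(f"{key}: centrality={score} instances={attached}")
    print("blast radius of i-web-1:", instances_sharing_key_chain(EDGES, "i-web-1"))
```

Keys at the top of the ranking are the first candidates for splitting into per-instance credentials or replacing with instance roles.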

Example 2: Use of IMDSv1 (low) and highly permissive role attached to the workload (medium)

The following two security findings are shown in the panel:

  1. Use of IMDSv1 (low)
  2. Very permissive role attached to the workload (medium)

Without any context, these two singular findings can be considered unrelated. But what if we add a little context? Suppose there is an EC2 instance in the AWS account that uses IMDSv1 and has an “S3 read all” role attached.

We can now understand the connection between these two seemingly unrelated security findings: they are both linked to the same EC2 instance. Now that we understand that they are related, we need to better understand the real risk associated with them. Should these findings be marked as “Low Risk” or “Medium Risk”?

To answer this question and calculate the actual risk, we need to look at the entire cloud environment. We need to answer some important questions, including:

  • In which VPC is this EC2 located?
  • Is it private or accessible to the public?
  • What are the effective permissions between the role and the buckets?
  • and more…

Analyzing the identified security findings in context allows us to assess the actual risk. In this scenario, if the EC2 instance is public for any IP address and the bucket’s resource-based policy does not deny access, the actual risk should be designated as “high”.
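The Example 2 reasoning written out as an added sketch (not Lightspin's engine): findings are grouped per asset, and the combined risk is raised to “high” only when the IMDSv1 and permissive-role findings land on the same instance, that instance is public for any IP address, and the bucket policy does not deny access. The finding types, field names and ids are assumptions, and the data is constructed.

```python
SEVERITY = ["low", "medium", "high"]

# Constructed findings and environment context; names and ids are made up.
FINDINGS = [
    {"asset": "i-0example", "type": "imdsv1_enabled", "severity": "low"},
    {"asset": "i-0example", "type": "permissive_role", "severity": "medium"},
    {"asset": "i-1example", "type": "imdsv1_enabled", "severity": "low"},
]
CONTEXT = {
    "i-0example": {"public_any_ip": True, "bucket_policy_denies": False},
    "i-1example": {"public_any_ip": False, "bucket_policy_denies": False},
}

def contextual_risk(findings, context):
    """Return {asset: (risk, reason)} after correlating findings per asset."""
    by_asset = {}
    for finding in findings:
        by_asset.setdefault(finding["asset"], []).append(finding)

    result = {}
    for asset, items in by_asset.items():
        # Baseline: the highest severity of any single finding on the asset.
        base = max((f["severity"] for f in items), key=SEVERITY.index)
        ctx = context.get(asset)
        if ctx is None:
            result[asset] = (base, "no context available; highest single finding")
            continue
        types = {f["type"] for f in items}
        chained = {"imdsv1_enabled", "permissive_role"} <= types
        if chained and ctx["public_any_ip"] and not ctx["bucket_policy_denies"]:
            reason = "IMDSv1 and permissive role on a public instance; bucket policy does not deny"
            result[asset] = ("high", reason)
        else:
            result[asset] = (base, "highest single finding; chain incomplete")
    return result

if __name__ == "__main__":
    for asset, (risk, reason) in contextual_risk(FINDINGS, CONTEXT).items():
        print(f"{asset}: {risk} ({reason})")
```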

Why it matters

Current attack vector analysis focuses on just one method. Even attack surface tools focus on existing attack vectors. None of these approaches sufficiently quantifies risk or helps security teams discover problems in the cloud. So what’s the answer?

Leverage attack path technology. Attack path analysis is a huge step forward for cloud security. A reliable attack path analysis system gives a contextual, well-informed overview that combats security blind spots, helps both track and prioritize threats, makes risk reduction and attack mitigation efforts more productive, and leads to more intuitive and improved decision-making.

Lightspin’s graph-based cloud security platform takes the noise out of non-critical misconfiguration alerts and helps us shine a light on critical attack paths using their prioritization engine.

Yossi Yeshua, CISO


*** This is a Security Bloggers Network syndicated blog from the Lightspin Blog, written by Kenneth Balibalos. Read the original post at: https://blog.lightspin.io/the-beginners-guide-to-attack-paths