
Learn about the types of components found in potential attack paths and common component characteristics.

A potential attack path contains:
  • Entry point assets with risk detections indicating the asset is vulnerable to compromise
    • Entry point assets are typically accessible from the internet or displaying signs of potential compromise.
  • A potential path for lateral movement that could allow attackers to reach critical assets using asset relationships
    • Relationships are determined by analyzing the following:
      • Network activities
      • User activities
      • Administrative actions
      • Permissions
      • Cloud asset traffic
  • High-value critical assets that serve as desirable target points for attackers
    • Asset criticality is determined based on asset attributes, represented by platform tags assigned to the asset such as job role, device ownership, or device type. For more information about platform tags, see Asset profile platform tags.
    • You may set a custom criticality level for an asset from the asset profile page if you feel the level assigned by Trend Vision One is insufficient. For information on specific asset profile screen types, see Asset profile screens.
Note
In certain cases, an asset may serve as the entry and target point for an attack path, so no lateral movement path is required.
The tables below provide examples and descriptions of common attack path component characteristics that may be displayed in a potential attack path.

Common entry point asset risks and vulnerabilities

| Example | Description |
| --- | --- |
| Open session with detected threat source | The asset has opened a legitimate session with a potential threat source. |
| Internet exposure | The asset can be accessed from the internet. |
| Detected threat | Malware, trojans, malicious traffic, or backdoors have been detected on the asset. |
| Suspicious activity/behavior | The asset is displaying unusual behavior or activities that may indicate compromise. |
| Leaked credentials | The credentials of an identity-related asset were leaked or otherwise compromised. |
| Administrated by detected threat source | The asset is administrated by a potential threat source and can grant permissions. |
| Detected high-impact vulnerabilities | High-impact vulnerabilities have been detected on the asset. |
| Detected misconfigurations | The asset contains highly exploitable misconfigurations. |
| Weak authentication | The asset uses a weak method of authentication that could be exploited. |
| Excessive permissions | The asset has been granted more permissions than needed and can access large parts of the network. |

Common asset relationships facilitating potential lateral movement

| Example | Description |
| --- | --- |
| Connects | The asset has network activity with other assets. |
| Routes traffic to | The source asset can route traffic to a secondary asset. |
| Runs | The asset runs a secondary asset. |
| Contains | The asset contains a secondary asset. |
| Uses | The asset performs activities with a secondary asset. |
| Manages | The asset has administrative privileges over one or more assets. |
| Has permission to | The asset has permission to access one or a group of resources. |
| Admin to | The asset has direct administrative permission to one or more assets. |
| Can authenticate as | The asset can authenticate to a particular identity and use the identity's privileges. |
| Controls | The asset dictates or orchestrates the actions of other assets. |
| Member of | The asset is a member of another asset. |

Common target point characteristics

| Example | Description |
| --- | --- |
| Critical devices or cloud infrastructure | Devices or cloud resources that are highly critical to business operations and are required for the functionality of other assets. |
| Important users | User accounts with high organizational ranks or functionality. |
| Highly privileged accounts | User accounts granted high privileges to administrate or control multiple assets. |
| Highly privileged service accounts, IAM accounts, or keys | Highly privileged non-human identities used by applications or cloud resources. |
| Assets with sensitive data | A storage-related asset that contains critical data such as keys or financial information. |
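
The three components above can be modeled as a small directed graph. The following is an added illustration, not Trend Vision One's own code or algorithm: the asset names and inventory are constructed, and the breadth-first search is an assumption about how such paths could be enumerated when reviewing your own inventory. It also covers the case from the note where one asset is both entry and target point.

```python
from collections import deque

# Constructed sample inventory (hypothetical asset names, not from a real environment).
# "risks" holds entry point detections; "critical" marks a high-value target point.
ASSETS = {
    "web-vm":      {"risks": ["Internet exposure", "Detected misconfigurations"], "critical": False},
    "deploy-role": {"risks": [], "critical": False},
    "ci-runner":   {"risks": [], "critical": False},
    "billing-db":  {"risks": [], "critical": True},
    "vpn-gateway": {"risks": ["Weak authentication"], "critical": True},
    "kiosk":       {"risks": [], "critical": False},
}

# Directed relationships (source, relationship, destination); labels come from the table above.
RELATIONSHIPS = [
    ("web-vm", "Can authenticate as", "deploy-role"),
    ("deploy-role", "Admin to", "ci-runner"),
    ("ci-runner", "Has permission to", "billing-db"),
    ("deploy-role", "Has permission to", "billing-db"),
    ("kiosk", "Connects", "billing-db"),
]

def find_attack_paths(assets, relationships):
    """Shortest path [asset, relationship, asset, ...] from each entry point to each critical asset."""
    edges = {}
    for src, rel, dst in relationships:
        edges.setdefault(src, []).append((rel, dst))
    paths = []
    for entry, info in assets.items():
        if not info["risks"]:
            continue  # only assets with risk detections qualify as entry points
        queue = deque([[entry]])
        seen = {entry}
        while queue:
            path = queue.popleft()
            node = path[-1]
            if assets[node]["critical"]:
                paths.append(path)  # entry == target gives a single-asset path
            for rel, dst in edges.get(node, []):
                if dst not in seen:
                    seen.add(dst)
                    queue.append(path + [rel, dst])
    return paths

if __name__ == "__main__":
    for p in find_attack_paths(ASSETS, RELATIONSHIPS):
        print(" -> ".join(p))
```

In this sample, `kiosk` has a relationship to a critical asset but no risk detection, so it never starts a path; removing the `deploy-role` permission on `billing-db` lengthens the path but does not break it, which shows why each relationship on a path needs review.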