Most modern security teams perpetually deal with resource constraints. Whether it’s money, manpower or tools, cybersecurity is usually a game of deciding how to allocate very limited resources most effectively.
Focusing on choke points is one of the most impactful, yet not widely appreciated, tactics for solving resource constraints.
Let’s take a closer look at how identifying and addressing choke points can help improve your efficiency and your secure posture.
Choke Points Defined
In battle, it is possible for a numerically outmatched combatant to gain an advantage by using terrain to reduce the effectiveness of its opponent. For example, an army may force a larger and more powerful opponent to travel between a narrow mountain pass, or a navy may force opposing ships to travel through a narrow strait.
These geographical features are commonly referred to as “choke points” in military strategy. These choke points prevent a combatant from bringing its full power to bear, and create vulnerabilities when that combatant is attempting to traverse the chokepoint. The 300 Spartans who famously fought at Thermopylae — and used a narrow coastal pass to their advantage against a massively superior foe — are one historical example of a military unit using a chokepoint to great advantage.
Like other military concepts (such as red team/blue team exercises), the idea of choke points has been ported to the world of cybersecurity. In the latter case, choke points are the places multiple attack paths traverse through just prior to reaching a critical asset.
To understand choke points in the context to cyber security we must first understand what are entities and critical assets. Entities are any endpoint, file, folder, or cloud resource in your environment the attacker can use to advance in an attack path towards your critical assets. A critical asset is an entity in the network that has possible value to an attacker or the organization (which makes it a point of interest to an attacker). A critical asset can be one of the following: Device: An endpoint in the network; Data: A file types found on any of the endpoints; Network: A network-related entity – like a certain segment, subnet, etc.; Cloud: There are multiple cloud entity types, such as S3, Lambda, roles, etc. That brings us to our Choke Points. A Choke Point is the entity presenting the greatest risk to the critical assets and the rest of the environment as well. The greater number of attack paths the entity plays a step in, the more the entity is a choke point.
How Focusing on Choke Points Helps Increase Efficiency
Attackers typically must go through a series of steps to steal assets. They will often breach defenses, move laterally, escalate privileges, evade detection, then exfiltrate data.
Mapping and prioritizing the choke points that attackers move though when launching attacks is a key approach for ensuring that critical assets stay safe. This strategy can also solve resource constraints — an important advantage for perennially understaffed/under-provisioned IT departments.
One example: Studies have shown that organizations that use attack path management have 80% fewer issues to remediate by knowing where to disrupt attack paths. Using such a solution to gain a deeper understanding of attack paths helps organizations identify potential choke points, monitoring requirements and architectural weaknesses. By identifying these issues, they can be prioritized effectively and addressed.
By directing resources to fix issues at specific choke points, it’s possible to quickly reduce overall risk and lower the number of attack paths. Attack path management platforms can help organizations see the smallest number of actions that can be taken to have the greatest impact on risk.
In essence, teams can do a lot more with less.
By understanding how attackers can exploit security gaps like misconfigurations and vulnerabilities in relation to your critical assets, you can disrupt the opportunity for lateral movement across the network — and pinpoint the exact changes needed to quickly eliminate the risk of compromise.
This ability to identify and prioritize the most impactful areas to address helps overstretched security teams optimally deploy their resources, while also creating a stronger security posture.