Managing and remediating cyber exposures is no simple task.
Keeping up with the myriad vulnerabilities and exposures in an environment is difficult and overwhelming (to say nothing of trying to fix each one as it appears, which is simply impossible). Organizations often turn to prioritization and risk-based vulnerability management tools for some insight, but because these tools highlight every possible vulnerability and exposure, the number of issues to deal with remains unmanageable.
In the end, teams are left with endless lists of issues in need of remediation. It is an exercise in futility, and a major waste of time.
In this blog, we’ll explore why organizations need to evolve from a visibility-centric approach to a remediation-centric one. Addressing seemingly insurmountable numbers of exposures by way of choke points improves remediation efficiency and security posture at the same time.
Choke Points Defined
In battle, you might expect that whoever has the biggest army would be best positioned to win the war. But throughout history, we find examples of intrepid fighters using other tactics to gain an edge, sometimes turning the tide entirely to their advantage. One such method is to use the local terrain to reduce the effectiveness of the opponent, forcing them to travel through a narrow mountain pass or a slender strait. This curtails their movement and gives the “little guy” the opportunity to block the path, essentially cutting the enemy off from their objective.
And this thin passage is referred to as a choke point.
Choke points prevent combatants from bringing their full power to bear, constricting movement towards a target. The stand of the 300 Spartans at Thermopylae, who used a narrow coastal pass to their advantage against a massively superior foe, is one historical example of a military unit leveraging a choke point.
Like other military concepts, the idea of choke points has been adopted in cybersecurity. There, choke points are the places that multiple attack paths pass through just before reaching a critical asset.
To understand choke points in the context of cybersecurity, we must first understand what entities and critical assets are. Entities are any endpoint, file, folder, or cloud resource in your environment that an attacker can use to advance along an attack path towards critical assets. A critical asset is an entity in the network that has potential value to the organization or to an attacker (which makes it a point of interest to an attacker).
A critical asset can be one of the following:
Device: an endpoint in the network.
Data: a file type found on any of the endpoints.
Network: a network-related entity, such as a particular segment or subnet.
Cloud: one of several cloud entity types, such as S3 buckets, Lambda functions, or roles.
That brings us to our usage of the term: a choke point is a key entity where multiple attack paths converge before reaching critical assets. The more attack paths an entity lies on, the more significant a choke point it is.
How Focusing on Choke Points Helps Increase Efficiency
Attackers typically must go through a series of steps to reach critical assets. After an initial breach, they chain a combination of exposures to move laterally: overly permissive identities, Active Directory or infrastructure misconfigurations, risky user behavior, or unpatched vulnerabilities, for example.
Mapping the choke points that attackers move through, and fixing the exposures on them, is the key to remediation efficiency and ultimately to reducing risk to critical assets. By identifying where attack paths converge, teams can see which issues pose the greatest risk to their critical assets. They can then use guided remediation to cut off those entities, rendering multiple exposures irrelevant with one fix.
Focusing on choke points is central to efficient remediation, an important advantage for perennially understaffed and under-provisioned IT and security departments. By seeing how attackers could chain exposures across the environment, organizations can build a complete attack graph and identify the choke points where attack paths converge on their way to critical assets. Cutting off exposures at those choke points eliminates multiple risks in one decisive action.
In fact, our own research found that 75 percent of exposures lead to dead ends: exposures that cannot be used to reach critical assets and therefore represent minimal risk. Just as importantly, only two percent of exposures are actually located on choke points. By concentrating remediation on exposures at choke points, organizations can maximize risk reduction while minimizing the remediation workload of security and IT teams.
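To make the definition from the "Choke Points Defined" section and the dead-end and one-fix claims above concrete, here is a small added example (not code from the original post or from any product) that models an environment as an attack graph. Entities are nodes, each exposure is an edge an attacker can use to move from one entity to the next, and the script enumerates attack paths from entry points to critical assets, ranks intermediate entities by how many paths traverse them, lists exposures that sit on no path (dead ends), and shows how many paths disappear when the top choke point is cut off. The environment, entity names and exposure labels are all constructed for illustration.

```python
"""Toy attack-graph analysis: rank choke points and find dead-end exposures.

Added example, not the original post's code. The graph below is a
constructed, hypothetical environment; names and exposures are made up.
"""
from collections import defaultdict

# Each edge reads: an attacker on `src` can reach `dst` by abusing `exposure`.
EDGES = [
    ("phish-user",  "ws-01",     "user opens malicious attachment"),
    ("vpn-gateway", "ws-02",     "unpatched VPN appliance"),
    ("ws-01",       "jump-host", "cached domain admin credentials"),
    ("ws-02",       "jump-host", "SMB relay (signing disabled)"),
    ("ws-01",       "file-srv",  "overly permissive share"),
    ("jump-host",   "dc-01",     "ADCS misconfiguration"),
    ("jump-host",   "sql-01",    "reused local admin password"),
    ("file-srv",    "sql-01",    "plaintext connection string"),
    ("ws-02",       "printer",   "default SNMP community"),  # leads nowhere
]
ENTRY_POINTS = {"phish-user", "vpn-gateway"}
CRITICAL_ASSETS = {"dc-01", "sql-01"}


def build_graph(edges):
    """Adjacency list keyed by source entity."""
    graph = defaultdict(list)
    for src, dst, _exposure in edges:
        graph[src].append(dst)
    return graph


def enumerate_paths(graph, sources, targets):
    """All simple paths from any entry point to the first critical asset hit.

    Depth-first search; a path stops at the first critical asset it reaches,
    so a critical asset never appears as an intermediate hop.
    """
    paths = []

    def dfs(node, path):
        if node in targets:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:  # no cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for src in sorted(sources):
        dfs(src, [src])
    return paths


def rank_choke_points(paths, sources, targets):
    """Count, per intermediate entity, how many attack paths traverse it.

    Entry points and critical assets are excluded: a choke point is an entity
    the attacker must pass *through*, not start from or end at.
    """
    counts = defaultdict(int)
    for path in paths:
        for node in path:
            if node not in sources and node not in targets:
                counts[node] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def dead_end_exposures(edges, paths):
    """Exposures that appear on no attack path to a critical asset."""
    used = set()
    for path in paths:
        used.update(zip(path, path[1:]))
    return [e for e in edges if (e[0], e[1]) not in used]


def cut_off(edges, entity):
    """Model remediation as removing every exposure touching `entity`."""
    return [e for e in edges if entity not in (e[0], e[1])]


if __name__ == "__main__":
    paths = enumerate_paths(build_graph(EDGES), ENTRY_POINTS, CRITICAL_ASSETS)
    print(f"{len(paths)} attack paths to critical assets")
    for entity, n in rank_choke_points(paths, ENTRY_POINTS, CRITICAL_ASSETS):
        print(f"  choke point {entity}: on {n} paths")
    for src, dst, exposure in dead_end_exposures(EDGES, paths):
        print(f"  dead end: {exposure} ({src} -> {dst})")
    top = rank_choke_points(paths, ENTRY_POINTS, CRITICAL_ASSETS)[0][0]
    remaining = enumerate_paths(build_graph(cut_off(EDGES, top)),
                                ENTRY_POINTS, CRITICAL_ASSETS)
    print(f"after cutting off {top}: {len(remaining)} paths remain")
```

In this constructed graph, jump-host lies on four of the five attack paths, so it is the top choke point; cutting it off leaves a single path (via the file server) and makes the domain controller unreachable, while the printer's SNMP exposure is a dead end that never needed fixing. Two caveats: full path enumeration is exponential in graph size, so real tooling relies on more scalable graph measures than this brute-force count, and the 75 and two percent figures above come from the post's own research, not from anything this toy reproduces.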
Directing resources to fix issues at specific choke points is a different way of working that lets teams quickly reduce overall risk and the number of attack paths available to attackers. Organizations can determine the fewest actions they need to take in order to have the greatest impact on risk.
By focusing on choke points, teams can stop working through an endless list of issues and instead eliminate multiple exposures with one fix. Addressing the most impactful areas first helps overstretched security teams use their resources efficiently and strengthen their security posture at the same time.