Critical Path

Looking to the right in the High Value Assets table, we find the Critical Path icons to every asset.

Clicking on for instance the Critical Path icon of Customer records / Write, will show the most likely attack path that securiCAD has found.

What we see here is the most likely attack path. Every bubble is an attack step and the arrows in between them indicates how hard each “jump” is expected to be and also how important it is to the attacker.

Red arrows indicate that an attack step is quickly achieved and yellow ones indicate attack steps that will take more time. Thick arrows indicate attack steps that are important to the attacker while thin arrows indicate less important attack steps where the attacker has more alternative options to use.

At first, the attack steps are floating around trying to automatically adjust themselves. If we rearrange the attack steps a bit, we will see the attack path more clearly.

The above set of attack steps illustrate the beginning of the simulated attack. To a penetration tester, this is trivial but useful to illustrate how attack steps are drawn.

  • The attacker’s starting point is the Workstation 1 host.
  • This gives access to dumping the memory of the LSASS process as well as the RDP Client installed on the host.
  • The LSASS dump is not encrypted (enough to present a problem). The attacker finds the (local) Administrator credentials in it.
  • The RDP Client can be used to use (Request) the RDP Session dataflow which in turn gives the attacker possibility to Connect to the RDP Service.
  • Having access to the RDP Session dataflow, in combination with having found the Administrator UserAccount, gives the attacker RootShellLogin on the RDP Service.
  • Succeeding with RootShellLogin on RDP Service gives Compromise on the Stage srv 1 host since the RDP service is running with SYSTEM privileges in the model.

This way you can investigate different parts of an attack path or a kill chain to review it or to see possible mitigations related to this particular attack path.

However, depending on your security analysis approach, this might not be necessary at all.