Closing the Gaps: How Attack Path Management Improves Vulnerability Management Programs

In conversation: Pete McKernan & Luke Luckett

As organizations seek to wrap their arms around potential cybersecurity exposures, CIOs and CISOs are increasingly pushing their vulnerability management teams to widen scope. With such a focus, the growing concept of continuous threat exposure management (CTEM) aims to prioritize whatever most threatens the enterprise, whether or not such threats come with a known CVE or are even an unclassified vector for a ransomware attack.

Wherever an organization ranks on the path to CTEM and vulnerability management maturity, IT and cyber leaders are rapidly reducing business risk by adding attack path management (APM) to their programs. The following is a condensed version of a conversation on the topic between Luke Luckett, Director of Product Marketing, and Pete McKernan, Strategic Partner Engineer, who collaborate on Attack Path Management education at SpecterOps.

Luke Luckett: Good morning, Pete. Great to be with you today. In a recent conversation with one of our enterprise customers, you mentioned that Attack Path Management should be a critical part of every organization’s vulnerability management process. That got me curious and I wanted to learn more. So let’s start from the top: what are the key elements of a robust vulnerability management program?

Pete McKernan: Sure. The key elements of any security program start with having a security operations center (SOC) that’s responsible for both maintaining the security baseline of systems and monitoring the environment for any security events. Vulnerability management falls under that umbrella, and it’s about ensuring that systems run as they should. This ties in directly with Attack Path Management, which aligns with vulnerability management in terms of maintaining security over time.

Then, you have SOC analysts using various event monitoring tools to correlate different events and identify risks before things go haywire. Essentially, vulnerability management and Attack Path Management are like twin pillars of a defensive operation — each one is critical to ensuring that systems remain secure.

Luke Luckett: That makes sense. How does Attack Path Management (or APM, as it’s commonly known) fit into that structure?

Pete McKernan: APM complements vulnerability management. Think of vulnerability management as handling patching and configuration of the organization’s software and networks, but it only covers a portion of the environment. APM, particularly with tools like Bloodhound Enterprise, goes deeper by focusing on identity-related risks that traditional vulnerability management tools don’t handle. For example, vulnerability management is great for securing software and checking network configurations, but it doesn’t address how an attacker could exploit an identity system like Active Directory or Entra ID to move laterally across the network.

APM fills this gap by identifying hidden relationships within the environment — using graph theory, for instance — to find weak spots that aren’t immediately visible. This approach supports a “better together” strategy, where traditional vulnerability management tools work hand-in-hand with APM to provide a more complete security picture.

Identity Attack Path Management is a critical part of a robust CTEM and Vulnerability Management strategy. APM helps solve the problem of attack paths, which are often attackers’ quickest path to lateral movement, unauthorized escalations and domain takeovers.

Luke Luckett: That’s really interesting. So how are you seeing security leaders go about integrating Attack Path Management into an existing CTEM or vulnerability management process?

Pete McKernan: The first step is education. The CISO needs to understand what Attack Path Management is and how it fits within the organization’s broader security landscape. Once they grasp the basics, they should engage their vulnerability management team to start a conversation about identity security. Many organizations already have tools (and even separate identity teams) that monitor identity-related risks, but they may not be leveraging them effectively.

I recommend starting with BloodHound’s Community Edition, running it in their environment, and letting the data speak for itself. BloodHound helps blue teams and red teams better understand privileged relationships (attack paths) in Active Directory, Entra, and hybrid environments — so they can eliminate those attack paths. Once teams see the results and the risks highlighted, they can take the next steps to engage further with tools like BloodHound Enterprise. From there, it’s about fusing the data from APM and vulnerability management to get a full picture of the organization’s security posture. You don’t need to build an entirely new program — just empower your current team to see the other half of the picture.

Luke Luckett: It sounds like Attack Path Management provides that extra layer of visibility.

Pete McKernan: Exactly. Vulnerability management typically focuses on the software and network side of things, ensuring that patches are applied, configurations are secure, and no known vulnerabilities are present. But APM looks at how attackers could exploit identities within the organization. For example, if an attacker exploits a vulnerable application on the perimeter, they can use the application’s identity in Active Directory to move laterally and escalate privileges. This is why securing identity is so crucial — it’s often the preferred method of attack in today’s environment.

Luke Luckett: So, how does APM help in real-world scenarios?

Pete McKernan: With APM platforms like Bloodhound Enterprise, we see everything that traditional vulnerability management tools don’t. For example, vulnerability management tools don’t track identities or monitor how they interact across the network. Attackers often weave in and out of both identity and technology silos, meaning they’ll exploit a vulnerable technology and then leverage compromised identities to move through the network.

APM can map out these hidden pathways that attackers might use to gain access to sensitive areas, providing a level of visibility that’s just not available through traditional means. It helps organizations take proactive measures by identifying the vulnerabilities in their identity infrastructure — like dormant accounts with excessive permissions or forgotten groups nested deep within the network.

Luke Luckett: That brings us to the integration process. It sounds like the SOC and vulnerability management teams can easily add APM into their existing workflows.

Pete McKernan: Absolutely. APM integrates almost seamlessly with vulnerability management workflows. Both processes involve scanning systems, analyzing data and taking action based on the findings. Where APM really shines is in the fusion of identity data with the results of vulnerability scans. Once you have that complete picture, you can make far more informed decisions about the security of your environment. Integrating APM data becomes very simple for organizations utilizing data lakes and SIEMs to orchestrate action.

The key is to enable the teams you already have. They’re likely trained and capable of doing this work, but they need the right tools to see both the technological and identity-related risks. Once they have that, you don’t need to build a new program — just add the data and leverage the expertise you already have in place.

Luke Luckett: That makes a lot of sense. Really appreciate your time and expertise on this important topic, Pete! Thank you.

Closing the Gaps: How Attack Path Management Improves Vulnerability Management Programs was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: Closing the Gaps: How Attack Path Management Improves Vulnerability Management Programs | by Luke Luckett | Oct, 2024 | Posts By SpecterOps Team Members