Attack Path Management
Attack Path Management (APM) continuously identifies the possible attack paths through the corporate network, from entry points to critical assets, and prioritizes countermeasures based on actual exploitation risk rather than on CVSS scores alone.
Attack Path Management (APM) addresses a fundamental gap in vulnerability management: a CVSS score describes how severe a vulnerability is in isolation, not whether an attacker in our specific network can reach it, exploit it, and chain it with other weaknesses to get to critical assets.
The Problem with CVSS-Based Prioritization
In a typical enterprise there are thousands of open vulnerabilities, many of them with a CVSS score of 7.0 or higher. They are not all equally urgent, because severity is not the same as reachability:
- A CVSS 9.8 vulnerability on an isolated system that no entry point can reach is less urgent than a CVSS 5.5 vulnerability on a system from which a domain controller can be compromised in one or two further steps.
- A single misconfiguration (an over-privileged AD group, a Domain Admin session on a member server) often carries more risk than any individual vulnerability, and it has no CVSS score at all.
APM therefore thinks in chains, not in individual vulnerabilities: what matters is the position of a weakness on a path from an entry point to a target.
How Attack Path Management Works
1. Asset Discovery and Graph Construction
   - Identify all assets: servers, workstations, AD objects (users, groups, computers), cloud resources, credentials
   - Model the relationships between them: network reachability, AD group memberships, sessions and ACL rights, trust relationships, software dependencies
   - Result: a directed graph of the corporate network in which nodes are assets or principals and edges are ways to move from one to the next
2. Attack Path Analysis
   - Define entry points (e.g., external email, VPN, public web apps)
   - Define targets (e.g., domain controllers, production data, ERP systems)
   - The algorithm enumerates paths from an entry point to a target; in practice this is bounded by path length, since the number of possible paths grows combinatorially with graph size
   - Factors considered: vulnerabilities, misconfigurations, AD permissions (the same edge model BloodHound uses: MemberOf, HasSession, AdminTo, GenericAll and similar)
3. Risk Prioritization
   - Which vulnerability or misconfiguration lies on the shortest or easiest attack path?
   - Chokepoints: which node or edge blocks the most paths when hardened?
   - Output is a recommendation such as: "If you fix this one misconfiguration, 73% of attack paths to the DC will be blocked"
4. Continuous Monitoring
   - Every change (new asset, new vulnerability, new AD group membership, new firewall rule) triggers a new path analysis
   - Alert: "New critical attack path detected" following a change event
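The four steps above, carried through on a small constructed graph. This is an added example, not code from any APM product or from BloodHound: host and principal names (WEB01, APP01, DA_BOB, HELPDESK_GRP and so on) are invented, the edge kinds borrow BloodHound's vocabulary (MemberOf, HasSession, AdminTo, GenericAll) plus a NetworkAccess edge and a generic Exploitable edge that stands for an unspecified vulnerability, and the REMEDIABLE set is an assumption about which edge kinds a defender can remove. It builds the graph, enumerates entry-to-target paths, ranks edges by how many paths they sit on, shows that the highest-severity vulnerability on the graph is on no path at all, and re-runs the analysis after a constructed change event.

```python
"""Toy attack-path analysis over a constructed asset graph (added example)."""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str]   # (source, relationship, target)
Path = Tuple[str, ...]        # ordered node names, entry first

# Constructed sample environment: invented names, no real hosts or CVEs.
# Edge kinds borrow BloodHound's vocabulary; "Exploitable" stands for an
# unspecified vulnerability that yields the target principal.
SAMPLE_EDGES: List[Edge] = [
    ("INTERNET", "NetworkAccess", "WEB01"),            # public web app
    ("INTERNET", "NetworkAccess", "VPN"),
    ("WEB01", "Exploitable", "SVC_WEB"),               # web RCE -> service account
    ("SVC_WEB", "AdminTo", "APP01"),
    ("VPN", "NetworkAccess", "WS01"),
    ("WS01", "HasSession", "HELPDESK_USER"),
    ("HELPDESK_USER", "MemberOf", "HELPDESK_GRP"),
    ("HELPDESK_GRP", "GenericAll", "SRV_ADMINS"),      # misconfigured group ACL
    ("SRV_ADMINS", "AdminTo", "APP01"),
    ("APP01", "HasSession", "DA_BOB"),                 # Domain Admin logged on to app server
    ("DA_BOB", "MemberOf", "DOMAIN_ADMINS"),
    ("WS01", "HasSession", "SVC_BACKUP"),
    ("SVC_BACKUP", "GenericAll", "DOMAIN_ADMINS"),     # service account controls DA group
    ("ISOLATED01", "Exploitable", "ISOLATED01_ROOT"),  # high CVSS, but nothing reaches it
]

# Assumption: edge kinds a defender can remove (patching, ACL cleanup, session hygiene).
REMEDIABLE = {"Exploitable", "GenericAll", "HasSession", "AdminTo"}


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    """Step 1: adjacency list, source -> [(relationship, target), ...]."""
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def find_paths(edges: List[Edge], entries: Set[str], targets: Set[str],
               max_hops: int = 10) -> List[Path]:
    """Step 2: enumerate simple entry->target paths by DFS, bounded by max_hops
    because the number of paths grows combinatorially in real graphs."""
    graph = build_graph(edges)
    found: List[Path] = []

    def walk(node: str, path: List[str]) -> None:
        if node in targets:
            found.append(tuple(path))
            return
        if len(path) - 1 >= max_hops:
            return
        for _rel, nxt in graph.get(node, []):
            if nxt not in path:                       # simple paths only
                walk(nxt, path + [nxt])

    for entry in sorted(entries):
        walk(entry, [entry])
    return found


def shortest_path(paths: List[Path]) -> Path:
    """Fewest hops from entry to target (the 'easiest' path in this toy model)."""
    return min(paths, key=len)


def chokepoint_edges(paths: List[Path], edges: List[Edge]) -> List[Tuple[Edge, float]]:
    """Step 3: rank remediable edges by the share of paths that traverse them.
    Assumes one relationship per ordered node pair."""
    kind = {(s, d): r for s, r, d in edges}
    hits: Counter = Counter()
    for path in paths:
        for s, d in zip(path, path[1:]):
            if kind[(s, d)] in REMEDIABLE:
                hits[(s, kind[(s, d)], d)] += 1
    ranked = [(e, n / len(paths)) for e, n in hits.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def reachable_exploits(paths: List[Path], edges: List[Edge]) -> Set[Edge]:
    """Exploitable edges that actually sit on an entry->target path."""
    hops = {(s, d) for p in paths for s, d in zip(p, p[1:])}
    return {e for e in edges if e[1] == "Exploitable" and (e[0], e[2]) in hops}


def new_paths_after_change(edges: List[Edge], change: Edge,
                           entries: Set[str], targets: Set[str]) -> List[Path]:
    """Step 4: re-analyse after a change event and return paths that are new."""
    before = set(find_paths(edges, entries, targets))
    return [p for p in find_paths(edges + [change], entries, targets) if p not in before]


if __name__ == "__main__":
    entries, targets = {"INTERNET"}, {"DOMAIN_ADMINS"}
    paths = find_paths(SAMPLE_EDGES, entries, targets)
    print(f"{len(paths)} paths; shortest: {' -> '.join(shortest_path(paths))}")
    (edge, share), *_ = chokepoint_edges(paths, SAMPLE_EDGES)
    print(f"chokepoint: remove {edge} to block {share:.0%} of paths")
    print("exploitable edges on a path:", reachable_exploits(paths, SAMPLE_EDGES))
    change = ("HELPDESK_GRP", "GenericAll", "DOMAIN_ADMINS")   # constructed change event
    for p in new_paths_after_change(SAMPLE_EDGES, change, entries, targets):
        print("ALERT new attack path:", " -> ".join(p))
```

On this graph the two prioritizations disagree, which is the point: the shortest path runs over the VPN to a workstation where a backup service account with GenericAll on Domain Admins has a session, while the chokepoint is the Domain Admin session on APP01, which two of the three paths share. Removing that one session (or enforcing a tiering model that forbids it) blocks 67% of the paths; patching the "CVSS 9.8" host ISOLATED01 blocks none, because no entry point reaches it. The change event, a new GenericAll right for the helpdesk group on Domain Admins, creates a fourth path that bypasses the old chokepoint entirely, which is why the analysis has to be re-run on every change rather than on a schedule.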
APM Tools
Specialized APM Tools:
| Tool | Description |
|---|---|
| XM Cyber | Continuous attack path simulation, cloud support |
| Cymulate | Breach and attack simulation + APM combined |
| AttackIQ | MITRE ATT&CK-based simulation + path analysis |
| Skybox Security | Network-centric, firewall rules in path analysis |
Open Source / Free:
| Tool | Description |
|---|---|
| BloodHound | AD-specific attack path analysis (the de facto standard for AD); with the AzureHound collector it also models Entra ID/Azure relationships |
| BloodHound CE | Community Edition maintained by SpecterOps; the actively developed open-source successor to the original BloodHound |
| Adalanche | Open-source AD attack graph tool with its own collector and built-in web UI; ships as a single binary with no separate graph database to operate |
CNAPP with APM functionality:
| Tool | Description |
|---|---|
| Wiz | Cloud-specific attack paths (AWS/Azure/GCP) |
| Orca Security | Cloud asset graph with attack paths |
| Prisma Cloud | Palo Alto Networks CNAPP; covers cloud and hybrid/on-premises workloads |
APM vs. Vulnerability Scan vs. Penetration Test
| Feature | Vulnerability Scan | Penetration Test | Attack Path Management |
|---|---|---|---|
| Perspective | Single system | Attacker (manual) | Attacker (automated) |
| Context | None | Yes (experience) | Yes (graph-based) |
| Continuity | Periodic (scheduled scans) | Point in time (typically annual) | Continuous |
| Prioritization | CVSS Score | Manual Assessment | Path Criticality |
| Effort | Low | High | Medium (after setup) |
APM complements penetration tests; it does not replace them. A manual penetration tester finds business logic flaws and creative attack vectors that an algorithm working on a fixed edge model will overlook. The graph is also only as complete as its collectors: a relationship that was never modelled (a password in a script, an undocumented firewall rule, a credential reused across tiers) is an attack path that APM cannot see, so a clean path analysis is not proof that no path exists.