Complexity v. Simplicity: Designing Attack Graphs for Usability
As attack surfaces expand, it is increasingly important that attack surface management (ASM) strategies consider how to visualize and conceptualize them. Proper visualization aids risk management and helps teams understand the attack paths a cybercriminal may use.
Graph-based visualization strategies have often been suggested as the right attack surface management tool for this challenge. The only question is how to balance the complexity of the attack surfaces represented in these graphs with a simplicity that makes them easily usable.
What is attack surface management?
Attack surface management is a security strategy which maps and monitors all digital assets connected to your IT infrastructure. These assets can include web applications, apps, end-user devices like laptops, cloud storage and more. External attack surface management focuses only on assets which are internet-facing.
The goal of attack surface management is to identify and assess all internal and external assets for possible risks to your organization.
What is an attack graph?
An attack graph visualizes an attack surface as a graph with linked assets. Graph-based visualization strategies help to map the attack paths a cybercriminal might take to exploit an asset. They help to identify vulnerabilities in a company’s IT infrastructure, providing important information to defense teams. As such, attack graphs act as an effective attack surface management tool.
Why are attack graphs important for attack surface management?
- Attack graphs help you to keep track of rapidly expanding assets
- Attack graphs help you to visualize how interconnected assets make up your attack surface
Attack graphs help you to keep track of rapidly expanding assets
Attack surfaces are rapidly expanding. The pandemic spearheaded the rise of multi-cloud work-from-home strategies, leading to a decentralization of company IT infrastructure. With such an expansion, 30 - 40% of a company’s digital assets remain unknown to security teams. Attack graphs which take into consideration assets across multiple platforms are useful for keeping track of constantly evolving attack surfaces.
Attack graphs help you to visualize how interconnected assets make up your attack surface
Digital assets do not exist in a vacuum, and it’s important to think about how they fit together when doing attack surface analysis. An attack on one asset can allow for lateral movement through a system that results in an attack on another asset.
Attack graphs link assets through clustering, nodes and visuals as simple as strike lines. These links help defense teams to consider vulnerabilities in one asset in the context of the wider system, and strengthen external attack surface management.
The struggle of complexity versus simplicity
While attack graphs are useful for keeping track of expanding external attack surfaces, there is increasingly an issue of scale. Attack surface management tools often must consider tens of thousands of assets.
In their study of scaling attack graphs, Ou and Boyer suggest that it is desirable for an attack graph to be computable for enterprises with 1000 to 10 000 hosts. However, that scale often results in a level of complexity that is difficult for a user to make sense of.
Complexity stems from the fact that not all assets are necessarily relevant to defense teams. When the purpose of an attack graph is to help a defense team understand core security problems, certain portions of the graph may be less important. Less relevant parts lead to clutter rather than helping with insights.
For example, an asset may be considered irrelevant to a security team for any of the following reasons:
- The asset has no risk or is not connected to another asset that has risk
- The asset involves a low-rated risk
- The asset is a standalone asset that is not related to another asset
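The three relevance rules above, applied to a small attack graph as an added example (not Hadrian's code). The asset names, edges and risk scores are constructed; the `low` threshold decides what counts as a rated risk, and the example adds one safeguard the text does not spell out: an asset that lies on a path into a rated asset is never pruned, so filtering cannot sever an attack path.

```python
from collections import deque

# Constructed sample graph: edge (a, b) means an attacker holding `a` can move to `b`.
EDGES = [
    ("vpn-gw", "jump-host"), ("jump-host", "db-01"),
    ("cdn-edge", "web-01"), ("web-01", "api-01"), ("api-01", "db-01"),
    ("db-01", "backup-01"),
    ("badge-reader", "hvac-ctl"),  # low-rated device linked only to an unrated one
    ("printer-07", "kiosk-03"),    # two unrated devices linked only to each other
]
# Constructed risk scores: 0 = no known risk, 10 = critical.
RISK = {
    "vpn-gw": 8, "jump-host": 0, "db-01": 9, "web-01": 2, "api-01": 0, "cdn-edge": 0,
    "backup-01": 0, "badge-reader": 3, "hvac-ctl": 0, "printer-07": 0, "kiosk-03": 0,
    "sign-01": 0,  # standalone asset with no edges at all
}


def prune_attack_graph(edges, risk, low=4):
    """Apply the three irrelevance rules; return (kept, kept_edges, dropped).

    An asset "has risk" only when its score reaches `low`; `dropped` maps each
    removed asset to the rule that removed it."""
    nodes = set(risk) | {n for edge in edges for n in edge}
    out_nb = {n: set() for n in nodes}
    in_nb = {n: set() for n in nodes}
    for a, b in edges:
        out_nb[a].add(b)
        in_nb[b].add(a)
    rated = {n for n in nodes if risk.get(n, 0) >= low}
    # Safeguard added here (not stated in the text): never hide a rated asset or
    # any asset an attacker could traverse to reach one. A reverse BFS from the
    # rated assets collects every asset on such a path.
    on_path, queue = set(rated), deque(rated)
    while queue:
        for pred in in_nb[queue.popleft()] - on_path:
            on_path.add(pred)
            queue.append(pred)
    dropped = {}
    for n in nodes - on_path:
        neighbours = out_nb[n] | in_nb[n]
        if not neighbours:
            dropped[n] = "standalone asset"
        elif risk.get(n, 0) == 0 and not neighbours & rated:
            dropped[n] = "no risk and no rated neighbour"
        elif 0 < risk.get(n, 0) < low:
            dropped[n] = "low-rated risk"
    kept = nodes - set(dropped)
    return kept, [(a, b) for a, b in edges if a in kept and b in kept], dropped
```

Note that `web-01` carries only a low-rated risk yet stays on the map, because an attacker can move from it through `api-01` into `db-01`.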
In addition, Homer, Varikuti, Ou and McQueen note that one of the complexities of attack graphs is that many edges are directed towards one asset. For example, one server could be the destination of multiple different attacks that take paths through different assets. Understanding where the overlap is relevant versus where it is redundant is important to being able to make effective defense decisions.
How Hadrian’s ASM tool balances complexity vs simplicity
- Multifunctional attack maps which consider end goals of different types of users
- Clustering of relevant and similar digital assets
- Easily usable querying and search functions
Tailored attack maps which consider end goals of different types of users
Hadrian prioritizes the customer throughout the process of building an attack map. Feedback loops ensure that a customer’s attack surface management goals are taken into consideration, and iterations are made.
Hadrian’s UI/UX designer Yujie Shan emphasizes that attack maps become more useful when you consider your target users. A CISO might be interested in a broader and more holistic map that contains all assets. In contrast, a security analyst might find it more useful to see a map that contains only assets which have changed in a given time frame.
Hadrian works together with our customers to strip away complexity and zero in on their security goals.
Clustering of relevant and similar digital assets
Clustering of relevant and similar digital assets is often a solution to balancing complexity and simplicity in attack maps. Homer, Varikuti, Ou and McQueen argue that grouping similar attack steps and assets can help to make complex network systems easily understandable.
Hadrian also aims to use clustering, and our attack maps feature grouping behavior. Tags for specific types of assets are revealed as users zoom in and out of their attack map, similar to Google Maps. Hadrian’s clients can focus on a specific part of the attack surface and gain a deeper understanding of it.
The ideal attack map allows you to move through different layers of asset groupings. At the top level would be assets connected via IPs. Underneath that layer a user could zoom in to see the kind of application or service running behind the IP address and the data that is attached to it.
Easily usable query, navigation and search functions
Product Designer Vincent de Bel and UI/UX Designer Yujie Shan also note the importance of a dashboard being interactive in order to better help users meet their end goals. Giving users the ability to access different views of the dashboard increases their engagement and use of the tool for attack surface management.
Yujie Shan notes that as the dashboard evolves there will be different search and query functions. These functions will be used to navigate the attack map. One view might allow you to look at one specific risk and see all the assets connected to it. A different view might look at only assets connected to a certain port, or accessible by a certain endpoint.
Search and query functions also allow users to constantly change the dashboard to fit their current goal. As security needs within a company evolve, this ensures that the data presented in the attack map is always relevant.
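The IP → service → data layering and the port-based view described in the two sections above, as an added example (not Hadrian's code). The inventory records, TEST-NET addresses, ports and risk scores are constructed; the point the code adds is that a collapsed cluster inherits the highest risk beneath it, so zooming out never hides the critical finding.

```python
from collections import defaultdict

# Constructed inventory: one record per exposed service and the data behind it.
ASSETS = [
    {"ip": "203.0.113.10", "service": "nginx", "port": 443, "data": "marketing site", "risk": 1},
    {"ip": "203.0.113.10", "service": "ssh", "port": 22, "data": "admin shell", "risk": 7},
    {"ip": "203.0.113.25", "service": "postgres", "port": 5432, "data": "customer PII", "risk": 9},
    {"ip": "203.0.113.25", "service": "grafana", "port": 3000, "data": "metrics", "risk": 4},
    {"ip": "198.51.100.7", "service": "smtp", "port": 25, "data": "mail relay", "risk": 2},
]


def build_layers(assets):
    """Group records into the IP -> service -> data hierarchy from the text."""
    tree = defaultdict(lambda: defaultdict(list))
    for rec in assets:
        tree[rec["ip"]][rec["service"]].append(rec)
    return tree


def render(tree, zoom):
    """Return (label, risk) rows for a zoom level: 0 = IPs only, 1 = IP and
    service, 2 = everything. A collapsed cluster carries the maximum risk of
    everything beneath it."""
    rows = []
    for ip, services in sorted(tree.items()):
        rows.append((ip, max(r["risk"] for recs in services.values() for r in recs)))
        if zoom < 1:
            continue
        for svc, recs in sorted(services.items()):
            rows.append((f"{ip}/{svc}:{recs[0]['port']}", max(r["risk"] for r in recs)))
            if zoom >= 2:
                rows.extend((f"{ip}/{svc}/{r['data']}", r["risk"]) for r in recs)
    return rows


def view_by_port(assets, port):
    """Analyst view from the text: only the assets exposing a given port."""
    return sorted(f"{a['ip']}:{a['port']}/{a['service']}" for a in assets if a["port"] == port)


if __name__ == "__main__":
    layers = build_layers(ASSETS)
    for level in range(3):
        print(f"--- zoom {level} ---")
        for label, risk in render(layers, level):
            print(f"{risk:>2}  {label}")
    print("port 22:", view_by_port(ASSETS, 22))
```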
Overall, attack maps are incredibly useful for attack surface management. While they can be complex, making them easy to use does not mean sacrificing the level of detail. By prioritizing the security goals of the user, Hadrian centers customer needs. Thus, a balance is found between complexity and usability.