The Claroty Blog

Feature Spotlight: Attack Vector Mapping

Shlomit Alon

This post is part of our Feature Spotlight series, which dives into specific features and capabilities of The Claroty Platform. You can find more posts like this in the Feature Spotlight section of the Claroty Blog.

 

As much as an organization tries to secure its operational technology (OT) environments, vulnerabilities are a fact of life. Unlike IT networks, where frequent patching is possible and encouraged, OT networks can only be safely patched during typically infrequent maintenance windows. Compensating controls are crucial in situations where critical vulnerabilities cannot be patched in a timely manner, but implementing adequate controls can be difficult because it requires a keen grasp of the specific risk each vulnerability poses to the network. Helping organizations gain visibility into OT networks is something that we are deeply familiar with, and once achieved, that visibility yields powerful information that helps you identify and understand the vulnerabilities and risks that persist within your organization.

At Claroty, we take this a step further to not only help you pinpoint and assess the vulnerabilities in your network, but to actually simulate what an attack on your network may look like and what steps you can take to remediate the risk. This capability within Claroty Continuous Threat Detection (CTD) is called Attack Vector Mapping.

 

What is Attack Vector Mapping?

CTD’s Attack Vector Mapping feature identifies the most at-risk assets and zones in your network and simulates the various means through which an attacker could penetrate that network. Assets are considered at-risk based on simulations that reveal possible lateral movement scenarios between assets and zones.

In order to determine the likeliest attack vectors, CTD evaluates all possible types of communication flows along the path, whether OT- or IT-based, that could eventually allow the asset to become compromised. These simulations are built on criteria determined by Claroty’s team of OT security experts and researchers.

 

What Information Does This Provide?

Alongside the visual representation of the attack vector shown in the image below, CTD provides an attack chain that details why this particular attack vector was identified as a path of attack.

 

[Image: CTD screenshot showing the attack vector and its attack chain]

 

For example, if an external asset has the option to communicate with an engineering station via Remote Desktop Protocol (RDP), the attacker can leverage OT protocols over an RDP session to send OT commands to a PLC. The visual representation of the attack vector shown beside this information helps the user understand the movements of the potential attack throughout the network.
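The idea of chaining communication flows into an attack vector can be illustrated with a small path search. This is an added example, not Claroty's code and not CTD's actual simulation criteria; the asset names, zones, flows, protocols and function names are constructed assumptions. It lists every flow path from an external asset to a PLC, then ranks the flows by how many paths they sit on, which is where a compensating control removes the most exposure.

```python
from collections import defaultdict

# Constructed inventory and observed flows (all names are hypothetical).
ZONE = {"vendor-laptop": "External", "jump-host": "DMZ",
        "eng-station": "Engineering", "historian": "Operations",
        "plc-1": "Control"}
FLOWS = [  # (source, destination, protocol)
    ("vendor-laptop", "eng-station", "RDP"),
    ("vendor-laptop", "jump-host", "SSH"),
    ("jump-host", "historian", "HTTPS"),
    ("historian", "eng-station", "SMB"),
    ("eng-station", "plc-1", "S7comm"),
]

def attack_chains(flows, zone, target, entry_zone="External", max_hops=4):
    """Return every loop-free flow path from an entry-zone asset to target."""
    out = defaultdict(list)
    for src, dst, proto in flows:
        out[src].append((dst, proto))
    chains = []

    def walk(node, seen, chain):
        if node == target:
            chains.append(chain)
            return
        if len(chain) == max_hops:
            return
        for dst, proto in out[node]:
            if dst not in seen:
                walk(dst, seen | {dst}, chain + [(node, proto, dst)])

    for asset in sorted(a for a, z in zone.items() if z == entry_zone):
        walk(asset, {asset}, [])
    return sorted(chains, key=len)  # shortest chain first

def choke_points(chains):
    """Count how many chains each flow appears on, highest count first."""
    counts = defaultdict(int)
    for chain in chains:
        for hop in chain:
            counts[hop] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    chains = attack_chains(FLOWS, ZONE, "plc-1")
    for c in chains:
        print(" -> ".join(f"{s} [{p}]" for s, p, _ in c) + f" -> {c[-1][2]}")
    print("most shared flow:", choke_points(chains)[0])
```

Removing the direct RDP flow from the input leaves only the longer path through the jump host and historian, which shows how a single firewall rule changes the exposure without any patching.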

 

What Does It All Mean?

By utilizing the information provided by the Attack Vector Mapping tool, you are able to check if potential attackers have a clear path into your network. This allows you to prioritize remediation efforts to ensure compensating controls can be established until maintenance windows allow for patching. You can also use this information as an investigation tool to hunt for threats existing within the network when threatened zones are detected.

The contextualized, visual representation that Attack Vector Mapping provides is one of the many ways in which CTD helps users manage the vulnerabilities and risks present within their network. Take a look at our latest CISO Series post to learn more about the importance of vulnerability prioritization, or if you’d like to see the Attack Vector Mapping feature in action, request a demo.

 
