Analyzing the impact

Overview

Analyze the users, groups, and endpoints that have the highest impact ratings to determine and prioritize where to reduce administrative privileges, especially on critical assets, and so reduce your attack surface.

With Impact, you can build graphs that analyze the rights, dependencies, and relationships for endpoints, users, and groups. Use these graphs to visualize potential lateral movement and identify assets in your organization with a high impact rating.

Before you begin

Configure a connection to one or more Active Directory domains. For more information, see Configure connections to domains.

Impact analyzes data from domain-joined, Tanium-managed Windows endpoints whose domain is configured and synchronized within Impact.

Analyze the impact for a specific user, group, or endpoint

Look up a specific user, group, or endpoint to analyze the potential impact.

  1. From the Main menu, go to Modules > Impact to open the Impact Overview page.
  2. In the Impact Lookup section, select Outbound Impact or Inbound Impact.
  3. Specify the endpoint, group, or user for which you want to analyze potential impact.

The resulting Impact Graph shows summary information and details about the potential impact if the asset is compromised. You can select In/Dir Control, Outbound, Inbound, or Sessions to explore the potential impact. The graph starts with Outbound or Inbound selected, depending on whether you selected Outbound Impact or Inbound Impact for your lookup.

Explore impact graphs

A lookup generates an Impact Graph that contains a Root Node with summary information and additional graphs that you can select to see detailed information: In/Dir Control, Outbound, Inbound, Sessions, and Members (shows only for groups).

The Users, Endpoints, and Groups tables show the details for the associated asset type. You can click values in these tables to examine that data for the corresponding asset, such as direct control on an endpoint.

Use the breadcrumbs in the Asset Search section to return to the original asset as you explore different assets in the Users, Endpoints, and Groups tables.

View summary

The Root Node section of the graph provides summary information about the asset and the analysis.

The General Information and Active Directory sections show details about the endpoint, user, or group. Details in these sections are pulled from Active Directory. If a field is empty, that field in the Active Directory record for the asset is not populated.

The Insights section shows summarized details of the impact for the endpoint, user, or group:

  • Direct Ctrl:
    • Users: The number of endpoints on which the user has administrative rights through a direct entry in the local Administrators group on the system, not through an Active Directory group membership.
    • Computers: The number of users that have administrative rights to the computer through a direct entry in the local Administrators group on the system, not through an Active Directory group membership.
    • Groups: The number of endpoints on which the group has administrative rights through a direct entry in the local Administrators group on the system, not through group nesting.
  • Indirect Ctrl:
    • Users: The number of endpoints on which the user has administrative rights through an Active Directory group, or a nested group, that has an entry in the local Administrators group on the system.
    • Computers: The number of users that have administrative rights to the computer through an Active Directory group, or a nested group, that has an entry in the local Administrators group on the system.
    • Groups: The number of endpoints on which the group has administrative rights because it is nested in a group that has an entry in the local Administrators group on the system.
  • Sessions:
    • Users: The number of active sessions the user has open on computers.
    • Computers: The number of active sessions on the computer.
    • Groups: The number of active sessions that are using the group for access.
  • Inbound Impact:
    • Users: The number of user accounts and endpoints that can be used to breach this user through potential lateral movement.
    • Computers: The number of user accounts and endpoints that can be used to breach this computer through potential lateral movement.
    • Groups: The number of user accounts and endpoints that can be used to breach this group through potential lateral movement.
  • Outbound Impact:
    • Users: The number of user accounts and endpoints that this user can be used to breach through potential lateral movement.
    • Computers: The number of user accounts and endpoints that this computer can be used to breach through potential lateral movement.
    • Groups: The number of user accounts and endpoints that this group can be used to breach through potential lateral movement.

View indirect / direct control

Select In/Dir Control to show the Indirect / Direct Control graph.

The details shown depend on the type of asset that you are analyzing:

  • Users: A hop map of the endpoints on which the user has administrative access, through either direct or indirect control.
  • Computers: A hop map of the users and groups that have administrative access to the computer, through either direct or indirect control.
  • Groups: A hop map of the endpoints on which the group has administrative access, through either direct or indirect control.

The Users, Endpoints, and Groups tables show the details for the associated asset type. Click a node in the hop map to filter the tables based on that hop.

View outbound impact

Select Outbound to analyze the outbound impact for the asset. This graph is selected by default when you choose Outbound Impact for an asset search.

A hop map shows the endpoints, groups, and users that the asset could reach with potential outbound lateral movement. The Users, Endpoints, and Groups tables show the details for the associated asset type. Click a node in the hop map to filter the tables based on that hop.

View inbound impact

Select Inbound to analyze the inbound impact for the asset. This graph is selected by default when you choose Inbound Impact for an asset search.

A hop map shows the endpoints, groups, and users that could reach the asset with potential inbound lateral movement. The Users, Endpoints, and Groups tables show the details for the associated asset type. Click a node in the hop map to filter the tables based on that hop.

View sessions

Select Sessions to analyze the open sessions for the asset.

A hop map shows the open sessions for that asset. The Users, Endpoints, and Groups tables show the details for the associated asset type. Click a node in the hop map to filter the tables based on that hop.

View members

Available only for groups. Select Members to analyze the direct and indirect members of the group.

A hop map shows the direct members of the group and the nested groups through which indirect members inherit its rights.

View shortest path maps

Click the target icon next to a user or endpoint in one of the Users or Endpoints tables to show a Shortest Path map from that user or endpoint to the asset being analyzed. The Shortest Path map shows the path with the fewest hops between the two, where each hop is a direct administrative entry, a group membership, or an open session.
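The Insights counts described above (Direct Ctrl, Indirect Ctrl, Sessions, Inbound Impact, Outbound Impact) and the Shortest Path map are easiest to reason about as operations on a small directed graph. The following Python is an added illustration written for this page; it is not Tanium's Impact implementation and does not use its data model. The inventory (endpoints WS-01, WS-02, SRV-DB and SRV-FILE, the users, the groups Helpdesk, Tier1 and DBAdmins, and the sessions) is constructed, and the edge directions are the example's own modelling assumptions: an administrator principal reaches its endpoint, a member inherits its group's rights, and an endpoint exposes the users that hold open sessions on it.

```python
from collections import deque

# Constructed sample inventory for this example (not real data).
# LOCAL_ADMINS: principals directly present in each endpoint's local Administrators group.
LOCAL_ADMINS = {
    "WS-01": {"alice", "Helpdesk"},
    "WS-02": {"Helpdesk"},
    "SRV-DB": {"DBAdmins"},
    "SRV-FILE": {"Helpdesk", "DBAdmins"},
}
# AD_GROUPS: Active Directory group membership; members may be users or nested groups.
AD_GROUPS = {"Helpdesk": {"bob", "Tier1"}, "Tier1": {"carol"}, "DBAdmins": {"dave"}}
# SESSIONS: open sessions as (user, endpoint) pairs.
SESSIONS = [("dave", "WS-02"), ("alice", "WS-01")]
GROUPS = set(AD_GROUPS)

def expand_group(group):
    """All users in `group`, following nested groups (cycle-safe)."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in AD_GROUPS.get(g, ()):
            (stack.append if member in GROUPS else users.add)(member)
    return users

# Direct Ctrl / Indirect Ctrl for a user: endpoints reached by a direct entry vs. via a group.
def direct_control(user):
    return {ep for ep, admins in LOCAL_ADMINS.items() if user in admins}

def indirect_control(user):
    return {ep for ep, admins in LOCAL_ADMINS.items()
            if any(user in expand_group(g) for g in admins if g in GROUPS)}

# Direct Ctrl / Indirect Ctrl for a computer: users listed directly vs. inherited from groups.
def direct_admins(endpoint):
    return {p for p in LOCAL_ADMINS[endpoint] if p not in GROUPS}

def indirect_admins(endpoint):
    return set().union(*(expand_group(g) for g in LOCAL_ADMINS[endpoint] if g in GROUPS))

def session_count(asset):
    return sum(1 for user, ep in SESSIONS if asset in (user, ep))

def build_graph():
    """Edges point the way an attacker moves: from a compromised node to what it yields."""
    edges = {}
    def add(src, dst):
        edges.setdefault(src, set()).add(dst)
        edges.setdefault(dst, set())
    for ep, admins in LOCAL_ADMINS.items():
        for principal in admins:
            add(principal, ep)   # admin rights: principal -> endpoint
    for group, members in AD_GROUPS.items():
        for member in members:
            add(member, group)   # membership: member -> group (the group's rights flow to members)
    for user, ep in SESSIONS:
        add(ep, user)            # open session: endpoint -> user (credentials exposed on the host)
    return edges

def reversed_graph(edges):
    rev = {n: set() for n in edges}
    for src, dsts in edges.items():
        for dst in dsts:
            rev[dst].add(src)
    return rev

def reachable(start, edges):
    """Nodes reachable from `start` (breadth-first), excluding `start` itself."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def outbound_impact(asset):
    """Users and endpoints the asset can be used to breach; groups are hops and are not counted."""
    return sum(1 for n in reachable(asset, build_graph()) if n not in GROUPS)

def inbound_impact(asset):
    """Users and endpoints that can be used to breach the asset."""
    return sum(1 for n in reachable(asset, reversed_graph(build_graph())) if n not in GROUPS)

def shortest_path(src, dst):
    """Fewest-hop path from src to dst across admin rights, membership and sessions, or None."""
    edges, parent, queue = build_graph(), {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in edges.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

if __name__ == "__main__":
    print("carol: direct", sorted(direct_control("carol")), "indirect", sorted(indirect_control("carol")))
    print("carol outbound impact:", outbound_impact("carol"), "| SRV-DB inbound impact:", inbound_impact("SRV-DB"))
    print("shortest path carol -> SRV-DB:", " -> ".join(shortest_path("carol", "SRV-DB")))
```

In this constructed inventory carol has no direct control at all, yet her Tier1 membership nests into Helpdesk, which is a local administrator on three endpoints; from WS-02 the open session of dave, a DBAdmins member, carries the path on to SRV-DB. That is exactly the kind of chain the Shortest Path map surfaces and the reason Indirect Ctrl deserves as much attention as Direct Ctrl when deciding where to remove administrative rights. The session edge is the pivot: without dave's session on WS-02, shortest_path returns None and SRV-DB drops out of carol's Outbound Impact.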

What to do next

Implement a least-privilege security model for your Active Directory environment, using your Impact analysis to identify the assets whose administrative rights should be reduced. For more information, see Reference: Remediation resources.