Analyzing the impact

Overview

With Impact, you can build graphs that analyze the rights, dependencies, and relationships for assets (endpoints, users, and groups). Use these graphs to visualize potential lateral movement and identify assets in your organization with a high impact score.

Use this data to determine and prioritize where you should reduce administrative privileges, especially for critical assets, to reduce attack surface.

Before you begin

Configure a connection to one or more Active Directory domains. For more information, see Configure connections to domains.

Impact analyzes data from domain-joined, Tanium-managed Windows endpoints whose domain is configured and synchronized within Impact.

Analyze the impact for a specific asset

Search for an asset to see detailed graphs that you can use to analyze that asset's potential impact.

  1. Go to the Impact Home page or select Impact Details from the Impact menu.
  2. In the Asset Search section, select Outbound Impact or Inbound Impact.
  3. Specify the endpoint, group, or user for which you want to analyze potential impact.

Searching for an asset generates an Impact Graph that displays summary information and details about that asset's potential impact if compromised. You can select In/Dir Control, Outbound, Inbound, or Sessions (and Members, for groups) to explore the potential impact of the asset. The graph starts with Outbound or Inbound selected, depending on whether you selected Outbound Impact or Inbound Impact when you searched for the asset.

Impact Graphs

An asset search generates an Impact Graph that contains a Root Node with summary information and additional graphs that you can select to display detailed information: In/Dir Control, Outbound, Inbound, Sessions, and Members (displays only for groups).

The Users, Endpoints, and Groups tables below the graph display the details for the associated asset type. You can click values in these tables to examine that data for the corresponding asset, such as direct control on an endpoint.

Use the breadcrumbs in the Asset Search section to return to the original asset as you explore different assets in the Users, Endpoints, and Groups tables.

Root Node

The Root Node section of the graph displays summary information about the asset and the analysis.

General Information section:

  • Asset Type: The type of asset that was analyzed: User, Computer, or Group.
  • Operating System: Displays only for computers. The operating system on the computer, including version.
  • IP Address: Displays only for computers. The IP address for the computer.

Active Directory section:

Displays the details from the asset's Active Directory record:

  • Location
  • Description
  • Managed By

Click the Detailed Information link to display additional information from the asset's Active Directory record.

These details are pulled from Active Directory. If a field does not display information, that field in the asset's Active Directory record is not populated.

Insights section:

Displays summarized details of the impact for the asset:

  • Direct Ctrl:
    • Users: The number of endpoints on which the user has administrative rights through a direct entry in the local Administrators object on the system, not through an Active Directory group membership.
    • Computers: The number of users that have administrative rights to the computer through a direct entry in the local Administrators object on the system, not through an Active Directory group membership.
    • Groups: The number of endpoints on which the group has administrative rights through a direct entry in the local Administrators object on the system, not through group nesting.
  • Indirect Ctrl:
    • Users: The number of endpoints on which the user has administrative rights through an Active Directory group or nested group that has an entry in the local Administrators object on the system.
    • Computers: The number of users that have administrative rights to the computer through an Active Directory group or nested group that has an entry in the local Administrators object on the system.
    • Groups: The number of endpoints on which the group has administrative rights through group nesting in the local Administrators object on the system.
  • Sessions:
    • Users: The number of active sessions the user has open on computers.
    • Computers: The number of active sessions on the computer.
    • Groups: The number of active sessions that are using the group for access.
  • Inbound Impact:
    • Users: The number of user accounts and endpoints that can be used to breach this user through potential lateral movement.
    • Computers: The number of user accounts and endpoints that can be used to breach this computer through potential lateral movement.
    • Groups: The number of user accounts and endpoints that can be used to breach this group through potential lateral movement.
  • Outbound Impact:
    • Users: The number of user accounts and endpoints that this user can be used to breach through potential lateral movement.
    • Computers: The number of user accounts and endpoints that this computer can be used to breach through potential lateral movement.
    • Groups: The number of user accounts and endpoints that this group can be used to breach through potential lateral movement.

Indirect / Direct Control

Select In/Dir Control to display the Indirect / Direct Control graph.

The details displayed here depend on the type of asset that you are analyzing:

  • Users: Displays a hop map that shows the endpoints on which the user has administrative access, either through direct control or indirect control.
  • Computers: Displays a hop map that shows the users and groups that have administrative access to the computer, either through direct control or indirect control.
  • Groups: Displays a hop map that shows the endpoints on which the group has administrative access, either through direct control or indirect control.

The Users, Endpoints, and Groups tables below the hop map display the details for the associated asset type. Click a node in the hop map to filter the tables based on that hop.

Outbound

Select Outbound to analyze the outbound impact for the asset. This graph displays by default when you select Outbound Impact for an asset search.

A hop map displays that shows the endpoints, groups, and users that the asset could reach with potential outbound lateral movement. The Users, Endpoints, and Groups tables below the hop map display the details for the associated asset type. Click a node in the hop map to filter the tables based on that hop.

Inbound

Select Inbound to analyze the inbound impact for the asset. This graph displays by default when you select Inbound Impact for an asset search.

A hop map displays that shows the endpoints, groups, and users that could reach the asset with potential inbound lateral movement. The Users, Endpoints, and Groups tables below the hop map display the details for the associated asset type. Click a node in the hop map to filter the tables based on that hop.

Sessions

Select Sessions to analyze the open sessions for the asset.

A hop map displays that shows the open sessions for that asset. The Users, Endpoints, and Groups tables below the hop map display the details for the associated asset type. Click a node in the hop map to filter the tables based on that hop.

Members

Displays only for groups. Select Members to analyze the direct and indirect members of the group.

A hop map displays that shows the group's direct members (users and nested groups) and the indirect members that are reached through those nested groups.

Shortest Path maps

Click the target icon next to a user or endpoint in one of the Users or Endpoints tables to display a Shortest Path map from that user or endpoint to the searched asset. The Shortest Path map shows the path with the fewest hops between the two, where each hop is direct access, group membership, or an open session.
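The Insights counts in the Root Node section and the Shortest Path map both describe the same directed graph over users, endpoints, and groups. The following Python is an added example, not Tanium code, that builds such a graph from a small constructed inventory and computes direct and indirect control, sessions, inbound and outbound impact, and the shortest path by breadth-first search. The inventory (local Administrators membership per endpoint, nested AD groups, open sessions) is invented sample data, and the edge semantics are an assumption: admin rights let you take over an endpoint, group membership grants the group's rights, and admin rights on an endpoint let you harvest the credentials of any session open on it. How Impact itself scores or de-duplicates these counts is not documented on this page; here an endpoint counted under direct control is not counted again under indirect control.

```python
from collections import defaultdict, deque

# --- Constructed sample inventory (illustrative only, not Impact output) ---
USERS = {"alice", "bob", "carol", "dave"}
# Endpoint -> principals (users or AD groups) listed directly in local Administrators.
LOCAL_ADMINS = {
    "WS01": {"alice", "Helpdesk"},
    "WS02": {"Helpdesk"},
    "SRV01": {"Domain Admins"},
    "DC01": {"Domain Admins"},
}
# AD group -> direct members (users or nested groups).
GROUP_MEMBERS = {
    "Helpdesk": {"bob", "Tier2"},
    "Tier2": {"carol"},
    "Domain Admins": {"dave"},
}
# Endpoint -> users with an open session on it.
SESSIONS = {"WS02": {"dave"}, "SRV01": {"alice"}}

ENDPOINTS = set(LOCAL_ADMINS) | set(SESSIONS)
GROUPS = set(GROUP_MEMBERS)


def kind(node):
    """Asset type as shown in the Root Node: User, Computer, or Group."""
    if node in USERS:
        return "User"
    if node in ENDPOINTS:
        return "Computer"
    if node in GROUPS:
        return "Group"
    raise KeyError(node)


def transitive_groups(principal):
    """Every AD group a user or group belongs to, following nesting."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        for group, members in GROUP_MEMBERS.items():
            if p in members and group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def transitive_members(group):
    """Every user in a group, following nested groups."""
    users, seen, stack = set(), set(), [group]
    while stack:
        for m in GROUP_MEMBERS.get(stack.pop(), ()):
            if m in USERS:
                users.add(m)
            elif m not in seen:
                seen.add(m)
                stack.append(m)
    return users


def control(asset):
    """(direct, indirect) control, as in the Direct Ctrl / Indirect Ctrl insights.

    For a computer: users that administer it. For a user or group: endpoints it
    administers. Assumption: anything counted as direct is not also counted as indirect.
    """
    if kind(asset) == "Computer":
        principals = LOCAL_ADMINS.get(asset, set())
        direct = {p for p in principals if p in USERS}
        indirect = set()
        for g in principals:
            if g in GROUPS:
                indirect |= transitive_members(g)
        return direct, indirect - direct
    direct = {e for e, ps in LOCAL_ADMINS.items() if asset in ps}
    via_groups = transitive_groups(asset)
    indirect = {e for e, ps in LOCAL_ADMINS.items() if ps & via_groups}
    return direct, indirect - direct


def sessions(asset):
    """Open sessions as (endpoint, user) pairs; for a group, sessions held by its members."""
    if kind(asset) == "User":
        return {(e, asset) for e, us in SESSIONS.items() if asset in us}
    if kind(asset) == "Computer":
        return {(asset, u) for u in SESSIONS.get(asset, ())}
    members = transitive_members(asset)
    return {(e, u) for e, us in SESSIONS.items() for u in us if u in members}


def build_edges():
    """Directed lateral-movement edges: holding the source lets an attacker take the target."""
    edges = defaultdict(set)
    for endpoint, principals in LOCAL_ADMINS.items():
        for p in principals:
            edges[p].add(endpoint)        # admin rights on the endpoint
    for group, members in GROUP_MEMBERS.items():
        for m in members:
            edges[m].add(group)           # membership grants the group's rights
    for endpoint, users in SESSIONS.items():
        for u in users:
            edges[endpoint].add(u)        # harvest the session's credentials from the endpoint
    return edges


def _bfs(edges, start):
    """Breadth-first search; returns node -> predecessor on a shortest path from start."""
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return parent


def outbound_impact(asset):
    """Users and endpoints the asset could be used to breach (groups are hops, not targets)."""
    reached = _bfs(build_edges(), asset)
    return {n for n in reached if n != asset and kind(n) != "Group"}


def inbound_impact(asset):
    """Users and endpoints that could be used to breach the asset (same graph, reversed)."""
    rev = defaultdict(set)
    for src, dsts in build_edges().items():
        for d in dsts:
            rev[d].add(src)
    reached = _bfs(rev, asset)
    return {n for n in reached if n != asset and kind(n) != "Group"}


def shortest_path(source, target):
    """Fewest-hop path from source to target, or None if target is unreachable."""
    parent = _bfs(build_edges(), source)
    if target not in parent:
        return None
    path, node = [], target
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


if __name__ == "__main__":
    for asset in ("carol", "WS01", "DC01"):
        direct, indirect = control(asset)
        print(f"{asset} ({kind(asset)}): direct={sorted(direct)} indirect={sorted(indirect)} "
              f"sessions={len(sessions(asset))} inbound={len(inbound_impact(asset))} "
              f"outbound={len(outbound_impact(asset))}")
    print(" -> ".join(shortest_path("carol", "DC01")))
```

In the sample data carol has no direct admin rights anywhere, yet her outbound impact reaches DC01: nesting in Tier2 puts her in Helpdesk, Helpdesk is a local administrator on WS02, and dave's open session on WS02 exposes a Domain Admins credential. That is the pattern the hop maps are meant to surface, and removing Helpdesk from the local Administrators group on WS02 (or ending privileged sessions on workstations) breaks the path.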

What to do next

Use the data that you gathered to prioritize the assets for which administrative rights should be modified to implement a least-privilege security model for your Active Directory environment. For more information, see Reference: Remediation resources.