Impact overview

Use Impact to understand administrative rights in your organization's Active Directory environment and the potential impact if a compromise occurs. Manage lateral movement risk by identifying, prioritizing, and remediating access rights and dependencies, which lets you reduce attack surface, prioritize actions, and scope incidents.

Reduce attack surface

Identify and quantify the user accounts that have administrative access to key systems, such as high-profile workstations or Active Directory domain controllers. By limiting administrative access to these systems, you can reduce your attack surface.

Prioritize actions

Quickly identify the user accounts and systems that would have the most significant impact if compromised. With this information, you can focus on these high-impact accounts or systems to limit potential lateral movement in the event of an attack.

Scope incidents

If a user account or system is compromised, use Impact to quickly determine the potential lateral movement of the attack and take action to prevent additional compromise.

Credential dumping and lateral movement

When a user logs in to a computer, either locally or remotely, a session is created that caches user credentials in memory, typically until a restart. Attackers can use malicious tools, often referred to as credential dumpers, to access these cached credentials. Attackers then use the credentials to impersonate the compromised user and gain access to other systems in your environment. This potential lateral movement is more severe if the compromised user is a member of privileged groups, which might contain additional nested groups, and can rapidly compromise a large number of systems in your environment.

For more information, see MITRE ATT&CK: Credential Dumping and MITRE ATT&CK: Lateral Movement.

In Impact, this potential lateral movement is broken down further into outbound impact and inbound impact.

outbound impact

The other systems or users that an attacker can breach from the endpoint, user, or group.

inbound impact

The other systems or users that an attacker can use to breach the endpoint, user, or group.

Impact analyzes both direct control and indirect control when evaluating the potential movement of an endpoint, user, or group.

direct control

The user has administrative rights to a system through a direct entry in the local Administrators object on the system, not through an Active Directory group membership.

indirect control

The user has administrative rights to a system through an Active Directory group or nested group that has an entry in the local Administrators object on the system.
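The distinction between direct and indirect control comes down to resolving nested Active Directory group membership against each endpoint's local Administrators object. The following is an added example that illustrates that resolution; it is not Tanium's code, and the directory, group, user, and endpoint names are constructed placeholders. It flattens nested groups (guarding against membership cycles), labels each administering user as direct or indirect per endpoint, and derives the outbound and inbound sets the page describes.

```python
# Constructed sample data (hypothetical names), not real directory content.
# Group membership: group name -> set of members (user names or other group names).
GROUP_MEMBERS = {
    "Domain Admins": {"alice", "Tier0-Ops"},
    "Tier0-Ops": {"bob"},              # nested inside Domain Admins
    "Helpdesk": {"carol", "Helpdesk-L2"},
    "Helpdesk-L2": {"dave"},           # nested inside Helpdesk
}

# Local Administrators object per endpoint: entries are users (direct control)
# or Active Directory groups (indirect control).
LOCAL_ADMINS = {
    "DC01": {"Domain Admins"},
    "WS-FINANCE": {"Helpdesk", "erin"},
    "WS-HR": {"carol"},
}


def expand_group(group, group_members):
    """Return every user reachable from `group`, following nested groups.

    A `seen` set guards against membership cycles (A contains B contains A),
    which would otherwise loop forever.
    """
    users = set()
    seen = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in group_members.get(current, ()):
            if member in group_members:   # member is itself a group: recurse
                stack.append(member)
            else:                         # member is a user
                users.add(member)
    return users


def admin_control(local_admins, group_members):
    """Return {endpoint: {user: "direct" | "indirect"}}.

    "direct" means the user is listed in the local Administrators object by
    name; "indirect" means access comes through an AD group (possibly nested).
    A user with both a direct entry and group-based access is reported as direct.
    """
    control = {}
    for endpoint, entries in local_admins.items():
        per_user = {}
        for entry in entries:
            if entry in group_members:
                for user in expand_group(entry, group_members):
                    per_user.setdefault(user, "indirect")
            else:
                per_user[entry] = "direct"
        control[endpoint] = per_user
    return control


def outbound_endpoints(user, control):
    """Endpoints the user can administer (the user's outbound impact by endpoints)."""
    return {ep for ep, admins in control.items() if user in admins}


def inbound_users(endpoint, control):
    """Users who can administer the endpoint (the endpoint's inbound impact by users)."""
    return set(control.get(endpoint, {}))


if __name__ == "__main__":
    control = admin_control(LOCAL_ADMINS, GROUP_MEMBERS)
    for endpoint, admins in sorted(control.items()):
        print(endpoint, dict(sorted(admins.items())))
    print("carol outbound:", sorted(outbound_endpoints("carol", control)))
    print("DC01 inbound:", sorted(inbound_users("DC01", control)))
```

In the sample data, bob reaches DC01 only through Tier0-Ops nested in Domain Admins, and carol has direct control of WS-HR but indirect control of WS-FINANCE; both are the kind of path that is easy to miss when reviewing a local Administrators object by eye.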

Figure 1: Using lateral movement to prioritize decision making

Impact rating

Impact analyzes the data from synchronized domains and calculates an impact rating for each asset. Four factors influence an impact rating:

  • Potential inbound impact by users
  • Potential inbound impact by endpoints
  • Potential outbound impact by users
  • Potential outbound impact by endpoints

Impact calculates a percentage for each factor based on the total number of endpoints, users, and groups in the synchronized domains. Using this percentage, points are assigned to each factor:

  • 0% - 25% of total users or endpoints: 1 point
  • 26% - 50% of total users or endpoints: 2 points
  • 51% - 75% of total users or endpoints: 3 points
  • 76% - 100% of total users or endpoints: 4 points

Impact tallies the points for each factor and applies the following schema to reach the final impact rating:

  • Low: 4 points
  • Medium: 5 - 8 points
  • High: 9 - 12 points
  • Critical: 13 - 16 points

Endpoints, users, or groups with a Critical impact rating have the highest potential for lateral movement and are the highest-priority targets. The rating is calculated from potential inbound movement, which can compromise the endpoint, user, or group, and potential outbound movement, which can compromise other endpoints, users, or groups.

Example

Consider an organization that has synchronized two domains with Impact. These domains contain 1,000 users and 2,000 endpoints, for a total of 3,000 assets.

User A has the following inbound and outbound impact:

  • Inbound impact by users: 620 users (62% of all users, 3 points)
  • Inbound impact by endpoints: 630 endpoints (31.5% of all endpoints, 2 points)
  • Outbound impact by users: 400 users (40% of all users, 2 points)
  • Outbound impact by endpoints: 600 endpoints (30% of all endpoints, 2 points)

The points for all four factors total 9, so the impact rating for User A is High.
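To make the scoring schema above concrete, here is an added example that reproduces the calculation for User A; it is not Tanium's code, and the function names are this example's own. It maps each factor's share of the population to points using the page's bands and then maps the point total to the rating. One assumption is labelled in the code: the page gives the bands as whole percentages, so a fractional value that falls between two bands (for example 25.5%) is treated as belonging to the upper band.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ImpactFactors:
    """The four counts that feed an asset's impact rating."""
    inbound_users: int
    inbound_endpoints: int
    outbound_users: int
    outbound_endpoints: int


def factor_points(count, total):
    """Convert one factor to 1-4 points from its share of the population.

    Bands as stated on the page: 0-25% -> 1, 26-50% -> 2, 51-75% -> 3, 76-100% -> 4.
    Assumption: a fractional percentage between two bands (e.g. 25.5%) is
    assigned to the upper band, i.e. the thresholds are <= 25, <= 50, <= 75.
    """
    if total <= 0:
        raise ValueError("population total must be positive")
    if not 0 <= count <= total:
        raise ValueError("count must lie between 0 and the population total")
    pct = 100.0 * count / total
    if pct <= 25:
        return 1
    if pct <= 50:
        return 2
    if pct <= 75:
        return 3
    return 4


def rating_from_points(points):
    """Map a 4-16 point total to the page's Low/Medium/High/Critical schema."""
    if points <= 4:
        return "Low"
    if points <= 8:
        return "Medium"
    if points <= 12:
        return "High"
    return "Critical"


def impact_rating(factors, total_users, total_endpoints):
    """Return (points, rating) for an asset given the synchronized population sizes."""
    points = (
        factor_points(factors.inbound_users, total_users)
        + factor_points(factors.inbound_endpoints, total_endpoints)
        + factor_points(factors.outbound_users, total_users)
        + factor_points(factors.outbound_endpoints, total_endpoints)
    )
    return points, rating_from_points(points)


# Constructed input matching the page's worked example: two synchronized domains
# with 1,000 users and 2,000 endpoints, and User A's four factor counts.
TOTAL_USERS = 1000
TOTAL_ENDPOINTS = 2000
USER_A = ImpactFactors(
    inbound_users=620,        # 62%   -> 3 points
    inbound_endpoints=630,    # 31.5% -> 2 points
    outbound_users=400,       # 40%   -> 2 points
    outbound_endpoints=600,   # 30%   -> 2 points
)

if __name__ == "__main__":
    points, rating = impact_rating(USER_A, TOTAL_USERS, TOTAL_ENDPOINTS)
    print(f"User A: {points} points -> {rating}")   # 9 points -> High
```

Because every factor contributes at least 1 point, the lowest possible total is 4 (Low) and the highest is 16 (Critical), which is why the schema's bands start at 4 rather than 0.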

Integration with other Tanium products

Impact has built-in integration with Tanium™ Threat Response for additional visibility and reporting of related data.

Threat Response

Use Impact with Threat Response to see details from Impact in alerts. An Outbound Impact column displays in the Threat Response alerts results grid, and the Impact Details section of the alert details provides information from Impact on the potential lateral movement of the endpoint to help prioritize alert remediation. For more information, see Threat Response User Guide: Manage the impact of lateral movement with Tanium Impact.