Impact overview

Use Impact to understand administrative rights in the Active Directory environment for your organization and the potential impact if a compromise occurs. Manage lateral movement impact within your organization by identifying, prioritizing and remediating access rights and dependencies to reduce attack surface, prioritize actions, and scope incidents.

Reduce attack surface

Identify and quantify the user accounts that have administrative access to key systems, such as high-profile workstations or Active Directory domain controllers. By limiting administrative access to these systems, you can reduce your attack surface.

Prioritize actions

Quickly identify the user accounts and systems that would have the most significant impact if compromised. With this information, you can focus on these high-impact accounts or systems to limit potential lateral movement in the event of an attack.

Scope incidents

If a user account or system is compromised, use Impact to quickly determine the potential lateral movement of the attack and take action to prevent additional compromise.

Credential dumping and lateral movement

When a user logs in to a computer, either locally or remotely, a session is created that caches the user credentials in memory, typically until a restart. Attackers can use malicious tools, often referred to as credential dumpers, to access these cached credentials. Attackers then use the credentials to impersonate the compromised user and gain access to other systems in your environment. This potential lateral movement is more severe if the compromised user is a member of privileged groups, which might contain additional nested groups, and can rapidly compromise a large number of systems in your environment.

For more information, see MITRE ATT&CK: Credential Dumping and MITRE ATT&CK: Lateral Movement.

In Impact, this potential lateral movement is broken down further into outbound impact and inbound impact.

outbound impact

The endpoints or users that an attacker can breach from the current endpoint, user, or group (asset). Use outbound impact to answer the question: what endpoints, users, and groups can an attacker potentially breach through lateral movement if this asset is compromised?

inbound impact

The endpoints or users that an attacker can use to breach the current endpoint, user, or group. Use inbound impact to answer the question: what lateral movement could an attacker potentially use to breach this asset?

Impact analyzes both direct control and indirect control when evaluating the potential movement of an endpoint, user, or group.

direct control

The user has administrative rights to a system through a direct entry in the local Administrators object on the system, not through an Active Directory group membership.

indirect control

The user has administrative rights to a system through an Active Directory group or nested group that has an entry in the local Administrators object on the system.
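The direct and indirect control definitions above, worked through in code as an added example (not Tanium code). The group membership and local Administrators entries are constructed sample data; the endpoint and user names are borrowed from this page's scenarios and do not describe a real environment.

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed sample directory data (names borrowed from this page's
# scenarios; not a real environment). group -> members (users or groups)
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "User_Group_1": {"User_A", "Dev_Admins"},
    "Dev_Admins": {"User_D"},
    "Helpdesk": {"User_B"},
}
# Local Administrators entries per endpoint (users or AD groups)
LOCAL_ADMINS: Dict[str, Set[str]] = {
    "IM-WN-2204": {"User_Group_1", "User_C"},
    "IMP-WN-2808": {"User_D"},
    "Web_Server": {"Helpdesk", "Dev_Admins"},
}

def expand_group(group, members, seen=None):
    """All users reachable from `group` through nested membership."""
    seen = {group} if seen is None else seen
    users = set()
    for m in members.get(group, set()):
        if m in members:            # nested group
            if m not in seen:       # guard against membership cycles
                seen.add(m)
                users |= expand_group(m, members, seen)
        else:
            users.add(m)
    return users

def admin_control(local_admins, group_members):
    """Map user -> {endpoint: 'direct' | 'indirect'}.

    Direct: the user is named in the local Administrators object itself.
    Indirect: the user reaches it via an AD group or nested group entry.
    If both apply, direct is recorded.
    """
    control = defaultdict(dict)
    for endpoint, entries in local_admins.items():
        for entry in entries:
            if entry in group_members:
                for user in expand_group(entry, group_members):
                    control[user].setdefault(endpoint, "indirect")
            else:
                control[entry][endpoint] = "direct"
    return dict(control)

if __name__ == "__main__":
    for user, eps in sorted(admin_control(LOCAL_ADMINS, GROUP_MEMBERS).items()):
        print(user, eps)
```

In the sample data User_D reaches IM-WN-2204 only through the nested Dev_Admins group inside User_Group_1, which is the indirect control case the definition describes.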

Figure 1: Using lateral movement to prioritize decision making

In scenario A in the preceding figure, the attacker compromises the database server, on which User_A has an open session. You can visualize the outbound impact of this breach and potential lateral movement by running an Outbound Impact search on the Database Server, IM-WN-2204.

The attacker uses User_A’s session to obtain the credentials for User_A. Because User_A is a member of a user group, the attacker now has access to all endpoints on which there is an entry in the local Administrators object on the endpoint for this user group, which is shown in Impact through indirect control analysis.

In scenario B in the preceding figure, suppose the target endpoint is the CEO’s laptop. To determine how an attacker could potentially breach this high-profile endpoint, run an Inbound Impact search for the endpoint, IMP-WN-2808.

The analysis by Impact shows that if an attacker breaches the Web Server, on which User_D has an open session, the attacker can use User_D’s credentials to gain administrator access to this endpoint. Click a hop in the hop map to display the specific endpoints, users, and groups that are part of the potential lateral movement.

In scenario C in the preceding figure, the attacker could potentially use both direct and indirect control to breach the Active Directory server. Impact provides multiple methods to analyze the various ways that an attacker could move through your network. For example, you can analyze the indirect and direct control for User_Group_1 to see which endpoints can be reached by this group, either through direct membership on an endpoint or nested groups.

You can run an Inbound Impact search on the Active Directory server to determine how an attacker might gain access to that server.

You can run an Outbound Impact search on the developer’s system to determine what users, endpoints, and groups might be compromised through potential lateral movement if an attacker breaches that endpoint.

If you do not have specific users, endpoints, or groups that you want to analyze, use the Impact ratings to quickly identify critical and high risk assets.

Impact rating

Impact analyzes the data from synchronized domains and calculates an impact rating for each endpoint, user, or group. Four factors influence an impact rating:

  • Potential inbound impact by users
  • Potential inbound impact by endpoints
  • Potential outbound impact by users
  • Potential outbound impact by endpoints

Impact calculates a percentage for each factor based on the total number of endpoints, users, and groups in the synchronized domains. Using this percentage, points are assigned to each factor:

  • 0% - 25% of total users or endpoints: 1 point
  • 26% - 50% of total users or endpoints: 2 points
  • 51% - 75% of total users or endpoints: 3 points
  • 76% - 100% of total users or endpoints: 4 points

Impact tallies the points for each factor and applies the following schema to reach the final impact rating:

  • Low: 4 points
  • Medium: 5 - 8 points
  • High: 9 - 12 points
  • Critical: 13 - 16 points

Endpoints, users, and groups with a critical impact rating have the highest potential lateral movement and are likely to be targeted for compromise. Potential inbound movement, which can compromise the endpoint, user, or group, and potential outbound movement, which can compromise other endpoints, users, and groups, are used to calculate this rating.

Example

Consider an organization that has synchronized two domains with Impact. These domains contain 1,000 users and 2,000 endpoints, for a total of 3,000 assets.

User A has the following inbound and outbound impact:

  • Inbound impact by users: 620 users (62% of all users, 3 points)
  • Inbound impact by endpoints: 630 endpoints (31.5% of all endpoints, 2 points)
  • Outbound impact by users: 400 users (40% of all users, 2 points)
  • Outbound impact by endpoints: 600 endpoints (30% of all endpoints, 2 points)

The points for all four factors total 9, so the impact rating for User A is High.
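The rating calculation above, implemented as an added example (not Tanium code) and checked against the User A figures. The totals are the constructed ones from this example; how fractional percentages such as 31.5% fall into the integer bands is an assumption noted in the code.

```python
from typing import Tuple

# Constructed totals matching the worked example on this page:
# two synchronized domains with 1,000 users and 2,000 endpoints.
TOTAL_USERS = 1_000
TOTAL_ENDPOINTS = 2_000

def factor_points(count: int, total: int) -> int:
    """Score one factor (1-4 points) from its share of total users or endpoints.

    The page gives integer bands (0-25%, 26-50%, ...). A fractional share
    such as 31.5% is assumed to score in the band whose upper bound it does
    not exceed; that boundary handling is an assumption, not page text.
    """
    if total <= 0:
        raise ValueError("total must be positive")
    pct = 100.0 * count / total
    if pct <= 25:
        return 1
    if pct <= 50:
        return 2
    if pct <= 75:
        return 3
    return 4

def rating_from_points(points: int) -> str:
    """Apply the page's schema to the 4-16 point total."""
    if points <= 4:
        return "Low"
    if points <= 8:
        return "Medium"
    if points <= 12:
        return "High"
    return "Critical"

def impact_rating(inbound_users: int, inbound_endpoints: int,
                  outbound_users: int, outbound_endpoints: int,
                  total_users: int = TOTAL_USERS,
                  total_endpoints: int = TOTAL_ENDPOINTS) -> Tuple[int, str]:
    """Return (total points, rating) for one endpoint, user, or group."""
    points = (factor_points(inbound_users, total_users)
              + factor_points(inbound_endpoints, total_endpoints)
              + factor_points(outbound_users, total_users)
              + factor_points(outbound_endpoints, total_endpoints))
    return points, rating_from_points(points)

if __name__ == "__main__":
    # User A from the page's example: 620 / 630 / 400 / 600
    print(impact_rating(620, 630, 400, 600))  # (9, 'High')
```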

Integration with other Tanium products

Impact has built-in integration with Tanium™ Trends and Tanium™ Threat Response for additional visibility and reporting of related data.

Trends

Impact features a Trends board that provides data visualization of Impact concepts. The Impact board contains the following panels:

Impact Coverage Status

Shows the percentage of total Tanium-managed Windows endpoints where Impact is optimal, needs attention, or is not supported.

Impact Severity Rating for All Endpoints

Shows the severity rating for all domain-joined endpoints.

Impact Severity Rating for All Users

Shows the severity rating for all domain users.

Impact Severity Rating for All Groups

Shows the severity rating for all domain groups.

Threat Response

Use Impact with Threat Response to see details from Impact in alerts. The Threat Response alerts results grid includes an Outbound Impact column, and the Impact Details section of the alert details provides information from Impact on the potential lateral movement of the endpoint to help prioritize alert remediation. For more information, see Threat Response User Guide: Manage the impact of lateral movement with Tanium Impact.