Use Impact to understand administrative rights in the Active Directory environment for your organization and the potential impact if a compromise occurs. Manage lateral movement impact within your organization by identifying, prioritizing and remediating access rights and dependencies to reduce attack surface, prioritize actions, and scope incidents.
Identify and quantify the user accounts that have administrative access to key systems, such as high-profile workstations or Active Directory domain controllers. By limiting administrative access to these systems, you can reduce your attack surface.
Quickly identify the user accounts and systems that would have the most significant impact if compromised. With this information, you can focus on these high-impact accounts or systems to limit potential lateral movement in the event of an attack.
If a user account or system is compromised, use Impact to quickly determine the potential lateral movement of the attack and take action to prevent additional compromise.
When a user logs in to a computer, either locally or remotely, a session is created that caches the user credentials in memory for 72 hours and until a restart. Attackers can use malicious tools, often referred to as credential dumpers, to access these cached credentials. Attackers then use the credentials to impersonate the compromised user and gain access to other systems in your environment. This potential lateral movement is more severe if the compromised user is a member of privileged groups, which might contain additional nested groups, and can rapidly compromise a large number of systems in your environment.
In Impact, this potential lateral movement is broken down further into outbound impact and inbound impact.
The endpoints or users that an attacker can breach from the current endpoint, user, or group (asset). Use outbound impact to answer the question: what endpoints, users, and groups can an attacker potentially breach through lateral movement if this asset is compromised?
The endpoints or users that an attacker can use to breach the current endpoint, user, or group. Use inbound impact to answer the question: what lateral movement could an attacker potentially use to breach this asset?
Impact analyzes both direct control and indirect control when evaluating the potential movement of an endpoint, user, or group.
The user has administrative rights to a system through a direct entry in the local Administrators object on the system, not through an Active Directory group membership.
The user has administrative rights to a system through an Active Directory group or nested group that has an entry in the local Administrators object on the system.
In scenario A in the preceding figure, the attacker compromises the database server, on which User_A has an open session. You can visualize the outbound impact of this breach and potential lateral movement by running an Outbound Impact search on the Database Server, IM-WN-2204.
The attacker uses User_A’s session to obtain the credentials for User_A. Because User_A is a member of a user group, the attacker now has access to all endpoints on which there is an entry in the local Administrators object on the endpoint for this user group, which is shown in Impact through indirect control analysis.
In scenario B in the preceding figure, suppose the target endpoint is the CEO’s laptop. To determine how an attacker could potentially breach this high profile endpoint, run an Inbound Impact search for the endpoint, IMP-WN-2808.
The analysis by Impact shows that if an attacker breaches the Web Server, on which User_D has an open session, the attacker can use User_D’s credentials to gain administrator access to this endpoint. Click a hop in the hop map to display the specific endpoints, users, and groups that are part of the potential lateral movement.
In scenario C in the preceding figure, the attacker could potentially use both direct and indirect control to breach the Active Directory server. Impact provides multiple methods to analyze the various ways that an attacker could move through your network. For example, you can analyze the indirect and direct control for User_Group_1 to see which endpoints can be reached by this group, either through direct membership on an endpoint or nested groups.
You can run an Inbound Impact search on the Active Directory server to how an attacker might gain access to that server.
You can run an Outbound Impact search on the developer’s system to determine what users, endpoints, and groups might be compromised through potential lateral movement if an attacker breaches that endpoint.
If you do not have specific users, endpoints, or groups that you want to analyze, use the Impact ratings to quickly identify critical and high risk assets.
Impact analyzes the data from synchronized domains and calculates an impact rating for each endpoint, user, or group. Four factors influence an impact rating:
- Potential inbound impact by users
- Potential inbound impact by endpoints
- Potential outbound impact by users
- Potential outbound impact by endpoints
Impact calculates a percentage for each factor based on the total number of endpoints, users, and groups in the synchronized domains. Using this percentage, points are assigned to each factor:
- 0% - 25% of total users or endpoints: 1 point
- 26% - 50% of total users or endpoints: 2 points
- 51% - 75% of total users or endpoints: 3 points
- 76% - 100% of total users or endpoints: 4 points
Impact tallies the points for each factor and applies the following schema to reach the final impact rating:
- Low: 4 points
- Medium: 5 - 8 points
- High: 9 - 12 points
- Critical: 13 - 16 points
The Impact workbench displays the impact rating (Low, Medium, High, Critical) for each endpoint, user, or group. For simplicity, the workbench does not display the points. The total number of points for an endpoint, user, or group are available in the CSV and JSON outputs. For more information, see Exporting Impact data.
Endpoints, users, and groups with a critical impact rating have the highest potential lateral movement and are likely to be targeted for compromise. Potential inbound movement, which can compromise the endpoint, user, or group, and potential outbound movement, which can compromise other endpoints, users, and groups, are used to calculate this rating.
Consider an organization that has synchronized two domains with Impact. These domains contain 1,000 users and 2,000 endpoints, for a total of 3,000 assets.
User A has the following inbound and outbound impact:
- Inbound impact by users: 620 users (62% of all users, 3 points)
- Inbound impact by endpoints: 630 endpoints (31.5% of all endpoints, 2 points)
- Outbound impact by users: 400 users (40% of all users, 2 points)
- Outbound impact by endpoints: 600 endpoints (30% of all endpoints, 2 points)
The points for all four factors total 9, so the impact rating for User A is High.
Impact has built in integration with Tanium™ Connect, Tanium™ Criticality, Tanium™ Trends, and Tanium™ Threat Response for additional visibility and reporting of related data.
Use Connect to send Impact data to destinations, such as email, HTTP, socket receiver, Splunk, and SQL Server. For more information, see Connect User Guide: Connect overview.
Impact uses Active Directory and criticality data from Criticality. For more information, see Tanium Criticality User Guide: Criticality overview.
Impact features a Trends board that provides data visualization of Impact concepts. The Impact board contains the following panels:
Impact Coverage Status
Shows the percentage of total Tanium-managed Windows endpoints where Impact is optimal, needs attention, or is not supported.
Impact Severity Rating for All Endpoints
Shows the severity rating for all domain-joined endpoints.
Impact Severity Rating for All Users
Shows the severity rating for all domain users.
Impact Severity Rating for All Groups
Shows the severity rating for all domain groups.
Use Impact with Threat Response to see details from Impact in alerts. The Threat Response alerts results grid includes an Outbound Impact column, and the Impact Details section of the alert details provides information from Impact on the potential lateral movement of the endpoint to help prioritize alert remediation. For more information, see Threat Response User Guide: Manage the impact of lateral movement with Tanium Impact.
Last updated: 1/31/2023 1:41 PM | Feedback