Impact overview

Use Impact to understand administrative rights in the Active Directory environment for your organization and the potential impact if a compromise occurs. Manage lateral movement impact within your organization by identifying, prioritizing and remediating access rights and dependencies to reduce attack surface, prioritize actions, and scope incidents.

Reduce attack surface

Identify and quantify the user accounts that have administrative access to key systems, such as high-profile workstations or Active Directory domain controllers. By limiting administrative access to these systems, you can reduce your attack surface.

Prioritize actions

Quickly identify the user accounts and systems that would have the most significant impact if compromised. With this information, you can focus on these high-impact accounts or systems to limit potential lateral movement in the event of an attack.

Scope incidents

If a user account or system is compromised, use Impact to quickly determine the potential lateral movement of the attack and take action to prevent additional compromise.

Credential dumping and lateral movement

When a user logs in to a computer, either locally or remotely, a session is created that caches the user credentials in memory, typically until a restart. Attackers can use malicious tools, often referred to as credential dumpers, to access these cached credentials. Attackers then use the credentials to impersonate the compromised user and gain access to other systems in your environment. This potential lateral movement is more severe if the compromised user is a member of privileged groups, which might contain additional nested groups, and can rapidly compromise a large number of systems in your environment.

For more information, see MITRE ATT&CK: Credential Dumping and MITRE ATT&CK: Lateral Movement.

In Impact, this potential lateral movement is broken down further into outbound impact and inbound impact.

outbound impact

The other systems or users that an attacker can breach from the endpoint, user, or group (asset).

inbound impact

The other systems or users that an attacker can use to breach the asset.

Impact analyzes both direct control and indirect control when evaluating the potential movement of an endpoint, user, or group.

direct control

The user has administrative rights to a system through a direct entry in the local Administrators object on the system, not through an Active Directory group membership.

indirect control

The user has administrative rights to a system through an Active Directory group or nested group that has an entry in the local Administrators object on the system.
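As an added illustration of direct versus indirect control (this is example code, not part of Tanium Impact), the following resolves nested Active Directory group membership into effective local administrators on constructed sample data; the endpoint names, group names and the "grp:" prefix are assumptions for the example.

```python
# Added example (not Tanium's code): resolving direct vs. indirect administrative
# control from constructed local-Administrators and AD group-membership data.
from collections import deque

# Constructed sample data: members of each endpoint's local Administrators group.
# Entries are either a user ("alice") or an AD group, marked with a "grp:" prefix.
LOCAL_ADMINS = {
    "WS-01": {"alice", "grp:Helpdesk"},
    "DC-01": {"grp:Domain Admins"},
    "WS-02": {"grp:Tier1-Ops"},
}

# Constructed AD group membership: group -> direct members (users or nested groups).
AD_GROUPS = {
    "grp:Helpdesk": {"bob", "grp:Tier1-Ops"},
    "grp:Tier1-Ops": {"carol"},
    "grp:Domain Admins": {"dave", "grp:Tier1-Ops"},
}


def expand_group(group, groups=AD_GROUPS):
    """All users reachable through a group, following nested groups (cycle-safe)."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for member in groups.get(queue.popleft(), ()):
            if member.startswith("grp:"):
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def effective_admins(endpoint, local_admins=LOCAL_ADMINS, groups=AD_GROUPS):
    """Map each user with admin rights on the endpoint to 'direct' or 'indirect'.

    The keys of the result are the endpoint's inbound impact by users."""
    result = {}
    for entry in local_admins[endpoint]:
        if entry.startswith("grp:"):
            for user in expand_group(entry, groups):
                result.setdefault(user, "indirect")  # a direct entry takes precedence
        else:
            result[entry] = "direct"
    return result


def outbound_endpoints(user, local_admins=LOCAL_ADMINS, groups=AD_GROUPS):
    """Endpoints a compromised user could administer (outbound impact by endpoints)."""
    return {ep for ep in local_admins if user in effective_admins(ep, local_admins, groups)}
```

Note that carol reaches the domain controller only through two levels of nesting, which is exactly the indirect control a review of the local Administrators group alone would miss.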

Figure 1: Using lateral movement to prioritize decision making

Impact rating

Impact analyzes the data from synchronized domains and calculates an impact rating for each endpoint, user, or group. Four factors influence an impact rating:

  • Potential inbound impact by users
  • Potential inbound impact by endpoints
  • Potential outbound impact by users
  • Potential outbound impact by endpoints

Impact calculates a percentage for each factor based on the total number of endpoints, users, and groups in the synchronized domains. Using this percentage, points are assigned to each factor:

  • 0% - 25% of total users or endpoints: 1 point
  • 26% - 50% of total users or endpoints: 2 points
  • 51% - 75% of total users or endpoints: 3 points
  • 76% - 100% of total users or endpoints: 4 points

Impact tallies the points for each factor and applies the following schema to reach the final impact rating:

  • Low: 4 points
  • Medium: 5 - 8 points
  • High: 9 - 12 points
  • Critical: 13 - 16 points

Endpoints, users, and groups with a critical impact rating have the highest potential lateral movement and are likely to be targeted for compromise. Potential inbound movement, which can compromise the endpoint, user, or group, and potential outbound movement, which can compromise other endpoints, users, and groups, are used to calculate this rating.

Example

Consider an organization that has synchronized two domains with Impact. These domains contain 1,000 users and 2,000 endpoints, for a total of 3,000 assets.

User A has the following inbound and outbound impact:

  • Inbound impact by users: 620 users (62% of all users, 3 points)
  • Inbound impact by endpoints: 630 endpoints (31.5% of all endpoints, 2 points)
  • Outbound impact by users: 400 users (40% of all users, 2 points)
  • Outbound impact by endpoints: 600 endpoints (30% of all endpoints, 2 points)

The points for all four factors total 9, so the impact rating for User A is High.
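The rating schema above, carried through for User A as an added example (not Tanium's code). The only assumption is that the percentage bands are treated as contiguous, with 25, 50 and 75 as inclusive upper limits, so that fractional percentages such as 31.5% fall into a band.

```python
# Added example (not Tanium's code): Impact rating computed from the four factors.

def factor_points(count, total):
    """Points for one factor from the share of total users or endpoints it represents.

    Assumption: bands are contiguous with inclusive upper limits 25, 50 and 75."""
    pct = 100.0 * count / total
    if pct <= 25:
        return 1
    if pct <= 50:
        return 2
    if pct <= 75:
        return 3
    return 4


def impact_rating(counts, total_users, total_endpoints):
    """Return (total_points, rating, per_factor_points) for one asset.

    counts holds the four factor counts: inbound_users, inbound_endpoints,
    outbound_users and outbound_endpoints."""
    points = {
        "inbound_users": factor_points(counts["inbound_users"], total_users),
        "inbound_endpoints": factor_points(counts["inbound_endpoints"], total_endpoints),
        "outbound_users": factor_points(counts["outbound_users"], total_users),
        "outbound_endpoints": factor_points(counts["outbound_endpoints"], total_endpoints),
    }
    total = sum(points.values())  # minimum is 4, since every factor scores at least 1
    if total <= 4:
        rating = "Low"
    elif total <= 8:
        rating = "Medium"
    elif total <= 12:
        rating = "High"
    else:
        rating = "Critical"
    return total, rating, points


# User A from the page: 1,000 users and 2,000 endpoints across the synchronized domains.
USER_A = {
    "inbound_users": 620,
    "inbound_endpoints": 630,
    "outbound_users": 400,
    "outbound_endpoints": 600,
}

if __name__ == "__main__":
    print(impact_rating(USER_A, 1000, 2000))  # (9, 'High', {...})
```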

Integration with other Tanium products

Impact has built-in integration with Tanium™ Trends and Tanium™ Threat Response for additional visibility and reporting of related data.

Trends

Impact features a Trends board that provides data visualization of Impact concepts. The Impact board contains the following panels:

Impact Coverage Status

Shows the percentage of total Tanium-managed Windows endpoints where Impact is optimal, needs attention, or is not supported.

Impact Severity Rating for All Endpoints

Shows the severity rating for all domain-joined endpoints.

Impact Severity Rating for All Users

Shows the severity rating for all domain users.

Impact Severity Rating for All Groups

Shows the severity rating for all domain groups.

Threat Response

Use Impact with Threat Response to see details from Impact in alerts. The Threat Response alerts results grid includes an Outbound Impact column, and the Impact Details section of the alert details provides information from Impact on the potential lateral movement of the endpoint to help prioritize alert remediation. For more information, see Threat Response User Guide: Manage the impact of lateral movement with Tanium Impact.