If a bad actor infiltrated your network, where would they go? While no one has a crystal ball, attack path modeling can go a long way to helping you find out. And, for teams without the resources to do it themselves, there’s a new CIS tool available to bridge the gap.
What is attack path modeling?
Think of Mission Impossible (any one of the seven will do). Tom Cruise rappels down into enemy territory and has to find his way to the payload. There are a number of different options to get there, and he usually ends up exhausting them all. Taking a page from his playbook, attackers will do the same thing. Attack path modeling gives you, the organization, an overhead view of any possible attack avenues that can be exploited and how likely they are to successfully let a threat actor through. The only difference here is that you are the good guy.
Also known as attack path validation, this methodology reaches beyond routine vulnerability scanning: it looks for chains of weaknesses, including ones no scanner flagged, that lead to critical assets within the network. That means modeling the realistic pathways to your data, which takes not only vulnerability management but also penetration testing and red teaming. And to be truly effective, the latter two need to use the same adversarial techniques as today's advanced attackers. For any company, and especially for smaller ones, it can be quite a job.
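To make the idea concrete, here is a small attack path model in Python. It is an added example, not code from the original post and not any CIS tool: the hosts, the edges between them, and the per-hop success probabilities are all constructed for illustration, and in practice those numbers would come from your own inventory, scan results, and pentest findings. The model enumerates every simple path from the internet to a "crown jewels" database, ranks the paths by how likely an attacker is to get all the way through, and then asks which single fix would knock down the most likely path the most.

```python
"""Attack path enumeration over a constructed network model.

Added example only; the graph and probabilities below are made up
(assumptions for illustration, not measured data).
"""
from typing import Dict, List, Tuple

# node -> list of (next_node, technique, p_success).
# p_success is an ASSUMED probability that an attacker who already
# controls `node` can reach `next_node` with that technique.
ATTACK_GRAPH: Dict[str, List[Tuple[str, str, float]]] = {
    "internet": [
        ("vpn-gw", "phished VPN creds, no MFA", 0.40),
        ("web-dmz", "unpatched web app RCE", 0.25),
    ],
    "vpn-gw": [
        ("workstation", "user-level access over VPN", 0.90),
    ],
    "web-dmz": [
        ("app-server", "reused service account", 0.50),
        ("workstation", "no segmentation from DMZ", 0.30),
    ],
    "workstation": [
        ("app-server", "local admin everywhere", 0.60),
        ("dc", "cached domain admin creds", 0.20),
    ],
    "app-server": [
        ("db-crown-jewels", "DB creds in config file", 0.70),
        ("dc", "Kerberoastable service account", 0.35),
    ],
    "dc": [
        ("db-crown-jewels", "domain admin", 0.99),
    ],
    "db-crown-jewels": [],
}

Step = Tuple[str, str, str]  # (from_node, technique, to_node)


def enumerate_paths(graph, start, target):
    """Depth-first enumeration of all simple paths from start to target.

    Returns a list of (probability, [Step, ...]) sorted most likely first.
    The path probability is the product of the per-hop probabilities,
    i.e. it assumes each hop succeeds independently.
    """
    results: List[Tuple[float, List[Step]]] = []

    def dfs(node, visited, path, prob):
        if node == target:
            results.append((prob, list(path)))
            return
        for nxt, technique, p in graph.get(node, []):
            if nxt in visited:          # no cycles: simple paths only
                continue
            visited.add(nxt)
            path.append((node, technique, nxt))
            dfs(nxt, visited, path, prob * p)
            path.pop()
            visited.remove(nxt)

    dfs(start, {start}, [], 1.0)
    results.sort(key=lambda r: r[0], reverse=True)
    return results


def top_path_probability(graph, start, target):
    """Probability of the single most likely path, or 0.0 if none exists."""
    paths = enumerate_paths(graph, start, target)
    return paths[0][0] if paths else 0.0


def rank_mitigations(graph, start, target):
    """Score each edge by how much removing it lowers the top path probability.

    Returns a list of (reduction, from_node, to_node, technique), best first.
    Removing an edge models closing that weakness (patching, MFA, segmentation).
    """
    base = top_path_probability(graph, start, target)
    ranking = []
    for node, edges in graph.items():
        for i, (nxt, technique, _p) in enumerate(edges):
            pruned = {n: list(e) for n, e in graph.items()}
            pruned[node] = edges[:i] + edges[i + 1:]
            reduction = base - top_path_probability(pruned, start, target)
            ranking.append((reduction, node, nxt, technique))
    ranking.sort(reverse=True)
    return ranking


def describe(path):
    """Render a path as 'a -[technique]-> b -[technique]-> c'."""
    out = path[0][0]
    for src, technique, dst in path:
        out += f" -[{technique}]-> {dst}"
    return out


if __name__ == "__main__":
    for prob, path in enumerate_paths(ATTACK_GRAPH, "internet", "db-crown-jewels"):
        print(f"{prob:.4f}  {describe(path)}")
    print("\nFix first:")
    for reduction, src, dst, technique in rank_mitigations(ATTACK_GRAPH, "internet", "db-crown-jewels")[:3]:
        print(f"-{reduction:.4f}  {src} -> {dst} ({technique})")
```

On this constructed graph the most likely route is phished VPN credentials, then the workstation, then local admin onto the app server, then database credentials sitting in a config file. The mitigation ranking points at that last hop as the single most valuable fix, which is the kind of "where do I spend first" answer attack path modeling is meant to give. Note that the model ranks by the single most likely path rather than combining all paths, because the paths share hops and are not independent; a production tool would also tie each edge back to the Safeguard that closes it.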
This is why the Center for Internet Security (CIS) recently rolled out a new tool that focuses on the risks and likelihood of an attack, before an organization goes down the path of modeling every attack scenario.
Exploring the new CIS tool
There’s a new tool in town, and it can help you determine how likely you are to be affected by a ransomware attack.
For context, the CIS Critical Security Controls set forth prioritized Safeguards, which, if adhered to, cover a host of lower-level ills that attackers exploit all the time. In other words, they outline the security basics that should be standard practice for every organization with a security strategy to speak of. Check out Implementation Group 1 (IG1) for a view of the nuts and bolts, and you'll find "essential cyber hygiene" practices like multi-factor authentication, access control, privilege management, and more.
The CIS Controls aim to demystify the cybersecurity process and provide easy-to-understand guidelines for companies of any maturity level, and it is especially level-setting for those just starting out in their cyber maturity journey. In that same vein, CIS sought to establish a tool that could meet growing security teams where they were and enable them to map attack potentials like the pros – because everyone’s at risk.
The CIS CSAT Ransomware Business Impact Analysis Tool v1.1.0 (yes, that’s the whole name) helps users:
- Forecast what will happen if their business is hit by ransomware
- Estimate how likely they are to get hit in the next 12 months, based on their implementation of the CIS Controls
- Calculate the financial risk to their organization
- Make information security decisions based on that risk
- Engage non-technical stakeholders in managing risk
- Prioritize security efforts based on the above
As stated on the CIS website:
“The CIS CSAT Ransomware Business Impact Analysis tool helps organizations better understand how likely a ransomware attack might be for their organization and how impactful it might be if the organization were to suffer a ransomware attack. The reporting from the tool can be used to enhance the discussion on ransomware risk at an enterprise level, ultimately enabling organizations to better invest in protection against these attacks.”
And all without first investing in exhaustive attack path mapping. The tool is free and only requires a login to get started.
One way or another
The takeaway here is that attack path modeling is essential, and companies should find a way to do it, whether through traditional means or through a time-saving tool that helps you assess the risks first. Organizations can't fly blind in the face of potential attacks, ransomware or otherwise.
Once the focus shifts to attack path management, you get a bird's-eye view of your network, and incident response speeds up because you already know the hidden routes an attacker could take. It gives you the upper hand in defending your assets and keeps you from being caught flat-footed.
In the event of an actual ransomware attack, many systems will be thrown into play. Is that the time to break the news to the higher-ups and let them total out the potential costs? Is that the time to ask for more security funding (when they might ask why you hadn’t asked for it sooner)? We’ve reached a point in the industry where companies need to start playing a proactive game.