Risk is a condition that pre-exists an incident. If you reduce security risk, you will reduce security incidents. Epiphany is a new risk detection and quantification platform that highlights, qualifies and quantifies the risks that occur within the technical structure and users of a network, giving the security team the opportunity to eliminate the risk before an incident.
The Epiphany Intelligence Platform from DigitalWare gathers information on the IT infrastructure and its users, and then uses adversarial modeling and countermeasure analysis to locate risks and quantify the likelihood of adversarial success against that risk. In this way, it can be seen as automatic risk triaging in the same way as analysts manually triage alerts — but before the alert stage is reached.
The system gathers information on every node on the network, examining both its users and connections to other nodes. With its knowledge of exploits and vulnerabilities, Epiphany can plot a potential attacker’s route from entry to target asset, and measure the success likelihood of this route being exploited.
The results are reported in a manner that will be as meaningful to business leaders as they are to security leaders. For example, at one level risk is measured and reported as a success percentage: a risk given a success rate of 70% or above is a serious risk that needs to be remediated immediately. Anything measured at 30% or below could be left until more time is available. But from this very high level, the reporting can drill down to individual nodes or assets and show how they can be exploited for network traversal.
An example of Epiphany’s risk detection can be found in phishing. Phishing is a risk that cannot be eliminated. However, Epiphany can plot the risk arising from the successful phish of any user’s credentials. It knows what assets can be accessed by those credentials, and what potential routes can be opened by those credentials. It evaluates and reports on the ability of existing security controls to block those routes.
“We look at the nexus between the state of the asset the user is operating on, and the user’s operational context,” Rob Bathurst, DigitalWare CTO, told SecurityWeek; “meaning what permissions do they have, what kind of domain are they on, what groups do they belong to — and then we look at that user’s importance to the business. Is the user in executive management, does he or she have important connections to other people? If we understand the structure of the organization, and we understand the technical attributes associated with the account — its domain presence — does this make the user less safe or more safe in a given operational scenario? It’s really the difference between whether the user is driving down the road in an armored car or driving down the freeway on a bicycle. The risk is completely different.”
The customer organization tells Epiphany what its critical assets are, and Epiphany builds all the routes by which those assets can be reached and compromised. The many thousands of potential routes are compressed into the most likely routes — the main avenues — by which a compromise could be achieved. “The attacker could use this combination of accounts and vulnerabilities and configuration issues and accesses to move from the entry point to target,” continued Bathurst, “which could be anything from a domain admin account to an application or database.” A report on the routes found gives not only the potential attack route, but also the method that can be exploited to move from one node to the next en route to the critical asset.
“Epiphany thinks the same way an adversary would in the environment and it gives you more or less the treasure map that if you were an attacker you could use to traverse the network to reach the target.”
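To make the route-ranking idea concrete, here is an added example (not Epiphany code, and not based on any DigitalWare data) that enumerates attack paths over a small, constructed node graph, scores each path by multiplying assumed per-hop success probabilities, and triages the result with the 70%/30% thresholds the article cites. The node names, methods and probabilities are all illustrative assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample attack graph (hypothetical, not from the platform):
# (source node, destination node) -> (traversal method, assumed success probability)
EDGES: Dict[Tuple[str, str], Tuple[str, float]] = {
    ("workstation", "fileserver"): ("reused local admin credential", 0.9),
    ("workstation", "jumphost"): ("unpatched service", 0.5),
    ("fileserver", "db"): ("service account with domain admin", 0.8),
    ("jumphost", "db"): ("shared SSH key", 0.7),
    ("jumphost", "fileserver"): ("unpatched service", 0.4),
}

Hop = Tuple[str, str, str]  # (from, to, method)


def all_routes(edges, entry: str, target: str) -> List[Tuple[float, List[Hop]]]:
    """Depth-first enumeration of every simple path from entry to target.

    A route's likelihood is the product of its hop probabilities, which assumes
    hops are independent (a simplification, stated as such)."""
    adj: Dict[str, List[Tuple[str, str, float]]] = {}
    for (src, dst), (method, prob) in edges.items():
        adj.setdefault(src, []).append((dst, method, prob))
    routes: List[Tuple[float, List[Hop]]] = []

    def walk(node, visited, hops, likelihood):
        if node == target:
            routes.append((likelihood, hops))
            return
        for dst, method, prob in adj.get(node, []):
            if dst not in visited:  # no cycles: each node visited once per route
                walk(dst, visited | {dst}, hops + [(node, dst, method)], likelihood * prob)

    walk(entry, {entry}, [], 1.0)
    return sorted(routes, key=lambda r: r[0], reverse=True)


def triage(likelihood: float) -> str:
    """Bucket a route using the article's thresholds: >=70% urgent, <=30% deferrable."""
    if likelihood >= 0.70:
        return "remediate now"
    if likelihood <= 0.30:
        return "defer"
    return "schedule"


def main_avenues(edges, entry: str, target: str, top: int = 3):
    """Compress all routes into the top-N most likely, with a triage label each."""
    return [(round(lik, 3), triage(lik), hops) for lik, hops in all_routes(edges, entry, target)[:top]]
```

Each returned tuple carries the score, the triage bucket, and the hop-by-hop method list, which is the "treasure map" view the article describes, read from the defender's side.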
Passwords are another risk found and measured by Epiphany. It looks at common risks, like passwords over 180 days old, or whether domain admin accounts are being used as service accounts. It looks at commonality of keys, where SSH keys might be shared across different privilege levels. It can examine the entire Active Directory structure for the whole organization or different divisions within the organization. “The user’s persona, all of the accounts and all of the accesses, is captured by Epiphany,” said Bathurst. “So, we can say that if this user is compromised in any way, the attacker now gains access to all these additional credentials.”
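The credential checks listed above (stale passwords past 180 days, domain admin accounts used as service accounts, SSH keys shared across privilege levels) and the "persona" view of what a compromised user exposes can be expressed as a small audit over account records. This is an added example with constructed, hypothetical account data; it is not Epiphany's code and the record fields are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

PASSWORD_MAX_AGE_DAYS = 180  # threshold cited in the article

# Constructed sample of directory account records (hypothetical, not real data).
ACCOUNTS: List[Dict] = [
    {"name": "alice", "password_age_days": 45, "domain_admin": False,
     "service_account": False, "privilege": "user", "ssh_key": "key-A"},
    {"name": "svc_backup", "password_age_days": 400, "domain_admin": True,
     "service_account": True, "privilege": "admin", "ssh_key": "key-B"},
    {"name": "bob", "password_age_days": 200, "domain_admin": False,
     "service_account": False, "privilege": "user", "ssh_key": "key-B"},
    {"name": "carol", "password_age_days": 10, "domain_admin": True,
     "service_account": False, "privilege": "admin", "ssh_key": None},
]


def credential_findings(accounts: List[Dict]) -> List[Tuple[str, str]]:
    """Return (account, issue) pairs for the three hygiene risks named in the article."""
    findings: List[Tuple[str, str]] = []
    key_privs: Dict[str, Set[str]] = defaultdict(set)  # ssh key -> privilege levels using it
    for acct in accounts:
        if acct["password_age_days"] > PASSWORD_MAX_AGE_DAYS:
            findings.append((acct["name"], "stale password"))
        if acct["domain_admin"] and acct["service_account"]:
            findings.append((acct["name"], "domain admin used as service account"))
        if acct["ssh_key"]:
            key_privs[acct["ssh_key"]].add(acct["privilege"])
    # A key is a finding only when it bridges more than one privilege level.
    for acct in accounts:
        if acct["ssh_key"] and len(key_privs[acct["ssh_key"]]) > 1:
            findings.append((acct["name"], "ssh key shared across privilege levels"))
    return sorted(findings)


def persona_blast_radius(accounts: List[Dict], name: str) -> Set[str]:
    """Other accounts whose credentials become usable if `name` is compromised,
    here modelled solely through shared SSH keys (a deliberate simplification)."""
    by_name = {a["name"]: a for a in accounts}
    key = by_name[name]["ssh_key"]
    if not key:
        return set()
    return {a["name"] for a in accounts if a["ssh_key"] == key and a["name"] != name}
```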
This risk visibility can also be provided within the Operational Technology (OT) network. “It can find attack paths from device to device inside the OT network, which your typical vulnerability scanner cannot,” he continued. “If you look at the BlackEnergy attack that took place in the Ukraine, that was actually a controller to controller attack — they never left the OT network. It went through one PLC to another PLC. Epiphany would have been able to model the connection between them to show that if an attacker were able to get here, they could then directly attack this other vulnerable PLC without ever going back to the core network.”
Epiphany provides the data for the business to understand the risks that lurk in the network, and for the security team to understand which risks are most urgent. It does not currently attempt to fix the risks automatically, but simply provides the data to the security team. DigitalWare is working on increased automation, but is concentrating on areas where it can include a ‘human in the loop’ condition, where a person approves the change before it happens.