A Tacky Graph and Listless Defenders: Looking Beneath the Attack Surface

Preliminary Research into Attack Paths

In this paper from the JupiterOne research and development and data science teams, we'll discuss the early findings from our ongoing attack surface research, pose open questions about the attack surface we should all be thinking about, and discuss specific use cases for using list or graph-based analysis.

There's an inconvenient truth that is not often acknowledged: defending is harder than attacking.

John Lambert, a well-known, distinguished engineer at Microsoft, famously said, “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” 

The difficulty with “thinking in graphs” is that it’s an entirely new skill set to learn. Attackers, on the other hand, have it much easier: they simply need to steal credentials and try paths until they eventually reach a high-value asset. This highlights the fact that defenders have to be right every time, while attackers only need to be right once.

List-based and graph-based analysis both have their use cases, and our research suggests that using a graph will become more necessary as attack surfaces continue to expand.

This paper includes preliminary research into attack surfaces and paths from more than 2,000 organizations, seeking to answer key questions like:

  • How dynamic are attack surfaces and paths?
  • What do 880m triplets reveal about attack surfaces and paths?
  • What do connectivity and local and global risk exposure reveal about control coverage?

Our research included analysis of:

  • 2,285 organizations
  • 272m nodes
  • 880m triplets
    • 329m deleted triplets
    • 550m living triplets