Select a Remediation Recommendation
A guide to the workflow for selecting the appropriate recommendation.
Last updated
Selecting a remediation recommendation is the first phase of actions to help reduce your exposure, but not the last. For the Epiphany-specific process we'll use the following workflow:
Manually or automatically (in the Top Recommendations), select a relationship you'd like to consider for remediation.
Evaluate your options for breaking or altering the attack path in that relationship.
Determine the best course of action for remediation.
Create an action.
Epiphany's Top Recommendation Engine is driven by how an attacker can use relationships between nodes in the attack path to cause an impact to your organization. Wherever you see the "fix it" icon, you can select it to see a recommendation from Epiphany.
The ranking of the Top Recommendations on the Risk Explorer is always relative to the specific path you're examining, and then by the ability of that relationship to affect other paths. The dashboard Attack Path component's Top Recommendations, by contrast, are ranked by the overall number of paths that lead to prizes.
The Path Finder includes a quick access icon for the Top Recommendations. Selecting this icon displays the list of prioritized recommendations for you to evaluate. Selecting any recommendation displays details about the relationship.
Depending on the complexity of the path, there can be several different areas for you to focus on:
Title. What the recommendation is. For example, "Remove admin rights from HELPDESK_ADMINS@DEMO.EIP.IO".
Icon. An icon represents what the recommendation affects. It could be a user, group, vulnerability, device, or network.
Modified. When the relationship was last modified. "N/A" means the relationship has not changed.
Paths Broken. The number of paths relative to this path's objective that will be broken by implementing the recommendation.
Footholds Resolved. The number of footholds relative to this path that will be resolved by the change. Resolution means that there are no longer any existing configuration issues or vulnerabilities that would allow an attacker to use the device as a Foothold.
The recommendation is for this relationship only and is highlighted in yellow so that it is easier to locate.
When a relationship is first highlighted it will display the Recommendation Engine window so you can see Epiphany's analysis of the relationship.
The Recommendation Engine pane shows you all the critical information about the relationship as well as the actions you can take within Epiphany for the recommendation.
The Recommendation Engine window shows several important data points to help you consider the course of action you'd like to take.
The sections of the Recommendation Engine pane are:
Recommendation Selector. Epiphany's Recommendation Engine can find multiple ways to break or manipulate any relationship within an attack path. If there is more than one recommendation, you view them by selecting a tab. Recommendations are ranked by their ability to break paths or create resistance. Recommendations that do not break paths are always displayed last.
The Relationship. A compact representation of the more detailed relationship. It depicts the start node, the relationship itself, and the follow-on node.
Recommendation. This is Epiphany's recommendation for how to break the relationship. It is displayed using the grammar (Action) (Subject). The Recommendation section also displays an explanation of how this relationship causes risk.
Outcomes. The outcomes in Epiphany are always measured in Exposure Reduced, or simply how many paths Epiphany can break with the change. The first measure is Paths to the Target, which means how many paths to the Objective of the attack path are broken. The second is overall paths, which is a measure of the number of attack paths across the entire environment broken by this change.
Actions. These are the actions available to you for remediation of this relationship. You can do the following:
Ticket. Create a ticket within Epiphany to be assigned to a person or group to take action on the risk.
Assign. Assign an Epiphany user to review the relationship. This will trigger an alert for them when they log in.
Notify. Set a notification trigger inside of Epiphany for any time this relationship occurs again. This will generate a notification for you when you log in.
Accept. This tells Epiphany to accept this relationship as a known risk. The acceptance must be approved by someone designated as a Risk Approver in Epiphany, and the relationship is suppressed for a limited time.
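To make the Outcomes measures and the ranking rule concrete, here is a small added example (not Epiphany's code or data) that scores constructed recommendations against a constructed set of attack paths. The path data, the recommendation titles, and the rule that a foothold counts as resolved only when every path starting on that device is broken are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample data (not Epiphany output): each attack path runs from a
# foothold device to a target and is an ordered list of relationships (edges).
PATHS = [
    {"id": "p1", "foothold": "WS-7", "target": "DC01",
     "edges": ["WS-7 -> HELPDESK_ADMINS", "HELPDESK_ADMINS -> DC01"]},
    {"id": "p2", "foothold": "WS-7", "target": "DC01",
     "edges": ["WS-7 -> RICHARD.KLEINSCHMIDT session", "RICHARD.KLEINSCHMIDT -> DC01"]},
    {"id": "p3", "foothold": "WS-7", "target": "FILESRV",
     "edges": ["WS-7 -> HELPDESK_ADMINS", "HELPDESK_ADMINS -> FILESRV"]},
    {"id": "p4", "foothold": "WS-9", "target": "DC01",
     "edges": ["WS-9 -> SQL01 local admin", "SQL01 -> DC01"]},
]

@dataclass(frozen=True)
class Recommendation:
    title: str            # (Action) (Subject), as on the page
    removes: frozenset    # relationships the change breaks; empty = resistance only

RECS = [  # constructed recommendations
    Recommendation("Remove admin rights from HELPDESK_ADMINS",
                   frozenset({"HELPDESK_ADMINS -> DC01", "HELPDESK_ADMINS -> FILESRV"})),
    Recommendation("Remove RICHARD.KLEINSCHMIDT's session from WS-7",
                   frozenset({"WS-7 -> RICHARD.KLEINSCHMIDT session"})),
    Recommendation("Remove local admin rights on SQL01",
                   frozenset({"WS-9 -> SQL01 local admin"})),
    Recommendation("Require MFA on FILESRV", frozenset()),  # adds resistance, breaks nothing
]

def exposure_reduced(paths, rec, objective):
    """Return (paths_to_target, overall_paths, footholds_resolved).
    A path is broken when the change removes at least one of its edges.
    Foothold resolution is modelled here (an assumption) as: every path
    starting on that device is broken."""
    broken = [p for p in paths if rec.removes & set(p["edges"])]
    to_target = sum(1 for p in broken if p["target"] == objective)
    broken_ids = {p["id"] for p in broken}
    footholds = {p["foothold"] for p in paths}
    resolved = sum(1 for f in footholds
                   if all(p["id"] in broken_ids for p in paths if p["foothold"] == f))
    return to_target, len(broken), resolved

def rank_recommendations(paths, recs, objective):
    """Order as the page describes: paths to the objective first, then overall paths
    (footholds resolved as a further tie-breaker is an assumption); non-breaking last."""
    scored = [(r, exposure_reduced(paths, r, objective)) for r in recs]
    breaking = sorted((s for s in scored if s[1][1] > 0),
                      key=lambda s: (-s[1][0], -s[1][1], -s[1][2], s[0].title))
    resistance_only = [s for s in scored if s[1][1] == 0]
    return [s[0].title for s in breaking + resistance_only]
```

Running `rank_recommendations(PATHS, RECS, "DC01")` lists the HELPDESK_ADMINS change first because it breaks one path to the objective and two overall, and leaves the MFA recommendation last because it breaks no path.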
Within the attack path you will most likely see multiple different relationships you could remediate and multiple recommendations within the relationships. The first goal of any action you take should be to protect the business, and with that, reduce exposure. When evaluating the relationships look across multiple recommendations from the Recommendation Engine to determine the best course of action.
In this example of an Active Directory misconfiguration, Epiphany identified two higher risks than the misconfiguration shown above: the HELPDESK_ADMINS group being exposed to the attacker, and the account of RICHARD.KLEINSCHMIDT (a domain administrator) being used on a non-domain controller. They rank higher because of their ability to impact the entire organization if the attacker gains access to the targets, but exploring the recommendations quickly shows that this exposure was directly caused by the misconfiguration, which is therefore most likely the easiest place to start remediation.
Once a suitable remediation recommendation (or several) is found, it's time to take action. You may end up with multiple actions from a single attack path. Using the Actions on the Recommendation Engine window for the relationship, it's easy to dispatch a recommendation and begin to track progress.