Don’t Tell Me, Show Me. How Attack Paths Create a Common Language of Risk for IT and Security

Posted by: Matthew Quinn & Gali Rahamim
September 04, 2023
Getting your Trinity Audio player ready...

Anyone who’s ever been in a relationship knows that there can be a vast gap between what you say and what others hear. The same is true organizationally – notably between IT and Security, as we’ve discussed previously. The trick, in relationships and in cybersecurity, is not just to facilitate communication, but to facilitate understanding. No matter how many Slack channels we devote to the IT-Security interface, if they’re not speaking the same language, it just won’t work.

The sensitive subject of vulnerabilities is a great example. The average security organization tracks an overwhelmingly long list of vulnerabilities. How long? According to research, 2/3 of security organizations have a vulnerability backlog of over 100,000 vulnerabilities, and the majority of these teams are able to patch less than 50% of this backlog.

Now in most big organizations, we’ve got security and IT teams. The security team sees its role as finding security issues. Part of the IT team’s job is to fix these. Simple, right? But if 50% of issues cannot possibly be resolved (and from my experience this percentage is actually much higher), then who decides which vulnerabilities get remediated? And by which criteria? Security may want to address a Johnny-come-lately vulnerability that IT understands really is not a threat – whereas IT may favor a quick win over a complex fix that involves a legacy, mission-critical system that nobody wants to touch for fear of breaking it.

And this is where, despite the best efforts at communication between IT and Security, understanding tends to break down. 

Luckily, this can be fixed.

Vulnerabilities: Not Necessarily Exposures

In an ideal world, we would assess a cyber exposure by first defining it clearly. We consult measurements relevant to the given threat vector, gather data from the applicable security program, evaluate our readiness to face that specific exposure, and only then act to mitigate it.

With regards to vulnerabilities, this doesn’t usually happen. Of the 27,363 reported since January 1, 2023 (as of this writing), 8395 (that’s 30%) have a CVSS score of 9.0–10.0 – making them “critical.” Clearly CVSS score is not sufficient to define what constitutes an actual exposure. So what does?

Risk Based Vulnerability Management (RBVM) tools score vulnerabilities based on the business impact if a given asset were to be compromised. Yet these scores are notoriously inaccurate and not always timely. Similarly, penetration testing and Breach and Attack Simulation (BAS) solutions check vulnerabilities based on predefined parameters – not the creative inroads most attackers rely on. 

This leaves most organizations with a ridiculously long list of vulnerabilities, and a slightly shorter list of possible exposures – meaning, viable threats to critical business systems or goals. But even this is too much. The average organization has some 11,000 security exposures attackers could exploit at any given time – and 75% of these lead to dead ends that can’t reach critical assets. 

So how can Security know what’s actually urgent, and communicate the urgency of a given exposure to IT? By using the rule that every editor tells his or her writers: don’t tell me, show me.

Attack Paths: A Common Language of Risk

Using effective attack path management tools, Security can clearly demonstrate risk in a way that IT understands. 

Let’s illustrate this point with a short anecdote we recently came across:  

During a routine meeting with a customer in the local government space, the CISO mentioned that he was having a very hard time getting IT to perform the vast majority of the remediations they requested. We met with the IT manager to get a better understanding of the holdup and engage the different IT departments so we could push remediations.

 “Yes, I know these remediations are important, but we simply don’t have time to do them,” he confessed. 

Valid? Yes. Does that matter? Not so much.

So that’s when we used the attack graph to present the findings in the AD and the Local Credentials. We also showed him the top 5 things we had discovered in their environment. To boot, they had 583 critical assets at risk and over 5000 affected entities. 

Not to get too dramatic, but for a moment, the guy was speechless. 

“Okay, I get it now. Send me a list of the top 10 things to fix and my team will get started immediately.” Thanks to being able to see the attack path, he gained context of which critical assets were at most risk. This understanding helped the risk level of each exposure become clear, demystifying the handful of exposures that actually posed risk among the many thousands that they had

Now the manager was now able to understand the need for the requested remediations in a much more profound and real way. And now they are now in the process of remediating them, with their security posture continuing to improve on a constant basis. 

Attack Paths: The Lingua Franca of Risk

The first step to bridging the divide between IT and Security is creating mutual understanding. As vulnerabilities inundate Security teams, the IT-Security chasm widens. But this can be rectified by translating vulnerabilities into actual exposures – showcasing risks in a language IT comprehends. Attack Path Management can be the lingua franca of risk. Leveraging clearly defined, clearly demonstrable attack paths, Security no longer has to just tell IT where the real threats are, they can show them.


Matthew Quinn & Gali Rahamim

Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.