IT security as a network: how do I read attack paths?
The problem as a graph
Three network levels interlock: identities (who), permissions (what may be done) and systems (on what). The glowing edges form the active attack path — from a compromised account through a privilege escalation to the target database. The pale, empty edge is a never-used relationship (such as segmentation or MFA) that can be activated as a cut or redirect point.
Graph as text
- Phishing email → User account (active)
- User account → Admin rights (active)
- Admin rights → Application server (active)
- Application server → Target database (active)
- MFA / segmentation → User account (empty)
Step by step
- Sketch the network: place identities (accounts, service accounts), permissions (roles, groups) and systems (servers, databases) as nodes, separated by level.
- Draw the relations as directed edges: who can access what, which system trusts which? Mark every actually usable relationship as active.
- Determine entry and target nodes: where could an attacker land (phishing, an exposed service), and which node is the crown jewel?
- Trace the chain of active relations from entry to target — that is the attack path. There are often several; look for the shortest.
- Find the one critical relation through which all paths run (a choke point) and cut it — for example by removing a permission or segmenting the network.
- Activate previously empty protective relations (MFA, just-in-time rights, logging) as a redirect target, so an attack's energy runs into nothing or into detection.
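The steps above carried out in Python, as an added example that is not part of the original page: the edges from "Graph as text" plus one constructed second route (User account → File share → Application server), assumed here so that the choke point is computed over all paths rather than read off a single one. Node names, the extra route and the "cut" state are assumptions of this example.

```python
# Constructed attack graph: the page's "Graph as text" plus one assumed
# extra route, so that there is more than one path to the target.
EDGES = [
    ("Phishing email", "User account", "active"),
    ("User account", "Admin rights", "active"),
    ("Admin rights", "Application server", "active"),
    ("Application server", "Target database", "active"),
    ("User account", "File share", "active"),          # assumed second route
    ("File share", "Application server", "active"),    # assumed second route
    ("MFA / segmentation", "User account", "empty"),   # protective, not yet used
]

def adjacency(edges):
    """Map each node to its successors over *active* edges only."""
    graph = {}
    for src, dst, state in edges:
        if state == "active":
            graph.setdefault(src, []).append(dst)
    return graph

def attack_paths(edges, entry, target):
    """All simple paths of active relations from entry to target (DFS)."""
    graph, found = adjacency(edges), []
    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # simple paths only, no cycles
                walk(nxt, path + [nxt])
    walk(entry, [entry])
    return found

def choke_points(edges, entry, target):
    """Relations every path depends on: cutting any one breaks them all."""
    paths = attack_paths(edges, entry, target)
    if not paths:
        return set()
    return set.intersection(*(set(zip(p, p[1:])) for p in paths))

def cut(edges, relation):
    """Deactivate one relation, e.g. by removing the permission it stands for."""
    return [(s, d, "cut" if (s, d) == relation else st) for s, d, st in edges]

if __name__ == "__main__":
    print(choke_points(EDGES, "Phishing email", "Target database"))
    # Cutting only the admin edge leaves the file-share route open.
    print(attack_paths(cut(EDGES, ("User account", "Admin rights")), "Phishing email", "Target database"))
```

With the second route present, the user-to-admin relation is no longer the lever; the choke points are the entry edge and the edge into the database, and cutting either empties the path list.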
Seen through the model
Picture a small company as a network. A phishing email activates a first relation: an employee reveals their password, and the user account becomes an active node. From there an edge leads to a group with admin rights, from the admin rights another to the application server, and from the server finally to the customer database. Four active relations in a row — that is the attack path.
Defense does not fight every single edge; it looks for the node where the chain becomes thin. If everything hinges on the user account sitting in the admin group, then that very relation is the lever: remove it and the path breaks. In addition, you activate a previously empty relation — MFA on the account — so that the captured signal ‘stolen password’ no longer triggers an active edge.
This is one way to see security — a lens. Real systems have fractally many more nodes and paths; the model helps with sorting but does not replace an audit.
Frequently asked
What is attack path mapping?
Attack path mapping is finding and depicting the chain of accesses and trust relationships an attacker uses to move from an entry point to a valuable target. In the network lens it is an unbroken series of active relations between identity, permission and system nodes. Made visible, it shows which single edge to cut instead of defending everywhere at once.
How do I find weaknesses in a system?
Sketch the system as a network and trace every chain of active relations from a possible entry to the target. A weakness is a relation that grants more access than needed — an over-broad permission or implicit trust. Especially critical are nodes through which many paths run. This is a way of thinking for sorting, not a replacement for scanners, pentests or audits.
How do identities, permissions and systems connect?
They form three network levels. Identities (accounts) connect via relations to permissions (roles, groups), and permissions via further relations to systems (servers, data). An attacker uses not a single node but the edges between them: hopping from identity through permission to system. This split into levels mirrors the W3C PROV model of Agent, Activity and Entity.
Keep thinking
Related terms: Entity, Relation, The three states: empty, active, passive, Network level