Cyber Asset Relationships Matter - Analyzing Relationship Mapping

by

In Cyber Asset Relationships Matter  – Part One, we defined what the term "cyber asset relationship" means and explained the importance of modeling those relationships. We'll continue that discussion here, and include a walk-through video of how to use a J1 Relationship Map to explore and discover relationships within complex systems.

Analyze Cyber Assets with Dynamic Relationship Mapping

It's easiest to explain mapping with a simple, video example. Erkang Zheng walks through a basic query for a single person to explore the assets affected by that person. Following the video is a breakdown of the various steps as we expand the graph.

 

 

The example starts with finding the relationships between a Developer ("Carter"), his end-user device, the code repo he has opened a pull request to, and which AWS Lambda Function the code defines (or that the code is deployed to).

Query

Find Device
that owns Person with name~='Carter'
that is User
that opened PR
that has CodeRepo
that defines Function
return TREE

Basic Graph

JupiterOne Relationship Mapping - 01

Device and HostAgent

  • the host security policy applied to the device, and
  • the 360 alerts/findings associated with Carter's device
JupiterOne Relationship Mapping - 02

Person

If you expand on the Person (employee), you can see:

  • all the other user accounts that Carter has (what he has access to),
  • and other relationships, such as his manager (Phil), training assigned/completed (not in this graph)
JupiterOne Relationship Mapping - 03

Code Repo

Expand on the Code Repo (jupiter-questions-service), and you will see:

  • it is part of the "JupiterOne" product/project,
  • three other code repos uses it (as a dependency) and it uses (depends on) 12 other repos (because of micro-services architecture), and
  • it has 11 code analysis findings (from Snyk), which means the 3 other repos depending on it might also be impacted by these vulnerabilities
JupiterOne Relationship Mapping - 04

Infrastructure

If you expand a few times on the infrastructure side (Lambda function, security groups, API gateway, etc.), you will get:

  • what can trigger the function to execute (the API gateway),
  • how the API gateway is connected to the Internet (via a Cloudfront Gateway),
  • which SSL/TLS certificate is used,
  • which DNS record points to the gateway,
  • the Web Application Firewall (WAF) rule that protects the internet facing application resource, and
  • the IAM roles/policies that allow access to the lambda function.

On the more internal side, you can see the 3 private subnets the lambda function has access to — if you expand further into those subnets, which I did not in this graph, you'll also see what other resources (server instances, database instances, etc) are in those subnets and be able to get an idea that if the lambda function is vulnerable and compromised, what could be the blast radius and downstream impact.

JupiterOne Relationship Mapping - 05

Summary

This was a high level overview of the capabilities for making cyber assets visible through a JupiterOne Relationship Map. As you get more comfortable with the concept, you can trigger alerts and automation on any of the information, graphs, and subgraph changes.

In modern systems, it's impossible to keep track of your assets without an automated tool to discover and document those assets. The simplest solution we have found is to dynamically display those assets in an expandable/contractable graph, giving you full visibility into your cyber assets, with the additional advantage of being able to manage those assets within a single dashboard.

Join the J1 Community (info is below) to get notified as we release more videos in this multi-part series.

Additional Resources

JupiterOne Team
JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.

Keep Reading

How CTEM Prioritizes Critical Threats and Safeguards Your Most Valuable Assets | JupiterOne
October 9, 2024
Blog
How CTEM Prioritizes Critical Threats and Safeguards Your Most Valuable Assets

Learn how CTEM helps organizations reduce their attack surface, protect valuable assets, and stay ahead of attackers. Download our white paper to get started with CTE

Cybersecurity Awareness Month: Fix Your Flaws Before You Celebrate
October 3, 2024
Blog
Marketing wouldn't let me call this "Before Preaching, Stop Punching Yourself"

It’s Cybersecurity Awareness Month, but before you send out those animated videos and "helpful" phishing tips, take a hard look at your own practices.

Mitigating Cloud Risks: How CAASM Helps Manage Permissions and Stop Privilege Escalation | JupiterOne
September 26, 2024
Blog
Mitigating Cloud Risks: How CAASM Helps Manage Permissions and Stop Privilege Escalation

JupiterOne helps organizations manage cloud permissions and prevent privilege escalation across AWS, Azure, and Google Cloud.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.