Create attack vector reports

Attack vector reports show a chain of vulnerable devices in a specified attack path, for devices detected by a specific OT network sensor. Simulate an attack on a specific target in your network to discover vulnerable devices and analyze attack vectors in real time.

Attack vector reports can also help evaluate mitigation activities to ensure that you're taking all required steps to reduce the risk to your network. For example, use an attack vector report to understand whether a software update would disrupt the attacker's path, or if an alternate attack path still remains.

Prerequisites

To create attack vector reports, you must be able to access the OT network sensor you want to generate data for, as an Admin or Security Analyst user.

For more information, see On-premises users and roles for OT monitoring with Defender for IoT

Generate an attack vector simulation

Generate an attack vector simulation so that you can view the resulting report.

To generate an attack vector simulation:

  1. Sign into the sensor console and select Attack vector on the left.

  2. Select Add simulation and enter the following values:

    Property Description
    Name Simulation name
    Maximum Vectors The maximum number of attack vectors you want to include in the simulation.
    Show in Device Map Select to show the attack vector as a group in the Device map.
    Show All Source Devices Select to consider all devices as a possible attack source.
    Attack Source Appears only, and required, if the Show All Source Devices option is toggled off. Select one or more devices to consider as the attack source.
    Show All Target Devices Select to consider all devices as possible attack targets.
    Attack Target Appears only, and required, if the Show All Target Devices option is toggled off. Select one or more devices to consider as the attack target.
    Exclude Devices Select one or more devices to exclude from the attack vector simulation.
    Exclude Subnets Select one or more subnets to exclude from the attack vector simulation.
  3. Select Save. Your simulation is added to the list, with the number of attack paths indicated in parenthesis.

  4. Expand your simulation to view the list of possible attack vectors, and select one to view more details on the right.

    For example:

    Screen shot of Attack vectors report.

View an attack vector in the Device Map

The Device map provides a graphical representation of vulnerable devices detected in attack vector reports. To view an attack vector in the Device map:

  1. In the Attack vector page, make sure your simulation has Show in Device map toggled on.

  2. Select Device map from the side menu.

  3. Select your simulation and then select an attack vector to visualize the devices in your map.

    For example:

    Screen shot of Device map.

For more information, see Investigate sensor detections in the Device map.

Next steps