# 🎯 Advanced Attack Path Discovery

> **Learning Objective:** Master sophisticated attack path analysis techniques for real-world threat hunting

## 🎓 What You'll Learn
- **Multi-hop Attack Analysis:** Complex attack chains across cloud services
- **Privilege Escalation Detection:** Finding unauthorized access paths
- **Cross-Cloud Attack Paths:** Multi-cloud environment vulnerabilities
- **Attack Path Optimization:** Shortest vs. stealthiest attack routes
- **Real-World Scenarios:** Practical threat hunting techniques

---

## 🔍 Advanced Attack Path Concepts

### Beyond Simple Connections
In **01-Graph-Fundamentals**, you learned basic attack paths. Now we'll explore:

- **Multi-hop Attacks:** Complex chains spanning multiple services
- **Conditional Paths:** Attacks requiring specific conditions
- **Stealth vs. Speed:** Different attack strategies
- **Attack Surface Analysis:** Understanding exposure points

In [None]:
# Advanced Attack Path Analysis Setup
import sys
!{sys.executable} -m pip install neo4j matplotlib networkx plotly pandas numpy seaborn

import matplotlib.pyplot as plt
import networkx as nx
import plotly.graph_objects as go
import plotly.express as px
from neo4j import GraphDatabase
import pandas as pd
import numpy as np
import seaborn as sns
from collections import defaultdict

# Enhanced educational connection class
class AdvancedSecurityAnalysis:
    def __init__(self, uri="bolt://neo4j:7687", user="neo4j", password="cloudsecurity"):
        """
        Advanced security graph analysis for threat hunting education
        """
        self.driver = GraphDatabase.driver(uri, auth=(user, password))
        self.attack_patterns = []
        print("🎯 Advanced Attack Path Analysis Ready!")
        print("🔍 Now equipped for sophisticated threat hunting")
    
    def analyze_attack_complexity(self, query, description=""):
        """
        Analyze attack paths with complexity metrics
        """
        if description:
            print(f"🎓 Analysis: {description}")
        
        with self.driver.session() as session:
            result = session.run(query)
            paths = [record for record in result]
            
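            if paths and 'PathLength' in paths[0].keys():
                # Calculate complexity metrics. Only queries that return a
                # PathLength column qualify; defaulting to 0 would report
                # a misleading "0.0 hops" for the other analyses.
                path_lengths = [p['PathLength'] for p in paths]
                avg_complexity = np.mean(path_lengths)
                max_complexity = max(path_lengths)
                min_complexity = min(path_lengths)
                
                print(f"\n📊 Attack Complexity Analysis:")
                print(f"   • Total Attack Paths: {len(paths)}")
                print(f"   • Average Complexity: {avg_complexity:.1f} hops")
                print(f"   • Easiest Attack: {min_complexity} hops")
                print(f"   • Most Complex: {max_complexity} hops")
            elif paths:
                print(f"\n📊 Query returned {len(paths)} rows (no PathLength column, complexity metrics skipped)")
                
            return paths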

# Initialize advanced analysis
adv_analysis = AdvancedSecurityAnalysis()

## 🚀 Multi-Hop Attack Analysis

Real attackers don't just make single jumps. They chain together multiple access points to reach their targets.

In [None]:
# ADVANCED ANALYSIS 1: Multi-Hop Privilege Escalation
privilege_escalation_query = """
MATCH path = (start:User)-[*2..5]->(target:Service)
WHERE start.access_level = 'developer' 
  AND (target.contains_pii = true OR target.type = 'S3Bucket')
WITH path, 
     length(path) as PathLength,
     [node in nodes(path) | labels(node)[0] + ': ' + node.name] as FullPath,
     [rel in relationships(path) | type(rel)] as Relations
RETURN 
    FullPath[0] as StartPoint,
    FullPath[-1] as Target,
    PathLength,
    FullPath as CompleteAttackPath,
    Relations as AttackMethods
ORDER BY PathLength, StartPoint
"""

escalation_paths = adv_analysis.analyze_attack_complexity(
    privilege_escalation_query,
    "Multi-hop privilege escalation from developers to sensitive resources"
)

print("\n🎯 Detailed Attack Path Analysis:")
for i, path in enumerate(escalation_paths[:5], 1):
    print(f"\n🔍 Attack Scenario #{i}:")
    print(f"   From: {path['StartPoint']}")
    print(f"   To: {path['Target']}")
    print(f"   Complexity: {path['PathLength']} steps")
    print(f"   Methods: {' → '.join(path['AttackMethods'])}")
    print(f"   Full Path: {' → '.join([p.split(': ')[1] for p in path['CompleteAttackPath']])}")

# Educational visualization of attack complexity
if escalation_paths:
    path_lengths = [p['PathLength'] for p in escalation_paths]
    
    plt.figure(figsize=(10, 6))
    plt.hist(path_lengths, bins=range(1, max(path_lengths)+2), alpha=0.7, color='red', edgecolor='black')
    plt.xlabel('Attack Path Length (Number of Hops)')
    plt.ylabel('Number of Attack Paths')
    plt.title('Distribution of Attack Path Complexity\n(Lower = More Dangerous)')
    plt.grid(True, alpha=0.3)
    
    # Add educational annotations
    plt.axvline(np.mean(path_lengths), color='orange', linestyle='--', 
                label=f'Average: {np.mean(path_lengths):.1f} hops')
    plt.legend()
    plt.tight_layout()
    plt.show()
    
    print(f"\n🎓 Security Insight:")
    short_paths = len([p for p in path_lengths if p <= 3])
    print(f"• {short_paths}/{len(path_lengths)} paths are 3 hops or less (HIGH RISK)")
    print(f"• Attackers prefer shorter paths for speed and stealth")
    print(f"• Focus defense on blocking the shortest attack routes")

## 🌐 Cross-Cloud Attack Path Analysis

Modern environments span multiple cloud providers. Let's analyze attack paths that cross cloud boundaries:

In [None]:
# ADVANCED ANALYSIS 2: Cross-Cloud Attack Chains
cross_cloud_query = """
MATCH path = (azure:AzureUser)-[*1..4]->(aws:AWSService)
WITH path,
     length(path) as PathLength,
     [node in nodes(path) | 
      CASE 
        WHEN 'AzureUser' IN labels(node) THEN 'Azure: ' + node.name
        WHEN 'AWSService' IN labels(node) THEN 'AWS: ' + node.name
        WHEN 'AWSRole' IN labels(node) THEN 'AWS: ' + node.name
        ELSE 'Bridge: ' + node.name
      END
     ] as CrossCloudPath,
     [rel in relationships(path) | type(rel)] as TrustMechanisms
RETURN 
    CrossCloudPath[0] as AzureStart,
    CrossCloudPath[-1] as AWSTarget,
    PathLength,
    CrossCloudPath as FullCrossCloudPath,
    TrustMechanisms as FederationMethods
ORDER BY PathLength
"""

cross_cloud_paths = adv_analysis.analyze_attack_complexity(
    cross_cloud_query,
    "Cross-cloud attack paths from Azure to AWS resources"
)

print("\n🌐 Cross-Cloud Attack Analysis:")
for i, path in enumerate(cross_cloud_paths, 1):
    print(f"\n🔍 Cross-Cloud Attack #{i}:")
    print(f"   Origin: {path['AzureStart']}")
    print(f"   Target: {path['AWSTarget']}")
    print(f"   Federation Hops: {path['PathLength']}")
    print(f"   Trust Methods: {' → '.join(path['FederationMethods'])}")
    print(f"   Cross-Cloud Route:")
    for step in path['FullCrossCloudPath']:
        print(f"     • {step}")

# Educational insight on cross-cloud risks
if cross_cloud_paths:
    print(f"\n🎓 Cross-Cloud Security Insights:")
    print(f"• Found {len(cross_cloud_paths)} cross-cloud attack paths")
    print(f"• Cross-cloud attacks are often overlooked in security reviews")
    print(f"• Federation trust relationships create hidden attack surfaces")
    print(f"• Monitor cross-cloud access patterns for unusual activity")
else:
    print("\n💡 No cross-cloud paths found - this could indicate good isolation!")

## 🔍 Attack Surface Analysis

Let's analyze which assets are most exposed to attacks by counting incoming attack paths:

In [None]:
# ADVANCED ANALYSIS 3: Attack Surface Quantification
attack_surface_query = """
MATCH path = (start)-[*1..4]->(target)
WHERE (target.contains_pii = true OR target.type IN ['S3Bucket', 'SecretsManager'])
WITH target,
     count(DISTINCT path) as IncomingAttackPaths,
     collect(DISTINCT start.name) as AttackOrigins,
     collect(DISTINCT labels(start)[0]) as OriginTypes
RETURN 
    target.name as SensitiveAsset,
    labels(target)[0] as AssetType,
    IncomingAttackPaths,
    size(AttackOrigins) as UniqueAttackers,
    AttackOrigins[0..3] as SampleAttackers,
    OriginTypes as AttackerTypes,
    CASE 
        WHEN IncomingAttackPaths > 10 THEN 'CRITICAL'
        WHEN IncomingAttackPaths > 5 THEN 'HIGH'
        WHEN IncomingAttackPaths > 2 THEN 'MEDIUM'
        ELSE 'LOW'
    END as RiskLevel
ORDER BY IncomingAttackPaths DESC
"""

attack_surface = adv_analysis.analyze_attack_complexity(
    attack_surface_query,
    "Quantifying attack surface exposure for sensitive assets"
)

print("\n🎯 Attack Surface Analysis:")
print("(Assets with most incoming attack paths = highest risk)\n")

for asset in attack_surface:
    risk_color = {
        'CRITICAL': '🔴',
        'HIGH': '🟠', 
        'MEDIUM': '🟡',
        'LOW': '🟢'
    }.get(asset['RiskLevel'], '⚪')
    
    print(f"{risk_color} {asset['SensitiveAsset']} ({asset['AssetType']})")
    print(f"   • Attack Paths: {asset['IncomingAttackPaths']}")
    print(f"   • Unique Attackers: {asset['UniqueAttackers']}")
    print(f"   • Risk Level: {asset['RiskLevel']}")
    print(f"   • Sample Attackers: {', '.join(asset['SampleAttackers'])}")
    print()

# Visualize attack surface distribution
if attack_surface:
    # Create attack surface visualization
    assets = [a['SensitiveAsset'] for a in attack_surface]
    attack_counts = [a['IncomingAttackPaths'] for a in attack_surface]
    risk_levels = [a['RiskLevel'] for a in attack_surface]
    
    # Color mapping for risk levels
    color_map = {'CRITICAL': '#ff4444', 'HIGH': '#ff8800', 'MEDIUM': '#ffaa00', 'LOW': '#00aa00'}
    colors = [color_map[risk] for risk in risk_levels]
    
    plt.figure(figsize=(12, 8))
    bars = plt.barh(range(len(assets)), attack_counts, color=colors)
    plt.yticks(range(len(assets)), assets)
    plt.xlabel('Number of Incoming Attack Paths')
    plt.title('Attack Surface Analysis - Asset Exposure Risk\n(More paths = Higher priority for defense)')
    
    # Add risk level legend
    unique_risks = list(dict.fromkeys(risk_levels))
    legend_elements = [plt.Rectangle((0,0),1,1, color=color_map[risk], label=risk) for risk in unique_risks]
    plt.legend(handles=legend_elements, title='Risk Level', loc='lower right')
    
    plt.tight_layout()
    plt.show()
    
    # Educational summary
    critical_assets = len([a for a in attack_surface if a['RiskLevel'] == 'CRITICAL'])
    high_assets = len([a for a in attack_surface if a['RiskLevel'] == 'HIGH'])
    
    print(f"\n🎓 Attack Surface Insights:")
    print(f"• {critical_assets} assets have CRITICAL exposure (>10 attack paths)")
    print(f"• {high_assets} assets have HIGH exposure (6-10 attack paths)")
    print(f"• Focus security controls on the most exposed assets first")
    print(f"• Consider network segmentation to reduce attack path counts")

## ⚡ Attack Speed vs. Stealth Analysis

Different attackers have different strategies. Let's analyze the trade-offs between fast attacks and stealthy ones:

In [None]:
# ADVANCED ANALYSIS 4: Attack Strategy Comparison
attack_strategies_query = """
MATCH path = (user:User)-[*1..5]->(target:Service)
WHERE user.access_level = 'developer' AND target.contains_pii = true
WITH path,
     length(path) as PathLength,
     [rel in relationships(path) | type(rel)] as Methods,
     [node in nodes(path)[1..-1] | 
      CASE 
        WHEN 'Role' IN labels(node) THEN 'permission_escalation'
        WHEN 'Service' IN labels(node) THEN 'service_access'
        ELSE 'lateral_movement'
      END
     ] as AttackTechniques
RETURN 
    PathLength,
    Methods,
    AttackTechniques,
    CASE 
        WHEN PathLength <= 2 THEN 'SPEED_FOCUSED'
        WHEN PathLength >= 4 THEN 'STEALTH_FOCUSED'
        ELSE 'BALANCED'
    END as AttackStrategy,
    CASE 
        WHEN 'ASSUMES_ROLE' IN Methods THEN 'High_Privilege_Required'
        WHEN 'CAN_ESCALATE_TO' IN Methods THEN 'Privilege_Escalation'
        ELSE 'Standard_Access'
    END as RequiredCapabilities
ORDER BY PathLength
"""

strategy_analysis = adv_analysis.analyze_attack_complexity(
    attack_strategies_query,
    "Analyzing different attack strategies: speed vs. stealth"
)

# Analyze strategy distribution
if strategy_analysis:
    strategies = [s['AttackStrategy'] for s in strategy_analysis]
    strategy_counts = pd.Series(strategies).value_counts()
    
    print("\n⚡ Attack Strategy Analysis:")
    print("\n📊 Strategy Distribution:")
    for strategy, count in strategy_counts.items():
        percentage = (count / len(strategies)) * 100
        print(f"   • {strategy.replace('_', ' ')}: {count} paths ({percentage:.1f}%)")
    
    # Detailed breakdown by strategy
    print("\n🎯 Strategy Characteristics:")
    
    for strategy_type in ['SPEED_FOCUSED', 'BALANCED', 'STEALTH_FOCUSED']:
        strategy_paths = [s for s in strategy_analysis if s['AttackStrategy'] == strategy_type]
        if strategy_paths:
            avg_length = np.mean([p['PathLength'] for p in strategy_paths])
            common_methods = pd.Series([method for p in strategy_paths for method in p['Methods']]).value_counts().head(3)
            
            print(f"\n🔍 {strategy_type.replace('_', ' ')} Attacks:")
            print(f"   • Count: {len(strategy_paths)} attack paths")
            print(f"   • Average Length: {avg_length:.1f} hops")
            print(f"   • Common Methods: {', '.join(common_methods.index.tolist())}")
            
            # Strategy implications
            if strategy_type == 'SPEED_FOCUSED':
                print(f"   • Detection: Easier to detect due to direct access patterns")
                print(f"   • Defense: Focus on access controls and privilege restrictions")
            elif strategy_type == 'STEALTH_FOCUSED':
                print(f"   • Detection: Harder to detect, looks like normal activity")
                print(f"   • Defense: Behavioral analysis and anomaly detection")
            else:
                print(f"   • Detection: Moderate detection difficulty")
                print(f"   • Defense: Balanced approach with monitoring and controls")
    
    # Create strategy visualization
    plt.figure(figsize=(12, 5))
    
    # Subplot 1: Strategy distribution
    plt.subplot(1, 2, 1)
    # Key colors by strategy so both subplots show the same strategy in the
    # same color (value_counts() orders by frequency, not by strategy name)
    strategy_colors = {'SPEED_FOCUSED': '#ff4444', 'BALANCED': '#ffaa00', 'STEALTH_FOCUSED': '#4444ff'}
    plt.pie(strategy_counts.values, labels=strategy_counts.index, autopct='%1.1f%%', 
            colors=[strategy_colors[s] for s in strategy_counts.index], startangle=90)
    plt.title('Attack Strategy Distribution')
    
    # Subplot 2: Path length distribution by strategy
    plt.subplot(1, 2, 2)
    for strategy_type in ['SPEED_FOCUSED', 'BALANCED', 'STEALTH_FOCUSED']:
        strategy_lengths = [s['PathLength'] for s in strategy_analysis if s['AttackStrategy'] == strategy_type]
        if strategy_lengths:
            plt.hist(strategy_lengths, alpha=0.6, label=strategy_type.replace('_', ' '), 
                    color=strategy_colors[strategy_type], bins=range(1, max(strategy_lengths)+2))
    
    plt.xlabel('Attack Path Length')
    plt.ylabel('Number of Paths')
    plt.title('Path Length by Strategy')
    plt.legend()
    plt.grid(True, alpha=0.3)
    
    plt.tight_layout()
    plt.show()


## 🛡️ Defensive Analysis: Chokepoint Identification

From a defensive perspective, let's identify critical nodes that, if secured, would block the most attack paths:

In [None]:
# ADVANCED ANALYSIS 5: Critical Security Chokepoints
chokepoint_analysis_query = """
MATCH path = (start:User)-[*1..4]->(target:Service)
WHERE target.contains_pii = true
UNWIND nodes(path)[1..-1] as intermediate_node
WITH intermediate_node,
     count(DISTINCT path) as PathsThrough,
     collect(DISTINCT start.name) as AttackingSources,
     collect(DISTINCT target.name) as ReachableTargets
WHERE PathsThrough > 1
RETURN 
    intermediate_node.name as ChokepointNode,
    labels(intermediate_node)[0] as NodeType,
    PathsThrough as AttackPathsBlocked,
    size(AttackingSources) as UniqueAttackers,
    size(ReachableTargets) as SensitiveTargets,
    AttackingSources[0..3] as SampleAttackers,
    ReachableTargets[0..3] as SampleTargets,
    CASE 
        WHEN PathsThrough > 8 THEN 'CRITICAL_CHOKEPOINT'
        WHEN PathsThrough > 4 THEN 'HIGH_IMPACT_NODE'
        WHEN PathsThrough > 2 THEN 'MODERATE_IMPACT_NODE'
        ELSE 'LOW_IMPACT'
    END as DefensePriority
ORDER BY AttackPathsBlocked DESC
LIMIT 10
"""

chokepoints = adv_analysis.analyze_attack_complexity(
    chokepoint_analysis_query,
    "Identifying critical security chokepoints for maximum defense impact"
)

print("\n🛡️ Critical Security Chokepoints:")
print("(Securing these nodes blocks the most attack paths)\n")

for i, chokepoint in enumerate(chokepoints, 1):
    priority_icon = {
        'CRITICAL_CHOKEPOINT': '🔴🛡️',
        'HIGH_IMPACT_NODE': '🟠🛡️',
        'MODERATE_IMPACT_NODE': '🟡🛡️',
        'LOW_IMPACT': '🟢🛡️'
    }.get(chokepoint['DefensePriority'], '⚪🛡️')
    
    print(f"{priority_icon} #{i}: {chokepoint['ChokepointNode']} ({chokepoint['NodeType']})")
    print(f"   • Attack Paths Blocked: {chokepoint['AttackPathsBlocked']}")
    print(f"   • Attackers Affected: {chokepoint['UniqueAttackers']}")
    print(f"   • Targets Protected: {chokepoint['SensitiveTargets']}")
    print(f"   • Defense Priority: {chokepoint['DefensePriority'].replace('_', ' ')}")
    print(f"   • Sample Impact: Blocks {', '.join(chokepoint['SampleAttackers'])} from reaching sensitive data")
    print()

# Create chokepoint impact visualization
if chokepoints:
    names = [c['ChokepointNode'] for c in chokepoints]
    impacts = [c['AttackPathsBlocked'] for c in chokepoints]
    priorities = [c['DefensePriority'] for c in chokepoints]
    
    # Color mapping
    priority_colors = {
        'CRITICAL_CHOKEPOINT': '#cc0000',
        'HIGH_IMPACT_NODE': '#ff6600', 
        'MODERATE_IMPACT_NODE': '#ffaa00',
        'LOW_IMPACT': '#00aa00'
    }
    colors = [priority_colors[p] for p in priorities]
    
    plt.figure(figsize=(14, 8))
    bars = plt.barh(range(len(names)), impacts, color=colors)
    plt.yticks(range(len(names)), names)
    plt.xlabel('Attack Paths Blocked by Securing This Node')
    plt.title('Security Chokepoint Analysis - Defensive Impact\n(Higher bars = Greater defense value)')
    
    # Add impact numbers on bars
    for i, (bar, impact) in enumerate(zip(bars, impacts)):
        plt.text(bar.get_width() + 0.1, bar.get_y() + bar.get_height()/2, 
                str(impact), va='center', fontweight='bold')
    
    # Legend
    unique_priorities = list(dict.fromkeys(priorities))
    legend_elements = [plt.Rectangle((0,0),1,1, color=priority_colors[p], 
                                   label=p.replace('_', ' ').title()) for p in unique_priorities]
    plt.legend(handles=legend_elements, title='Defense Priority', loc='lower right')
    
    plt.tight_layout()
    plt.show()
    
    # Strategic recommendations
    critical_nodes = len([c for c in chokepoints if c['DefensePriority'] == 'CRITICAL_CHOKEPOINT'])
    # A path that crosses several chokepoints is counted once per node, so this
    # sum is an upper bound on the number of distinct paths blocked.
    total_paths_blocked = sum(c['AttackPathsBlocked'] for c in chokepoints[:3])
    
    print(f"\n🎓 Strategic Defense Recommendations:")
    print(f"• {critical_nodes} nodes identified as critical chokepoints")
    print(f"• Securing top 3 nodes would block up to {total_paths_blocked} attack paths")
    print(f"• Focus on access controls, monitoring, and hardening for these nodes")
    print(f"• Consider multi-factor authentication and privilege restrictions")
    print(f"• Implement behavioral monitoring on high-impact nodes")
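
The ranking above counts paths per node, so summing the top three counts can exceed the number of paths that exist. The following is an added example, not part of the original notebook: it uses only the standard library and a constructed graph (all node names and the functions `enumerate_paths`, `paths_through`, `blocked_by` and `greedy_chokepoints` are illustrative assumptions) to compare the raw per-node ranking with a greedy selection that credits each node only with paths still open.

```python
from collections import Counter

# Constructed sample graph (not from the lab database): node -> outgoing neighbours.
EDGES = {
    "dev-alice": ["role-ci"],
    "dev-bob": ["role-ci", "role-support"],
    "dev-carol": ["svc-billing"],  # direct grant, no intermediate node
    "role-ci": ["svc-build"],
    "svc-build": ["role-deploy"],
    "role-support": ["role-deploy", "svc-customer-db"],
    "role-deploy": ["svc-customer-db", "svc-billing"],
}
USERS = ["dev-alice", "dev-bob", "dev-carol"]
PII_SERVICES = {"svc-customer-db", "svc-billing"}


def enumerate_paths(edges, sources, targets, max_hops=4):
    """All simple paths of 1..max_hops edges from any source to any target."""
    found = []

    def walk(path):
        if len(path) > 1 and path[-1] in targets:
            found.append(tuple(path))
        if len(path) - 1 == max_hops:
            return
        for nxt in edges.get(path[-1], []):
            if nxt not in path:  # simple paths only: never revisit a node
                walk(path + [nxt])

    for src in sources:
        walk([src])
    return found


def paths_through(paths):
    """Per-node count of paths it sits inside (the query's PathsThrough)."""
    counts = Counter()
    for path in paths:
        counts.update(set(path[1:-1]))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def blocked_by(paths, nodes):
    """Number of distinct paths that cross at least one of the given nodes."""
    nodes = set(nodes)
    return sum(1 for p in paths if nodes & set(p[1:-1]))


def greedy_chokepoints(paths, k=3):
    """Pick up to k nodes, each time the one on the most still-open paths."""
    remaining = list(paths)
    picks = []
    while remaining and len(picks) < k:
        gains = Counter()
        for p in remaining:
            gains.update(set(p[1:-1]))
        if not gains:
            break  # only direct source -> target edges are left
        node, gain = min(gains.items(), key=lambda kv: (-kv[1], kv[0]))
        picks.append((node, gain))
        remaining = [p for p in remaining if node not in p[1:-1]]
    return picks, remaining


if __name__ == "__main__":
    paths = enumerate_paths(EDGES, USERS, PII_SERVICES)
    ranked = paths_through(paths)
    top3 = [name for name, _ in ranked[:3]]
    print(f"Total paths to PII services: {len(paths)}")
    print(f"Raw ranking: {ranked}")
    print(f"Sum of top-3 counts: {sum(c for _, c in ranked[:3])}")
    print(f"Distinct paths blocked by raw top 3 {top3}: {blocked_by(paths, top3)}")
    picks, residual = greedy_chokepoints(paths, k=3)
    print(f"Greedy picks (node, newly blocked): {picks}")
    print(f"Paths no intermediate node can block: {residual}")
```

Paths left in the residual list are direct grants from a user to a sensitive service; they need a change to the grant itself rather than a control on an intermediate node.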

## 🎯 Hands-On Challenge: Advanced Threat Hunting

Apply your advanced skills to solve a realistic threat hunting scenario!

In [None]:
# ADVANCED CHALLENGE: Threat Hunting Scenario
print("🎯 ADVANCED CHALLENGE: Supply Chain Attack Investigation")
print("="*60)
print()
print("🚨 SCENARIO:")
print("A compromised NPM package has been detected in your environment.")
print("Your task: Find all potential attack paths from compromised packages")
print("to sensitive data stores.")
print()
print("🎯 YOUR MISSION:")
print("1. Find attack paths starting from compromised NPM packages")
print("2. Identify what sensitive data could be reached")
print("3. Calculate the risk level of each path")
print("4. Recommend defense priorities")
print()
print("💡 HINTS:")
print("• Look for nodes with 'compromised: true'")
print("• Follow paths to SecretsManager or services with PII")
print("• Consider path length and intermediate nodes")
print("• Think about detection and prevention strategies")
print()

# Challenge workspace
challenge_query = """
// Your challenge query here!
// Find supply chain attack paths from compromised packages
// (Cypher comments start with //, a leading # is a syntax error)

MATCH path = (pkg:NPMPackage)-[*1..5]->(target)
WHERE pkg.compromised = true 
  AND (target.contains_pii = true OR 'SecretsManager' IN labels(target))
RETURN 
    path,
    pkg.name as CompromisedPackage,
    target.name as SensitiveTarget,
    length(path) as AttackComplexity,
    [node in nodes(path) | labels(node)[0] + ': ' + node.name] as AttackChain,
    [rel in relationships(path) | type(rel)] as AttackMethods
ORDER BY AttackComplexity
"""

try:
    supply_chain_paths = adv_analysis.analyze_attack_complexity(
        challenge_query.strip(),
        "Supply chain attack path analysis"
    )
    
    if supply_chain_paths:
        print("\n✅ Excellent detective work! Analysis complete.")
        print("\n🔍 Supply Chain Attack Findings:")
        
        for i, path in enumerate(supply_chain_paths, 1):
            risk_level = "HIGH" if path['AttackComplexity'] <= 3 else "MEDIUM" if path['AttackComplexity'] <= 5 else "LOW"
            risk_icon = "🔴" if risk_level == "HIGH" else "🟡" if risk_level == "MEDIUM" else "🟢"
            
            print(f"\n{risk_icon} Attack Path #{i} - {risk_level} RISK")
            print(f"   Source: {path['CompromisedPackage']}")
            print(f"   Target: {path['SensitiveTarget']}")
            print(f"   Complexity: {path['AttackComplexity']} steps")
            print(f"   Methods: {' → '.join(path['AttackMethods'])}")
            print(f"   Full Chain: {' → '.join([c.split(': ')[1] for c in path['AttackChain']])}")
        
        # Challenge evaluation
        high_risk_paths = len([p for p in supply_chain_paths if p['AttackComplexity'] <= 3])
        unique_targets = len(set(p['SensitiveTarget'] for p in supply_chain_paths))
        
        print(f"\n🎓 Your Investigation Results:")
        print(f"• Total attack paths discovered: {len(supply_chain_paths)}")
        print(f"• High-risk paths (≤3 steps): {high_risk_paths}")
        print(f"• Unique sensitive targets at risk: {unique_targets}")
        
        print(f"\n🛡️ Recommended Defense Actions:")
        print(f"• Immediately review and quarantine compromised packages")
        print(f"• Strengthen CI/CD pipeline security controls")
        print(f"• Implement supply chain monitoring and dependency scanning")
        print(f"• Add behavioral monitoring for unusual package activity")
        
        print(f"\n🏆 Challenge Status: COMPLETED SUCCESSFULLY!")
        print(f"You've demonstrated advanced threat hunting skills!")
        
    else:
        print("\n🤔 No supply chain paths found. Check your query logic!")
        
except Exception as e:
    print(f"\n❌ Query error: {e}")
    print("💡 Debug your query and try again!")

## 📊 Advanced Knowledge Assessment

Test your advanced attack path analysis skills:

In [None]:
# ADVANCED KNOWLEDGE ASSESSMENT
def advanced_knowledge_check():
    """
    Comprehensive assessment of advanced attack path concepts
    """
    print("🧠 ADVANCED KNOWLEDGE ASSESSMENT")
    print("="*40)
    print("\nTesting your mastery of advanced attack path analysis...\n")
    
    score = 0
    total_questions = 5
    
    # Question 1: Attack Strategy
    print("1. An attacker chooses a 5-hop path instead of a 2-hop path to the same target.")
    print("   What is their likely motivation?")
    print("   a) They want to attack faster")
    print("   b) They want to avoid detection (stealth)")
    print("   c) They made a mistake")
    
    answer1 = input("Your answer (a/b/c): ").strip().lower()
    if answer1 == 'b':
        print("✅ Correct! Longer paths can appear more like normal activity.")
        score += 1
    else:
        print("❌ Incorrect. Longer paths are often chosen for stealth, not speed.")
    
    # Question 2: Chokepoint Defense
    print("\n2. You identify a node that appears in 15 different attack paths.")
    print("   What should be your defense priority for this node?")
    print("   a) Low priority - it's too connected to secure")
    print("   b) High priority - securing it blocks many attacks")
    print("   c) Medium priority - focus on endpoints instead")
    
    answer2 = input("Your answer (a/b/c): ").strip().lower()
    if answer2 == 'b':
        print("✅ Correct! High-impact chokepoints offer maximum defensive value.")
        score += 1
    else:
        print("❌ Incorrect. Nodes in many paths are high-priority defense targets.")
    
    # Question 3: Cross-Cloud Security
    print("\n3. Cross-cloud attack paths are particularly dangerous because:")
    print("   a) They are faster than single-cloud attacks")
    print("   b) They often involve overlooked trust relationships")
    print("   c) They require fewer privileges")
    
    answer3 = input("Your answer (a/b/c): ").strip().lower()
    if answer3 == 'b':
        print("✅ Correct! Federation trusts are often under-monitored.")
        score += 1
    else:
        print("❌ Incorrect. Cross-cloud attacks exploit trust relationships.")
    
    # Question 4: Attack Surface Analysis
    print("\n4. An asset has 20 incoming attack paths. This indicates:")
    print("   a) The asset is well-protected")
    print("   b) The asset has high attack surface exposure")
    print("   c) The asset is not valuable to attackers")
    
    answer4 = input("Your answer (a/b/c): ").strip().lower()
    if answer4 == 'b':
        print("✅ Correct! More attack paths = larger attack surface.")
        score += 1
    else:
        print("❌ Incorrect. Many paths indicate high exposure and risk.")
    
    # Question 5: Supply Chain Analysis
    print("\n5. In supply chain attack analysis, you should prioritize paths that:")
    print("   a) Are the longest and most complex")
    print("   b) Start from compromised components and reach sensitive data")
    print("   c) Only involve internal systems")
    
    answer5 = input("Your answer (a/b/c): ").strip().lower()
    if answer5 == 'b':
        print("✅ Correct! Focus on compromised sources reaching valuable targets.")
        score += 1
    else:
        print("❌ Incorrect. Compromised-to-sensitive paths are highest priority.")
    
    # Final assessment
    percentage = (score / total_questions) * 100
    print(f"\n🎯 Final Score: {score}/{total_questions} ({percentage:.0f}%)")
    
    if score == total_questions:
        print("🏆 OUTSTANDING! You've mastered advanced attack path analysis!")
        print("🎓 Ready for expert-level security analytics and machine learning.")
    elif score >= 4:
        print("🎖️ Excellent work! You have strong advanced analysis skills.")
        print("📚 Review missed concepts and proceed to ML-based analysis.")
    elif score >= 3:
        print("👍 Good foundation! Practice more complex scenarios.")
        print("🔄 Revisit challenging concepts before advancing.")
    else:
        print("📖 Keep learning! Review the advanced concepts and try again.")
        print("💪 Focus on understanding attack strategies and defense priorities.")
    
    return score

# Run the advanced assessment
advanced_score = advanced_knowledge_check()

## 🎯 Mastery Summary & Next Steps

Congratulations on completing Advanced Attack Path Discovery!

### 🏆 Advanced Skills Mastered:
✅ **Multi-hop Attack Analysis** - Complex attack chains and escalation paths  
✅ **Cross-Cloud Security** - Federation risks and multi-cloud attack paths  
✅ **Attack Surface Quantification** - Risk-based asset exposure analysis  
✅ **Attack Strategy Analysis** - Speed vs. stealth trade-offs  
✅ **Defensive Chokepoint Identification** - Maximum impact security controls  
✅ **Supply Chain Threat Hunting** - Advanced investigation techniques  

### 🚀 Your Advanced Analysis Toolkit:
- **Complex path queries** with multi-hop analysis
- **Risk quantification** methods for prioritization
- **Strategic defense** planning based on chokepoint analysis
- **Threat hunting** methodologies for real incidents

### 📈 Next Learning Journey:
1. **03-MITRE-Analysis.ipynb** - Industry framework integration
2. **04-Asset-Discovery-Analysis.ipynb** - Cartography and discovery workflows
3. **05-Anomaly-Detection-ML.ipynb** - Machine learning for threat detection

### 💡 Key Professional Insights:
- **Prioritize based on data** - Use attack path counts to guide security investments
- **Think like an attacker** - Consider both speed and stealth strategies
- **Focus on chokepoints** - Maximum security impact with minimum resources
- **Cross-cloud awareness** - Don't forget federation and trust relationships

---

**🎓 Ready for MITRE ATT&CK Framework integration?** 

Continue to **03-MITRE-Analysis.ipynb** to learn how to map your attack path discoveries to industry-standard threat intelligence frameworks!

In [None]:
# Session cleanup and progress tracking
if 'adv_analysis' in locals():
    adv_analysis.driver.close()
    print("✅ Advanced analysis session complete!")
    # The score only exists if the assessment cell above was run
    if 'advanced_score' in globals():
        print(f"🎯 Knowledge assessment score: {advanced_score}/5")
    print("🏆 Advanced Attack Path Discovery: MASTERED")
    print("\n🚀 Ready for the next challenge: MITRE ATT&CK Analysis!")