The correct answer is mapping trust relationships between identity systems. Hybrid identity environments introduce complex trust boundaries that attackers routinely exploit.
Modern breaches increasingly involve identity pivoting, where attackers compromise a cloud identity and abuse synchronization, federation, or conditional access misconfigurations to escalate into on-prem Active Directory. These attack paths often do not rely on software vulnerabilities at all.
Option A is too narrow and focuses only on technical exploits. Option C measures severity but does not model movement. Option D analyzes traffic but does not explain privilege escalation pathways.
By mapping trust relationships—such as Azure AD Connect synchronization, service principals, hybrid admin roles, and conditional access exclusions—defenders can identify chained attack paths that enable privilege escalation without exploiting code.
From a threat hunting standpoint, this modeling enables:
Hypothesis-driven hunts
Detection of abnormal role assumptions
Visibility into identity abuse
This approach aligns with attack path modeling, a critical evolution of traditional threat modeling for identity-centric environments. Therefore, option B is correct.
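To make the attack path modeling described above concrete, here is an added worked example (it is not part of the original answer explanation). It represents the trust relationships the explanation names (service principal ownership, role assignments, Azure AD Connect synchronization, conditional access exclusions) as edges in a directed graph, enumerates chained paths from a low-privilege cloud identity to an on-prem domain, and reports the edges every path depends on, which is where a defender would cut the chain. All identities, hosts, roles and relationships are constructed and hypothetical.

```python
"""Attack path modeling over hybrid identity trust relationships.

Added example, not from the original answer text. Every identity, host,
role and relationship below is constructed and hypothetical.
"""
from collections import defaultdict, Counter

# Trust-relationship edge types named in the explanation, with the defender's
# reading of each. A path is a chain of these edges; none needs a code exploit.
EDGE_TYPES = {
    "OwnsServicePrincipal": "can add a credential to the service principal",
    "HoldsRole": "holds a directory or hybrid admin role",
    "AdminTo": "has administrative control of the target",
    "HoldsCredentialFor": "stores or can read credentials of the target account",
    "SyncedTo": "Azure AD Connect synchronizes this identity to on-prem AD",
    "ExcludedFromCA": "excluded from a conditional access policy",
}

# Constructed inventory: (source, edge_type, target). Names are hypothetical.
RELATIONSHIPS = [
    ("user:alice", "OwnsServicePrincipal", "sp:automation-app"),
    ("sp:automation-app", "HoldsRole", "role:global-admin"),
    ("role:global-admin", "AdminTo", "host:sync-server"),
    ("host:sync-server", "HoldsCredentialFor", "account:sync-service"),
    ("account:sync-service", "AdminTo", "domain:corp.example"),
    ("user:bob", "ExcludedFromCA", "policy:require-mfa"),
    ("user:bob", "HoldsRole", "role:helpdesk-admin"),
    ("role:helpdesk-admin", "AdminTo", "user:alice"),
    ("user:carol", "SyncedTo", "account:onprem-carol"),
]


def build_graph(relationships):
    """Adjacency list: node -> list of (edge_type, target). Unknown types are rejected."""
    graph = defaultdict(list)
    for src, edge_type, dst in relationships:
        if edge_type not in EDGE_TYPES:
            raise ValueError(f"unknown edge type {edge_type!r}")
        graph[src].append((edge_type, dst))
        graph.setdefault(dst, [])  # make sure sinks show up as nodes too
    return graph


def find_paths(graph, start, target, max_depth=10):
    """Depth-first enumeration of simple paths from start to target.

    Each path is a list of (source, edge_type, destination) triples, so the
    result reads as the chain of trust relationships being modeled.
    """
    paths = []

    def walk(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for edge_type, nxt in graph.get(node, []):
            if nxt in visited:
                continue
            visited.add(nxt)
            path.append((node, edge_type, nxt))
            walk(nxt, visited, path)
            path.pop()
            visited.discard(nxt)

    walk(start, {start}, [])
    return paths


def choke_points(graph, starts, target):
    """Return the edges that lie on every start->target path.

    These are the cheapest place to break the chain: removing that one
    relationship (for example a role assignment) removes every path at once.
    """
    counts = Counter()
    total = 0
    for start in starts:
        for path in find_paths(graph, start, target):
            total += 1
            for edge in path:
                counts[edge] += 1
    return {edge: n for edge, n in counts.items() if total > 0 and n == total}


def explain(path):
    """Render a path as one readable line, usable as a hunt hypothesis."""
    return " -> ".join(f"{src} [{etype}]" for src, etype, _ in path) + f" -> {path[-1][2]}"


if __name__ == "__main__":
    g = build_graph(RELATIONSHIPS)
    for p in find_paths(g, "user:bob", "domain:corp.example"):
        print(explain(p))
    print(choke_points(g, ["user:alice", "user:bob"], "domain:corp.example"))
```

In this constructed data the conditional access exclusion on `user:bob` is a dead end on its own, but the helpdesk role gives bob control of alice, and alice's service principal carries the chain through a Global Administrator role to the synchronization server and its service account. The five edges from alice onward sit on every path, so a defender gets a ranked list of relationships to remove or to write a hunt around, without any software vulnerability appearing in the model.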