
Exposure Polygraph

The Exposure Polygraph provides an additional layer of risk context for alerts that have hosts exposed to the internet. Once a day, Lacework generates this topology graph from cloud configuration data for every known host in your environment.

View Internet Exposed Vulnerabilities

The Exposure Polygraph derives a value for internet exposure (yes, no, unknown) that determines if a host is exposed to the internet, and then makes this information available as a filter for host vulnerabilities and includes it as context for the host vulnerability risk score.

View Alerts with Exposure Polygraphs

Alerts that have hosts exposed to the internet have the Exposure Polygraph risk context. The Exposure tab displays details about host reachability, critical vulnerabilities, exposed secrets, misconfigurations, and more.

  1. Select Alerts.
  2. If the Internet Exposure filter is not visible, click Show more to display additional filters.
  3. For the Internet Exposure filter, select Yes to refine the results to only those alerts associated with instances that are exposed to the internet.
  4. Click the desired alert and then the Exposure tab.

[Image: exposure-polygraph-alert.png]

View Exposure Risk Context

When an alert is associated with multiple hosts and EC2 instances, you can search for and select a host/instance ID from the drop-down menu to view that instance's exposure information.

Exposure Polygraph

The Exposure Polygraph provides exposure analysis for the instance that is linked to the alert. It visually displays the pathway from the internet through the internet gateway to the security group, highlights the instance, and indicates whether any IAM roles are associated with that instance.

[Image: exposure-polygraph.png]

The Exposure Polygraph uses nodes to depict the topology. Possible nodes:

  • Internet
  • Internet gateway
  • Security group
  • Load balancer
  • EC2 instance or host
  • IAM role

The Exposure Polygraph includes badges to depict the types of risks that are present. The risks shown in the Exposure Polygraph indicate that, if an attacker were to compromise this machine, they could leverage these coverage gaps to achieve privilege escalation or extend the compromise further through lateral movement.

[Image: exposure-polygraph-badges.png]

Hover over the EC2 node for additional information about the detected risks. Possible badges:

  • Vulnerabilities
  • Secrets
    • SSH keys
    • API keys
    • Passwords
  • Compliance/misconfiguration

EC2 Instance

This section provides tabs with the following contextualized information.

  • Machine details - Hostname, IP address, and any associated vulnerabilities
  • Vulnerabilities - CVEs, severity, CVSS score, vulnerability impact score, and package name
  • Secrets - Secret type (SSH key, API key, password), identifier, file path, and number of connected resources
  • Compliance violations - Failed policy, ID, status, and severity
  • Users - Separate tables for user login activity, user authentication summary, and bad (failed) logins

Secrets Detection

Lacework logs details about any secret credentials and associated file metadata. The files are identified as secrets if they adhere to a common format (the format depends on the type of credential). The actual content of any secret credentials is not logged.

The types of credentials detected and example filesystem locations are shown in the table below:

| Credential Type                                      | Example Filesystem Locations                                   |
|------------------------------------------------------|----------------------------------------------------------------|
| SSH private keys                                     | /home/ec2-user/.ssh/id_rsa                                     |
| AWS Access Key IDs (if a secret key is associated)   | /home/ec2-user/.aws/credentials, /root/.aws/credentials        |
| GCP Service Account and User Credentials files       | /etc/keys.json, /home/user/.config/gcloud/keys.json            |
| Kubernetes user tokens & certificate private keys    | /root/.kube/config, /home/user/.kube/config                    |
| Authorized Keys files                                | /home/user/.ssh/authorized_keys, /root/.ssh/authorized_keys    |
| Authentication log                                   | /var/log/auth.log                                              |

Note: Whilst the authorized_keys and auth.log files are not secrets, the data is used in combination with the detection of SSH private keys to determine whether keys are authorized and/or used on hosts.
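As an added illustration of the format-based approach described above (example code written for this page, not Lacework's own detector), the following scans a set of constructed in-memory files, recognises each credential type by its format, and records only metadata (type, path, a non-secret identifier) so that the credential material itself is never copied into a log. The file paths and regex patterns are assumptions chosen to match the table above.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample files keyed by path. Every value is a fake placeholder,
# not a real credential; only the *format* matters to the detector below.
SAMPLE_FILES = {
    "/home/ec2-user/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAAplaceholder\n-----END OPENSSH PRIVATE KEY-----\n",
    "/home/ec2-user/.aws/credentials": "[default]\naws_access_key_id = AKIAEXAMPLE000000001\naws_secret_access_key = placeholder\n",
    "/root/.aws/credentials": "[default]\naws_access_key_id = AKIAEXAMPLE000000002\n",
    "/etc/keys.json": '{"type": "service_account", "private_key_id": "deadbeef", "private_key": "placeholder"}',
    "/root/.kube/config": "users:\n- name: admin\n  user:\n    token: placeholdertoken\n",
    "/home/user/notes.txt": "nothing here matches a credential format\n",
}

@dataclass(frozen=True)
class Finding:
    kind: str        # credential type
    path: str        # where it was found
    identifier: str  # non-secret handle (PEM label, access key ID, key id)

# Assumed format patterns, one per credential type from the table.
SSH_KEY = re.compile(r"^-----BEGIN ([A-Z ]*PRIVATE KEY)-----", re.M)
AWS_ID = re.compile(r"^\s*aws_access_key_id\s*=\s*((?:AKIA|ASIA)[A-Z0-9]{16})", re.M)
AWS_SECRET = re.compile(r"^\s*aws_secret_access_key\s*=\s*\S+", re.M)
KUBE_CRED = re.compile(r"^\s*(token|client-key-data|client-key):\s*\S+", re.M)

def detect_secrets(files: dict[str, str]) -> list[Finding]:
    """Return metadata-only findings; the secret material is never stored."""
    findings = []
    for path, content in files.items():
        if m := SSH_KEY.search(content):
            findings.append(Finding("SSH private key", path, m.group(1)))
        # An access key ID alone is not a secret: report only when a secret key is present.
        if AWS_SECRET.search(content):
            for m in AWS_ID.finditer(content):
                findings.append(Finding("AWS access key", path, m.group(1)))
        if path.endswith(".json"):
            try:
                doc = json.loads(content)
            except ValueError:
                doc = {}
            if isinstance(doc, dict) and "private_key" in doc:
                findings.append(Finding("GCP credentials file", path, str(doc.get("private_key_id", "?"))))
        if "/.kube/" in path and (m := KUBE_CRED.search(content)):
            findings.append(Finding("Kubernetes user credential", path, m.group(1)))
    return findings

if __name__ == "__main__":
    for finding in detect_secrets(SAMPLE_FILES):
        print(finding)
```

The /root/.aws/credentials sample deliberately carries an access key ID with no secret key and therefore produces no finding, matching the "if a secret key is associated" condition in the table.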

Security Group

This section provides contextualized information related to configuration and CloudTrail logs. It gives full details for the security group, adding context on exposed services such as which inbound and outbound ports are allowed and which IP addresses are trusted.

Load Balancer

This section provides contextualized information related to configuration and CloudTrail logs.

IAM Role

This section shows the IAM role configuration history for the role associated with the instance.