Attack Path Analysis FAQs
What must be installed in order to get internet exposure information?
Either agents or agentless integrations are needed, and the hosts must be EC2 assets (this includes EKS and ECS). The information is derived from AWS configuration data together with the ingested EC2 asset information.
Where is the internet exposure filter available?
The internet exposure filter is available on the Alerts page, the Host Vulnerabilities page, and the Container Vulnerabilities page. Set internet exposure = yes to see all items that are internet exposed.
What are the conditions for internet exposure = yes?
- The instance has a public IP address, or the instance is targeted by an internet-facing load balancer
- The security group on the instance or on the load balancer permits traffic from 0.0.0.0/0
- The instance's subnet is public (meaning its route table has a route to an internet gateway)
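The three conditions above, evaluated over a constructed AWS-config-like snapshot, as an added example that is not Lacework's code. It assumes all three conditions must hold together, that load balancers chain at most two layers deep (matching the two-layer load balancer support described at the end of this FAQ), and that only the IPv4 0.0.0.0/0 rule is checked; all resource ids are made up.

```python
# Added example, not Lacework's code. Assumptions: all three FAQ conditions must
# hold together, LB chains are at most two layers deep, only IPv4 0.0.0.0/0 counts.
SNAPSHOT = {  # constructed sample data, not a real AWS account
    "instances": {  # public IP, subnet, attached security groups
        "i-web": {"public_ip": None, "subnet": "subnet-a", "sgs": ["sg-web"]},
        "i-db": {"public_ip": None, "subnet": "subnet-b", "sgs": ["sg-db"]},
        "i-bastion": {"public_ip": "203.0.113.10", "subnet": "subnet-a", "sgs": ["sg-db"]},
    },
    "security_groups": {  # allowed inbound source CIDRs per group
        "sg-web": ["10.0.0.0/8"], "sg-db": ["10.0.0.0/8"], "sg-alb": ["0.0.0.0/0"], "sg-nlb": [],
    },
    "subnets": {"subnet-a": ["local", "igw-1"], "subnet-b": ["local", "nat-1"]},  # route targets
    "load_balancers": {  # scheme, security groups, and what each LB forwards to
        "nlb-edge": {"scheme": "internet-facing", "sgs": ["sg-nlb"], "targets": ["alb-app"]},
        "alb-app": {"scheme": "internal", "sgs": ["sg-alb"], "targets": ["i-web"]},
    },
}

def sg_open_to_world(snap, sg_ids):
    """Condition 2: any listed security group permits 0.0.0.0/0."""
    return any("0.0.0.0/0" in snap["security_groups"].get(sg, []) for sg in sg_ids)

def subnet_is_public(snap, subnet_id):
    """Condition 3: the subnet's route table has a route to an internet gateway."""
    return any(t.startswith("igw-") for t in snap["subnets"].get(subnet_id, []))

def internet_facing_paths(snap, instance_id, max_layers=2):
    """Condition 1b: LB chains (outermost first) from an internet-facing LB to the instance."""
    paths = []
    def walk(target, chain):
        if len(chain) >= max_layers:
            return
        for lb_id, lb in snap["load_balancers"].items():
            if target in lb["targets"]:
                if lb["scheme"] == "internet-facing":
                    paths.append([lb_id] + chain)
                walk(lb_id, [lb_id] + chain)
    walk(instance_id, [])
    return paths

def is_internet_exposed(snap, instance_id):
    """True when all three FAQ conditions hold; an open group on the instance or any LB counts."""
    inst = snap["instances"][instance_id]
    if not subnet_is_public(snap, inst["subnet"]):
        return False
    if inst["public_ip"] and sg_open_to_world(snap, inst["sgs"]):
        return True  # condition 1a: public IP plus an open group on the instance
    for path in internet_facing_paths(snap, instance_id):
        sgs = inst["sgs"] + [sg for lb in path for sg in snap["load_balancers"][lb]["sgs"]]
        if sg_open_to_world(snap, sgs):
            return True
    return False
```

In the sample, i-web is exposed through the NLB-to-ALB chain, i-db sits in a private subnet, and i-bastion has a public IP but no group open to 0.0.0.0/0.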
When I set the filter to internet exposure = yes, why don’t I see any items in my alerts or host vulnerability pages?
It's possible that there are no alerts that have hosts exposed to the internet.
If assets are internet exposed, how else does Lacework use that information?
Internet exposure is also a factor in the host or image risk score.
Where is the Exposure Polygraph available?
The Exposure Polygraph is available in these locations in the Lacework Console:
- Individual alerts that have hosts exposed to the internet present the Exposure Polygraph in the Exposure tab.
- Single machine dossiers present the Exposure Polygraph in the Exposure tab.
How quickly does the Exposure Polygraph get updated after changes are made to resources such as a security group or internet gateway?
The Exposure Polygraph is generated once every 24 hours.
Why don’t I see Exposure Polygraph information for machines?
Not all machines will have Exposure Polygraph information:
- Because AWS configuration data is scraped once per day, only the instances that are running at the time of that snapshot will be present.
- Transient instances that have agent or agentless scan data but are not captured in the AWS configuration snapshot won't have Exposure Polygraph information.
What must be installed in order to see attack path information?
An integrated cloud configuration is required. Additionally, agent and/or agentless workload scanning is required to populate the vulnerabilities on the attack path.
For the most complete experience, Lacework recommends you deploy all available components (cloud configuration, log analysis/CloudTrail, agents, and Agentless Workload Scanning).
What are the differences between the Exposure Polygraph and the Attack Path Polygraph?
The Exposure Polygraph depicts only the first-level internet-exposed EC2 instance or container image.
The Attack Path Polygraph requires the existence of attack path risk factors that allow Lacework to build a path on the workload. Currently, Lacework generates an attack path only if a critical vulnerability is associated with the host instance or container image.
What internet exposure path scenarios are supported?
Lacework supports analyzing internet gateways and two-layer load balancers. Analyzing API gateways is not currently supported. This means that any paths through API gateways are not represented in Exposure Polygraphs.