Path Investigation
Overview
The Path investigation page contains all detected attack paths, their associated Exposure Polygraphs, and contextualized information about the attack path so you can investigate and review issues. Lacework generates an attack path only if a critical vulnerability is associated with a cloud asset and that asset is exposed to the internet.
View Attack Paths
Use the Path investigation page to begin investigating and remediating the issues behind potential attack paths to your cloud assets.
- Use the filters if you want to display a specific set of attack paths. By default, the table displays all attack paths sorted by path severity in descending order.
- Locate and click the attack path you want to investigate.
- Scroll down to see the attack path's Exposure Polygraph. Below the Exposure Polygraph is the attack path's contextualized information.
- In the Exposure Polygraph hover over a node with badges above it. This displays a window that contains details about the issues, including the number of issues and links to the related information.
- Click a link within the hover window to go to the investigation section for the related information.
- Continue to investigate and gather information about the attack path from the available sections and tabs.
- Follow your organization's prescribed workflows for remediating the issues.
When the page displays your desired attack paths, click Save or Create view in the top right corner. This allows you to access the saved view later. You can also copy the link to a saved view by opening the list of saved views and clicking the Share view icon of the view you want to share. You can then send that link to others so they can see the same view. For more details about saved views, refer to Views Management.
Attack Path List
Each attack path has the following details.
The counts in each row represent the combined total found across all nodes in the attack path, not just the nodes with badges.
| Column | Description |
|---|---|
| Name | The name of the attack path. |
| Cloud provider | The asset's cloud provider. |
| Account/Project/Subscription | The cloud account/project/subscription associated with the asset. The number of cross accounts that are connected is displayed if applicable. |
| Resource type | The type of resource exposed in the attack path. |
| Path severity | The severity of the attack path. See Path Severity for details. |
| Vulnerabilities | The number of vulnerabilities in the path. |
| Secrets | The number of exposed secrets in the path. |
| Compliance violations | The number of compliance violations in the path. |
Multiple attack paths can have the same name with different attack path severities, but they are associated with different asset criteria (hostname, container image).
Exposure Polygraph
The Exposure Polygraph indicates that there is a potential attack path to your cloud environment assets. The Exposure Polygraph visually displays the exact attack path a potential attacker could use to access those assets.
The Exposure Polygraph uses nodes to represent each step along the path. Badges depict the types of risks that make the path possible.
For information about the detected issues, hover over a node that has badges. Possible badges:
- Vulnerabilities
- Secrets
- SSH keys
- API keys
- Passwords
- Compliance/misconfiguration
Single-hop and Two-hop Attack Paths
A single-hop path has an asset that is directly exposed to the internet and has critical vulnerabilities.
A two-hop path traverses an asset, such as an EC2 instance or a Kubernetes service (which is exposed to the internet and has critical vulnerabilities), before reaching the asset that is the target node. The target node is not directly exposed to the internet but would be accessible from the intermediate asset if it were compromised. The target node also has critical vulnerabilities.
Exposure Polygraph Nodes
Exposure Polygraphs contain one or more of the following nodes (depending on cloud provider and attack path) and their related information:
- Container images
- Data assets
- Amazon RDS
- Amazon S3
- Azure Blob Storage
- Azure Database (SQL, PostgreSQL)
- Google Cloud SQL
- Hosts
- AWS EC2 instances
- Azure Virtual Machines
- Google Cloud Compute instances
- Identities
- AWS IAM roles
- Kubernetes services
- Load balancers
- Traffic control
- AWS security groups
- Azure security groups
- Google Cloud firewall rules
Attack Path Details
Container Images
This section provides tabs with the following contextualized information.
- Image details - Separate tables for container images and active containers
- Vulnerabilities
- Hosts - A list of hosts (each linked to a single machine dashboard) that the container image has run on with associated information
Data Assets
Database Services
Supported database services:
- Amazon RDS
- Azure Database (SQL, PostgreSQL)
- Google Cloud SQL
This section provides tabs with the following contextualized information.
- Configuration - To view the JSON version of the configuration, click View JSON file. Viewing the JSON gives you the option to see its details in the cloud console and to download the JSON file.
- Compliance violations
Storage Services
Supported storage services:
- Amazon S3
- Azure Blob Storage
For S3, this section provides the following information: S3 bucket name, creation time, and compliance violations. Expand the compliance violation value for detailed failed policy information.
For Azure Blob Storage, this section provides the following contextualized information.
- Configuration - To view the JSON version of the configuration, click View JSON file. Viewing the JSON gives you the option to download the JSON file.
- Compliance violations
S3 Cluster Names
Lacework clusters S3 buckets according to which ones an EC2 instance can access through a specific AWS role. These Lacework-defined bucket clusters are grouped and named using the following rules:
- If there is only one S3 bucket in the cluster, Lacework uses that bucket's name
- If there are many buckets matched by a single regular expression, Lacework uses this name:
<regex> (Regex-based cluster name) - If there are many buckets matched by many different regular expressions, Lacework uses this name:
<common-prefix-of-regexes> (Regexed-based cluster name)
The cluster names appear on the Path investigation page in these locations:
- Name in attack paths table
- S3 node in the Exposure Polygraph
- S3 details section
Hosts
Supported hosts:
- AWS EC2 instances
- Azure VMs
- Google Cloud Compute instances
This section provides tabs with the following contextualized information.
- Machine details
- Vulnerabilities
- Secrets - Secret type (can be SSH key, API key, or password), identifier, file path, and number of connected resources. For more information about the types of credentials detected, refer to Secrets Detection.note
Secrets detection is available only when agentless workload scanning (AWLS) (AWS, Google Cloud) is enabled.
- Compliance violations
- Users
- Exposed ports
Hosts in multi-hop attack paths can have an additional level of selections.
Identities
Identities include AWS IAM roles. This section provides tabs with the following contextualized information about the identity. Click the identities icon to view details in an identities context.
Summary
For identities, this tab provides a summary of identity details and a trend chart for Granted vs. used (in the past 180 days) entitlements. AWS instance profiles also display an Associated EC2 instances chart.
The risk severity is the highest severity of the risks that are associated with the identity.
To view the identity in a resource context, click the View in Resource Explorer icon. To view access key details, hover over the access key. For risk details, click individual risk information icons.
Entitlements
This tab displays the percentage and number of the total granted entitlements that are unused for each service. Click a service in the left panel to display its details.
The table has the following information:
| Column | Description |
|---|---|
| Resource name | The ARN or expression of the resource that the identity has privileges for. |
| Permissions | The permissions that the entitlements allow. If a non-expanded wildcard is present, it means that none of the permissions within that wildcard are used. Wildcards are expanded if any discrete permissions within the service are used. |
| Status | The status can be Excessive, Used, or Unknown. Excessive means there are unused permissions that should be removed. Used means the entitlement was used in the last 180 days. Unknown means this data is not recorded in event logs so usage cannot be determined. |
| Account | The account identifier from the cloud service provider. |
| Last used | The last time the entitlement was used. |
| Last used date/time | The last time the entitlement was used. No means it has not been used in the last 180 days. |
Linked Identities
This tab contains two separate subtabs with the following information:
- Inbound - The selected identity's privileges can be assumed by these identities.
- Outbound - The selected identity can assume the privileges of these identities.
The tables have the following information:
| Column | Description |
|---|---|
| Principal ID | The principal ID from the cloud service provider. |
| Name | Name of the identity. |
| Account ID | The account ID from the cloud service provider. |
| Account alias | The account alias from the cloud service provider. |
| Provider | The cloud service provider. |
| Relation type | How the privileges relate. |
The More actions icon lets you access actions such as View identity details and View in Resource Explorer.
Remediations
This tab provides information about available remediations.
To view the suggested fix and rationale for remediating the risk, click a remediation.
If you choose to remediate the issue, follow your organization's change workflow.
Kubernetes Services
The node and cluster collectors are required to view Kubernetes service attack paths. Read how to set up node and cluster collectors.
The node and cluster collectors provide data about service, pod, and node resources. The data identifies the workload that owns each pod. Each service lists the container images that its pods run. The vulnerability count for the service is the sum of the vulnerabilities in its containers.
This section provides tabs with the following contextualized information.
- Service details - Separate tables for properties and the label summary
- Vulnerabilities
- Exposed ports
- Container images
- Ingress rules
Kubernetes services in multi-hop attack paths can have an additional level of selections.
Load Balancers
This section provides tabs with the following contextualized information.
- Configuration - To view the JSON version of the load balancer configuration, click View JSON file. Viewing the JSON gives you the option to see its details in the cloud console and to download the JSON file.
- CloudTrail logs/Audit logs/Activity logs
Traffic Control
Supported traffic controls:
- AWS security groups
- Azure security groups
- Google Cloud firewall rules
This section provides tabs with the following contextualized information.
- Configuration - To view the JSON version of the configuration, click View JSON file. Viewing the JSON gives you the option to see its details in the cloud console and to download the JSON file.
- CloudTrail logs/Audit logs/Activity logs
- Compliance violations
Traffic controls in multi-hop attack paths can have an additional level of selections.
Cross Accounts
Lacework considers an attack path to have a cross account if a cloud entity in one account is exposed to the internet and the transit gateway allows traffic to another account. Transit gateways are represented by dedicated nodes in the Exposure Polygraph. Entities that are connected through transit gateways have an account name column with a corresponding account attribute added to the related attack path details tables. For example, an EC2 instance would have the cross account name added to the Machine properties table in the Machine details tab.