
Attack Path Analysis Overview

Overview


By combining exposure path visualizations with data about what’s actively happening in production, the Lacework Polygraph® Data Platform empowers you to easily prioritize the most impactful attack vectors in your cloud environment. You can easily and accurately pinpoint risks, collaborating across teams to investigate and remediate from a single source of truth.

Attack path analysis is essential to uncovering and preventing malicious behavior. With these new capabilities, Lacework helps you track which assets an attacker could target when they enter a cloud environment.

Lacework shows possible attack paths within a cloud environment by correlating multiple risk factors - vulnerabilities, network reachability, secrets, and identity and access management (IAM) roles - drawn from configuration data, activity data, and runtime data. It uses this information to create Exposure Polygraphs, which tie the risk factors together to illustrate potential attack chains leading to assets in your cloud environment. Lacework generates an Exposure Polygraph when a cloud asset has critical vulnerabilities associated with it and is exposed to the internet.
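As an added illustration of how such risk factors can be correlated into a chain (this is constructed example code, not Lacework's own algorithm or API), the Python model below treats assets as graph nodes, network reachability and IAM role trust as edges, and reports only chains that start at the internet and end at an asset carrying a critical vulnerability; every asset name, edge and severity in it is made up.

```python
"""Constructed model of attack-path correlation (not Lacework code).

Assets are nodes; edges come from two of the risk factors named above:
network reachability and IAM role trust. A chain is reported only when it
starts at the internet and ends at an asset with a critical vulnerability.
"""
from collections import deque

# Constructed sample inventory: asset -> set of vulnerability severities.
VULNS = {
    "lb-public": set(),
    "web-ec2": {"medium"},
    "api-ec2": {"critical"},
    "db-ec2": {"critical"},
    "batch-ec2": {"critical"},  # critical, but never reachable from the internet
}

# Constructed edges: (source, target, risk factor). "internet" is the entry node.
EDGES = [
    ("internet", "lb-public", "network"),
    ("lb-public", "web-ec2", "network"),
    ("web-ec2", "api-ec2", "network"),
    ("api-ec2", "db-ec2", "iam-trust"),  # a role trusted by api-ec2 reaches db-ec2
]


def attack_paths(vulns, edges, entry="internet", severity="critical"):
    """Return every simple path from `entry` to an asset with a `severity` finding.

    Each hop is a (node, factor) pair, so the risk factor that enabled the step
    stays visible when the chain is reviewed.
    """
    adj = {}
    for src, dst, factor in edges:
        adj.setdefault(src, []).append((dst, factor))
    found = []
    queue = deque([[(entry, None)]])
    while queue:  # breadth-first, so shorter chains are reported first
        path = queue.popleft()
        node = path[-1][0]
        if severity in vulns.get(node, set()):
            found.append(path)
        for nxt, factor in adj.get(node, []):
            if all(nxt != seen for seen, _ in path):  # keep paths free of cycles
                queue.append(path + [(nxt, factor)])
    return found


def exposed_assets(vulns, edges):
    """Assets that both carry a critical vulnerability and are internet-reachable."""
    return sorted({path[-1][0] for path in attack_paths(vulns, edges)})
```

`batch-ec2` is deliberately left out of the result: a critical vulnerability alone does not produce a chain unless a reachable path from the internet exists.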

Requirements

To take full advantage of Lacework capabilities, integrate all of the following:

Minimum

Attack path analysis requires:

Plus one of the following:

  • Lacework agents - Provide context from workload data and vulnerabilities where the Lacework agent is installed.
    For AWS, the node and cluster collectors are required to view Kubernetes service attack paths. Read how to set up node and cluster collectors.
  • Agentless workload scanning (AWS, Google Cloud) - Provides vulnerabilities and secrets. Agentless workload scanning is not available for Azure.

Limitations

AWS

  • Exposure Polygraphs currently support EC2-backed services (Native EC2, ECS, and EKS) as the target of the path.
  • Special network ACLs are not considered.
  • IAM roles currently list only trust policies.

Azure

  • Attack paths for Azure do not support secrets detection.

Refresh Frequency

Lacework generates Exposure Polygraphs every 24 hours. The information is based on cloud configuration and the availability of asset information, which is ingested every 24 hours.