Skip to main content

Attack Path FAQ

What must be installed in order to get internet exposure information?

Either agents or agentless integrations are needed. The information is based on cloud configuration and the availability of ingested asset information. For AWS, the hosts must be EC2 assets, which includes EKS and ECS.

Where is the internet exposure filter available?

The internet exposure filter is available on the Alerts page, the Host Vulnerabilities page, and the Container Vulnerabilities page. Set internet exposure = yes to see all assets that are internet exposed.

What are the conditions for internet exposure = yes?

AWS

  • Instance has public IP address or instance is targeted by an internet-facing load balancer
  • Security group rule on the instance or load balancer permits 0.0.0.0/0
  • Subnet of instance is public (meaning, it has a route to an internet gateway)

Azure

  • Network interface must have a public IP address

Google Cloud

  • Network must have a default route to 0.0.0.0/0
  • Network must have a public IP address
  • There must not be a firewall rule that blocks access

When I set the filter to internet exposure = yes, why don’t I see any items in my alerts or host vulnerability pages?

It's possible that there are no alerts that have assets exposed to the internet.

If assets are internet exposed, how else does Lacework use that information?

Internet exposure is also a factor in the host or container image risk score.

Where is the Exposure Polygraph available?

The Exposure Polygraph is available in these locations in the Lacework Console:

  • Individual alerts that have assets exposed to the internet display the Exposure Polygraph in the Exposure tab.
  • Single machine dossiers display the Exposure Polygraph in the Exposure tab.
  • The Attack path > Path investigation page lists attack paths that you can click to view their Exposure Polygraphs.

How quickly does the Exposure Polygraph get updated after changes are made such as to a security group/firewall rule or internet gateway?

The Exposure Polygraph is generated once every 24 hours.

Why don’t I see Exposure Polygraph information for machines?

Not all machines will have Exposure Polygraph information:

  • Because cloud configuration data is scraped once per day, only the instances that are up at that time will be present.
  • Transient instances that may have agents/agentless scans that aren’t captured in the cloud configuration snapshot won't have Exposure Polygraph information.

What must be installed in order to see attack path information?

A cloud configuration integration is required. Additionally, agent and/or agentless workload scanning is required to populate the vulnerabilities on the attack path.

For the most complete experience, Lacework recommends you deploy all available components (cloud configuration, log analysis, agents, and agentless workload scanning).

What internet exposure path scenarios are supported?

Lacework supports analyzing internet gateways and two-layer load balancers. Analyzing API gateways is not currently supported. This means that any paths through API gateways are not represented in Exposure Polygraphs.