Skip to main content

Path Investigation

Overview

The Path investigation page contains all detected attack paths, their associated Exposure Polygraphs, and contextualized information about the attack path so you can investigate and review issues. Lacework generates an attack path only if a critical vulnerability is associated with a cloud asset and that asset is exposed to the internet.

View Attack Paths

Use the Path investigation page to begin investigating and remediating the issues behind potential attack paths to your cloud assets.

  1. Use the filters if you want to display a specific set of attack paths. By default, the table displays all attack paths sorted by path severity in descending order.
  2. Locate and click the attack path you want to investigate.
  3. Scroll down to see the attack path's Exposure Polygraph. Below the Exposure Polygraph is the attack path's contextualized information.
  4. In the Exposure Polygraph hover over a node with badges above it. This displays a window that contains details about the issues, including the number of issues and links to the related information.
  5. Click a link within the hover window to go to the investigation section for the related information.
  6. Continue to investigate and gather information about the attack path from the available sections and tabs.
  7. Follow your organization's prescribed workflows for remediating the issues.

When the page displays your desired attack paths, click Save or Create view in the top right corner. This allows you to access the saved view later. You can also copy the link to a saved view by opening the list of saved views and clicking the Share view icon of the view you want to share. You can then send that link to others so they can see the same view. For more details about saved views, refer to Views Management.

Attack Path List

Each attack path has the following details.

tip

The counts in each row represent the combined total found across all nodes in the attack path, not just the nodes with badges.

ColumnDescription
NameThe name of the attack path.
Cloud providerThe asset's cloud provider.
Account/Project/SubscriptionThe cloud account/project/subscription associated with the asset. The number of cross accounts that are connected is displayed if applicable.
Resource typeThe type of resource exposed in the attack path.
Path severityThe severity of the attack path. See Path Severity for details.
VulnerabilitiesThe number of vulnerabilities in the path.
SecretsThe number of exposed secrets in the path.
Compliance violationsThe number of compliance violations in the path.
note

Multiple attack paths can have the same name with different attack path severities, but they are associated with different asset criteria (hostname, container image).

Exposure Polygraph

The Exposure Polygraph indicates that there is a potential attack path to your cloud environment assets. The Exposure Polygraph visually displays the exact attack path a potential attacker could use to access those assets.

The Exposure Polygraph uses nodes to represent each step along the path. Badges depict the types of risks that make the path possible.

For information about the detected issues, hover over a node that has badges. Possible badges:

  • Vulnerabilities
  • Secrets
    • SSH keys
    • API keys
    • Passwords
  • Compliance/misconfiguration

Single-hop and Two-hop Attack Paths

A single-hop path has an asset that is directly exposed to the internet and has critical vulnerabilities.

A two-hop path traverses an asset, such as an EC2 instance or a Kubernetes service (which is exposed to the internet and has critical vulnerabilities), before reaching the asset that is the target node. The target node is not directly exposed to the internet but would be accessible from the intermediate asset if it were compromised. The target node also has critical vulnerabilities.

Exposure Polygraph Nodes

Exposure Polygraphs contain one or more of the following nodes (depending on cloud provider and attack path) and their related information:

Attack Path Details

Container Images

This section provides tabs with the following contextualized information.

  • Image details - Separate tables for container images and active containers
  • Vulnerabilities
  • Hosts - A list of hosts (each linked to a single machine dossier) that the container image has run on with associated information

Data Assets

Database Services

Supported database services:

  • Amazon RDS
  • Azure Database (SQL, PostgreSQL)
  • Google Cloud SQL

This section provides tabs with the following contextualized information.

  • Configuration - To view the JSON version of the configuration, click View JSON file. Viewing the JSON gives you the option to see its details in the cloud console and to download the JSON file.
  • Compliance violations

Storage Services

Supported storage services:

  • Amazon S3
  • Azure Blob Storage

For S3, this section provides the following information: S3 bucket name, creation time, and compliance violations. Expand the compliance violation value for detailed failed policy information.

For Azure Blob Storage, this section provides the following contextualized information.

  • Configuration - To view the JSON version of the configuration, click View JSON file. Viewing the JSON gives you the option to download the JSON file.
  • Compliance violations
S3 Cluster Names

Lacework clusters S3 buckets according to which ones an EC2 instance can access through a specific AWS role. These Lacework-defined bucket clusters are grouped and named using the following rules:

  • If there is only one S3 bucket in the cluster, Lacework uses that bucket's name
  • If there are many buckets matched by a single regular expression, Lacework uses this name:
    <regex> (Regex-based cluster name)
  • If there are many buckets matched by many different regular expressions, Lacework uses this name:
    <common-prefix-of-regexes> (Regexed-based cluster name)

The cluster names appear on the Path investigation page in these locations:

  • Name in attack paths table
  • S3 node in the Exposure Polygraph
  • S3 details section

Hosts

Supported hosts:

  • AWS EC2 instances
  • Azure VMs
  • Google Cloud Compute instances

This section provides tabs with the following contextualized information.

  • Machine details
  • Vulnerabilities
  • Secrets - Secret type (can be SSH key, API key, or password), identifier, file path, and number of connected resources. For more information about the types of credentials detected, refer to Secrets Detection.
    note

    Secrets detection is available only when agentless workload scanning (AWLS) (AWS, Google Cloud) is enabled.

  • Compliance violations
  • Users
  • Exposed ports

Hosts in multi-hop attack paths can have an additional level of selections.

Identities

Identities include AWS IAM roles. This section provides tabs with the following contextualized information about the identity. Click the identities icon to view details in an identities context.

Summary

For identities, this tab provides a summary of identity details and a trend chart for Granted vs. used (in the past 180 days) entitlements. AWS instance profiles also display an Associated EC2 instances chart.

The risk severity is the highest severity of the risks that are associated with the identity.

To view the identity in a resource context, click the View in Resource Explorer icon. To view access key details, hover over the access key. For risk details, click individual risk information icons.

Entitlements

This tab displays the percentage and number of the total granted entitlements that are unused for each service. Click a service in the left panel to display its details.

The table has the following information:

ColumnDescription
Resource nameThe ARN or expression of the resource that the identity has privileges for.
PermissionsThe permissions that the entitlements allow. If a non-expanded wildcard is present, it means that none of the permissions within that wildcard are used. Wildcards are expanded if any discrete permissions within the service are used.
StatusThe status can be Excessive, Used, or Unknown. Excessive means there are unused permissions that should be removed. Used means the entitlement was used in the last 180 days. Unknown means this data is not recorded in event logs so usage cannot be determined.
AccountThe account identifier from the cloud service provider.
Last usedThe last time the entitlement was used.
Last used date/timeThe last time the entitlement was used. No means it has not been used in the last 180 days.

Linked Identities

This tab contains two separate subtabs with the following information:

  • Inbound - The selected identity's privileges can be assumed by these identities.
  • Outbound - The selected identity can assume the privileges of these identities.

The tables have the following information:

ColumnDescription
Principal IDThe principal ID from the cloud service provider.
NameName of the identity.
Account IDThe account ID from the cloud service provider.
Account aliasThe account alias from the cloud service provider.
ProviderThe cloud service provider.
Relation typeHow the privileges relate.

The More actions icon lets you access actions such as View identity details and View in Resource Explorer.

Remediations

This tab provides information about available remediations.

To view the suggested fix and rationale for remediating the risk, click a remediation.

If you choose to remediate the issue, follow your organization's change workflow.

Kubernetes Services

info

The node and cluster collectors are required to view Kubernetes service attack paths. Read how to set up node and cluster collectors.

The node and cluster collectors provide data about service, pod, and node resources. The data identifies the workload that owns each pod. Each service lists the container images that its pods run. The vulnerability count for the service is the sum of the vulnerabilities in its containers.

This section provides tabs with the following contextualized information.

  • Service details - Separate tables for properties and the label summary
  • Vulnerabilities
  • Exposed ports
  • Container images
  • Ingress rules

Kubernetes services in multi-hop attack paths can have an additional level of selections.

Load Balancers

This section provides tabs with the following contextualized information.

  • Configuration - To view the JSON version of the load balancer configuration, click View JSON file. Viewing the JSON gives you the option to see its details in the cloud console and to download the JSON file.
  • CloudTrail logs/Audit logs/Activity logs

Traffic Control

Supported traffic controls:

  • AWS security groups
  • Azure security groups
  • Google Cloud firewall rules

This section provides tabs with the following contextualized information.

  • Configuration - To view the JSON version of the configuration, click View JSON file. Viewing the JSON gives you the option to see its details in the cloud console and to download the JSON file.
  • CloudTrail logs/Audit logs/Activity logs
  • Compliance violations

Traffic controls in multi-hop attack paths can have an additional level of selections.

Cross Accounts

Lacework considers an attack path to have a cross account if a cloud entity in one account is exposed to the internet and the transit gateway allows traffic to another account. Transit gateways are represented by dedicated nodes in the Exposure Polygraph. Entities that are connected through transit gateways have an account name column with a corresponding account attribute added to the related attack path details tables. For example, an EC2 instance would have the cross account name added to the Machine properties table in the Machine details tab.