Path Investigation
Attack paths for Google Cloud and identities are currently in preview.
Overview
The Path investigation page contains all detected attack paths, their associated Exposure Polygraphs, and contextualized information about the attack path so you can investigate and review issues. Lacework generates an attack path only if a critical vulnerability is associated with a cloud asset and that asset is exposed to the internet.
View Attack Paths
Use the Path investigation page to begin investigating and remediating the issues behind potential attack paths to your cloud assets.
- Use the filters if you want to display a specific set of attack paths. By default, the table displays all attack paths sorted by path severity in descending order.
- Locate and click the attack path you want to investigate.
- Scroll down to see the attack path's Exposure Polygraph. Below the Exposure Polygraph is the attack path's contextualized information.
- In the Exposure Polygraph hover over a node with badges above it. This displays a window that contains details about the issues, including the number of issues and links to the related information.
- Click a link within the hover window to go to the investigation section for the related information.
- Continue to investigate and gather information about the attack path from the available sections and tabs.
- Follow your organization's prescribed workflows for remediating the issues.
Attack Path List
Each attack path has the following details.
The counts in each row represent the combined total found across all nodes in the attack path, not just the nodes with badges.
Column | Description |
---|---|
Name | The name of the attack path. |
Account | The cloud account associated with the asset. |
Resource type | The type of resource exposed in the attack path. |
Path severity | The severity of the attack path. See Path Severity for details. |
Vulnerabilities | The number of vulnerabilities in the path. |
Secrets | The number of exposed secrets in the path. |
Compliance violations | The number of compliance violations in the path. |
Multiple attack paths can share the same name while having different path severities; each is associated with different asset criteria (for example, a different hostname or container image).
Exposure Polygraph
The Exposure Polygraph indicates that there is a potential attack path to your cloud environment assets. The Exposure Polygraph visually displays the exact attack path a potential attacker could use to access those assets.
The Exposure Polygraph uses nodes to represent each step along the path. Badges depict the types of risks that make the path possible.
For information about the detected issues, hover over a node that has badges. Possible badges:
- Vulnerabilities
- Secrets
- SSH keys
- API keys
- Passwords
- Compliance/misconfiguration
Single-hop and Two-hop Attack Paths
A single-hop path has an asset that is directly exposed to the internet and has critical vulnerabilities/compliance violations.
A two-hop path traverses an intermediate asset, such as an EC2 instance or a Kubernetes service that is exposed to the internet and has critical vulnerabilities/compliance violations, before reaching the endpoint asset. The endpoint is not directly exposed to the internet but would be accessible from the intermediate asset if that asset were compromised. The endpoint also has critical vulnerabilities.
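The rules above (an attack path exists only for an internet-exposed asset with a critical issue; a two-hop path needs an exposed, critically affected intermediate asset plus a non-exposed endpoint with a critical vulnerability) and the per-row counts described under Attack Path List can be expressed as a small exposure model. The following is an added example, not Lacework code: the asset names, the reachability edges, and the badge/count logic are constructed to illustrate the page's definitions, and the model ignores path severity, which the page defers to a separate topic.

```python
"""Toy model of the attack-path rules described on this page (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    kind: str                        # e.g. "ec2", "rds", "k8s_service" (constructed labels)
    internet_exposed: bool
    vulns: List[str] = field(default_factory=list)       # vulnerability severities
    secrets: List[str] = field(default_factory=list)     # "ssh_key", "api_key", "password"
    violations: List[str] = field(default_factory=list)  # compliance-violation severities


def has_critical_issue(a: Asset) -> bool:
    """A critical vulnerability or a critical compliance violation on the asset."""
    return "critical" in a.vulns or "critical" in a.violations


def badges(a: Asset) -> List[str]:
    """Badge types shown on an Exposure Polygraph node for this asset."""
    out = []
    if a.vulns:
        out.append("Vulnerabilities")
    if a.secrets:
        out.append("Secrets")
    if a.violations:
        out.append("Compliance/misconfiguration")
    return out


def single_hop_paths(assets: Dict[str, Asset]) -> List[str]:
    """Assets directly exposed to the internet that carry a critical issue."""
    return [n for n, a in assets.items() if a.internet_exposed and has_critical_issue(a)]


def two_hop_paths(assets: Dict[str, Asset], edges: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(intermediate, endpoint) pairs: exposed+critical intermediate reaching a
    non-exposed endpoint that itself has a critical vulnerability."""
    paths = []
    for src, dst in edges:
        s, d = assets[src], assets[dst]
        if (s.internet_exposed and has_critical_issue(s)
                and not d.internet_exposed and "critical" in d.vulns):
            paths.append((src, dst))
    return paths


def path_counts(assets: Dict[str, Asset], path: Tuple[str, ...]) -> Dict[str, int]:
    """Combined totals across every node in the path (not only badged nodes)."""
    nodes = [assets[n] for n in path]
    return {
        "vulnerabilities": sum(len(a.vulns) for a in nodes),
        "secrets": sum(len(a.secrets) for a in nodes),
        "compliance_violations": sum(len(a.violations) for a in nodes),
    }


# Constructed inventory: names, exposure and issue lists are illustrative only.
ASSETS = {
    "web": Asset("web", "ec2", True, vulns=["critical", "high"], secrets=["ssh_key"]),
    "db": Asset("db", "rds", False, vulns=["critical"], violations=["high", "medium"]),
    "bastion": Asset("bastion", "ec2", True, vulns=["medium"], violations=["high"]),
    "internal": Asset("internal", "ec2", False, vulns=["critical"]),
}
# "endpoint would be accessible from the intermediate asset": intermediate -> endpoint
EDGES = [("web", "db"), ("bastion", "internal")]

if __name__ == "__main__":
    print("single-hop:", single_hop_paths(ASSETS))
    for p in two_hop_paths(ASSETS, EDGES):
        print("two-hop:", p, path_counts(ASSETS, p), [badges(ASSETS[n]) for n in p])
```

In the constructed data the bastion is exposed but has no critical issue, so neither it nor the internal host it reaches produces a path; the web host yields a single-hop path and, through its edge to the database, a two-hop path whose row counts combine both nodes.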
Exposure Polygraph Nodes
Exposure Polygraphs contain one or more of the following nodes (depending on cloud provider and attack path) and their related information:
- Container images
- Data assets
  - Amazon RDS
  - Google Cloud Cloud SQL
  - Amazon S3
- Hosts
  - AWS EC2 instances
  - Google Cloud Compute instances
- Identities
  - AWS IAM roles
- Kubernetes services
- Load balancers
- Traffic control
  - AWS security groups
  - Google Cloud firewall rules
Attack Path Details
Container Images
This section provides tabs with the following contextualized information.
- Image details - Separate tables for container images (repository, image tag, container type, created time, size, container count, machine count, user count, OS, vulnerabilities, image scan status, and scan action) and list of active containers (container ID, pod name, pod namespace, start time, Kubernetes cluster, hostname, vulnerabilities, and image repository)
- Vulnerabilities - CVE, severity, score, package name, current version, fix version, and introduced in layer
- Hosts - A list of hosts (each linked to a single machine dossier) that the container image has run on with associated information: IAM role, vulnerabilities, secrets, and compliance violations.
Data Assets
Database Services
Supported database services:
- Amazon RDS
- Google Cloud Cloud SQL
This section provides tabs with the following contextualized information.
- Configuration - To view the JSON version of the configuration, click View JSON file. Viewing the JSON gives you the option to see its details in the cloud console and to download the JSON file.
- Compliance violations - Failed policy, ID, status, and severity
S3
Attack paths for S3 are currently in preview.
This section provides the following information: S3 bucket name, creation time, and compliance violations. Expand the compliance violation value for detailed failed policy information.
Hosts
Supported hosts:
- AWS EC2 instances
- Google Cloud Compute instances
This section provides tabs with the following contextualized information.
- Machine details - Separate tables for machine properties (hostname, IP address, and any associated vulnerabilities) and machine tag summary (tag name and tag value)
- Vulnerabilities - CVEs, severity, CVSS score, vulnerability impact score, and package name
- Secrets - Secret type (can be SSH key, API key, or password), identifier, file path, and number of connected resources
- Compliance violations - Failed policy, ID, status, and severity
- Users - Separate tables for user login activity (username, hostname, login time, logoff time, source IP), user authentication summary (username, user ID, successful logins, and failed logins), and bad login (IP address, username, and count)
- Exposed ports - Port number, machines, applications, and protocol
Hosts in multi-hop attack paths can have an additional level of selections.
Secrets Detection
Secrets detection is available only when agentless workload scanning (AWLS) (AWS, Google Cloud) is enabled.
Identities
Identities include AWS IAM roles. This section provides tabs with the following contextualized information about the identity. Click the view identity icon to view identity details in the entitlement management context.
Summary
For identities, this tab provides a summary of identity details and a trend chart for Granted vs used (in the past 180 days) entitlements.
The risk severity is the highest severity of the risks that are associated with the identity.
To view the identity in a resource context, click the View in Resource Explorer icon. To view access key details, hover over the access key. For risk details, click individual risk information icons.
Entitlements
This tab displays the percentage and number of the total granted entitlements that have been used for each service. Click a service in the left panel to display its details.
The table has the following information:
Column | Description |
---|---|
Resource name | The name of the resource that the identity has privileges for. |
Account ID | The account ID from the cloud service provider. |
Actions | The actions that the entitlements allow. |
Used? | The last time the identity was used. No means it has not been used in the past 180 days. |
Policy name | The name of the policy that defines the identity's permissions. |
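The per-service "used versus granted" figure and the Used? column follow directly from each entitlement's last-use time against the 180-day window. The following added example (not Lacework code) computes both from a constructed entitlement list and also flags policies whose entitlements are all unused, which is the usual least-privilege clean-up target; the resource ARNs, policy names, dates and the reference date AS_OF are all constructed.

```python
"""Granted-vs-used entitlement summary over a 180-day window (constructed example)."""
from datetime import date
from typing import Dict, List, Optional

WINDOW_DAYS = 180
AS_OF = date(2024, 6, 30)  # constructed "today" so the example is deterministic

# Constructed entitlements for one identity; account 123456789012 is a placeholder.
ENTITLEMENTS = [
    {"resource": "arn:aws:s3:::app-logs", "service": "s3", "action": "s3:GetObject",
     "policy": "AppReadLogs", "last_used": date(2024, 6, 1)},
    {"resource": "arn:aws:s3:::app-logs", "service": "s3", "action": "s3:PutObject",
     "policy": "AppReadLogs", "last_used": None},
    {"resource": "arn:aws:s3:::backups", "service": "s3", "action": "s3:DeleteObject",
     "policy": "LegacyAdmin", "last_used": date(2023, 11, 1)},
    {"resource": "arn:aws:ec2:us-east-1:123456789012:instance/*", "service": "ec2",
     "action": "ec2:TerminateInstances", "policy": "LegacyAdmin", "last_used": None},
    {"resource": "arn:aws:ec2:us-east-1:123456789012:instance/*", "service": "ec2",
     "action": "ec2:DescribeInstances", "policy": "AppReadLogs", "last_used": date(2024, 6, 29)},
]


def used_recently(last_used: Optional[date], as_of: date) -> bool:
    """True if the entitlement was exercised within the last WINDOW_DAYS days."""
    return last_used is not None and (as_of - last_used).days <= WINDOW_DAYS


def used_column(last_used: Optional[date], as_of: date) -> str:
    """Value for the Used? column: the last-use date, or "No" when outside the window."""
    return last_used.isoformat() if used_recently(last_used, as_of) else "No"


def usage_by_service(entitlements: List[dict], as_of: date) -> Dict[str, Dict[str, int]]:
    """Per service: granted count, used count, and percentage used."""
    out: Dict[str, Dict[str, int]] = {}
    for e in entitlements:
        row = out.setdefault(e["service"], {"granted": 0, "used": 0, "pct_used": 0})
        row["granted"] += 1
        if used_recently(e["last_used"], as_of):
            row["used"] += 1
    for row in out.values():
        row["pct_used"] = round(100 * row["used"] / row["granted"])
    return out


def unused_policies(entitlements: List[dict], as_of: date) -> List[str]:
    """Policies none of whose entitlements were used in the window (sorted)."""
    by_policy: Dict[str, bool] = {}
    for e in entitlements:
        by_policy[e["policy"]] = by_policy.get(e["policy"], False) or used_recently(e["last_used"], as_of)
    return sorted(p for p, used in by_policy.items() if not used)


if __name__ == "__main__":
    for svc, row in usage_by_service(ENTITLEMENTS, AS_OF).items():
        print(f"{svc}: {row['used']}/{row['granted']} used ({row['pct_used']}%)")
    for e in ENTITLEMENTS:
        print(e["action"], e["policy"], "Used?", used_column(e["last_used"], AS_OF))
    print("policies with no recent use:", unused_policies(ENTITLEMENTS, AS_OF))
```

Note that a last-use date older than the window (the backups delete permission, last used in November 2023) is reported as "No", exactly as the column description says, rather than as a stale date.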
Linked Identities
This tab contains two separate subtabs with the following information:
- Inbound - The selected identity's privileges can be assumed by these identities.
- Outbound - The selected identity can assume the privileges of these identities.
The tables have the following information:
Column | Description |
---|---|
Principal ID | The principal ID from the cloud service provider. |
Name | Name of the identity. |
Account ID | The account ID from the cloud service provider. |
Account alias | The account alias from the cloud service provider. |
Provider | The cloud service provider. |
Relation type | How the privileges relate. |
The More actions icon lets you access actions such as View identity details and View in Resource Explorer.
Remediations
This tab provides information about available remediations.
To view the suggested fix and rationale for remediating the risk, click a remediation.
If you choose to remediate the issue, follow your organization's change workflow.
Kubernetes Services
Kubernetes agent collectors are required to view Kubernetes service attack paths. Read how to set up Kubernetes agent collectors.
The Kubernetes agent collector data provides service, pod, and node resources. The data identifies the workload that owns each pod. Each service lists the container images that its pods run. The vulnerability count for the service is the sum of the vulnerabilities in its containers.
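How a service's pods, workload, container images, vulnerability count and exposed ports fit together is easier to see on concrete data. The following added example (not Lacework or collector code) resolves services to pods by label selector within the namespace, lists the distinct images those pods run, and sums the image vulnerability counts; treating a shared image as counted once per service is an assumption made here, since the page does not say how duplicates are handled. All service, pod, image and count values are constructed.

```python
"""Service -> pods -> images -> vulnerability count, as a constructed example."""
from typing import Dict, List

# Constructed collector-style data (names, images and counts are illustrative).
SERVICES = [
    {"name": "web", "namespace": "shop", "type": "NodePort", "selector": {"app": "web"},
     "ports": [{"name": "http", "nodePort": 30080, "targetPort": 8080, "protocol": "TCP"}]},
    {"name": "api", "namespace": "shop", "type": "ClusterIP",
     "selector": {"app": "api", "tier": "backend"},
     "ports": [{"name": "grpc", "nodePort": None, "targetPort": 9090, "protocol": "TCP"}]},
]
PODS = [
    {"name": "web-1", "namespace": "shop", "labels": {"app": "web"}, "owner": "Deployment/web",
     "containers": [{"name": "nginx", "image": "registry.example/nginx:1.25", "ports": [8080]}]},
    {"name": "web-2", "namespace": "shop", "labels": {"app": "web"}, "owner": "Deployment/web",
     "containers": [{"name": "nginx", "image": "registry.example/nginx:1.25", "ports": [8080]}]},
    {"name": "api-1", "namespace": "shop", "labels": {"app": "api", "tier": "backend"},
     "owner": "Deployment/api",
     "containers": [{"name": "api", "image": "registry.example/api:2.3", "ports": [9090]},
                    {"name": "sidecar", "image": "registry.example/envoy:1.29", "ports": [15000]}]},
    # Different tier label: not selected by the "api" service.
    {"name": "api-canary", "namespace": "shop", "labels": {"app": "api", "tier": "canary"},
     "owner": "Deployment/api-canary",
     "containers": [{"name": "api", "image": "registry.example/api:2.4-rc", "ports": [9090]}]},
]
IMAGE_VULNS = {  # vulnerabilities per image, as an image scan would report (constructed)
    "registry.example/nginx:1.25": 4,
    "registry.example/api:2.3": 7,
    "registry.example/envoy:1.29": 2,
    "registry.example/api:2.4-rc": 1,
}


def selects(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Kubernetes equality selector: every selector key must match the pod label."""
    return all(labels.get(k) == v for k, v in selector.items())


def pods_for_service(svc: dict, pods: List[dict]) -> List[dict]:
    return [p for p in pods
            if p["namespace"] == svc["namespace"] and selects(svc["selector"], p["labels"])]


def service_summary(svc: dict, pods: List[dict], image_vulns: Dict[str, int]) -> dict:
    """Fields shown on the Service details, Container images and Exposed ports tabs."""
    matched = pods_for_service(svc, pods)
    images: List[str] = []
    containers = []
    for p in matched:
        for c in p["containers"]:
            containers.append(c)
            if c["image"] not in images:          # distinct images (assumption: count once)
                images.append(c["image"])
    exposed = []
    for port in svc["ports"]:
        # The container that listens on the service's target port.
        listener = next((c["name"] for c in containers if port["targetPort"] in c["ports"]), None)
        exposed.append({"name": port["name"], "node_port": port["nodePort"],
                        "target_port": port["targetPort"], "protocol": port["protocol"],
                        "container": listener})
    return {
        "service": f'{svc["namespace"]}/{svc["name"]}',
        "workloads": sorted({p["owner"] for p in matched}),
        "pod_count": len(matched),
        "images": images,
        "vulnerabilities": sum(image_vulns.get(i, 0) for i in images),
        "exposed_ports": exposed,
    }


if __name__ == "__main__":
    for s in SERVICES:
        print(service_summary(s, PODS, IMAGE_VULNS))
```

The canary pod shares the app label but not the tier label, so it is excluded from the api service's pod count and vulnerability total; with the node port shown alongside the target port, a NodePort service with a high image vulnerability count is the kind of node that appears as an exposed intermediate asset in a two-hop path.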
This section provides tabs with the following contextualized information.
- Service details - Separate tables for properties (cluster name, name, namespace, type, workload name, workload kind, pod count, and creation time) and label summary
- Vulnerabilities - Repository, vulnerability, package, package namespace, severity, CVSS score, package status, current version, and fix version
- Exposed ports - Name, node port (where the container is exposed), target port (where the container listens), protocol, and container
- Container images - Container name, container image name, image ID, and port count
- Ingress rules - Ingress name, class, host, path, path type, and target port
Kubernetes services in multi-hop attack paths can have an additional level of selections.
Load Balancers
This section provides tabs with the following contextualized information.
- Configuration - To view the JSON version of the load balancer configuration, click View JSON file. Viewing the JSON gives you the option to see its details in the cloud console and to download the JSON file.
- Audit logs (AWS CloudTrail, Google Cloud Audit Logs) - Account/Project, region, service, API, event hour, source IP, count, request parameters, and user identity
Traffic Control
Supported traffic controls:
- AWS security groups
- Google Cloud firewall rules
This section provides tabs with the following contextualized information.
- Configuration - To view the JSON version of the configuration, click View JSON file. Viewing the JSON gives you the option to see its details in the cloud console and to download the JSON file.
- Audit logs (AWS CloudTrail, Google Cloud Audit Logs) - Account/Project, region, service, API, event hour, source IP, count, request parameters, and user identity
- Compliance violations - Failed policy, ID, status, and severity
Traffic controls in multi-hop attack paths can have an additional level of selections.