Exposure Polygraph
The Exposure Polygraph provides an additional layer of risk context for alerts that have hosts exposed to the internet. Once a day, Lacework generates this topology graph from cloud configuration data for every known host in your environment.
View Internet Exposed Vulnerabilities
The Exposure Polygraph derives an internet exposure value (yes, no, or unknown) for each host, makes that value available as a filter for host vulnerabilities, and includes it as context in the host vulnerability risk score.
View Alerts with Exposure Polygraphs
Alerts that have hosts exposed to the internet have the Exposure Polygraph risk context. The Exposure tab displays details about host reachability, critical vulnerabilities, exposed secrets, misconfigurations, and more.
- Select Alerts.
- If the Internet Exposure filter is not visible, click Show more to display additional filters.
- For the Internet Exposure filter, select Yes. The results are refined to show only alerts associated with instances that are exposed to the internet.
- Click the desired alert and then the Exposure tab.
View Exposure Risk Context
When an alert is associated with multiple hosts and EC2 instances, you can search for and select a host/instance ID from the drop-down menu to view that instance's exposure information.
Exposure Polygraph
The Exposure Polygraph provides exposure analysis for the instance linked to the alert. It visually displays the pathway from the internet, through the internet gateway, to the security group, highlights the instance, and indicates whether any IAM roles are associated with that instance.
The Exposure Polygraph uses nodes to depict the topology. Possible nodes:
- Internet
- Internet gateway
- Security group
- Load balancer
- EC2 instance or host
- IAM role
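The derivation described above (the yes/no/unknown exposure value and the internet → internet gateway → security group → instance path) can be worked through on a small configuration snapshot. The following is an added example written for this page, not Lacework's own code or algorithm. It assumes a simplified snapshot shape with hypothetical IDs (igw-0abc, sg-web, alb-1 and so on), treats an instance as exposed when it has a public IP, its subnet's default route goes to an internet gateway, and a security group admits traffic from 0.0.0.0/0 or ::/0, or when an internet-facing load balancer with such a rule targets it, and returns unknown when the subnet or route table is missing from the snapshot.

```python
"""Derive an internet-exposure verdict and the reachable path for an instance
from a constructed snapshot of AWS configuration data.
Added example, not Lacework's code; IDs and snapshot shape are hypothetical."""

WORLD = ("0.0.0.0/0", "::/0")


def world_open_ports(sg):
    """Ingress rules of sg that accept any source address, as (proto, from, to)."""
    return sorted((r["proto"], r["from_port"], r["to_port"])
                  for r in sg["ingress"] if any(c in WORLD for c in r["cidrs"]))


def default_igw(cfg, subnet_id):
    """Internet gateway behind the subnet's default route; None if the default
    route goes elsewhere (e.g. a NAT gateway); 'unknown' if the snapshot lacks
    the subnet or its route table."""
    subnet = cfg["subnets"].get(subnet_id)
    rt = cfg["route_tables"].get(subnet["route_table_id"]) if subnet else None
    if rt is None:
        return "unknown"
    for route in rt["routes"]:
        if route["dest"] in WORLD and route["target"].startswith("igw-"):
            return route["target"]
    return None


def exposure(cfg, instance_id):
    """Verdict (yes/no/unknown), every reachable path, and the attached IAM role."""
    inst = cfg["instances"][instance_id]
    igw = default_igw(cfg, inst["subnet_id"])
    if igw == "unknown":
        return {"verdict": "unknown", "paths": [], "iam_role": inst.get("iam_role")}
    paths = []
    if igw and inst.get("public_ip"):
        # Direct path: public IP, default route to an IGW, and an SG open to the world.
        for sg_id in inst["security_groups"]:
            ports = world_open_ports(cfg["security_groups"][sg_id])
            if ports:
                paths.append({"path": ["internet", igw, sg_id, instance_id], "ports": ports})
    for lb_id, lb in cfg["load_balancers"].items():
        # Indirect path: an internet-facing load balancer that targets the instance.
        if lb["scheme"] != "internet-facing" or instance_id not in lb["targets"]:
            continue
        lb_igw = default_igw(cfg, lb["subnet_id"])
        if not lb_igw or lb_igw == "unknown":
            continue
        for sg_id in lb["security_groups"]:
            ports = world_open_ports(cfg["security_groups"][sg_id])
            if ports:
                paths.append({"path": ["internet", lb_igw, sg_id, lb_id, instance_id], "ports": ports})
    return {"verdict": "yes" if paths else "no", "paths": paths, "iam_role": inst.get("iam_role")}


# Constructed snapshot (hypothetical IDs): a public and a private subnet, a web
# instance open to the world, an app instance reachable only through an
# internet-facing ALB, a database instance reachable from the app tier only,
# and an instance whose subnet is absent from the snapshot.
SNAPSHOT = {
    "route_tables": {
        "rtb-public": {"routes": [{"dest": "10.0.0.0/16", "target": "local"},
                                  {"dest": "0.0.0.0/0", "target": "igw-0abc"}]},
        "rtb-private": {"routes": [{"dest": "10.0.0.0/16", "target": "local"},
                                   {"dest": "0.0.0.0/0", "target": "nat-0def"}]},
    },
    "subnets": {"subnet-pub": {"route_table_id": "rtb-public"},
                "subnet-priv": {"route_table_id": "rtb-private"}},
    "security_groups": {
        "sg-web": {"ingress": [{"proto": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
                               {"proto": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
        "sg-alb": {"ingress": [{"proto": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0", "::/0"]}]},
        "sg-app": {"ingress": [{"proto": "tcp", "from_port": 8080, "to_port": 8080, "cidrs": ["10.0.1.0/24"]}]},
        "sg-db": {"ingress": [{"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidrs": ["10.0.2.0/24"]}]},
    },
    "load_balancers": {
        "alb-1": {"scheme": "internet-facing", "subnet_id": "subnet-pub",
                  "security_groups": ["sg-alb"], "targets": ["i-app"]},
    },
    "instances": {
        "i-web": {"subnet_id": "subnet-pub", "public_ip": "203.0.113.10",
                  "security_groups": ["sg-web"], "iam_role": "role-web-admin"},
        "i-app": {"subnet_id": "subnet-priv", "public_ip": None, "security_groups": ["sg-app"], "iam_role": None},
        "i-db": {"subnet_id": "subnet-priv", "public_ip": None, "security_groups": ["sg-db"], "iam_role": None},
        "i-orphan": {"subnet_id": "subnet-missing", "public_ip": None, "security_groups": [], "iam_role": None},
    },
}

if __name__ == "__main__":
    for iid in SNAPSHOT["instances"]:
        print(iid, exposure(SNAPSHOT, iid))
```

Running the module prints one verdict per instance: i-web is exposed directly on ports 22 and 443, i-app only through alb-1, i-db is not exposed, and i-orphan is unknown because its subnet is missing. A real implementation would also have to consider network ACLs, IPv6 addressing, and public ranges narrower than 0.0.0.0/0; the verdict here is deliberately the simplest reading of the route, address and security group data.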
The Exposure Polygraph includes badges to depict the types of risks that are present. Taken together, these badges show how an attacker who compromised this machine could leverage the coverage gaps to escalate privileges or extend the compromise further through lateral movement.
Hover over the EC2 node for additional information about the detected risks. Possible badges:
- Vulnerabilities
- Secrets
- SSH keys
- API keys
- Passwords
- Compliance/misconfiguration
EC2 Instance
This section provides tabs with the following contextualized information.
- Machine details - Hostname, IP address, and any associated vulnerabilities
- Vulnerabilities - CVEs, severity, CVSS score, vulnerability impact score, and package name
- Secrets - Secret type (SSH key, API key, password), identifier, file path, and number of connected resources
- Compliance violations - Failed policy, ID, status, and severity
- Users - Separate tables for user login activity, user authentication summary, and bad (failed) logins
Secrets Detection
Lacework logs details about any secret credentials and the associated file metadata. A file is identified as a secret if it adheres to a common format (the format depends on the type of credential). The actual content of the secret credentials is never logged.
The types of credentials detected and example filesystem locations are shown in the table below:
| Credential Type | Example Filesystem Locations |
|---|---|
| SSH private keys | /home/ec2-user/.ssh/id_rsa |
| AWS Access Key IDs (if a secret key is associated) | /home/ec2-user/.aws/credentials, /root/.aws/credentials |
| GCP Service Account and User Credentials files | /etc/keys.json, /home/user/.config/gcloud/keys.json |
| Kubernetes user tokens & certificate private keys | /root/.kube/config, /home/user/.kube/config |
| Authorized Keys files | /home/user/.ssh/authorized_keys, /root/.ssh/authorized_keys |
| Authentication log | /var/log/auth.log |
note
Although the authorized_keys and auth.log files are not secrets themselves, their data is used in combination with detected SSH private keys to determine whether those keys are authorized on, or have been used to log in to, hosts.
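The detection and correlation described in this section, as an added example written for this page rather than Lacework's agent code: it recognises credential files by their format, records metadata only (type, path, an identifier, size), never the secret itself, and uses authorized_keys together with auth.log to decide whether a detected SSH private key is authorized on the host and whether it has been used for a login. It assumes a sibling .pub file is available to compute the key's fingerprint (deriving the public key from the private key would need a crypto library). All sample files, key blobs (arbitrary bytes, not real keys) and log lines are constructed inline; the AWS key pair is the placeholder used in AWS documentation.

```python
"""Scan a filesystem tree for credential files, record metadata only, and
cross-reference SSH private keys with authorized_keys and auth.log.
Added example, not Lacework's code; every sample file below is constructed."""
import base64
import hashlib
import json
import os
import re
import tempfile

# Constructed public-key blobs: arbitrary bytes, not real keys. The fingerprint
# logic only needs a base64 blob, so a parseable key is not required here.
RSA_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + bytes(range(40))).decode()
ED_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32))).decode()

SSH_HDR = re.compile(r"^-----BEGIN (?:OPENSSH |RSA |EC |DSA )?PRIVATE KEY-----", re.M)
AWS_ID = re.compile(r"^\s*aws_access_key_id\s*=\s*((?:AKIA|ASIA)[A-Z0-9]{16})", re.M)
AWS_SECRET = re.compile(r"^\s*aws_secret_access_key\s*=\s*\S+", re.M)
KUBE_CRED = re.compile(r"^\s*(?:client-key-data|token):", re.M)
KUBE_CTX = re.compile(r"^current-context:\s*(\S+)", re.M)
ACCEPTED = re.compile(r"Accepted publickey for (\S+) from (\S+) .*?(SHA256:[A-Za-z0-9+/]+)")


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pubkey_fingerprints(text):
    """Fingerprints of each key line in a .pub or authorized_keys file
    (lines that start with an options field are skipped for brevity)."""
    fps = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-")):
            fps.add(fingerprint(parts[1]))
    return fps


def classify(path, text):
    """Metadata record for a credential file, or None. Never copies the secret."""
    if text.lstrip().startswith("{"):
        try:
            doc = json.loads(text)
        except ValueError:
            return None
        if doc.get("type") == "service_account" and "private_key" in doc:
            return {"type": "gcp_service_account", "identifier": doc.get("client_email", "unknown")}
        return None
    if SSH_HDR.search(text):
        # Assumption: the sibling .pub file supplies the fingerprint; deriving
        # the public key from the private key would need a crypto library.
        fps = set()
        if os.path.exists(path + ".pub"):
            with open(path + ".pub") as fh:
                fps = pubkey_fingerprints(fh.read())
        return {"type": "ssh_private_key", "identifier": next(iter(fps), "unknown")}
    m = AWS_ID.search(text)
    if m and AWS_SECRET.search(text):  # a key ID only counts when a secret accompanies it
        return {"type": "aws_access_key", "identifier": m.group(1)}
    if "kind: Config" in text and KUBE_CRED.search(text):
        ctx = KUBE_CTX.search(text)
        return {"type": "kubeconfig", "identifier": ctx.group(1) if ctx else "unknown"}
    return None


def scan(root):
    """Walk root, collect credential metadata, then mark each SSH private key
    as authorized (listed in an authorized_keys file) and used (an Accepted
    publickey line in auth.log carries its fingerprint)."""
    findings, authorized, accepted = [], set(), {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, errors="ignore") as fh:
                text = fh.read()
            vpath = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if fn == "authorized_keys":
                authorized |= pubkey_fingerprints(text)
            elif fn == "auth.log":
                for m in ACCEPTED.finditer(text):
                    accepted.setdefault(m.group(3), []).append({"user": m.group(1), "from": m.group(2)})
            elif (rec := classify(full, text)):
                rec.update(path=vpath, size=len(text.encode()))
                findings.append(rec)
    for rec in findings:
        if rec["type"] == "ssh_private_key":
            rec["authorized"] = rec["identifier"] in authorized
            rec["used_by"] = accepted.get(rec["identifier"], [])
    return sorted(findings, key=lambda r: r["path"])


def build_sample_tree(root):
    """Constructed host: one SSH key that is authorized and used, one that is
    neither, AWS documentation placeholder credentials, a GCP key file, a kubeconfig."""
    pem = "-----BEGIN OPENSSH PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END OPENSSH PRIVATE KEY-----\n"
    files = {
        "home/ec2-user/.ssh/id_rsa": pem,
        "home/ec2-user/.ssh/id_rsa.pub": f"ssh-rsa {RSA_BLOB} ec2-user@host\n",
        "home/ec2-user/.ssh/authorized_keys": f"ssh-rsa {RSA_BLOB} ec2-user@host\n",
        "root/.ssh/id_ed25519": pem,
        "root/.ssh/id_ed25519.pub": f"ssh-ed25519 {ED_BLOB} root@host\n",
        "home/ec2-user/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                          "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "home/ec2-user/.config/gcloud/keys.json": json.dumps({
            "type": "service_account", "client_email": "svc@example-project.iam.gserviceaccount.com",
            "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"}),
        "root/.kube/config": "apiVersion: v1\nkind: Config\ncurrent-context: prod\nusers:\n"
                             "- name: admin\n  user:\n    client-key-data: Q09OU1RSVUNURUQ=\n",
        "var/log/auth.log": "Jan 10 12:00:01 ip-10-0-0-5 sshd[1234]: Accepted publickey for ec2-user "
                            f"from 203.0.113.5 port 51234 ssh2: RSA {fingerprint(RSA_BLOB)}\n"
                            "Jan 10 12:01:00 ip-10-0-0-5 sshd[1240]: Failed password for invalid user "
                            "admin from 198.51.100.7 port 40000 ssh2\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)


def run_demo():
    """Build the sample tree in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rec in run_demo():
        print(json.dumps(rec))
```

The findings carry the AWS access key ID, the GCP client email, the kubeconfig context name and the SSH fingerprints as identifiers, but never the secret material; the id_rsa key is reported as authorized and used from 203.0.113.5, while the root id_ed25519 key is present on disk yet neither authorized nor seen in a login, which is the distinction the note above is about.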
Security Group
This section provides contextualized information from the security group's configuration and CloudTrail logs. It shows the full security group details, giving additional context on exposed services: which inbound and outbound ports are allowed, and which IP addresses are trusted.
Load Balancer
This section provides contextualized information from the load balancer's configuration and CloudTrail logs.
IAM Role
This section shows the IAM role configuration history for the role associated with the instance.