Get Started

Getting Started

Deploy

Onboard and Manage Accounts

Amazon Web Services (AWS)

Google Cloud Platform (GCP)

Microsoft Azure

Oracle Cloud Infrastructure (OCI)

Additional Providers

Collect and Integrate Data

Harvesting & Event-Driven Harvesting

Integrations

Understand Data

Visibility & Reporting

Inventory

Query Filters & Insights

Manage and Act on Data

Bots & Automation

Infrastructure as Code (IaC) Security

Cloud IAM Governance

Vulnerability Management

Workload Security

Manage System Settings

InsightCloudSec System Configuration

Developer Resources

APIs

Support

Attack Paths

The Attack Paths feature provides the simplest and easiest way to examine and remediate the attack paths within your onboarded cloud accounts. Using the data that InsightCloudSec already harvests from your accounts and associated services, we can determine the source, target, and severity of each attack path.

From your InsightCloudSec installation, locate "Security" in the main navigation and select "Attack Paths" to open the page. Attack Paths provides access to search functionality, filters, as well as a table/list display of attack paths.

Prerequisites

AWS
- For PII-related attack paths, Amazon Macie must be enabled
Azure
- For additional Azure-based attack paths to display, Azure Defender for Cloud must be enabled

GCP Support

GCP attack path support does not require additional configuration.

Explore Attack Paths

In InsightCloudSec, navigate to Security > Attack Paths to start reviewing Attack Paths into your environment.

Filter

Attack Paths has searching and filtering functionality to effectively narrow the scope of and navigate the data.

Add Filter

Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:

Each selected filter updates dynamically with options appropriate for the property selected.
After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
If filtering on a Resource Tag:
- Searching for a tag is case insensitive.
- New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).

To add a filter:

Click the Add Filters button to open the side panel.
Select and configure a property to get started.
After configuring your desired filters, click Apply to update the scope for the feature.

Save Filters (Optional)

After Adding a Filter, you can save it so that it can easily be reused the next time you access the feature. Saved filters are feature-specific (since options vary between features), i.e., a saved filter in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>)
Click the ellipsis (...) button, then click Save Filter.
Provide a name for the filter and an optional description.
Select the checkbox for Set as Default Filter to set this filter as the default for the feature.
Select the checkbox for Make this a Public Filter to allow other users to see the filter.
Click OK.

Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.

Data Display

This display contains all the data analyzed within Attack Paths. The data display also includes the functionality for:

Search -- Type into the search bar and the list of Attack Paths will automatically filter to match the criteria.
Download -- To save a copy of the information found in the resource list, click Download next to the search bar and select either CSV or JSON. The file will be prepared in the background until it is ready to be downloaded by your web browser. If the file preparation takes longer than 10 minutes, it will timeout, so it's best to narrow the scope prior to downloading.

Column	Description
+ (Expand)	Click to expand and display the ID, Author, and Age of the unique path(s) associated with the Attack Path group. Groupings are created for the same Attack Path discovered on various resources within the same account.
Severity	The severity of the attack path if utilized. Currently, only Critical and High severity attack paths are available; Medium and Low will be enabled in the future
Attack Path Name	The proper name for the attack path as well as its category. Review Attack Paths for more information or you can use the List Attack Path Names and Categories endpoint to view all available names/categories
Count	The total number of paths for this Attack Path
Target Resource Acct.	The CSP and name for the account where the target resource resides
Target Resource	The name of the target resource, including its normalized resource name as calculated by InsightCloudSec (if available)
Attack Path Source	The name of the attack path source, including its normalized resource name as calculated by InsightCloudSec (if available)

Map the Attack Path

You can access the Attack Path graph in two ways:

Click the Attack Path Name. This will open the graph for the first listed instance within the Attack Path grouping.
Expand an Attack Path group and then click an Attack Path ID to view the graph for the desired instance.

The graph provides similar information to the data display, but with a visualization of the attack path itself that displays each resource that can be used to get to the target resource or resources (what InsightCloudSec refers to as the Blast Radius). Each node within the Attack Path has a color associated with it to denote the risk severity of the resource (Maroon resources are Critical, Red resources are High, etc.) Note that "Public Access" within the context of Attack Paths is defined as anything that is reachable from the Internet in ANY capacity. For example, if an AWS EC2 instance in an internet-facing network has a security group that allows at least one public IP address, it is considered Publicly Accessible. You can navigate to another instance's graph using the Attack Path Instances column.

To interact with the Attack Path graph:

Click the Attack Path name to expand a description, impact, and remediation for the attack path. Review Remediation Details for more information.
Scroll to navigate or zoom in/out on the resources and their associated risk factors along the attack path. You can update the flow of the graph using the Orientation button.
Click and drag a node to rearrange the graph visually.
Click a node in the graph to open a details window for the Resource, which includes account, vulnerabilities, and Insight findings information.

Stopped Instances Are Not Tracked

InsightCloudSec does not currently track stopped instances for Attack Paths.

Attack Paths Reference

The following table represents the possible Attack Paths as well as a severity and description of the path organized by CSP. InsightCloudSec has authored custom Azure Attack Paths, but most of the Azure Attack Paths are derived from Microsoft Defender CSPM; review Defender for Cloud Attack Path Reference for more information.

CSP	Attack Path	Description
AWS	Publicly Exposed Compute Instance with Account Takeover Privileges	Account takeover attacks attempt to gain access to those accounts, allowing the attacker to steal data, deliver malware, or use the account’s legitimate access and permissions for other malicious purposes.
AWS	Publicly Exposed Compute Instance with access to Cloud Trail data (AWS)	An attacker who gains access to the instance can access and manipulate/steal sensitive information, gain access to other cloud resources or disrupt business operations. It can also be used to further pivot within the customer's cloud footprint due to exposing data about additional cloud accounts and resources.
AWS	Publicly Exposed Compute Instance with access to PII Data in a Storage bucket	When a compute instance has access to PII data stored in an S3 bucket, it can read and potentially manipulate this data thereby posing significant security risks.
AWS	Publicly Exposed Compute Instance with High/Critical vulnerabilities	This attack path definition looks for any publicly-available instances and checks to see if any of them have a high/critical vulnerability severity. This can lead to the instance being exploited, so it should be treated as high priority.
Azure	Publicly Exposed Compute Instance owns Role with Risky Permissions	This attack path definition looks for any publicly-available instances and checks to see if any of them have a role with risky permissions. This can lead to account takeover, so it should be treated as high severity.
Azure	Publicly Exposed Compute Instance with access to Event Grid System Topics	An attacker who gains access to the instance can access and manipulate/steal sensitive information, gain access to other cloud resources or disrupt business operations. It can also be used to further pivot within the customer's cloud footprint due to exposing data about additional cloud accounts and resources.
Azure	Publicly Exposed Compute Instance with access to Event Grid System Topics via Message Queue	An attacker who gains access to the instance can access and manipulate/steal sensitive information, gain access to other cloud resources or disrupt business operations. It can also be used to further pivot within the customer's cloud footprint due to exposing data about additional cloud accounts and resources.
GCP	Publicly Exposed Compute Instance with Attached Privileged Role	This attack path definition looks for any publicly-available instances and checks to see if any of them have a role which is capable of escalating privileges. This can lead to account takeover, so it should be treated as high severity.
GCP	Publicly Exposed Compute Instance with access to Cloud Audit Logs	An attacker who gains access to the instance can access and manipulate/steal sensitive information, gain access to other cloud resources or disrupt business operations. It can also be used to further pivot within the customer's cloud footprint due to exposing data about additional cloud accounts and resources
GCP	Publicly Exposed Compute Instance with access to Cloud Secrets	An attacker who gains access to the instance can access and manipulate/steal sensitive information, gain access to other cloud resources or disrupt business operations.

Remediation Details

InsightCloudSec automatically generates these remediation steps based on the attack path name/type and Cloud Service Provider (CSP). Once your account(s) have been onboarded successfully, InsightCloudSec will harvest information about your services and accounts; from here, we perform a thorough analysis of common attack paths that are required to pinpoint vulnerable components and potential entry points.

After the attack path has been identified, we determine the necessary steps to break the "links" in the attack path by altering configuration of the resources themselves, including adjusting access controls, updating security configurations, or patching vulnerabilities. It's important to remember that Attack Path remediation is an ongoing task, not a checkbox; continual monitoring and vulnerability assessments as well as proactive security measures are essential for staying ahead of emerging threats and ensuring ongoing protection.

Did this page help you?

Visibility & Reporting

Tag Resources

Visibility & Reporting

View Risk Across InsightCloudSec and InsightVM