Attack Paths

The Attack Paths feature provides the simplest and easiest way to examine and remediate the attack paths within your onboarded cloud accounts. Using the data that InsightCloudSec already harvests from your accounts and associated services, we can determine the source, target, and severity of each attack path.

From your InsightCloudSec installation, locate "Security" in the main navigation and select "Attack Paths" to open the page. Attack Paths provides access to search functionality, filters, as well as a table/list display of attack paths.

Prerequisites

AWS
- For PII-related attack paths, Amazon Macie must be enabled
Azure
- For Azure-based attack paths to display, Azure Defender for Cloud must be enabled

👍
GCP Support
GCP attack path support does not require additional configuration.

Filtering & Searching

Attack Paths has searching and filtering functionality to narrow the scope of the resource list. These features can be used together to effectively and quickly navigate. The "Add Filter" button also allows you to select a filter that will be applied to the Trend and Analytics visualizations.

Add Filter

Filtering ("Add Filter") allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, and resource groups. Click the “Add Filters” button to open the panel, and “Select a property” to get started. After choosing your desired filters, select “Apply” to update the page to display the results of your specified filters.

Filtering Behavior

Each selected Filter updates dynamically with options appropriate for the property selected.
Click “+ Add Filter” to add an additional filter and further narrow the scope.

Save Filters

After Adding a Filter, you can save it so that it can easily be reused the next time you access the feature. Note: Saved filters are feature-specific (since options vary between features), i.e., a Feature "A" saved filter will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

1. Use the "Add Filter" option to create a filtered view of the page.

2. Expand the Filters section, and click the "Options" button (ellipsis--"...").

3. Click "Save Filter" and provide a name and (optional) description.

4. If desired, select the checkboxes:

"Set as Default Filter" -- Designates this filter as your default when you return to the feature
"Make this a Public Filter" -- Makes this filter available to all users inside your InsightCloudSec organization

5. Click "OK". The filter is saved and can be edited from the "Saved Filters" page for this feature.

Search

Begin typing into the search bar and the list of attack paths will automatically filter to match the criteria. Currently, search is limited to the attack path name, attack path source, target resource, and target resource account name.

Data Display

Below the filters is the main table/list display of all of the data analyzed within Attack Paths. The columns of data for the table are detailed below.

Severity: The severity of the attack path if utilized. Note: Currently, only Critical and High severity attack paths are available; Medium and Low will be enabled in the future.
Attack Path Name: The proper name for the attack path as well as its category.

👍
List All Names and Categories
You can use the List Attack Path Names and Categories endpoint to view all available names/categories. We also support all of the Azure Attack Paths.

Target Resource Acct.: The CSP and name for the account where the target resource resides
Target Resource: The name of the target resource, including its normalized resource name as calculated by InsightCloudSec (if available)
Attack Path Source: The name of the attack path source, including its normalized resource name as calculated by InsightCloudSec (if available)
Age: When the attack path was discovered

Attack Path Graph

Click an Attack Path Name to open the Attack Path graph. The graph provides similar information as the data display, but with a graph of the attack path itself to visualize each resource that can be used to get to the target resource.

Click the Attack Path name to expand a description, impact, and remediation for the attack path. Review Remediation Details and Attack Paths for more information.
Scroll left and right on the graph itself to view the resources and their associated risk factors along the attack path.
Right-click a node to open a menu. From here, you can access a resource details panel or view Related Resources.

Attack Paths

The following table represents the possible Attack Paths as well as a severity and description of the path organized by CSP:

CSP	Attack Path	Description
AWS	Publicly Exposed Compute Instance with Account Takeover Privileges	Account takeover attacks attempt to gain access to those accounts, allowing the attacker to steal data, deliver malware, or use the account’s legitimate access and permissions for other malicious purposes.
AWS	Publicly Exposed Compute Instance with access to Cloud Trail data (AWS)	An attacker who gains access to the instance can access and manipulate/steal sensitive information, gain access to other cloud resources or disrupt business operations. It can also be used to further pivot within the customer's cloud footprint due to exposing data about additional cloud accounts and resources.
AWS	Publicly Exposed Compute Instance with access to PII Data in a Storage bucket	When a compute instance has access to PII data stored in an S3 bucket, it can read and potentially manipulate this data thereby posing significant security risks.
AWS	Publicly Exposed Compute Instance with High/Critical vulnerabilities	This attack path definition looks for any publicly-available instances and checks to see if any of them have a high/critical vulnerability severity. This can lead to the instance being exploited, so it should be treated as high priority.
GCP	Publicly Exposed Compute Instance with Attached Privileged Role	This attack path definition looks for any publicly-available instances and checks to see if any of them have a role which is capable of escalating privileges. This can lead to account takeover, so it should be treated as high severity.
GCP	Publicly Exposed Compute Instance with access to Cloud Audit Logs	An attacker who gains access to the instance can access and manipulate/steal sensitive information, gain access to other cloud resources or disrupt business operations. It can also be used to further pivot within the customer's cloud footprint due to exposing data about additional cloud accounts and resources
GCP	Publicly Exposed Compute Instance with access to Cloud Secrets	An attacker who gains access to the instance can access and manipulate/steal sensitive information, gain access to other cloud resources or disrupt business operations.
Azure	See description	InsightCloudSec uses Microsoft Defender CSPM to source our Azure Attack Paths. Review the Defender for Cloud Attack Path Reference for more information.

Remediation Details

InsightCloudSec automatically generates these remediation steps based on the attack path name/type and Cloud Service Provider (CSP). Once your account(s) have been onboarded successfully, InsightCloudSec will harvest information about your services and accounts; from here, we perform a thorough analysis of common attack paths that are required to pinpoint vulnerable components and potential entry points. Once the attack path has been identified, we determine the necessary steps to break the "links" in the attack path by altering configuration of the resources themselves, including adjusting access controls, updating security configurations, or patching vulnerabilities. It's important to remember that Attack Path remediation is an ongoing task, not a checkbox; continual monitoring and vulnerability assessments as well as proactive security measures are essential for staying ahead of emerging threats and ensuring ongoing protection.