The asset route pathing report generates a visualization of the potential network paths between a source asset and a destination asset in an organization. Following the paths, you can see the assets that sit between the source and the destination. These assets represent opportunities an attacker could potentially leverage to break into your target asset.
The runZero Explorer performs a traceroute between itself and the source, and then another between itself and the target. runZero then compares the data to infer shared points between the assets. runZero does not get any paths from a direct traceroute. This is runZero’s best effort, based on the scan data it has, to identify the assets that it sees as viable points between two assets.
You can share this report with your IT and security teams to highlight assets that could be leveraged as pivot points to your critical assets. Armed with this information, they can identify systems that may need to be hardened. They can assess whether or not the appropriate critical controls are in place to prevent unauthorized access to those assets.
Customers with highly segmented environments can use this report to quickly identify paths from low security assets to critical assets. For example, this report can indicate whether a device in a wireless guest network can reach a system within the PCI cardholder data environment.
Before diving into the asset route pathing report, here are some terms you need to know:
- Hop - Any node between the source and destination.
- Node - Any asset or hop. Nodes can be an IP, an asset, or unknown.
- Asset - Any device that is part of your runZero inventory.
- Network path - runZero does not get any paths from a direct traceroute. Instead, runZero uses the data it has to identify and display potential network paths between the target and source.
Generating the asset route pathing report
Note: This report is limited to runZero Enterprise customers.
Launch the asset route pathing report.
When the Asset route pathing page appears, select a source asset and a destination asset. Use the search to filter assets by keyword or the table pagination to browse all of your assets.
After you have a source and destination asset selected, start the trace.
In the generated results, you will see the potential paths between the source and destination asset.
Analyzing the report
Locate your source asset and target asset. If there are hops between the two assets, you should review them and secure the paths between them. Take a look at the services running on those systems that may provide potential entry points for attacks and harden them.
Nodes in the asset route pathing report are color-coded to help you identify the source asset and destination asset.
The report uses the following colors:
- Green - The source asset
- Red - The destination asset
- Orange - A multi-homed asset that may act as a pivot point
- Blue - A standard layer-3 routing hop
- Gray - Asset is unknown
A hop labeled Unknown indicates an intermediate hop in the layer-3 path that did not respond with ICMP errors for TTL exceeded packets.
Sharing the report
There are a couple of ways to share the results from the asset route pathing report. You can either export a PNG or dotfile of the report or share a direct link to the report.
- Export a PNG - A PNG export will take a snapshot of your report. To share the asset route pathing report, click Export view. A PNG will download to your computer.
- Export a dotfile - You can export a dotfile and feed it into a Graphviz engine or open source visualization tool. The file allows you to render the image in formats like SVG, PSD, and PNG.
- Share a link - When viewing the generated asset route pathing report, copy the URL. You can share the URL directly with other team members who have a runZero account and access to the organization.
Exporting a dotfile
A dotfile is a text file that can be fed into Graphviz engines or open source visualization tools. With the dotfile, you can render the image in other formats, like SVG, PSD, and PNG.
Launch the asset route pathing report.
When the Trace path page appears, select a source asset and a destination asset. Use the search to filter assets by keyword or the table pagination to browse all of your assets.
After you have a source and destination asset selected, generate the report.
After the visualization appears, click the Export report button. A window appears prompting you to enter a name and download location for the file.
Enter a name for the file and choose where you want to save it on your computer.
Save the file.
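The following is an added example, not runZero code: it reads a dotfile, enumerates the potential paths between source and destination, and lists each intermediate hop with a review note based on the report's color legend. The sample graph is constructed, and the node IDs, labels and `fillcolor` attribute are assumptions about the export, so adjust the patterns to match your file.

```python
import re
# Constructed sample in Graphviz DOT syntax. Node IDs, labels and the
# fillcolor attribute are assumptions; a real export may name them differently.
SAMPLE_DOT = '''
digraph trace {
  "10.20.0.15" [label="guest-laptop", fillcolor="green"];
  "10.20.0.1"  [label="guest-gw", fillcolor="blue"];
  "10.0.0.7"   [label="jump-host", fillcolor="orange"];
  "hop-3"      [label="Unknown", fillcolor="gray"];
  "10.50.0.9"  [label="pci-db", fillcolor="red"];
  "10.20.0.15" -> "10.20.0.1";
  "10.20.0.1" -> "10.0.0.7";
  "10.20.0.1" -> "hop-3";
  "10.0.0.7" -> "10.50.0.9";
  "hop-3" -> "10.50.0.9";
}
'''
NODE_RE = re.compile(r'^\s*"([^"]+)"\s*\[(.*)\]\s*;?\s*$')
EDGE_RE = re.compile(r'^\s*"([^"]+)"\s*->\s*"([^"]+)"')
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Report colors as described on this page, mapped to a review note.
KIND = {"orange": "multi-homed pivot candidate", "gray": "unknown hop"}

def parse_dot(text):
    """Return ({node: attrs}, {node: [next nodes]}) for quoted-ID DOT lines."""
    nodes, edges = {}, {}
    for line in text.splitlines():
        if (m := EDGE_RE.match(line)):
            edges.setdefault(m.group(1), []).append(m.group(2))
        elif (m := NODE_RE.match(line)):
            nodes[m.group(1)] = dict(ATTR_RE.findall(m.group(2)))
    return nodes, edges

def simple_paths(edges, src, dst, seen=()):
    """Enumerate loop-free paths from src to dst by depth-first search."""
    seen = seen + (src,)
    if src == dst:
        return [list(seen)]
    return [p for nxt in edges.get(src, []) if nxt not in seen
            for p in simple_paths(edges, nxt, dst, seen)]

def hops_to_review(text, src, dst):
    """Map every intermediate hop on any src->dst path to a review note."""
    nodes, edges = parse_dot(text)
    return {hop: KIND.get(nodes.get(hop, {}).get("fillcolor"), "routing hop")
            for path in simple_paths(edges, src, dst) for hop in path[1:-1]}

if __name__ == "__main__":
    print(hops_to_review(SAMPLE_DOT, "10.20.0.15", "10.50.0.9"))
```

An empty result means the file shows no path between the two assets. Because the report shows potential paths only, treat the result as a list of hops to verify against firewall and routing policy.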
Why are there hops in the report that aren’t in my inventory?
Not every hop is a runZero asset. runZero fills in IP addresses for some asset hops, based on information that is pulled out of the traceroute data. Sometimes, runZero is able to extract asset information from the traceroute data that isn’t part of the inventory, which is why you may see those hops in the report.
Can runZero determine how two assets are talking to each other?
No, runZero can only identify potential paths, not whether they are routable. runZero does not test or validate the paths.
Why isn’t the asset route pathing report available?
The asset route pathing report is only available for runZero Enterprise customers.