Cloud Attack Emulation 101: Getting Started


Cloud Attack Emulation (CAE) is an approach to adversary emulation that focuses on cloud-specific environments and threats. The cloud threat landscape continuously evolves, and attackers (cloud-conscious adversaries) are increasingly proficient at targeting organizations that leverage the cloud. Consequently, addressing this growing concern requires security approaches fitted to cloud infrastructure. Despite the availability of several security approaches like CSPM, CNAPP, CIEM, and CDR, attackers still conduct successful cyberattacks due to gaps these technologies fail to address.
These gaps will be discussed in a blog series, including how Mitigant CAE addresses these shortcomings and enables security effectiveness. This first part of the series discusses the need for devil's advocacy, how security teams can become agile, interesting use cases, and how to get started with cloud attack emulation.
The Best Defense is Offense: Be Your Devil’s Advocate
The Devil’s Advocate concept has long been employed by military and business strategists to take alternate positions on strategies, allowing opposing viewpoints that help identify flaws and blind spots. While devil's advocacy may seem unpleasant and somewhat counter-productive, it yields immense results in the long run. Applied to cloud security, it makes the case for second-guessing the perceived security posture and acquiring empirical evidence on the strengths and weaknesses of cloud security architectures. This allows for security improvements and incremental maturing of security.

Consequently, playing the devil's advocate against cloud security postures is the most assured approach to measuring and validating security effectiveness, which is the most important question CISOs aim to answer. However, some organizations intentionally or unintentionally avoid validating their security postures in favour of proxy approaches, e.g., a faulty implementation of defense-in-depth. Such defense-in-depth implementations are often compliance-driven or trend-driven rather than data-driven; no wonder attacks are still successful despite the deployment of multiple security products to formulate a defense-in-depth approach.
Realistically, defense-in-depth hinges on thwarting attacks via a layered approach that accounts for the security gaps that could be exploited when some layers are bypassed. This notion further emphasizes that 100% cybersecurity is a fallacy: attackers might slip through, and organizations should aim to detect and recover from such attacks gracefully. So, deploying multiple security layers blindly does not increase security effectiveness; rather, it increases security complexity, in favor of attackers. It is analogous to the ostrich burying its head in the sand in the face of danger rather than making smart risk assessments that ultimately mitigate the imminent threat.
Agility: A Requirement for Security Effectiveness
Modern security teams must be agile to tackle the evolving threat landscape effectively. Cloud infrastructure is spun up and down within microseconds via APIs, and, interestingly, this infrastructure often embeds its own security controls, e.g., the S3 bucket policies required to implement stringent access control. Attackers often abuse this inherent agility of the cloud to fast-track attacks.
Therefore, tackling attackers in the cloud requires security approaches designed with agility, speed, and flexibility! These are the core attributes of Mitigant CAE, which equips modern security teams to take advantage of the cloud’s inherent agility to thwart attacks. The following CAE features facilitate these attributes: Attack Actions, Attack Scenarios, Attack Scheduler, and Attack API. These features are not discussed comprehensively in this article; more details are available in a previous blog post.

How to Leverage Cloud Attack Emulation
The Mitigant design philosophy hinges on modularity and flexibility, thus allowing Mitigant CAE to be applied to differing use cases based on the objectives of security team specialties, maturity, organizational size, etc. The modularity of Mitigant CAE is based on Attack Actions, building blocks for composing attack chains that form multi-step, realistic attacks. Let's examine four use cases commonly adopted by our customers:
Cloud Penetration Testing
Most organizations run penetration tests as part of a compliance certification process. While this is a great way to enhance marketing and sales by building customer confidence, the key question is whether the security posture achieved at compliance time remains or deteriorates afterwards. More often than not, the posture deteriorates, and there are no means to validate the current state, resulting in a false sense of security. While technologies like CSPMs & CNAPPs allow some level of visibility, they eventually present high numbers of vulnerabilities and misconfigurations that security teams struggle to manage. A means to quickly sift the signal from the noise is running penetration tests with Mitigant CAE to narrow down on the security gaps that matter, i.e., those that are exploitable, and to prioritize remediation efforts.

Red/Purple Teaming
Owning red/purple teams is the preserve of mature organizations, mainly due to the associated human and material costs. Therefore, organizations that can afford the costs outsource this critical security function to security service providers. How about democratizing what it takes to affordably own and operate red/purple teaming capabilities? This is exactly what Mitigant CAE does: by leveraging the continuous security assessments of cloud environments (via Mitigant CSPM), attacks are recommended for running red/purple teaming engagements. These attacks are contextual to the specific cloud account and tagged with the corresponding threat actors based on validated Cyber Threat Intelligence, thus allowing organizations to implement Threat-Informed Defense strategies with a few button clicks. This is a major WIN, as organizations of all sizes can now own red/purple teaming capabilities and use them as often as possible.

Threat Detection Validation
Threat detection is a crucial aspect of a Defense-In-Depth strategy, as it allows organizations to detect threats that have slipped through the preventive measures. However, most threat detection products ship with Out-Of-the-Box (OOTB) detection rules that eventually cause alert fatigue or introduce false positives/negatives. Overcoming these detection overheads requires contextual detection validation, which can be achieved by leveraging Mitigant CAE. Furthermore, detection gaps can be discovered, allowing security teams to enhance threat detection and incident response efforts. Here is a use case where we joined forces with Sekoia to showcase how CAE enhances threat detection, specifically focused on detecting MITRE ATT&CK techniques used by the Scattered Spider threat actor. Importantly, maturing detection engineering capabilities is made easier with Mitigant CAE. The Detection Engineering Behavioral Model (illustrated below) highlights how threat detection validation is critical to maturing detection engineering capabilities.

Incident Response Readiness
Cloud incident response differs from how it is conducted for on-premises infrastructure. APIs power virtually every cloud resource; while this is by design, it has pros and cons for defenders. Attackers can leverage cloud APIs to rapidly orchestrate attacks or gain access to resources that would take more effort to reach in on-premises systems. Conversely, defenders can harness the same capability to super-charge incident investigation and response.
However, gaining this level of efficiency requires practice and continuous validation of incident response processes and mechanisms. Aside from the need to exercise the technical skills and knowledge required for effective incident response, mechanisms like playbooks and runbooks can drift away from the reality of cloud resources. AWS recommends running regular simulations, as they afford several benefits, including testing the accuracy and efficiency of tools and workflows.
Security teams can easily run incident response exercises by leveraging Mitigant CAE, taking advantage of its agentless integration into the cloud fabric. The collected attack telemetry is critical for further attack investigation and analysis, leading to the implementation of hardened security measures.

A practical example of cloud incident response was demonstrated in a collaboration with Cado Security, where Mitigant CAE orchestrated several attacks, while investigative and forensics efforts were conducted using the Cado Security platform. See more details in this blog post.
Getting Started with Cloud Attack Emulation
Regardless of the specific use case for adopting Mitigant CAE, most security teams find executing attacks against their cloud environments discomforting. It’s a natural impulse; however, Mitigant CAE attacks are built upon tried and tested Security Chaos Engineering research. Furthermore, attacks are recommended based on each cloud environment’s context rather than at random or by guesswork. Attacked cloud resources are returned to their pre-attack states via a dynamic-snapshotting strategy that collects snapshots of the targets before attacks commence, thus guaranteeing seamless rollback afterwards. Here are two approaches for getting started with Mitigant CAE: running attacks against non-production environments and leveraging enumeration attacks.
Use Non-Production Environments
Non-production environments are commonly used for testing different system properties, including non-security properties. These environments can also be used for running attack emulations. This approach is cheap when such environments already exist, and the lessons learnt can be applied to production environments, or attacks can be orchestrated against production environments once a better grip on Mitigant CAE is achieved.
Leverage Discovery and Enumeration Attacks
Mitigant CAE includes several enumeration attacks, mostly under the Discovery tactic of the MITRE ATT&CK framework. These attacks are completely harmless: they do not create or modify resources. Although noisy, the techniques implemented under the Discovery tactic can help security teams tune detection and response systems (e.g., CDRs), ultimately providing effective early warnings of impending attacks. Furthermore, security teams use these attacks to establish baseline behaviour and leverage it to identify deviations, e.g., when attackers use stolen valid credentials.
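The baseline-and-deviation idea above, as an added illustration (not Mitigant's code): a per-principal baseline of read-only discovery API calls is built from one window of CloudTrail-style events, and a later window is checked for identities that suddenly make many List/Describe calls they never made before, which is how an emulated enumeration run, or stolen valid credentials, shows up in the logs. The events, account id, role names and the threshold of three unfamiliar calls are all constructed for the example.

```python
from collections import defaultdict

# Prefixes that mark discovery-style API calls; the event must also be readOnly.
DISCOVERY_PREFIXES = ("List", "Describe", "Get")

def ev(arn, source, name):
    # Constructed CloudTrail-like record carrying only the fields the checks use.
    return {"userIdentity": {"arn": arn}, "eventSource": source,
            "eventName": name, "readOnly": True}

def is_discovery(event):
    return bool(event.get("readOnly")) and event["eventName"].startswith(DISCOVERY_PREFIXES)

def build_baseline(events):
    """Per principal: the set of (eventSource, eventName) discovery calls it normally makes."""
    baseline = defaultdict(set)
    for e in events:
        if is_discovery(e):
            baseline[e["userIdentity"]["arn"]].add((e["eventSource"], e["eventName"]))
    return baseline

def find_deviations(baseline, events, max_new_calls=3):
    """Principals that made more than max_new_calls distinct discovery calls
    absent from their baseline; a burst of unfamiliar enumeration from a known identity."""
    new_calls = defaultdict(set)
    for e in events:
        if not is_discovery(e):
            continue
        arn, key = e["userIdentity"]["arn"], (e["eventSource"], e["eventName"])
        if key not in baseline.get(arn, set()):
            new_calls[arn].add(key)
    return {arn: sorted(c) for arn, c in new_calls.items() if len(c) > max_new_calls}

# Constructed principals and events (account id and role names are placeholders).
APP = "arn:aws:iam::111122223333:role/app-server"
ADMIN = "arn:aws:iam::111122223333:role/cloud-admin"
BASELINE_EVENTS = [ev(APP, "s3.amazonaws.com", "GetObject"), ev(APP, "s3.amazonaws.com", "ListObjects"),
                   ev(ADMIN, "ec2.amazonaws.com", "DescribeInstances"), ev(ADMIN, "iam.amazonaws.com", "ListUsers")]
WINDOW_EVENTS = [ev(APP, "s3.amazonaws.com", "GetObject"),            # normal for this role
                 ev(APP, "s3.amazonaws.com", "ListBuckets"),          # the rest are new for app-server
                 ev(APP, "iam.amazonaws.com", "ListUsers"),
                 ev(APP, "iam.amazonaws.com", "ListRoles"),
                 ev(APP, "ec2.amazonaws.com", "DescribeInstances"),
                 ev(APP, "sts.amazonaws.com", "GetCallerIdentity"),
                 ev(APP, "secretsmanager.amazonaws.com", "ListSecrets"),
                 ev(ADMIN, "ec2.amazonaws.com", "DescribeInstances"),  # normal
                 ev(ADMIN, "ec2.amazonaws.com", "DescribeSecurityGroups")]  # one new call: below threshold

def run_example():
    return find_deviations(build_baseline(BASELINE_EVENTS), WINDOW_EVENTS)
```

Calling run_example() flags only the app-server role, with its six unfamiliar discovery calls; the admin role's single new call stays under the threshold, which is the kind of tuning knob a CDR rule would expose.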

Sign Up, Get Started & Outsmart Attackers
Attackers are becoming better at identifying and successfully targeting enterprise cloud environments. These cloud-conscious attackers understand the lapses in current security architectures and continuously gain proficiency at exploiting these gaps. Conversely, security teams can thwart these attackers by adopting the attacker mindset, allowing for agile security validation and commensurate security hardening.
Mitigant CAE empowers organizations to seamlessly adopt an attacker’s mindset and play the devil’s advocate without the overhead that previously discouraged such efforts. With a few button clicks, security teams can launch attacks contextual to their cloud environment. The results of the attacks are collected and analyzed with the corresponding evidence of attack success or failure. Remediation steps are also provided, with Sigma Rules that guide detection engineering teams to remediate the identified gaps.
Several use cases are feasible, including cloud penetration testing, red/purple teaming, detection validation, and incident response exercises. The second part of this series will take a deeper dive into how Mitigant CAE differs from similar approaches like Breach and Attack Simulation, traditional penetration testing, etc. Don’t wait for it: sign up for your Mitigant CAE free trial and start outsmarting attackers - https://www.mitigant.io/en/sign-up