Vanguard – Attack simulation security analysis for AWS
In essence, securiCAD Vanguard is based on the following chain of events:
Fetch AWS data → Configure Attacker → Simulate → Generate interactive report.
When using securiCAD Vanguard in demo mode, the AWS data will be fetched from a pre-configured demo environment. Also, the demo mode will not require any additional configuration. If you are running securiCAD Vanguard with your own data, the AWS data will be fetched from your account via read access to standard AWS APIs and a model of your environment is automatically built and visualized. When using data from your own environment, additional attacker configurations are possible (read more under “Configure”).
Will the simulation affect my AWS environment?
No. The attack simulations are conducted on virtual models that are automatically generated and will not interact with the actual environment in any way.
Is my data saved?
securiCAD Vanguard does not save any AWS model data and it only exists in our system during the time from it is read from Amazon AWS APIs or an uploaded data file until the report is generated.
Fetch AWS data
Feeding AWS data into securiCAD Vanguard can be done in two ways.
– You can enter API keys of a read-only IAM user so that Vanguard can fetch it for you. If you want more information, see Creating an IAM user, Setting IAM User permissions and Generating AWS Access Key below.
– You can download a script, enter your keys, and let it fetch your configuration for you. It will then store the configuration as a json file which you then upload into vanguard. If you want more information see below.
By including data from Amazon Inspector, securiCAD Vanguard can help you prioritize existing vulnerabilities. Amazon Inspector data can be included in the simulation by either checking the box for Amazon Inspector when simulating from an IAM User or by running the CLI Script locally. securiCAD Vanguard will automatically fetch scans from the last 30 days and pick the lastest scan and gather CVE and Network Reachability data.
Once you have a model of your environment you may supply some additional information.
– Threat profile. Are you worried about criminals, nation state hackers or bored teenagers? Which threat profile you choose will affect the simulation results.
– High value assets. Which components in your environment contain the sensitive data or must not be compromised?
If you want to know more about these configuration options, please see Assets & Threat Profile under How it works further down.
Clicking ”Simulate” will start the attack simulation of the model generated from the AWS data and the selected scenario configuration.
Simulations are computationally heavy and may take anywhere from seconds to minutes depending on size of the generated model.
Once the simulation is done, the model and results can be inspected by selecting “Critical Path”, “Report” or “Model viewer”. See below for details on each of these.
Generate interactive report
The report contains two parts; “Chokepoints” and “High Value Assets”.
A Chokepoint is an asset where attacks on high valued assets converges in the model. In other words, chokepoints are assets that the attacker is expected to make more use of than others.
To the left, the chokepoints which contributes to the most risk are shown. To the right, attack steps on High Value Assets. The width of the lines and the height of the chokepoint bars indicates how much risk the chokepoints contributes with times its frequency. The frequency denotes the total number of times an object occurs across all attack paths, or, in other words, how much an asset is expected to help the attacker. The chokepoints within 75% of the maximum frequency, or attacker contribution, will be marked as orange.
The High Value Assets report shows a list of the most critical attack steps used by the attacker.
High Value Asset
The specific object that was penetrated in the simulation.
The attack step that was used in the simulation and made penetration of the High Value Asset possible.
Show how likely is it that an attacker will be able to penetrate the High Value asset.
Shows the attack steps like a chain of events going thru the objects one by one.
Time to compromise plot of how likely the attacker will reach its goal shown over a period of time.
In order to fetch the necessary data from AWS, an Amazon AWS IAM user with the right permissions and with access keys for API access is needed. Instructions on how to create an IAM user can be found here.
Note: An IAM user is not needed when running the in-application Demo of securiCAD Vanguard as this will fetch data from a foreseeti-provided demo account.
Setting IAM User permissions
The IAM user used with securiCAD Vanguard needs to have permissions to read all necessary data from the AWS environment to be analyzed. This is done by attaching an IAM policy to the IAM account. See details here. As a convenience, securiCAD Vanguard provides an IAM policy with the required permissions here.
Generating AWS Access Key
Regardless of how the AWS data provided to securiCAD Vanguard is obtained, either by the application fetching it directly from AWS via API or by downloading the data beforehand via a script, the IAM user used needs to have an API access key. If the access key was not created at the same time as the IAM account itself, the access keys can be created and obtained as described in the AWS documentation.
Critical paths viewer
A Critical Path is the statistically shortest way in terms of effort from an attacker’s entry point to an asset identified as valuable.
As securiCAD Vanguard allows multiple assets to be set identified as valuable, there may consequently be several Critical Path to choose from in the Critical Path viewer.
“The Path” is the sequence of actions and and operations the attacker is expected to use in order to arrive at the desired outcome of the attack. A desired outcome can for example be to gain administrative access to a given EC2 instance which e.g. is represented by the HighPrivilegeAccess attack step and that will be highlighted in blue in the Critical Path viewer.
The term “path” may be a bit misleading as attack steps may require multiple preconditions to be satisfied. This is for example access via known credentials to a networked service which will require both the ability to connect to the service over the network as well as access to the login credentials. Such attack steps are referred to as “and” attack steps and they have a slightly thicker circle border compared to the “or” attack steps that only required a single precondition to be met.
In addition to the actual attack step graph of the critical path, the view will contain a number of controls including a legend explaining the different elements of the Critical Path and tools to help searching and viewing.
The Model Viewer displays the model created from the AWS data including any additions done through the selected scenarios, such as attacker placement, credential access in phishing scenarios and identification of high value assets.
It is not possible to alter a model in the Model Viewer as it is purely a tool to inspect and analyze the AWS model.
In addition to the main canvas area, there are four different sections in the left panel of the Model Viewer:
- Object Explorer
- Issues and Warnings
securiCAD Vanguard will generate three different presentation views from the model data:
- VPC Overview that shows a structural representation of the VPCs, including instances, subnets, routing and peering.
- IAM Groups showing IAM accounts, groups and policies.
- Vulnerability Overview showing any vulnerabilities present in the model and which asset are affected by them.
Shows all available asset types.
Showing all objects in the model by asset type. It is worth noticing that even though securiCAD Vanguard does not allow the model to be altered, by e.g. adding or removing an asset, a view can be altered by removing object from it or by adding objects by dragging them onto the canvas from the Object Explorer.
Issues and warnings
This area shows any problems with the model and should normally be empty in securiCAD Vanguard as the model is auto-generated.
The main canvas area is showing the selected view and has a number of functions including zoom, pan, group and ungroup of objects. It is also possible to inspect an asset’s parameters and associations to other assets by right clicking on it.
How it Works
securiCAD Vanguard automatically builds a threat model of an AWS environment and consequently needs access to the data describing the AWS Environment. Specifically it will need to obtain information about:
- EC2 instances
- Elastic network interfaces
- EBS volumes
- Security groups
- Network ACLs
- VPC peering connections
- Internet gateways
- VPN gateways
- Routing tables
- Load balancers
- S3 buckets
- RDS instances
- IAM users, groups, roles, policies and instance profiles
- KMS keys
This data can be fetched directly by securiCAD Vanguard by using the API credentials of an IAM account with the appropriate permissions.
Alternatively, a standalone script to download this data outside of securiCAD Vanguard can be run to fetch the information as a json formatted file. This resulting data file can then be uploaded in the securiCAD Vanguard GUI. The script can be downloaded from within the securiCAD Vanguard GUI. The script will also require an IAM user with the appropriate permissions.
It should be noted that the permissions of the IAM user used to read this data can and should only have read permissions to the objects.
The obtained data will be available only in a single securiCAD Vanguard session and will be discarded and completely forgotten by the application after the simulation report has been generated.
Assets & Threat Profile
With the raw data describing the AWS environment available, securiCAD Vanguard will allow the user to select High Value Assets in the generated model. These assets will be the main target for the Attacker in the simulation.
Furthermore, “Config” allows the user to select one of following Threat Profiles:
- State-Sponsored – Attackers sponsored by nation-states are characterized by a high level of sophistication and resources. They’re capable of large-scale attacks and phishing as well as acquiring zero-day exploits.
- Cybercriminal – Cybercriminals are well equipped, well funded, and they have the tools they need to get the job done. They are not as sophisticated as state-sponsored attackers but can still carry out advanced attacks.
- Opportunist – Opportunists are usually amateurs, often referred to as script kiddies. Their attacks are not very sophisticated and typically rely on public exploits as they lack skills to write their own malicious code.
The Threat Profile will impact the likelihood of an Attacker finding and exploiting vulnerabilities as well as phishing credentials.
After the desired “Config” has been applied, a threat model of the AWS data including the chosen scenario will be created and passed on to the attack simulation and reporting phase.
securiCAD Vanguard will run an attack simulation against the threat model of the AWS environment. The simulation process can on a high level be seen as an attack graph being generated from the threat model and a large number of attack attempts are run in a Monte Carlo simulation. The result of the simulations will be an aggregate of the shortest paths from the attacker to all high value assets/attack steps in the attack graph.
A great strength of securiCAD Vanguard is that the threat model will generate an attack graph that represents all kind of possibilities for an attacker to move laterally in the environment, taking both networking routing and access controls, exploits of vulnerabilities, use of credentials and IAM permissions into account.