Demystifying Security Chaos Engineering - Part II
The first part of this blog series discussed the origins of chaos engineering and how its application to cloud-native security could address the evolving cyber-attacks by enabling cyber-resilience. In this concluding part, some practical applications of security chaos engineering will be discussed, including leveraging science-backed approaches, fast-tracking security maturity and bolstering resilience for Zero-Trust Architectures.
Note: In a recent webinar, some exciting facts about Security Chaos Engineering (SCE) were discussed, including how it differs from some existing cyber-security approaches, e.g. Red/Blue/Purple teaming. You can watch the webinar recording via this link: https://www.mitigant.io/webinar/unraveling-security-chaos-engineering#about-the-webinar.
Cyber-Security Meets Science: Security Experimentation
Security Chaos Engineering (SCE) builds on proven scientific methods, the same methods that underlie chaos engineering. The basic premise is that resilience is a product of planned and organized turbulence. Without deliberate and coordinated orchestration of turbulence, defenders perceive a false sense of security, and blind spots remain unnoticed. These blind spots are potential attack opportunities in waiting. Interestingly, on the flip side, attackers easily identify such blind spots because they intentionally look for them; they employ adversarial tactics. This mindset, also known as the assume-breach mindset, is imperative for using proactive cyber-security mechanisms.
A crucial value proposition of SCE is that it allows defenders to think from the perspective of attackers and ask several interesting questions about the security and resilience of a system. Adopting such an adversarial mindset allows framing various attack scenarios as hypotheses to be proved. Proving hypotheses enables the collection of evidence, thus taking away guesswork or gut feeling and establishing a fact-based analytical process. SCE is analogous to operationalizing tabletop exercises by bringing defined constructs to life to test and acquire evidence about assumed scenarios. While tabletop exercises aid the identification of attack opportunities, SCE enables the gathering of evidence on how effectively deployed security controls thwart attacks, and on the cascading effects of those attacks across an infrastructure.
Fast-Tracking Security Maturity
Security maturity models are popularly used to measure the level of a security organization while objectively deciding the next improvement steps to enable continuous development. One of the most popular cloud security maturity models is the AWS Security Maturity Model. This maturity model is quite comprehensive; interestingly, it proposes the formation of chaos engineering teams for resilience as part of the security governance efforts. However, the chaos engineering teams are to be established in Phase 4 of the maturity model, which is the highest level. Implicitly, the model deems the adoption of security chaos engineering as a preserve of very mature security teams.
Though establishing chaos engineering teams might seem like a thing for very mature teams, it is crucial to consider an essential factor: attackers don't care about maturity models. Several reports indicate that cyber-criminals increasingly target SMEs. Consequently, companies should consider adopting SCE as soon as possible, aligned with their threat models and priorities.
How Trustworthy is Your Zero-Trust Architecture?
The cyber-security industry has been raving about Zero-Trust Architecture (ZTA) in the last few years. The gains of adopting ZTA are apparent to most people, but cyber-security vendor marketing tactics still lead unknowing buyers into a false sense of security. It is essential to note that ZTA is not a silver bullet: there is a lot of ongoing vendor gimmickry, and end-user misconfigurations remain a challenge in the cloud. Therefore, verifying the efficiency and security ROI of ZTA implementations is a serious responsibility, and SCE can aid in fulfilling this responsibility.
Unlike most cyber-security controls, SCE has a short feedback loop, which allows for evidence-based security rather than promise-based security mechanisms. SCE verifies the efficiency of a ZTA by injecting attacks of varying magnitudes and observing whether the ZTA prevents or detects them. This value proposition is not unique to ZTA but applies to all other security mechanisms.
The NIST ZTA document notes that the resilience of ZTA to enterprise and network disruption is an open research area. The limitations of ZTA under advanced attacks are still being determined. While this does not discredit ZTA in any way, it highlights the risk of attacks that overcome ZTA or diminish its effectiveness. Adopting SCE allows continuous cyber-resilience testing to identify the ZTA limitations, thus allowing the timely roll-out of appropriate countermeasures.
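The hypothesis-driven loop described above (frame a scenario as a hypothesis, inject a controlled fault, observe whether the control detects it, and keep the evidence) can be made concrete in a small harness. The following is an added example, not code from the original post or from any vendor platform; the buckets and both detective controls are constructed, in-memory stand-ins with no real cloud API involved. The second detector deliberately inspects only buckets tagged "prod", so the experiment surfaces a detection blind spot:

```python
from dataclasses import dataclass, field

# Constructed in-memory stand-in for cloud storage buckets; no real cloud API is called.
@dataclass
class Bucket:
    name: str
    tag: str
    public: bool = False

@dataclass
class Experiment:
    hypothesis: str
    verified: bool = False
    evidence: list = field(default_factory=list)

# Two hypothetical detective controls. The second only inspects buckets tagged "prod",
# which is exactly the kind of blind spot an SCE experiment is meant to surface.
def detect_all(buckets):
    return sorted(b.name for b in buckets if b.public)

def detect_prod_only(buckets):
    return sorted(b.name for b in buckets if b.public and b.tag == "prod")

def run_experiment(buckets, target, detector):
    """Hypothesis -> steady state -> inject -> observe -> roll back, recording evidence."""
    exp = Experiment(f"if {target} becomes public, {detector.__name__} reports it")
    exp.evidence.append(("steady_state", detector(buckets)))
    bucket = next(b for b in buckets if b.name == target)
    saved = bucket.public
    try:
        bucket.public = True                      # controlled fault injection
        observed = detector(buckets)
        exp.evidence.append(("after_injection", observed))
        exp.verified = target in observed         # hypothesis proved or disproved
    finally:
        bucket.public = saved                     # always restore the original state
    exp.evidence.append(("after_rollback", detector(buckets)))
    return exp

def sample_buckets():
    return [Bucket("billing-data", "prod"), Bucket("ci-artifacts", "dev")]

if __name__ == "__main__":
    for det in (detect_all, detect_prod_only):
        exp = run_experiment(sample_buckets(), "ci-artifacts", det)
        print(exp.hypothesis, "->", "verified" if exp.verified else "DISPROVED", exp.evidence)
```

The disproved run is the valuable one: it yields recorded evidence of a gap in the control rather than an assumption that "buckets are monitored".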
Mitigant's Security Chaos Engineering Platform
One of the challenges to adopting security chaos engineering is the high cost of building an appropriate system from the ground up. Furthermore, given its recent appearance, the technical know-how is relatively scarce; hence building in-house solutions is unlikely. Mitigant solves these challenges by providing a SaaS SCE platform.
The Mitigant SCE platform consists of several cloud attacks which can be leveraged as building blocks for constructing complex attack scenarios against AWS services. The platform enables safe and controlled SCE experiments: attacks can be started and stopped with button clicks, and all changes made to the cloud infrastructure are rolled back and restored seamlessly. Additionally, all attacks are mapped to the MITRE ATT&CK library, enabling the emulation of real-world attacks observed in the wild.
The Mitigant SCE platform aims to make cyber-resiliency a first-class citizen in cloud-native infrastructure. It is suitable for companies of all sizes and allows quick and safe adoption of SCE without the cost and resource overhead highlighted above. Please do not hesitate to contact us if you are interested in adopting Security Chaos Engineering.