Feature Release: Cloud Attack Emulation for Azure

We are excited to announce the release of Mitigant Cloud Attack Emulation for Azure, a feature that has been popularly requested. We are thrilled to empower organizations using Azure with seamless cloud adversary emulation.
7.3.2025
Kennedy Torkura
5 Minutes
Contributors
Kennedy Torkura
Co-Founder & CTO

We are excited to announce the release of Mitigant Cloud Attack Emulation for Azure. This feature has been popularly requested for a while, so we are thrilled to release it today. While a similar feature for AWS has been very successful, this release officially puts this product in the multi-cloud category, further expanding possibilities and use cases. This blog article describes the details of this release and provides a peep into the future. 

Details of An Entra ID Attack, one of the 11 Attacks Released Today

Attack Actions

Attack actions are atomic security tests that emulate one or more techniques used by adversaries to compromise cloud infrastructure. This release includes 11 attack actions targeted against several Azure services, including Entra ID, VMs, and storage accounts. All attack actions are mapped to the MITRE ATT&CK framework and also indicate the threat actors that use them, allowing for implementation of Threat-Informed Defense.

Attack Report of the Attack Action: “Windows VM Custom Script Extension”

Let's look at an example attack action: “Windows VM Custom Script Extension.” This attack emulates a technique commonly used by attackers during the post-exploitation phases of an attack. The attack abuses the Custom Script Extension for Windows, which was originally designed to help with post-deployment configuration tasks. Attackers leverage this feature maliciously, e.g., by installing malicious software in Windows VMs.

When executed against a properly secured Azure cloud infrastructure, we expect the attack action to trigger alerts. For example, Microsoft Defender for Cloud has several alerts that could be triggered by this attack, including the following:

The absence of alerts indicates a threat detection gap that needs to be investigated. This attack is mapped to T1059 - Command and Scripting Interpreter and has been observed in use by several threat actors, e.g., APT 29. An essential part of the attack emulation process is the cleanup. This process ensures that resources created or modified during the attack are returned to the state they were in before it. Essentially, created resources are deleted, and modified resources are returned to their initial states. So, for the attack described above, the resources created are deleted: resource groups, VMs, and disks.

Attack Scenarios

Attack scenarios build on attack actions like Lego bricks, by combining two or more attack actions in specific sequences. This allows the emulation of multi-step attacks, given that most real-life attacks combine several steps to reach an objective, e.g., ransomware attacks. SOC teams gain immensely from understanding realistic attacks, allowing them to implement effective countermeasures and respond promptly during attacks. There are two types of attack scenarios: managed and custom attack scenarios. Managed attack scenarios emulate specific attacks described in CTI reports and are entirely managed by Mitigant.

Conversely, Mitigant users can create custom attack scenarios based on use cases that fit their threat model. For example, the image below is a custom attack scenario created based on techniques used by the Scattered Spider threat actor.

Attack Scenario Created Based on Scattered Spider Techniques

Attack Scheduler

Attacks can also be scheduled to run at preferred times, such as off-peak hours, after a major release, or anytime that works best for security teams. This allows for flexibility and effective planning that aligns with the business objectives and resource constraints. 

Attacks Can Be Scheduled Using the In-Built Attack Scheduler

Attack Emulation API

Several security teams already use disparate products for different functionalities in pre-defined workflows. The Attack Emulation API allows teams to integrate attack emulation into existing workflows, allowing for seamless continuity of operations. The API empowers several use cases for SOC teams; for example, detection engineers can leverage it for our Attack-as-Code feature, released two months ago. Attack-as-Code enables integration of detection validation into Detection-as-Code strategies.

Integrations: Slack Notifications

Agile teams leverage easy collaboration strategies for information dissemination and simplification of decision-making, essentially powering productivity. The integrations supported by the Mitigant platform are designed for this purpose: attack report summaries are sent to several notification systems, including Slack and Microsoft Teams. Furthermore, this aligns with the Mobilization stage of CTEM, which we wrote about in a previous blog post; read it here.

Attack Report Summary Sent to a Slack Channel

What’s Next?

The above-described features are just the beginning. We have some exciting features planned to be released in the coming months, and we will disclose most of these at the right time. We examine two upcoming features below: evidence collection and Sigma detection rules. Note that these features already exist in the Cloud Attack Emulation for AWS; you can easily acquire a subscription via the AWS Marketplace.

Evidence Collection

Attack telemetry is vital for understanding attacker behaviour and subsequently implementing effective countermeasures. Consequently, we automatically retrieve and display event logs corresponding to the emulated attacks. These event logs are evidence of successful attacks and can be used by detection engineers for unit testing when building/improving detection rules.

Sigma Detection Rules

Given our vision of empowering SOC teams to be agile and highly productive, Sigma rules corresponding to the emulated attacks are provided in the attack report. This is a time-saving feature: where a corresponding rule is not already in place, the provided Sigma rule can be copied and applied to the detection engine. This helps remediate failed or wrongly configured threat detection systems, e.g., CDRs and SIEMs.
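To make the detection-gap check from the Custom Script Extension attack and the rule unit-testing idea above concrete, here is an added example (not Mitigant's code and not one of its provided Sigma rules): a minimal Sigma-style rule is matched against constructed, simplified Azure Activity Log records, and an empty hit list is reported as a detection gap. The record field names and the `CSE_RULE` selection are assumptions for this example.

```python
# Constructed, simplified Azure Activity Log records (not real telemetry):
# one benign VM write and one Custom Script Extension deployment.
SAMPLE_ACTIVITY_LOG = [
    {"operationName": "Microsoft.Compute/virtualMachines/write",
     "resultType": "Success",
     "caller": "deploy-pipeline@example.com",
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg-demo/providers/"
                   "Microsoft.Compute/virtualMachines/vm-demo"},
    {"operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resultType": "Success",
     "caller": "emulation@example.com",
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg-demo/providers/"
                   "Microsoft.Compute/virtualMachines/vm-demo/extensions/"
                   "CustomScriptExtension"},
]

# Minimal Sigma-style rule written for this example (assumption: field names
# follow the flattened record shape above). Only a single 'selection' is supported.
CSE_RULE = {
    "title": "Windows VM Custom Script Extension Deployed",
    "tags": ["attack.execution", "attack.t1059"],
    "detection": {
        "selection": {
            "operationName|endswith": "/virtualMachines/extensions/write",
            "resourceId|contains": "CustomScriptExtension",
            "resultType": "Success",
        },
        "condition": "selection",
    },
}

def _field_matches(record, key, expected):
    """Apply a Sigma-style field modifier: plain, |contains, |endswith, |startswith."""
    field, _, modifier = key.partition("|")
    value = str(record.get(field, ""))
    if modifier == "contains":
        return expected in value
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    return value == expected

def rule_matches(record, rule):
    """A Sigma selection is an AND over its fields; all must match."""
    selection = rule["detection"]["selection"]
    return all(_field_matches(record, k, v) for k, v in selection.items())

def find_hits(records, rule):
    """Return the records the rule flags; an empty list means a detection gap."""
    return [r for r in records if rule_matches(r, rule)]

def has_detection_gap(records, rule):
    """True when the emulated attack left no matching record for the rule."""
    return not find_hits(records, rule)
```

Running the rule over records collected after an emulation (rather than the constructed ones here) is the unit test the Evidence Collection section describes: a hit confirms coverage, an empty result is the gap to investigate.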

Multi-Cloud Attack Emulation

The threat landscape is rapidly evolving, and attackers launch attacks that pivot from one cloud infrastructure to another or even to on-premises environments (and vice versa). These complex attacks are often challenging to comprehend, and SOC teams struggle to tackle them. Good news: multi-cloud attacks are planned for release soon. These upcoming releases will demonstrate how attackers pivot across several cloud providers and move laterally to avoid detection while achieving their objectives.

Cloud Security Reality Check: Try Us Today 

Mitigant Cloud Attack Emulation empowers security teams of all sizes to rethink cloud security postures using realistic adversary emulation strategies. Most open-source tools and alternative solutions are not cloud-native and offer scenarios that are not very realistic. Realistic attacks should be capable of creating resources as well as attacking existing resources, since this is how attackers actually behave. However, most alternative tools only create resources to be attacked and destroy these afterwards; we offer a balance, as shown in the image below.

Realistic Attacks Strategies: Some attacks Create New Resources While Others Target Existing Resources

Our approach empowers several use cases including the following: 

  • Threat detection validation: More information is discussed in a previous blog post; read it here.
  • Cloud penetration testing: Continuously test your cloud infrastructure using hassle-free approaches; check the details here.
  • AI Red Teaming: Use Mitigant to ensure the security and safety of GenAI workloads. We have published several blog articles discussing how to leverage Mitigant Cloud Attack Emulation for AI Red Teaming. Here is a recommended blog article.
  • Red/Purple Teaming: Run your purple teaming exercises with Mitigant regardless of resource limitations. No need to be at the mercy of consultancies that queue you up due to limited resources on their side. See how we democratize red/purple teaming here.
  • Incident Response Exercises: Watch this on-demand webinar for some insights on how we can super-charge your incident response processes.

Do not hesitate to reach out and sign up for a FREE Trial - https://www.mitigant.io/en/sign-up

Stay tuned for more updates as we continue to innovate and expand the capabilities of the Mitigant Adversarial Exposure Validation Platform.
