Feature Release: January 2025

Attack-as-Code 

Introducing Attack-as-Code (AaC), a groundbreaking addition to the Mitigant Cloud Attack Emulation product. AaC, built on software engineering principles, empowers Security Operations teams, making them more productive and agile. AaC primarily ensures the repeatability, consistency, and manageability of offensive security methodologies used for security testing and validation. AaC enhances various aspects of security operations, including cloud penetration testing, red/purple teaming exercises, and detection engineering (detection rule validation), which are essential components for Adversarial Exposure Validation (AEV). Furthermore, AaC allows organizations to implement the validation step of a CTEM program. We deeply explored AEV in previous blogs, such as this one. 

Integration into Detection-as-Code Pipelines

AaC allows seamless integration of adversary emulation into detection engineering pipelines. This capability is built atop the Mitigant API, released last year to enable integration with several tools used by security teams, CI/CD pipelines, and other forms of automation. AaC leverages GitHub Actions and aligns with Detection-as-Code (DaC), an approach gaining traction in modern threat detection practices as it leverages several software development practices to enable agility, repeatability, and maintainability of threat detection logic. Several detection engineering maturity matrices (e.g., Elastic’s Detection Engineering Behavioral Maturity Model ) emphasize adopting DaC and integrating adversary emulation for validating detection logic.

‍

Example Workflow

Figure 2 illustrates a DaC workflow where AaC is integrated to validate detection logic via two approaches: unit testing and adversary emulation. The workflow consists of the following steps:

1. A security/detection engineer commits changes, e.g., new or modified detection logic.
2. The introduced changes are pushed to the code repository containing detection logic. The deployment process is subsequently triggered.
3. Following successful deployment to the detection rule engine, the detection validation process is initiated with the corresponding attack that maps to the newly added detection rule.
4. The target infrastructure monitored by the detection engine is attacked with the attack indicated in the previous step (step 3).
5. The security/detection engineer receives the attack status, which indicates whether the detection engine successfully detected the attack. Attack evidence, such as the corresponding Cloudtrail record, is also provided.
6. The attack evidence and important metadata are sent to the attack telemetry repository. This allows telemetry for analytics, datasets for AI training, and other purposes.
7. Unit testing might be sufficient in some scenarios. In such cases, this step can replace steps 4 - 6. However, this would not be as accurate as implementing those steps and performing realistic validation against a deployed infrastructure.

‍

Attack Scheduler

Another exciting addition to the Mitigant Cloud Attack Emulation is the attack scheduler. This feature brings the power of automation to security teams. Like other security tasks, running attacks can often become a repetitive chore. By automating these processes, the attack scheduler frees up valuable time for security professionals, enhancing productivity and efficiency.

Example Scenarios for the Attack Scheduler

There are several reasons why security teams should take advantage of the attack scheduler:

1. Targeted attack scheduling streamlines security validation of cloud resources, such as identity and Access Management. Security teams can constantly ensure that products like Identity Threat Detection and Response (ITDR) and Cloud Identity and Entitlement Management (CIEM) accurately detect threats.
2. Testing during the off-peak periods, facilitated by the Attack Scheduler, could quickly reduce the impact on production systems and emulate realistic attacker behavior, e.g., running tests on weekends. This practical approach ensures that security testing does not disrupt the normal operation of systems, providing reassurance and security.

 

Kubernetes Vulnerabilities Prioritization

Organizations struggle to address the ever-increasing number of vulnerabilities discovered by vulnerability scanning tools. Most of these tools provide vulnerability metrics (e.g., CVSS base scores); however, they are not helpful as they do not align with realism. For example, prioritizing vulnerabilities with high CVSS scores has not been proven to improve security or reduce the chances of successful attacks. Even more concerning, security teams still suffer from alert fatigue due to the many vulnerabilities left after using these metrics. 

Consequently, vulnerability prioritization frameworks have become favored as they provide more realistic factors for prioritizing vulnerabilities. Vulnerability prioritization is an essential aspect of CTEM programs, specifically under Step 3: Prioritization.  Two prominent prioritization frameworks have been integrated into Mitigant KSPM for efficient vulnerability prioritization: the CISA Known Exploited Vulnerability (KEV) catalog and First’s Exploit Prediction Scoring System (EPSS).  Let’s briefly explore these two:

• KEV: This is a catalog of vulnerabilities actively exploited in the wild, e.g., those used for ransomware campaigns. Security teams can easily use this list to filter out vulnerabilities that require urgent attention. 
• EPSS: Leverages data-driven approaches to assign probability scores that indicate the exploitability possibilities of vulnerabilities on a scale of 0 to 1 (i.e., 0 to 100%). EPSS uses threat information from several sources, including CVE and real-world exploit data. 

‍

‍

DefectDojo for Unified Vulnerability Management 

DefectDojo is a popular open-source vulnerability management platform that integrates with over 180 cybersecurity solutions. Security teams commonly use It to facilitate end-to-end security testing, vulnerability tracking, deduplication, remediation, and reporting. In response to customer requests, Mitigant CSPM and KSPM reports can now be seamlessly sent to DefectDojo. The CSPM reports are delivered in the AWS Security Finding Format (ASFF), while the KSPM reports are sent in the Kubescape Scan format, ensuring compatibility and ease of use. 

With these integrations, security teams using DefectDojo can quickly receive scan reports from Mitigant and unify vulnerability management (see Figure 6). This integration allows organizations to implement Step 5 (Mobilization) of the CTEM programs. Next on our roadmap is the integration of AWS Security Hub since Mitigant CSPM reports have already been formulated in ASFF.

‍

‍

Conclusion

These new features are designed to empower our users with modern cybersecurity approaches that enable unbeatable security and resilience. Organizations can leverage the Mitigant platform to quickly implement Continuous Threat Exposure Management (CTEM) for cloud and Kubernetes infrastructure. We have even more exciting features queued on our roadmap, including integration into AWS Security. 

We invite you to transform your cloud and Kubernetes security posture by signing up for a FREE Trial at https://www.mitigant.io/en/sign-up. To stay informed when new features are released, subscribe to our newsletter at https://www.mitigant.io/en/newsletter. 

‍