Step 1: Log in to https://vanguard.securicad.com/app/input
Step 2: Creating an IAM User
In order to fetch the necessary data from AWS, an Amazon AWS IAM user with the right permissions and with access keys for API access is needed. Instructions on how to create an IAM user can be found here.
Step 3: Setting IAM User permissions
The IAM user used with securiCAD Vanguard needs to have permissions to read all necessary data from the AWS environment to be analyzed. This is done by attaching an IAM policy to the IAM account. See details here.
As a convenience, securiCAD Vanguard provides an IAM policy with the required permissions here.
Note: Generating AWS Access Key
If the access key was not created at the same time as the IAM account itself, the access keys can be created and obtained as described in the AWS documentation.
Step 4: Amazon Inspector check box (yes/no)
Amazon Inspector data can be included in the simulation by checking the box for Amazon Inspector. By including data from Amazon Inspector, securiCAD Vanguard helps you prioritize existing vulnerabilities. securiCAD Vanguard will automatically fetch the scans from the last 30 days, pick the latest scan and gather its CVE and Network Reachability data.
Step 5: Read in your AWS data to build a model of your AWS environment
- Press “Simulate” to start a simulation with securiCAD Vanguard default settings
- Or press “Configure” for custom settings for your High Value Assets and your Threat Profile
Choose your High Value Assets
With the raw data describing the AWS environment available, securiCAD Vanguard will allow the user to select High Value Assets in the generated model.
High Value Assets are typically assets in your environment that represent particular business-related value. They could be S3 buckets, EC2 instances, databases and so on.
These assets will be presented as the main targets for the Attacker in the simulation.
Choose Threat Profile
Select one of the following Threat Profiles:
- State-Sponsored – Attackers sponsored by nation-states are characterized by a high level of sophistication and resources. They’re capable of large-scale attacks and phishing as well as acquiring zero-day exploits.
- Cybercriminal – Cybercriminals are well equipped, well-funded, and they have the tools they need to get the job done. They are not as sophisticated as state-sponsored attackers but can still carry out advanced attacks.
- Opportunist – Opportunists are usually amateurs, often referred to as script kiddies. Their attacks are not very sophisticated and typically rely on public exploits as they lack skills to write their own malicious code.
The Threat Profile will impact the likelihood of an Attacker finding and exploiting vulnerabilities as well as phishing credentials.
After the desired “Config” has been applied, a threat model of the AWS data including the chosen scenario will be created and passed on to the attack simulation and reporting phase.
Step 6: Simulation and reporting
Clicking “Simulate” will start the attack simulation of the model generated from the AWS data and the selected scenario configuration.
Simulations are computationally heavy and may take anywhere from seconds to minutes depending on the size of the generated model.
Once the simulation is done, the model and results can be inspected by selecting “Critical Path”, “Report” or “Model viewer”.
Interpret the report
The report contains two parts: “Chokepoints” and “High Value Assets”.
A Chokepoint is an asset where attacks on High Value Assets converge in the model. In other words, chokepoints are assets that the attacker is expected to make more use of than others.
To the left, the chokepoints that contribute the most risk are shown. To the right, the attack steps on High Value Assets. The width of the lines and the height of the chokepoint bars indicate how much risk each chokepoint contributes, multiplied by its frequency. The frequency denotes the total number of times an object occurs across all attack paths, or, in other words, how much an asset is expected to help the attacker. Chokepoints within 75% of the maximum frequency, or attacker contribution, are marked orange.
The High Value Assets report
Shows a list of the most critical attack steps used by the attacker.
High Value Asset
The specific object that was penetrated in the simulation.
The attack step that was used in the simulation and made penetration of the High Value Asset possible.
Shows how likely it is that an attacker will be able to penetrate the High Value Asset.
Shows the attack steps as a chain of events going through the objects one by one.
Time-to-compromise plot showing how likely the attacker is to reach its goal over a period of time.
Critical paths viewer
A Critical Path is the statistically shortest way in terms of effort from an attacker’s entry point to an asset identified as valuable.
As securiCAD Vanguard allows multiple assets to be identified as valuable, there may consequently be several Critical Paths to choose from in the Critical Path viewer.
“The Path” is the sequence of actions and operations the attacker is expected to use in order to arrive at the desired outcome of the attack. A desired outcome can for example be to gain administrative access to a given EC2 instance, which is represented by e.g. the HighPrivilegeAccess attack step and will be highlighted in blue in the Critical Path viewer.
The term “path” may be a bit misleading, as attack steps may require multiple preconditions to be satisfied. An example is access to a networked service via known credentials, which requires both the ability to connect to the service over the network and access to the login credentials. Such attack steps are referred to as “and” attack steps, and they have a slightly thicker circle border compared to the “or” attack steps, which only require a single precondition to be met.
In addition to the actual attack step graph of the critical path, the view will contain a number of controls including a legend explaining the different elements of the Critical Path and tools to help searching and viewing.
View the model of your AWS environment
The Model Viewer displays the model created from the AWS data including any additions done through the selected scenarios, such as attacker placement, credential access in phishing scenarios and identification of high value assets.
It is not possible to alter a model in the Model Viewer as it is purely a tool to inspect and analyze the AWS model.
In addition to the main canvas area, there are four different sections in the left panel of the Model Viewer:
- Object Explorer
- Issues and Warnings
securiCAD Vanguard will generate three different presentation views from the model data:
- VPC Overview that shows a structural representation of the VPCs, including instances, subnets, routing and peering.
- IAM Groups showing IAM accounts, groups and policies.
- Vulnerability Overview showing any vulnerabilities present in the model and which assets are affected by them.
Shows all available asset types.
Shows all objects in the model by asset type.
It is worth noticing that even though securiCAD Vanguard does not allow the model to be altered, by e.g. adding or removing an asset, a view can be altered by removing objects from it or by adding objects by dragging them onto the canvas from the Object Explorer.
Issues and warnings
This area shows any problems with the model and should normally be empty in securiCAD Vanguard as the model is auto-generated.
The main canvas area shows the selected view and has a number of functions including zoom, pan, and grouping and ungrouping of objects. It is also possible to inspect an asset’s parameters and associations to other assets by right-clicking on it.
About the Attack simulations
securiCAD Vanguard will run an attack simulation against the threat model of the AWS environment. At a high level, the simulation process generates an attack graph from the threat model and then runs a large number of attack attempts in a Monte Carlo simulation. The result of the simulations is an aggregate of the shortest paths from the attacker to all High Value Assets/attack steps in the attack graph.
A great strength of securiCAD Vanguard is that the threat model generates an attack graph that represents all kinds of possibilities for an attacker to move laterally in the environment, taking network routing and access controls, exploits of vulnerabilities, use of credentials and IAM permissions into account.
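The mechanics described on this page (“and”/“or” attack steps, Monte Carlo aggregation of shortest paths, chokepoint frequency with the 75% orange marking, and the time-to-compromise curve) as an added toy example in Python. This is not securiCAD Vanguard's own engine or model: the attack graph, step names and effort ranges are constructed for illustration only.

```python
import random
from collections import Counter

# Constructed toy attack graph (not Vanguard's model): kind ("or": one precondition
# suffices, "and": all are needed), preconditions (listed first), effort range in days.
STEPS = {
    "attacker":           ("or",  [],                                  (0, 0)),
    "phish_credentials":  ("or",  ["attacker"],                        (1, 10)),
    "connect_ssh":        ("or",  ["attacker"],                        (0, 1)),
    "login_ec2":          ("and", ["phish_credentials", "connect_ssh"], (0, 1)),
    "exploit_cve":        ("or",  ["connect_ssh"],                     (2, 30)),
    "ec2_high_privilege": ("or",  ["login_ec2", "exploit_cve"],        (1, 3)),
    "read_s3_bucket":     ("or",  ["ec2_high_privilege"],              (0, 1)),
}
def simulate_once(steps, rng):
    """One attempt: TTC per step and the preconditions used (cheapest for OR, all for AND)."""
    ttc, used = {}, {}
    for name, (kind, pre, (lo, hi)) in steps.items():
        effort = rng.uniform(lo, hi)      # effort sampled for this attempt
        if not pre:                       # attacker entry point
            ttc[name], used[name] = 0.0, []
        elif kind == "or":
            best = min(pre, key=ttc.get)
            ttc[name], used[name] = ttc[best] + effort, [best]
        else:                             # "and": slowest precondition gates the step
            ttc[name], used[name] = max(ttc[p] for p in pre) + effort, list(pre)
    return ttc, used
def critical_path(used, target):
    """Steps on the path the attacker used to reach target in one attempt."""
    path, stack = set(), [target]
    while stack:
        step = stack.pop()
        if step not in path:
            path.add(step)
            stack.extend(used[step])
    return path
def simulate(steps, targets, runs=2000, seed=1):
    """Monte Carlo: step frequency over all paths, chokepoints (>= 75% of max, marked orange), TTCs."""
    rng, freq, ttcs = random.Random(seed), Counter(), {t: [] for t in targets}
    for _ in range(runs):
        ttc, used = simulate_once(steps, rng)
        for t in targets:
            ttcs[t].append(ttc[t])
            freq.update(critical_path(used, t) - {t, "attacker"})
    chokepoints = {s for s, f in freq.items() if f >= 0.75 * max(freq.values())}
    return freq, chokepoints, ttcs
def prob_compromised_by(samples, days):
    """Time-to-compromise curve point: share of attempts with TTC <= days."""
    return sum(t <= days for t in samples) / len(samples)
```

Calling `simulate(STEPS, ["read_s3_bucket"])` shows how the steps every path must pass through (here the EC2 compromise and the SSH connection) end up as chokepoints, while the phishing and CVE branches split the frequency between them.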