Using Mitre Att&ck framework in Aria Automation Secure Clouds

Intro

The product formerly known as CloudHealth Secure State now lives on as Aria Automation for Secure Clouds (kudos if someone finds a usable abbreviation…). It is a SaaS member of the Aria Suite that lets you check security settings and compliance across cloud accounts and Kubernetes instances. In that sense it complements Aria Operations, which lets you check compliance in your vSphere or VMC environments. I mentioned them both in my recent session at the NL VMUG Usercon.

Mitre Att&ck

Getting more involved in security, I am very interested in the Mitre Attack framework. I am not going to explain it in detail in this blog post; there are enough resources for that (see the references section). The advantage for me is that it is maintained by volunteers; it is an open tool. Attack organises Tactics, Techniques and Procedures so that everyone speaks the same language. Tactics are the goals of bad people; TA0001, for example, is “Initial access to your network”. With this tactic come the techniques to accomplish it, such as T1566 “Phishing”. You can then look up the specific Procedures to apply this technique in the real world.

In other words Tactics, Techniques and Procedures (TTPs) are the Why?, What? and How? of cybersecurity.

Mitre publishes different matrices, but for this blog post we are interested in “cloud”. You can use it to map how you are defending against different Tactics using the Mitre Attack Navigator. But that is outside of our scope here.

Mitre Attack Navigator

Secure Clouds

In Aria Automation for Secure Clouds you can define your different cloud accounts in a multi-cloud environment, including Kubernetes instances. Rules allow you to scan for security weaknesses in your accounts. This is especially important in cloud environments that might be exposed to the internet and have a multitude of settings. I got interested in the challenges of cloud security even before I worked with Secure Clouds when I listened to an episode of the highly recommended podcast “Cyber Security Sauna” on “cloud security”.

Compliance frameworks in Secure Clouds

In the Governance, Compliance menu you will see all the frameworks that Secure Clouds can work with. For Mitre Attack it is the cloud and container matrices, both a subset of enterprise. I have v10 and v11 here. They are updated automatically and since v12 is now out I expect them to update soon. You can click the title to explore the Tactics and Techniques defined.

Secure Clouds Findings page

To see the Mitre Attack framework in action, go to the “Findings by rule” page to see all misconfigurations that were found. Click the filter icon and choose framework, Mitre Attack Cloud v11. You will see all the findings for this framework in your cloud accounts. Let’s say we are interested in our risk of DDoS attacks in MS Azure.

When I click the “DDoS Protection Standard should be enabled” rule, I see all vulnerabilities in my accounts. Clicking a resource I get a nice map overview and more info.
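How a rule like this could be evaluated and then filtered by framework, as an added example that is not Secure Clouds code and not from the author. Assumptions: the mapping of the rule to ATT&CK techniques T1498 and T1499 under tactic TA0040 (Impact), the hypothetical rule record and its field names, and the constructed inventory shaped like `az network vnet list` output.

```python
from collections import defaultdict

# Assumed ATT&CK mapping for this example (not exported from Secure Clouds):
# both denial-of-service techniques belong to the Impact tactic, TA0040.
TECHNIQUE_TACTIC = {"T1498": "TA0040", "T1499": "TA0040"}

# Hypothetical rule record; the field names are illustrative only.
RULE = {
    "name": "DDoS Protection Standard should be enabled",
    "resource_type": "Microsoft.Network/virtualNetworks",
    "frameworks": {"Mitre Attack Cloud v11": ["T1498", "T1499"]},
}

# Constructed inventory, shaped like `az network vnet list` JSON output.
VNETS = [
    {"name": "vnet-prod", "type": "Microsoft.Network/virtualNetworks",
     "enableDdosProtection": True, "ddosProtectionPlan": {"id": "/constructed/plan-1"}},
    {"name": "vnet-dev", "type": "Microsoft.Network/virtualNetworks",
     "enableDdosProtection": False, "ddosProtectionPlan": None},
    {"name": "vnet-legacy", "type": "Microsoft.Network/virtualNetworks"},  # keys absent
    {"name": "vnet-half", "type": "Microsoft.Network/virtualNetworks",
     "enableDdosProtection": True, "ddosProtectionPlan": None},  # flag set, no plan
]

def is_protected(vnet):
    """Fail closed: a missing flag or a missing plan id counts as unprotected."""
    plan = vnet.get("ddosProtectionPlan") or {}
    return vnet.get("enableDdosProtection") is True and bool(plan.get("id"))

def evaluate(rule, resources):
    """Return one finding per resource of the rule's type that violates it."""
    return [
        {"rule": rule["name"], "resource": r["name"], "frameworks": rule["frameworks"]}
        for r in resources
        if r.get("type") == rule["resource_type"] and not is_protected(r)
    ]

def filter_by_framework(findings, framework):
    """Group findings as tactic -> technique -> resources for one framework."""
    grouped = defaultdict(lambda: defaultdict(list))
    for f in findings:
        for technique in f["frameworks"].get(framework, []):
            grouped[TECHNIQUE_TACTIC[technique]][technique].append(f["resource"])
    return {tactic: dict(techs) for tactic, techs in grouped.items()}

if __name__ == "__main__":
    findings = evaluate(RULE, VNETS)
    print(filter_by_framework(findings, "Mitre Attack Cloud v11"))
```

Records with the keys missing or with the flag set but no plan attached are reported as findings, so an incomplete inventory never reads as compliant.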

For more info I can click on the knowledge base article… and this is where it gets really interesting! I see that there is a remediation job page link! Yes, for a number of findings you can define a remediation job in Secure Clouds!

You can download the Python script and deploy it on a worker. Imagine being able to change the setting on any number of objects in one run… what’s more, rerun that remediation to keep everything in check! Reminds me of the good old vCM days…

I hope this post gave you an idea of how to implement the Mitre Attack framework in a very practical way in Aria Automation for Secure Clouds. Remember, if you want to test the product, it is included in the Aria Hub Free tier! Let me know your thoughts….

Reference


