CNAPPgoat: The Multicloud Open-Source Tool for Deploying Vulnerable-by-Design Cloud Resources
Here’s all you need to know about CNAPPgoat, our open-source project designed to modularly provision vulnerable-by-design components in cloud environments.
Tenable Cloud Security [previously Ermetic] is proud to announce the release of the open source CNAPPgoat project, developed and maintained by the Tenable Cloud Security research team.
CNAPPgoat is intended to reinvent the creation of vulnerable cloud infrastructure for a variety of purposes (see below).
This blog post explains why CNAPPgoat is important and how you can get started.
First things first - What is CNAPP anyway?
Cloud native application protection platform CNAPP is a relatively new Gartner product category they define as “a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production”. Simply put, CNAPP solutions help you transition your cloud infrastructure security practice from a layered (or even siloed) approach where different aspects of security (such as posture, network, runtime, compute, data, etc.) are handled separately, into an holistic and comprehensive approach where they’re united in a single platform. As you may imagine, CNAPP solutions include the capabilities of multiple (more veteran) product categories such as cloud security posture management (CSPM), cloud workload protection platform (CWPP) and cloud infrastructure entitlements management (CIEM).
So… What is CNAPPgoat?
CNAPPgoat is an open source project designed to modularly provision vulnerable-by-design components in cloud environments (currently supporting AWS, Azure and GCP).
Unlike other projects which may also fit this description (the most popular are probably CloudGoat and CloudFoxable), CNAPPgoat is not designed to simply illustrate possible attack paths. Rather, it includes atomic, (and down the line - more complex) vulnerable scenarios that together will provide as much coverage as possible of the misconfigurations and risks that could potentially be exploited by an attacker.
The scenarios available in CNAPPgoat are divided into modules corresponding with the various security capabilities included in the CNAPP specification (hence the name - CNAPPgoat!) and serve a specific cloud service provider (AWS, Azure, GCP, and more).
This structure makes it possible to provision only scenarios from a specific module or modules to address different use cases and different consumers (see below). In addition, this design makes reviewing and understanding the scenarios much easier (whether you want to find a specific scenario or add a new one). It helps break down a very complicated and multidimensional challenge into more easily digestible parts.
Currently, the following modules are supported:
- CIEM - scenarios relevant to the management of identities and entitlements, such as the unintended ability of an identity to escalate its privileges
- CWPP - scenarios relevant to the exposure of workloads to vulnerabilities, for example, by running vulnerable or end-of-life software or OS versions
- CSPM - scenarios relating to the misconfiguration of cloud infrastructure components, such as publicly exposed storage resources
We will soon add support for infrastructure as code (IaC) scanning, which is the practice of finding misconfigurations directly in the code; and for a CNAPP module, which will include elaborate scenarios that describe popular attack paths leveraged by malicious entities.
Why should you care?
The ability to easily provision a vulnerable environment with broad coverage of possible risk scenarios has tremendous potential.
Killer applications - to name just a few:
- Security teams can benchmark CNAPP solutions against known environments so they can prove CNAPP solutions’ ability to deliver what they promise.
- Security professionals can use it (responsibly and with extreme caution!) to create a sandbox for testing their teams, procedures and protocols.
- Instructors can use it to create vulnerable environments for hands-on workshops or chalk talks, which we’ve already done successfully.
- Pentesters can use it to provision a “shooting range” to test their skills at exploiting the scenarios and developing relevant capabilities. (We also feel the need to mention in this context two great pentesting projects - ]Pacu and Stratus Red Team).
- Educators can create a learning environment where cloud infrastructure risks can be explored, understood - and avoided.
Since it’s open source, you can contribute your own scenarios and, together as a community, we can make and maintain CNAPPgoat as comprehensive as possible.
The initial version released is just a starting point and we’re looking forward to seeing more and more scenarios added.
How to use CNAPPgoat?
The basic process of using CNAPPgoat is quite simple:
- Select the scenario(s) and/or module(s) you want to provision (or the entire set).
- Provision the vulnerable infrastructure in dedicated test accounts.
- Use the environment as described in the use cases above.
- Destroy the provisioned environment.
Easy to create - easy to destroy. No unneeded vulnerable components left behind for you to worry about (and pay for).
We will now walk you through a simple example of getting started with CNAPPgoat. (It’s highly recommended to go through the README to get oriented with the tool).
Getting started
First make sure you have the prerequisites installed.
Next - download the CNAPPgoat executable compiled for your OS from our release page.
Optional: Pulling the scenarios repo
The currently available scenarios are managed in a Github repository. These scenarios are automatically downloaded when you run CNAPPgoat and are stored in the `~/.cnappgoat/scenarios` directory.
However, if you wish to review the scenarios yourself (and perhaps even contribute to them) you can pull the repository.
It’s possible to define a custom path to get scenarios from a local folder, but let’s keep things simple for now.
Setting up cloud credentials
Remember: CNAPPGoat deploys vulnerable environments. Only use it within safe, controlled sandboxes.
It goes without saying that experiments with CNAPPgoat should only be done in test accounts completely separate from your business environment.
Running CNAPPgoat
Now, we’re ready to kick things off with CNAPPgoat.
First, we’ll list the available scenarios by running the list command:
./CNAPPgoat list
Figure 1 - Listing the available scenarios
For each scenario, you can see which cloud service provider platform it’s designed for and which module (CIEM / CSPM / CWPP) it belongs to. The names are also pretty self-explanatory.
If you’re only interested in a specific module, you can use the global option --module to specify the module you’re interested in. For example, if we only want to see the currently available CSPM modules we’ll run:
./CNAPPgoat list --module CSPM
Figure 2 - Listing only available CSPM scenarios
The “status” column on the right indicates which scenarios have been deployed, which have not, and which have been destroyed (that is - deployed and then destroyed).
If you’re interested in acquiring more information about a specific scenario - you can do so using the describe command, for example:
./CNAPPgoat describe cwpp-aws-malicious-ec2-xmrig
will produce the following output:
Figure 3 - Description of a scenario
In order to provision a scenario / multiple scenarios / a module, you can use the “provision” command. If you simply run:
./CNAPPgoat provision
All scenarios will be deployed upon your confirmation (use this carefully):
Figure 4 - Requesting deploy of all scenarios
If you state as an argument a space-delimited list of selected scenarios it will provision them, for example:
./CNAPPgoat provision cspm-aws-ec2-imds-v1-enabled ciem-aws-iam-privesc-ec2-passrole
CNAPPgoat will present you with a log (partially shown in Figure 5, as it’s a bit much) of the operations performed and will present you with the end result of the process:
Figure 5 - End result of provisioning selected scenarios
Note that when you do this for the first time, CNAPPgoat will also take care of necessary dependencies installation - so it may take a while. Go get some coffee.
Once the provisioning is complete, you can check the new resources in your cloud environment.
Now. if you perform the list function, you will see that it clearly indicates the deployed scenarios:
Figure 6 - Scenarios list indicating deployed scenarios
Rather than deploying scenarios individually, you can provision an entire module using the global option --module:
./CNAPPgoat provision --module CSPM
As this may also be a significant operation, it requires confirmation. After that, all scenarios in the selected module will be provisioned, and the output will look something like this:
Figure 7 - Provisioning the CSPM module
As you can see from Figure 8, in case there were any errors in the process of provisioning the scenarios, they are indicated in the output, and you can review the entire log to see exactly what went wrong. For example, the error we got in the above process can be tracked to an invalid zone issue:
Figure 8 - Error log from provisioning a scenario
Once you’re done using the deployed scenarios, similar to provisioning them, you can destroy all or specific scenarios / modules with the destroy command:
./CNAPPgoat destroy
Since now we simply want to clean up, we’ll just run it without any arguments and confirm the operation:
Figure 9 - Running and confirming the destroy command for all deployed scenarios
Once the process is done, we see the following output, clearly indicating what has been destroyed:
Figure 10 - Output from the destroy command
And that about does it! We’ve gone through the basics of using the CNAPPgoat framework.You now know how to explore the tool for existing scenarios, provision and destroy selected scenarios / modules.
Where do we go from here?
To the moon!
As mentioned before - this is just the start. The first step of a very long journey, if you will.
We firmly believe in the potential of this modular approach to enable almost anyone, regardless of expertise level, to leverage this tool for commercial, technical and educational purposes.
Soon, we’ll release additional artifacts including deeper technical dives and guides to further support you in using the tool and making contributions. This is also the place to note that any contribution would be highly appreciated - whether new complete scenarios, scenario proposals , issues, suggestions, feature requests or simply sharing this with your network or organization. If in doubt, just reach out, we’d love to hear from you.
Cybersecurity, and specifically cloud security, should be a team sport. And as an industry and community, we’ll be much better off if we join our hands. CNAPPgoat is a great platform to do so.
Join us on our collaborative path to codifying cloud security. We've got cookies.
Related Articles
- Cloud
- Cloud