Zentaris: Attack Path Risk Categorization

Zetafence Engineering
6 min readNov 24, 2024

--

Zentaris Attack Path Risk Categorization

Zetafence open sources Zentaris, a Cloud Attack Path Risk Categorization tool that discovers, and builds cloud attack path playbooks mapping existing cloud environment risks. The risk evaluation tool gives enterprises an edge to categorize those playbooks and evaluate by risk levels, providing a contextual understanding, and threat priorities.

Introduction

Zentaris is a Cloud-Agnostic Attack Path Risk Categorization tool that maps cloud attack paths playbooks to a comprehensive risk categorization system. The framework heavily utilizes graph semantics to effectively model and evaluate risk profiles. Such a tool can be utilized to discover and categorize risks across AWS, GCP, Azure infrastructures, as well as with Kubernetes clusters. The risk evaluation system enables enterprises to categorize those playbooks and evaluate by risk levels, providing enterprises with a contextual understanding, and threat priorities.

Zentaris utilizes Hypergraph semantics for evaluation of resource dependencies among various infrastructure resources such as users, roles, policies, etc. Specifically, it uses Directed Acyclic Graphs (DAG) for building attack scenarios (playbooks) mapping existing resource dependencies against vulnerabilities, and exploitability to directly build potential attack flow sequence. These can then be studied as simulations or categorizing real potential risks.

Problems Addressed

Enterprise cloud deployments has evolved to exposing a complex attack surface integrating compute, storage, identify, networking resources. A multi-cloud environment, for instance, poses a hyper Attack Surface of infrastructure and deployments. Such exposed attack surface generally serves as the first step in offensive attack flow sequence starting from reconnaissance.

Traditional internal and external attack surface analysis are siloed & independent in the sense that they generally stop at the first node in attack graph, whereas attackers follow-through to discover important steps to push boundaries until exfiltration.

On the other hand, it is not humanely possible to scan and analyze all possible attack vulnerability paths that may potentially branch out of each possible exploitation nodes.

Zentaris Architecture

Zentaris Architecture from Discovery to Risk Evaluation

Attack Scenario Playbooks

Zentaris security scanning engines primarily build attack scenarios that can then be represented as attack graphs. Scanning engines traverses graph entities looking for attributes that demonstrate weakness. Following are some scenarios that the engines detects.

  • Brute Force Access and Exploitation of Misconfigurations for Data Exfiltration and Resource Abuse. The attacker targets the AWS account login interface, attempting a brute force password attack against an account that has weak credentials. The attacker leverages their access to the EC2 instance, either by further brute-forcing SSH credentials or exploiting a misconfiguration in the instance that allows them to obtain the credentials stored within the instance. The attacker uses the compromised credentials from the EC2 instance to explore AWS IAM roles and policies attached to the instance. The attacker exfiltrates sensitive data from the S3 bucket, using the compromised EC2 instance to download the files and transfer them to an external server under the attacker’s control.
  • Initial Access via Remote Desktop Protocol (RDP). An attacker exploits weak RDP credentials to gain initial access to a corporate system. After gaining access, the attacker performs reconnaissance to identify available resources and users within the network. The attacker uses tools to dump credentials stored in memory and on disk. With the dumped credentials, the attacker moves laterally to other systems within the network. The attacker identifies sensitive documents and exfiltrates them to an external server.
  • Initial Access via SQL Injection. An attacker discovers a vulnerable web application and uses SQL injection to access the backend database. The attacker manipulates data within the database to cover their tracks or create new user accounts with elevated privileges. The attacker exploits the web shell to escalate privileges and gain access to sensitive areas of the system. The attacker identifies sensitive data, such as customer information, and exfiltrates it to an external server.

A 3-Step Risk Categorization System

Zentaris builds attack path risk categorizations in three steps:

  1. Discovery: discover various entities specific to the underlying assessment environment such as AWS, GCP, or Kubernetes cluster
  2. Building Attack Paths: Building a large tree of possible attack scenarios scanning engines traverses graph entities looking for attributes that demonstrate weakness
  3. Risk Evaluation and Categorization: Develop a Risk Scoring System based on Risk categories and Accessibility, Privilege, Sensitivity, and Severity levels

Resource Discovery

Before any security scanning for risk assessment could occur, Zentaris engines must discover various entities specific to the underlying assessment environment such as AWS, GCP, or Kubernetes cluster.

Discoverable entities include cloud resources such as users, roles, policies, permission resources, access keys, monitoring logs & events, API events, object buckets such as S3, infrastructure compute resources, IPs, ports, security groups, etc.

Hypergraphs are used for discovering dependencies among resources. Because Hypergraphs and Hyperedges work more like a set, rather than 1–1 association, any changes, updates, or crucial modifications to Hypergraph applications require operations that result in far efficient. Not only are queries easier and obtain more sophisticated information, it reduces graph traversal, but even more important is that it reduces graph maintenance of nodes and adjacencies as well, which play a critical part in complexity.

Building Attack Path Graphs

Zentaris scanning engines traverses graph entities looking for attributes that potentially opens up weaknesses or vulnerabilities. Building a large tree of possible attack scenarios, Zentaris scanning engines traverses graph entities looking for attributes in discoverable entities that demonstrate exploitability.

For instance, the scenario of an attacker leveraging open port access to the EC2 instance, either by further brute-forcing SSH credentials or exploiting a misconfiguration in the instance that subsequently allows them to obtain the credentials or keys stored within the instance.

Below is an example attack path scenario for Brute Force Access, Discovery, Compromise, Lateral Movement, and Exploitation of Misconfigurations for Data Exfiltration.

  • Initial Access via Users look for brute force ways such as MFAEnabledTime, SSHPublicKeys disabled, no PermissionsBoundary set, etc.
  • Discovery and Enumeration of publicly accessible resources such as EC2 for public IP, DNS names, etc.
  • Credential Compromise and Lateral Movement by policy compromise e.g. PermissionsBoundaryUsageCount is not 0
  • Credential Compromise and Lateral Movement due to unauthorized access owing to PermissionsBoundary not set or MaxSessionDuration set to 0
  • Privilege Escalation Exfiltration of Exposed Sensitive via S3 OverlyPermissive settings

Each entity in attack graph associated with a risk level: low, medium, high, critical.

Attack Path Risk Evaluation

In order to narrow down on specific exploitations, risk evaluation on all possible paths must be done. Risk evaluation is based on the following:

  • Attack Surface: Assign scores based on the number and type of resources involved in an attack path (e.g., a critical data store vs. a test server)
  • Exploitability: Assess the ease with which an attacker can exploit the path (e.g., publicly accessible resources, vulnerabilities with known exploits)
  • Impact: Measure the potential impact (e.g., privilege escalation, data exfiltration, service disruption)
  • Likelihood: Include context like exposure to external traffic or insider threats

Each entity in the attack graph is assigned a risk score between 1–10 based on Accessibility, Privilege Levels, Data Sensitivity, Vulnerability Severity.

The overall entity score is calculated using this formula.

Entity Risk Score =
(Accessibility Score * Accessibility Weight) +
(Privilege Levels Score * Privilege Levels Weight) +
(Data Sensitivity Score * Data Sensitivity Weight) +
(Vulnerability Severity Score * Vulnerability Severity Weight)

Thus, for a given attack graph DAG, Attack Path Risk Score = Average Weighted Entity Score, with specific weights for each MITRE TACTIC. For instance, Privilege Escalation carries 20% weight, Credential Access carries 15%, Lateral Movement 10%, and so on. These weights are arbitaty but can be fined-tuned based on Enterprise risk requirements.

For further details about the attack path tool, follow these references.

On GitHub: Zentaris Attack Path Risk Categorization

Blackhat SecTor presentation on “Zentaris: Attack Path Risk Categorization Using Hypergraphs”, Oct. 2024

--

--

Zetafence Engineering
Zetafence Engineering

Written by Zetafence Engineering

Multi-Cloud Attack Surface Management Using Correlated Threat Intel Feeds

No responses yet