Automating security assessments using Cloud Katana

Today, we are open sourcing Cloud Katana, a cloud-native serverless application built on the top of Azure Functions to assess security controls in the cloud and hybrid cloud environments. We are currently covering only use cases in Azure, but we are working on extending it to other cloud providers.

Design principles of Cloud Katana

Cloud Katana design principles.

Figure 1: Cloud Katana design principles.

Cloud Katana was designed and developed under the following principles:

  • A serverless execution model.
  • Compute on-demand as a web API.
  • YAML-based attack definitions.
  • Orchestrated stateful execution.
  • Secure authentication and authorization.
  • Managed identity integration.
  • Granular access control to Azure resources.
  • Programming language agnostic clients.
  • Cloud and on-premise coverage.

A serverless execution model

Cloud Katana is a cloud-native solution that relies on platform as a service (PaaS) concepts to provide a simplified and scalable event-driven solution without worrying about deploying and maintaining the underlying infrastructure used to execute simulations.

To meet this need, Cloud Katana uses Azure Functions to abstract the operating system layer from the code through a pay-per-execution billing model that automatically scales based on trigger invocations.

A basic definition of a serverless execution model.

Figure 2: A basic definition of a serverless execution model.

Compute on-demand as a web API

Simulation steps are represented as blocks of code called functions and invoked via HTTP requests through a built-in serverless web API.

With this feature, one could simply send an HTTP request with information about the specific simulation and wait for the infrastructure underneath to process the request. Currently, all functions are written in PowerShell (subject to change) and categorized following the MITRE ATT&CK framework.

Compute on demand via a serverless web API and categorized by ATT&CK tactics.

Figure 3: Compute on demand via a serverless web API and categorized by ATT&CK tactics.

YAML-based attack definitions

Every attack simulation is documented in a YAML-based format to aggregate metadata such as title, description, ATT&CK mappings, expected input and output, and even preconditions to make sure we have the right permissions before running a simulation step. This facilitates the processing of every documented action programmatically and the automatic setup of a few other resources.

YAML-based documentation example.

Figure 4: YAML-based documentation example.

Orchestrated stateful execution

The project is also designed to handle state and ensure reliability across numerous attack simulations by using an extension of Azure functions named durable functions. This feature allows the orchestration and execution of scenarios where actions could depend on the state and output of other simulation steps. This is good to define specific attack paths as code.

Orchestrated stateful execution to execute chains of events.

Figure 5: Orchestrated stateful execution to execute chains of events.

Secure authentication and authorization

Cloud Katana also enforces authentication and authorization best practices to secure the application.

Authentication

The project uses the Microsoft Identity Platform (also known as Azure Active Directory or Azure AD) as its identity provider to authenticate clients. This feature requires a registered Azure AD application, which allows users to connect to the Azure Function app using OAuth authentication.

In addition, using an identity provider enables the following features:

OAuth device authorization grant flow used by Cloud Katana.

Figure 6: OAuth device authorization grant flow used by Cloud Katana.

Authorization

Besides enforcing users to authenticate before executing simulations, the project also implements “Application Role Assignments” to restrict access to selected users. This allows organizations to select who can use the project in their environments.

Managed identities integration

Furthermore, when executing simulations in Azure, Cloud Katana uses a user-assigned managed identity to access Azure AD-protected resources. One of the advantages of managed identities is that it removes the need to provision or rotate any secrets.

A user-assigned managed identity is used to access Azure resources.

Figure 7: A user-assigned managed identity accessing Azure resources.

Granular access control to Azure resources

Access to Azure resources is defined by the permissions assigned to the managed identity. We currently cover Azure-based scenarios. Therefore, we use permissions associated with each major set of Microsoft Graph APIs to control access to specific Azure resources.

For example, if we wanted to use Cloud Katana to add credentials to an application, we would need to grant the following permissions (from least to most privileged) to the managed identity:

  • Application.ReadWrite.OwnedBy
  • Application.Read.Write.All

Cloud Katana’s identity adding credentials to an Azure AD application via Microsoft Graph API.

Figure 8: Cloud Katana adding credentials to an Azure AD application via Microsoft Graph API.

Programming language agnostic clients

Another feature that makes Cloud Katana a very powerful tool is the flexibility to use any programming language to request simulations. If the client used to interact with Cloud Katana can handle the Azure AD authentication process, it doesn’t matter how the simulation is requested.

Programming language agnostic clients to interact with the serverless web API.

Figure 9: Programming language agnostic clients to interact with the serverless web API.

Microsoft Authentication libraries are available via PowerShell as MSAL.PS and Python as MSAL. We could also use other open-source projects, such as Jupyter Notebooks, to create repetitive templates to show the execution of simulations and share the process with other security researchers.

Running a Jupyter Notebook to execute simulations.

Figure 10: Running a Jupyter Notebook to execute simulations.

Cloud and on-premise simulations

Finally, we are currently experimenting with Azure App Service Hybrid Connections to not only run simulations in the cloud but also on-premises. Hybrid Connections use a relay agent to securely expose services that run on-premises to the public cloud. The relay agent sits in the middle between the on-premise server and the Cloud Katana Azure Function app.

A relay agent—Hybrid Connection Manager (HCM)—is set up on the on-premise server and configured to call out to the Azure Relay over port 443. The Cloud Katana function app then connects to the Azure Relay to interact with the on-premise server and execute simulations locally. The connection uses TLS 1.2 for security and shared access signature (SAS) keys for authentication and authorization.

Running simulations on resources on-premises from Cloud Katana function app.

Figure 11: Running simulations on resources on-premise from Cloud Katana function app.

Deploy Cloud Katana

After learning about Cloud Katana’s design principles, you can check our docs to deploy the project.

Assess security controls

Once the Azure function app is deployed successfully, you can run some of the demos available in our docs. The main idea is not only to write simulation steps as code and execute them on demand but also to assess detections and security controls.

Future work

Besides automating and releasing more simulation steps, we are also going to be working on several features to improve the deployment of the tool and execution scope. The list below shows some of the ideas we currently have (not in a specific order):

  • Simulations in other cloud providers.
  • On-premise simulations via Azure Hybrid Connection management services.
  • A data model to document chains of simulation steps in a more flexible way.
  • An Azure DevOps continuous integration and continuous delay (CI/CD) pipeline to deploy and maintain the Azure Function app.
  • Integration with SimuLand to give security researchers an option to deploy it all together.
  • A way to schedule functions to run periodically as a service in a network environment.
  • A way to verify if alerts triggered or data was generated after each simulation.
  • Plugin-like capabilities to integrate other projects, such as Atomic Red Team, into the framework.

Community contributions

We look forward to contributions and feedback from the community. If you would like to contribute to specific areas of the project, open an issue in our GitHub repository and share your ideas. Look at the previous “Future Work” section for some ideas.

Learn more

To learn more about this open-source initiative, visit the Cloud Katana GitHub repository.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

READ MORE HERE