Security Observability with ThreatMapper

ThreatMapper Overview - Security Observability for my homelab. Also works for linux, kubernetes, AWS fargate, and more.

In my search for observability tools, I stumbled upon ThreatMapper by Deepfence.

This tool can map out the topology of my environment and help me learn more about the vulnerabilities that exist both in my worker nodes and in the containers running my honeypots.

Vulnerability Analysis


Deepfence ThreatMapper hunts for vulnerabilities in my homelab environment and then ranks them by their potential for being exploited. This helps prioritize the issues that could present the greatest risk to the security of my web applications.

ThreatMapper can help extend your "Shift Left" Initiatives

Shift Left initiatives enable DevOps teams to focus on secure web application development by analyzing vulnerabilities with ThreatMapper in development or staging environments, before code reaches production.

After some more testing, I noticed that ThreatMapper has the incredible ability to:

  • Discover Running Workloads: ThreatMapper scanned my honeypot instance and identified the containers, applications, and infrastructure. It then mapped it all out in an easy-to-understand topological map.

  • Rank Vulnerabilities by Risk-of-Exploit: ThreatMapper ranked the discovered vulnerabilities using CVSS and other severity scores, the exploit method (for example, remote over the network versus local), and their proximity to attack surfaces, in order to identify which issues posed the greatest risk of exploit.

  • Scan for Unprotected Secrets: ThreatMapper can also scan containers and host filesystems for unprotected secrets, such as access tokens, keys, and passwords. For big development teams, this functionality is a must-have, as it is now all too common for attackers to break into organizations that are not protecting their secrets.

Investigating Vulnerabilities with ThreatMapper


ThreatMapper identified many vulnerabilities, but what really matters is understanding which ones are actually exploitable over the network versus those that require local access. This is where the handy built-in prioritization comes in: I can select a vulnerability that could potentially be exploited if an attacker had network access to the workload.
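As an added illustration (not ThreatMapper's own scoring code, whose weights this post does not describe), here is one way to rank findings by severity, exploit method and proximity to the attack surface, and to flag the network-reachable ones. The weights, the field names and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One scanner result for a package on a workload (constructed schema)."""
    cve: str
    package: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    attack_vector: str     # "network", "adjacent", "local" or "physical"
    exploit_known: bool    # a public exploit or in-the-wild report exists
    exposed_ports: int     # ports on the workload reachable from the network

# Illustrative weights (assumption): how much the exploit method discounts severity.
AV_WEIGHT = {"network": 1.0, "adjacent": 0.8, "local": 0.4, "physical": 0.2}

def risk_score(f: Finding) -> float:
    """Severity x exploit method x proximity to the attack surface, scaled 0-10."""
    base = f.cvss / 10.0
    method = AV_WEIGHT[f.attack_vector]
    if f.exploit_known:                      # a known exploit raises the method weight
        method = min(1.0, method + 0.2)
    proximity = 1.0 if f.exposed_ports > 0 else 0.5   # exposed workloads count fully
    return round(base * method * proximity * 10, 2)

def network_exploitable(f: Finding) -> bool:
    """True when the flaw is remotely triggerable AND the workload is reachable."""
    return f.attack_vector == "network" and f.exposed_ports > 0

def rank(findings):
    """Highest risk first, so the top of the list is what to patch today."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings; ids and scores are placeholders, not real NVD data.
SAMPLE = [
    Finding("CVE-0000-0001", "sshd-example", 9.8, "network", True, 1),
    Finding("CVE-0000-0002", "xxd-example", 9.8, "local", False, 1),
    Finding("CVE-0000-0003", "redis-example", 7.5, "network", False, 0),
    Finding("CVE-0000-0004", "libc-example", 5.5, "local", True, 0),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{risk_score(f):5.2f}  net={network_exploitable(f)!s:5}  {f.cve}  {f.package}")
```

Two findings with the same CVSS score end up far apart because one is a remote flaw on an exposed service and the other needs local access, which is exactly the distinction the prioritization view makes visible.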

Analyzing the above vulnerability as an example, CVE-2022-0318, we know that it affected VIM and that it was fixed here.

To mitigate this vulnerability, I should be able to update VIM, which should in turn update the VIM xxd utility that ThreatMapper flagged in the first place:

xxd:2:8.2.2434-3+deb11u1

Live Connections


ThreatMapper also gives me some incredible insight: through the topological map, it even shows me current live connections!

This is incredibly helpful, as I can see in near real time which threat actors are attempting to exploit which honeypot services in my environment. I can see attacker IPs connecting to my SSH, VNC, Elastic, Redis, and other miscellaneous honeypots running on my honeypot instance.

Lessons Learned

This was a quick overview of ThreatMapper and the capabilities that can help you at home, or any small business, gain actionable, real-time vulnerability analysis for your DevOps teams and cloud infrastructure. Learn more about how awesome ThreatMapper is by reading their docs here.