CNAPPgoat: The Multicloud Open-Source Tool for Deploying Vulnerable-by-Design Cloud Resources

Ermetic [now Tenable Cloud Security] is proud to announce the release of the open source CNAPPgoat project, developed and maintained by the Tenable Cloud Security research team. 

CNAPPgoat is intended to reinvent the creation of vulnerable cloud infrastructure for a variety of purposes (see below). 

This blog post explains why CNAPPgoat is important and how you can get started. 

First Things First - What is CNAPP Anyway? 

CNAPP (or Cloud Native Application Protection Platform) is a relatively new Gartner product category defined as “a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production”. Simply put, CNAPP solutions help you transition your cloud infrastructure security practice from a layered (or even siloed) approach where different aspects of security (such as posture, network, runtime, compute, data, etc.) are handled separately to an holistic and comprehensive approach where they’re united in a single platform. As you may imagine, CNAPP solutions include the capabilities of multiple (more veteran) product categories such as CSPM (Cloud Security Posture Management), CWPP (Cloud Workload Protection Platform) and CIEM (Cloud Infrastructure Entitlements Management). 

So… What is CNAPPgoat? 

CNAPPgoat is an open source project designed to modularly provision vulnerable-by-design components in cloud environments (currently supporting AWS, Azure and GCP). 

Unlike other projects which may also fit this description (the most popular are probably CloudGoat and CloudFoxable), CNAPPgoat is NOT designed to simply illustrate possible attack paths.  Rather, it includes atomic, (and down the line - more complex) vulnerable scenarios that together will provide as much coverage as possible of the misconfigurations and risks that could potentially be exploited by an attacker. 

The scenarios available in CNAPPgoat are divided into modules corresponding with the various security capabilities included in the CNAPP specification (hence the name - CNAPPgoat!) and serve a specific cloud service provider (AWS, Azure, GCP, etc.). 

This structure makes it possible to provision only scenarios from a specific module or modules to address different use cases and different consumers (see below). In addition, this design makes reviewing and understanding the scenarios much easier (whether you want to find a specific scenario or add a new one). It helps break down a very complicated and multidimensional challenge into more easily digestible parts. 

Currently, the following modules are supported: 

• CIEM - scenarios relevant to the management of identities and entitlements, such as the unintended ability of an identity to escalate its privileges   
• CWPP  - scenarios relevant to the exposure of workloads to vulnerabilities, for example, by running vulnerable/end of life software or OS version   
• CSPM - scenarios relating to the misconfiguration of cloud infrastructure components, such as publicly exposed storage resources 

We will soon add support for IAC (that is - infrastructure as code scanning, or the practice of finding misconfigurations directly in the code) and a CNAPP module which will include elaborate scenarios that describe popular attack paths leveraged by malicious entities. 

Why Should You Care? 

The ability to easily provision a vulnerable environment with broad coverage of possible risk scenarios has tremendous potential.  

Killer applications - to name just a few: 

• Security teams can benchmark CNAPP solutions against known environments so they can prove their ability to deliver what they promise. 
• Security professionals can use it (responsibly and with extreme caution!) to create a sandbox for testing their teams, procedures and protocols. 
• Instructors can use it to create vulnerable environments for hands-on workshops or chalk talks ( we’ve already done this successfully) 
• Pentesters can use it to provision a “shooting range” to test their skills at exploiting the scenarios and developing relevant capabilities. (We also feel the need to mention in this context two great pen-testing projects - pacu and Stratus Red Team) 
• Educators can create a learning environment where cloud infrastructure risks  can be explored, understood - and avoided. 

Since it’s open source, you can contribute your own scenarios and together, as a community, - we can make and maintain CNAPPGoat as comprehensive as possible. 

The initial version released is just a starting point and we’re looking forward to seeing more and more scenarios added.

How To Use CNAPPgoat? 

The basic process of using CNAPPgoat is quite simple: 

1. Select the scenario(s) and/or module(s) you want to provision (or the entire set) 
2. Provision the vulnerable infrastructure in dedicated test accounts
3. Use the environment as described in the use cases above. 
4. Destroy the provisioned environment. 

Easy to create - easy to destroy. No unneeded vulnerable components left behind for you to worry about (and pay for). 

We will now walk you through a simple example of getting started with CNAPPgoat (it’s highly recommended to go through the README to get oriented with the tool). 

Getting Started 

First make sure you have the prerequisites installed.

Next - download the CNAPPgoat executable compiled for your OS from our release page. 

Optional: Pulling the Scenarios Repo 

The currently available scenarios are managed in a Github repository.These scenarios are automatically downloaded when you run CNAPPgoat and are stored in the `~/.cnappgoat/scenarios` directory.

However - if you wish to review the scenarios yourself (and perhaps even contribute to them) - you can pull the repository. 

It’s possible to define a custom path to get scenarios from a local folder - but let’s keep things simple for now.  

Setting Up Cloud Credentials 

Remember: CNAPPGoat deploys vulnerable environments. Only use it within safe, controlled sandboxes. 

It goes without saying that experiments with CNAPPgoat should ONLY BE DONE IN TEST ACCOUNTS COMPLETELY SEPARATE FROM YOUR BUSINESS ENVIRONMENT. 

Running CNAPPgoat 

Now, we’re ready to kick things off with CNAPPgoat. 

First, we’ll list the available scenarios by running the list command: 

./CNAPPgoat list

For each scenario, you can see which platform (cloud service provider) it’s designed for and which module (CIEM / CSPM / CWPP) it belongs to. The names are also pretty self-explanatory. 

If you’re only interested in a specific module, you can use the global option --module to specify the module you’re interested in. For example, if we only want to see the currently available CSPM modules we’ll run: 

./CNAPPgoat list --module CSPM

The Status column on the right indicates which scenarios have been deployed, which have not, and which have been destroyed (that is - deployed and then destroyed). 

If you’re interested in acquiring more information about a specific scenario - you can do so using the describe command, for example: 

will produce the following output: 

In order to provision a scenario / multiple scenarios / a module, you can use the “provision” command. If you simply run: 

./CNAPPgoat provision

All scenarios will be deployed upon your confirmation (use this carefully): 

If you state as an argument a space-delimited list of selected scenarios it will provision them, for example: 

./CNAPPgoat provision cspm-aws-ec2-imds-v1-enabled ciem-aws-iam-privesc-ec2-passrole

CNAPPgoat will present you with a log (partially shown in Figure 5, as it’s a bit much) of the operations performed and will present you with the end result of the process: 

Note that when you do this for the first time, CNAPPgoat will also take care of necessary dependencies installation - so it may take a while. Go get some coffee. 

Once the provisioning is complete, you can check the new resources in your cloud environment. 

Now. if you perform the list function - you will see that it clearly indicates the deployed scenarios: 

Rather than deploying scenarios individually, - you can provision an entire module using the global option --module:  

./CNAPPgoat provision --module CSPM

As this may also be a significant operation, it requires confirmation - after that, all scenarios in the selected module will be provisioned, and the output will look something like this: 

As you can see from Figure 8, in case there were any errors in the process of provisioning the scenarios, they are indicated in the output, and you can review the entire log to see exactly what went wrong. For example, the error we got in the above process can be tracked to an invalid zone issue: 

Once you’re done using the deployed scenarios, similar to provisioning them, you can destroy all or specific scenarios / modules with the destroy command: 

./CNAPPgoat destroy

Since now we simply want to clean up, we’ll just run it without any arguments and confirm the operation: 

Once the process is done, we see the following output, clearly indicating what has been destroyed: 

And that about does it! We’ve gone through the basics of using the CNAPPgoat framework.You now know how to explore the tool for existing scenarios, provision and destroy selected scenarios / modules. 

Where Do We Go From Here? 

To the moon! 

As mentioned before - this is just the start. The first step of a very long journey, if you will. 

We firmly believe in the potential of this modular approach to enable almost anyone, regardless of expertise level, to leverage this tool for commercial, technical and educational purposes. 

Soon, we’ll release additional artifacts including deeper technical dives and guides to further support you in using the tool and making contributions. This is also the place to note that any contribution - whether new complete scenarios, scenario proposals , issues, suggestions, feature requests or simply sharing this with your network or organization - would be highly appreciated. If in doubt - just reach out, we’d love to hear from you.  

Cyber security, and specifically cloud security, should be a team sport. And as an industry and community, we’ll be much better off if we join our hands and CNAPPgoat is a great platform to do so. 

Join us on our collaborative path to codifying cloud security. We've got cookies.

Want to learn more? Join our upcoming virtual unboxing event. See you there!