ThreatMapper: Runtime Threat Management and Attack Path Enumeration for Cloud Native
Deepfence ThreatMapper hunts for threats in your production platforms and ranks them by their risk of exploitation. It uncovers vulnerable software components, exposed secrets, and deviations from good security practice. ThreatMapper combines agent-based inspection with agent-less monitoring to get the widest possible coverage for detecting threats.
With ThreatMapper's ThreatGraph visualization, you can then identify the issues that present the greatest risk to the security of your applications, and prioritize these for planned protection or remediation.
Current Deployment Info
https://threatmapper.safibank.online
Architecture
The ThreatMapper product consists of a Management Console, and multiple Sensor Agent containers and Cloud Scanner tasks that are deployed within your production platform(s).
The Management Console is deployed first. It generates an API key and exposes a URL; you need both when you install the Sensor containers and Cloud Scanner tasks.
The Management Console is reached over TLS (port 443), which carries both administrative traffic (web browser and API) and sensor traffic. Firewall or otherwise restrict access to this port so that only authorised admin users and the remote production platforms running sensors are able to connect.
Kubernetes Threatmapper Stack
The stack is deployed using the Helm charts packaged by Deepfence in their official repository: https://github.com/deepfence/ThreatMapper/tree/master/deployment-scripts/helm-charts
Component | Purpose
---|---
Management Console (threatmapper-console) | The ThreatMapper Management Console ("Console") is a standalone application, implemented as a fleet of containers. It should be deployed on either a single docker host, or (for larger deployments) a dedicated Kubernetes cluster. The console is self-contained, and exposes an HTTPS interface for administration and API automation. The console allows you to:
Sensor Agent (threatmapper-agent) | ThreatMapper Sensors are deployed on your production platforms, directly on each production host. They are deployed in the form of a privileged container (the 'Sensor Agent container'). They communicate securely with your ThreatMapper Management Console, taking instructions to retrieve SBOMs and run scans, and forwarding telemetry data. The sensors support the following production platforms:
Router (threatmapper-router) | The router chart deploys Service, Ingress and LoadBalancer resources to allow external access to the management console.
Installation
threatmapper-console & threatmapper-router
The second portion of the values.yaml file holds the values for the router. Initially we tried to expose the console through an Ingress, but that failed, so we resorted to a separate, dedicated external GCP load balancer.
Because the default deepfence-router helm chart has no section for configuring TLS, we could not use cert-manager's automatic certificate issuance (the annotation-driven path that works off an Ingress). Instead we created a separate, custom cert-manager Certificate definition and referenced it in the values.yaml file for the threatmapper agent to use.
Note: TLS termination now happens at the application (console) level rather than at the load balancer/ingress level. The load balancer therefore only forwards TCP and cannot inspect or filter HTTP, and the certificate's private key is held as a Secret in the console's namespace.
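The cert-manager and load-balancer steps above as one script, added here as an example (it is not code from this page or from Deepfence): it renders the cert-manager Certificate for the console hostname, waits for it to become Ready, installs the console and router charts against the resulting Secret, and restricts the external load balancer to known source CIDRs, which is how the port-443 firewalling recommended under Architecture can be enforced on GCP. The namespace, the ClusterIssuer name, the Secret name, the chart checkout path, the `tls.secretName` and `service.type` chart values and the `deepfence-router` Service name are assumptions; check them against the chart's values.yaml before use.

```shell
#!/bin/sh
# Added example, not code from the page or from the Deepfence project.
# Console side: issue the console certificate with cert-manager, hand it to the
# console chart as a TLS secret, and fence the external load balancer to known
# admin and cluster CIDRs (the page's port-443 firewalling advice).
# Assumed, not confirmed by the page: namespace "deepfence", a ClusterIssuer
# "letsencrypt-prod", the chart path under CHART_DIR, the console chart value
# "tls.secretName", the router value "service.type" and the router Service
# name "deepfence-router".
set -eu

NAMESPACE="${NAMESPACE:-deepfence}"                              # assumed
CONSOLE_HOST="${CONSOLE_HOST:-threatmapper.safibank.online}"     # from the page
ISSUER="${ISSUER:-letsencrypt-prod}"                             # assumed
TLS_SECRET="${TLS_SECRET:-deepfence-console-tls}"                # assumed
CHART_DIR="${CHART_DIR:-./deployment-scripts/helm-charts}"       # assumed checkout path

# Render the cert-manager Certificate. cert-manager writes the signed cert and
# key into the kubernetes.io/tls Secret named in spec.secretName.
render_console_certificate() {
  namespace="$1"; host="$2"; issuer="$3"; secret="$4"
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: deepfence-console
  namespace: ${namespace}
spec:
  secretName: ${secret}
  dnsNames:
    - ${host}
  issuerRef:
    name: ${issuer}
    kind: ClusterIssuer
EOF
}

# Cheap sanity check on CIDRs before they are written into the Service:
# each argument must look like a.b.c.d/n with 0 <= n <= 32.
valid_cidr_list() {
  for cidr in "$@"; do
    printf '%s' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  done
  return 0
}

# Strategic-merge patch body that sets spec.loadBalancerSourceRanges. GCP turns
# this into firewall rules in front of the external load balancer.
render_source_ranges_patch() {
  body='{"spec":{"loadBalancerSourceRanges":['
  sep=''
  for cidr in "$@"; do
    body="${body}${sep}\"${cidr}\""
    sep=','
  done
  printf '%s]}}' "$body"
}

# 1. Apply the Certificate, wait until cert-manager marks it Ready, then install
#    the console chart pointing at the resulting Secret. TLS terminates in the
#    console pods, so the private key lives in this namespace: lock down RBAC on
#    Secrets here.
install_console_with_tls() {
  render_console_certificate "$NAMESPACE" "$CONSOLE_HOST" "$ISSUER" "$TLS_SECRET" \
    | kubectl apply -f -
  kubectl -n "$NAMESPACE" wait --for=condition=Ready --timeout=300s \
    certificate/deepfence-console
  helm upgrade --install deepfence-console "$CHART_DIR/deepfence-console" \
    -n "$NAMESPACE" --set tls.secretName="$TLS_SECRET"     # value key assumed
  helm upgrade --install deepfence-router "$CHART_DIR/deepfence-router" \
    -n "$NAMESPACE" --set service.type=LoadBalancer         # value key assumed
}

# 2. Restrict who can reach port 443 on the load balancer: admin egress IPs plus
#    the NAT/egress ranges of every cluster that runs the sensor agent.
restrict_console_access() {
  valid_cidr_list "$@" || { echo "refusing to patch: bad CIDR in '$*'" >&2; return 1; }
  kubectl -n "$NAMESPACE" patch svc deepfence-router \
    -p "$(render_source_ranges_patch "$@")"
}

# Usage (not run automatically):
#   install_console_with_tls
#   restrict_console_access 203.0.113.10/32 198.51.100.0/24   # constructed CIDRs
```

Because TLS terminates in the console pods, the private key sits in the `deepfence-console-tls` Secret; anyone who can read Secrets in that namespace can impersonate the console to every sensor, so RBAC on that namespace matters as much as the source-range firewall.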
threatmapper-agent
The threatmapper agent is installed in several clusters; for each one we explicitly specify the cluster's name and IP in its values.
The API key used by the threatmapper-agent is generated from the user settings page of the management console. It authenticates every sensor to the console, so treat it as a secret: do not commit it in a plaintext values.yaml, and rotate it from the same page if it leaks.
Important Notes
After installation, we had to make sure that the URL in DEEPFENCE CONSOLE URL under global settings had :443 appended at the end; without the explicit port, the agents fail to connect to the console.
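An agent-side pre-install script covering the two notes above (the API key and the `:443` requirement), added here as an example rather than taken from the page or from Deepfence: it normalises the console URL so the port is always explicit, checks the TLS handshake and hostname the sensor will see before the chart is rolled out, and feeds the API key from a file with `--set-file` instead of storing it in a committed values.yaml. The chart checkout path, the key-file location and the `managementConsoleUrl`, `clusterName` and `deepfenceKey` value keys are assumptions; verify them against the agent chart's values.yaml.

```shell
#!/bin/sh
# Added example, not code from the page or from the Deepfence project.
# Agent side: force an explicit :443 onto the console URL (the page notes the
# agents cannot connect without it), probe the console's TLS endpoint before
# rolling the agent out, and keep the API key out of a committed values.yaml.
# Assumed, not confirmed by the page: the agent chart values
# "managementConsoleUrl", "clusterName" and "deepfenceKey", the chart path,
# and the key file location.
set -eu

CHART_DIR="${CHART_DIR:-./deployment-scripts/helm-charts}"   # assumed checkout path
KEY_FILE="${KEY_FILE:-/run/secrets/deepfence-api-key}"      # assumed; mode 0600, not in git

# https://host -> https://host:443, http://host -> http://host:80; an existing
# port and any path are kept. Rejects URLs with a missing or unknown scheme.
console_url_with_port() {
  url="$1"
  case "$url" in
    *://*) ;;
    *) echo "console URL needs a scheme: $url" >&2; return 1 ;;
  esac
  scheme="${url%%://*}"
  rest="${url#*://}"
  hostport="${rest%%/*}"
  path="${rest#"$hostport"}"
  case "$hostport" in
    *:*) ;;                                   # explicit port already present
    *) case "$scheme" in
         https) hostport="${hostport}:443" ;;
         http)  hostport="${hostport}:80" ;;
         *) echo "unsupported scheme: $scheme" >&2; return 1 ;;
       esac ;;
  esac
  printf '%s://%s%s' "$scheme" "$hostport" "$path"
}

# "host port" pair for openssl, derived from a URL that already has a port.
console_host_port() {
  hostport="${1#*://}"
  hostport="${hostport%%/*}"
  printf '%s %s' "${hostport%%:*}" "${hostport##*:}"
}

# Show only a short prefix of the key in logs.
mask_key() {
  key="$1"
  printf '%s...(%d chars)' "$(printf '%s' "$key" | cut -c1-4)" "${#key}"
}

# Fail early if the TLS handshake to the console does not complete, the chain
# does not verify, or the served certificate does not cover the hostname
# (exactly what the sensor will see when it connects).
probe_console() {
  url="$1"
  set -- $(console_host_port "$url")
  host="$1"; port="$2"
  openssl s_client -connect "${host}:${port}" -servername "$host" \
      -verify_hostname "$host" -verify_return_error </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}

install_agent() {
  cluster="$1"
  url="$(console_url_with_port "$2")"
  probe_console "$url"
  echo "installing agent for $cluster -> $url with key $(mask_key "$(cat "$KEY_FILE")")"
  helm upgrade --install deepfence-agent "$CHART_DIR/deepfence-agent" \
    -n deepfence --create-namespace \
    --set clusterName="$cluster" \
    --set managementConsoleUrl="$url" \
    --set-file deepfenceKey="$KEY_FILE"   # key read from a file, never typed into values.yaml
}

# Usage (not run automatically):
#   install_agent prod-gke-eu https://threatmapper.safibank.online
```

The key still ends up in the Helm release Secret inside the cluster, which is unavoidable if the chart takes it as a value; what the `--set-file` approach removes is the copy in source control and in shell history.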
Attachments:
Screen Shot 2022-11-28 at 1.39.37 PM.png (image/png)
Screen Shot 2022-12-01 at 1.29.39 PM.png (image/png)
Screen Shot 2022-12-01 at 1.39.30 PM.png (image/png)
Screen Shot 2022-12-01 at 1.40.29 PM.png (image/png)
Screen Shot 2022-12-01 at 1.42.42 PM.png (image/png)
Screen Shot 2022-12-01 at 1.52.17 PM.png (image/png)
Screen Shot 2022-12-01 at 1.56.37 PM.png (image/png)
Screen Shot 2022-12-02 at 2.04.28 PM.png (image/png)