SaFi Bank Space : Self Managed Vulnerability Scanner - ThreatMapper

ThreatMapper is a runtime threat management and attack path enumeration platform for cloud-native environments.

Deepfence ThreatMapper hunts for threats in your production platforms and ranks these threats based on their risk of exploit. It uncovers vulnerable software components, exposed secrets, and deviations from good security practices. ThreatMapper uses a combination of agent-based inspection and agent-less monitoring to provide the widest possible coverage to detect threats.

With ThreatMapper's ThreatGraph visualization, you can then identify the issues that present the greatest risk to the security of your applications, and prioritize these for planned protection or remediation.

Current Deployment Info

https://threatmapper.safibank.online

Architecture

The ThreatMapper product consists of a Management Console, and multiple Sensor Agent containers and Cloud Scanner tasks that are deployed within your production platform(s).

ThreatMapper Components

The Management Console is deployed first. The Management console generates an API key and a URL which you will need when you install the Sensor containers and Cloud Scanner tasks.

The Management Console is managed over TLS (port 443), used for administrative traffic (web browser and API) and for sensor traffic. You should firewall or secure access to this port so that only authorised admin users and remote production platforms are able to connect.

Kubernetes Threatmapper Stack

This is deployed using the Helm charts packaged by Deepfence in their official repository: https://github.com/deepfence/ThreatMapper/tree/master/deployment-scripts/helm-charts

Components and their purpose

deepfence-console

The ThreatMapper Management Console ("Console") is a standalone application, implemented as a fleet of containers. It should be deployed on either a single docker host, or (for larger deployments) a dedicated Kubernetes cluster. The console is self-contained, and exposes an HTTPS interface for administration and API automation.

The console allows you to:

  • Manage the users who can access the console.

  • Configure Infrastructure API access and interrogate platform configurations.

  • Visualize and drill down into Kubernetes clusters, virtual machines, containers and images, running processes, and network connections in near real time.

  • Invoke vulnerability scans on running containers and applications and review the results, ranked by risk-of-exploit.

  • Invoke compliance scans on infrastructure configuration ('agentless') and on infrastructure hosts ('agent-based'), manually or automatically when they are added to a cluster.

  • Scan container registries for vulnerabilities, to review workloads before they are deployed.

  • Scan image builds during the CI/CD pipeline, supporting CircleCI, Jenkins, and GitLab.

  • Scan containers and host filesystems for unprotected secrets, including access tokens, keys and passwords.

  • Configure integrations with external notification, SIEM and ticketing systems, including Slack, PagerDuty, Jira, Splunk, ELK, Sumo Logic, and AWS S3.

ThreatMapper supports multiple production deployments simultaneously, so that you can visualize and scan workloads across a large production estate.

deepfence-agent

ThreatMapper Sensors are deployed on your production platforms, directly on each production host. They are deployed in the form of a privileged container (the 'Sensor Agent container'). They communicate securely with your ThreatMapper Management Console, taking instructions to retrieve SBOMs and run scans, and forwarding telemetry data.

The sensors support the following production platforms:

  • Kubernetes: The sensors are deployed as a daemonset, similar to other kubernetes services.

  • Docker: The sensor is deployed as a docker container on each docker host.

  • Bare metal and VM-based platforms: Sensors are deployed as a Docker container on each Linux operating system instance, using a Docker runtime. Linux instances are supported; Windows Server is not supported, although an experimental implementation is available.

  • AWS Fargate: The sensor is deployed as a daemon service alongside each serverless instance.

deepfence-router

The router chart deploys Service, Ingress and LoadBalancer resources to allow external access to the management console.

Installation

threatmapper-console & threatmapper-router

The second portion of the values.yaml file consists of values for the router. Initially we tried to use Ingress but it failed, so we then resorted to using a separate dedicated external GCP load balancer.

Because the default Helm chart for deepfence-router didn't include a section for specifying TLS, we couldn't leverage cert-manager's automatic certificate generation feature. So we created a separate custom cert-manager Certificate definition, which we then referred to in the values.yaml file for the threatmapper agent to use.

Note: SSL termination now happens at the application server level instead of at the load balancer/ingress level.
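As an added illustration (not taken from the original page or from the Deepfence charts), this is the shape of a standalone cert-manager Certificate for the console hostname; the ClusterIssuer name "letsencrypt-prod", the namespace "deepfence" and the secret name "threatmapper-console-tls" are assumptions and must be replaced with the values used in the actual deployment.

```yaml
# Added example: standalone cert-manager Certificate for the ThreatMapper console.
# Assumptions (not from the original page): ClusterIssuer "letsencrypt-prod",
# namespace "deepfence", resulting TLS secret "threatmapper-console-tls".
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: threatmapper-console-cert
  namespace: deepfence
spec:
  # Secret cert-manager creates and keeps renewed; reference this secret name
  # from values.yaml so the console terminates TLS with the issued certificate.
  secretName: threatmapper-console-tls
  dnsNames:
    - threatmapper.safibank.online
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  # Renew well before expiry so sensors never see an expired console certificate.
  duration: 2160h    # 90 days
  renewBefore: 360h  # 15 days
  privateKey:
    algorithm: RSA
    size: 2048
    # Rotate the private key on every renewal instead of reusing it.
    rotationPolicy: Always
```

After applying it, confirm `kubectl get certificate -n deepfence` reports READY=True before pointing the console at the secret; a certificate stuck in a non-ready state is the usual reason sensors fail the TLS handshake.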

threatmapper-agent

The ThreatMapper agent is installed across multiple clusters; for that we explicitly specify each cluster's name and IP.

The API key used by the threatmapper-agent is generated from the user settings page.

Important Notes

After installation, we had to make sure that in the global settings the URL in DEEPFENCE CONSOLE URL had :443 appended at the end; without it, the agents fail to connect to the console.