
Support Attack Flow as export format

Open Magier opened this issue 9 months ago • 2 comments

Mitre's Attack Flow project is a data model for describing sequences of adversary behaviors. It helps defenders understand how adversaries operate and improve their own defensive posture and may lead to DEATH (Detection Engineering And Threat Hunting).

KubeHound is great at finding various attack paths in a Kubernetes environment. However, it's challenging to further use these inferred attack paths to power other tools. Attack Flow may be a very natural way to build the interface to other tools and hence greatly improve the utility of KubeHound.

Magier (Apr 02 '25 21:04)

Thank you for your contribution; we will look at the Attack Flow specification.

Would you prefer attack path profiles, concrete attack paths, or both, exportable to Mitre Attack Flow?

--

The attack path profile would be like this:

[image: attack path profile]

A concrete attack path would be like this:

[image: concrete attack path]

Zenithar (Apr 03 '25 06:04)

To be honest, I am not aware of attack flows differentiating between specific paths and profiles. Ideally, the resulting flows could be used as execution plans for emulation frameworks, so more abstract representations have a higher utility (i.e. target deployments vs. specific pods). IMO, concrete attack paths are better for post-emulation analysis, i.e. the actions were executed and now detection tools want to match the IoCs (which can be part of the attack path) with the observed data.

Magier (Apr 04 '25 08:04)
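As an added example (not KubeHound's code, and not the implementation from the PR), a converter that writes an ordered attack path as an Attack Flow STIX 2.1 bundle, with attack-actions chained through `effect_refs` and assets kept as separate objects, so a profile (deployment-level assets) and a concrete path (pod-level assets) share one shape that a downstream emulation planner or detection matcher can walk. The extension-definition id is assumed from the Attack Flow spec, and the sample path, asset names and tactic/technique ids are constructed for illustration.

```python
import uuid
from datetime import datetime, timezone
# Assumed from the Attack Flow 2.x spec: the STIX extension-definition id that marks
# attack-flow/attack-action/attack-asset objects. Verify against the published schema.
ATTACK_FLOW_EXT = "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"

def _sdo(stix_type, now, **fields):
    """Build a STIX 2.1 domain object carrying the Attack Flow extension marker."""
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
            "created": now, "modified": now,
            "extensions": {ATTACK_FLOW_EXT: {"extension_type": "new-sdo"}}, **fields}

def path_to_attack_flow(name, steps, scope="other"):
    """Export an ordered attack path (dicts with name, tactic_id, optional technique_id, asset)
    as a STIX bundle: one attack-flow, attack-actions chained via effect_refs, one asset each."""
    if not steps:
        raise ValueError("an attack flow needs at least one action")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    assets, actions = {}, []
    for step in steps:
        asset = step.get("asset")  # deployment for a profile, pod/node for a concrete path
        if asset and asset not in assets:
            assets[asset] = _sdo("attack-asset", now, name=asset)
        action = _sdo("attack-action", now, name=step["name"], tactic_id=step["tactic_id"])
        if step.get("technique_id"):
            action["technique_id"] = step["technique_id"]
        if asset:
            action["asset_refs"] = [assets[asset]["id"]]
        actions.append(action)
    for prev, nxt in zip(actions, actions[1:]):  # sequence edge: prev's effect is nxt
        prev["effect_refs"] = [nxt["id"]]
    flow = _sdo("attack-flow", now, name=name, scope=scope, start_refs=[actions[0]["id"]])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [flow, *actions, *assets.values()]}

def action_chain(bundle):
    """Walk effect_refs from the start action: the order a consumer tool would replay or match."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    flow = next(o for o in bundle["objects"] if o["type"] == "attack-flow")
    names, cur = [], by_id[flow["start_refs"][0]]
    while cur is not None:
        names.append(cur["name"])
        cur = by_id.get(cur.get("effect_refs", [None])[0])
    return names
# Constructed sample (not KubeHound output): a concrete, pod-level path with MITRE tactic ids.
SAMPLE_PATH = [
    {"name": "Code execution in exposed pod", "tactic_id": "TA0001", "asset": "pod/web-7f9c"},
    {"name": "Escape to node from privileged container", "tactic_id": "TA0004",
     "technique_id": "T1611", "asset": "pod/web-7f9c"},
    {"name": "Reuse node credentials against the API server", "tactic_id": "TA0008", "asset": "node/worker-1"},
]
```

For a profile export, pass deployment-level asset names instead of pod names; the bundle shape is unchanged.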

The feature has been added as an experiment in PR #346.

Zenithar (Jun 19 '25 11:06)