Cloud Sniper is an open-source platform for managing cloud security operations that aims to make it easy for cloud teams to deal with security incidents.
“One of our main goals is end-to-end automation of security incident lifecycles. Cloud Sniper performs automatic actions from deployment via Terraform to findings management,” Nicolás Rivero Corvalán, one of the tool’s creators, told Help Net Security.
“When using this platform, the lifecycle of a particular use case is covered end-to-end: from a simple action, detection, and slack notification to complex integrations with correlation, self-remediation, and exception management through actions performed by a slack bot, as an example.”
The Cloud Sniper project
Cloud Sniper is the creation of Corvalán, Matías Marenchino, Santiago Friquet and Luciano Carranza Berra, a multidisciplinary team from the field of security, DevOps and ML, “with a 100% cloud mentality.”
“We know that the security paradigm has changed and we want to provide an extensible platform that reduces false positives and allows teams to verify the security posture in cloud environments,” Corvalán noted.
The project was conceived to detect attacks by processing threat intelligence feeds, automating the code, and using machine learning techniques to detect anomalies in cloud environments. Later, extra modules were added to run security tabletop exercise and collect information from cloud environments to feedback into the platform’s automations.
“Cloud Sniper is a detection-as-code platform, which uses Python as the main programming language. Due to Python’s popularity, it is easy to understand and extend our code, adapting it to specific needs. We use infrastructure as code (IaC) and integrate to cloud resources natively so that detection can be automated end-to-end,” Corvalán explained.
The tool’s current main limitation is that, due to time and resource constraints, it is focused on AWS but the team hopes to extend it to other cloud providers such as GCP or Azure.
A collection of stacks
End-to-end use case lifecycles are defined in various Cloud Sniper stacks, which are all based on the same approach: get real actionable findings and perform automatic actions.
For example, the Analytics stack introduces an analytics module to analyze data, metrics and telemetry generated on the cloud, and analyzes VPC flows to detect and flag beaconing patterns and other abnormal traffic patterns.
The stacks can be run individually, but running the entire platform provides correlation, orchestration, and visibility of security use cases.
Upcoming improvements and plans for the future
The team is scheduled to present and demo Cloud Sniper at Black Hat Asia 2021 Arsenal in early May, where they will also be showcasing two new modules.
“Cloud Droid lets you perform incident and response simulations, which measures the effectiveness in defining the incident response plan. It works as a red/purple-team-as-code, which checks if your security posture is adequate,” Corvalán shared.
“Cloud Lusat provides internal threat intelligence feeds, inventory, and compliance data collection. The goal is to get more indicators of compromise, integrated with the Cloud Sniper orchestrator, and perform automatic remediation actions. We are currently working on an integration with Kubernetes and Falco, as our goal is to integrate with any open source project that provides more visibility to mitigate incidents in cloud environments.”
The team’s short term goal for Cloud Sniper is to be part of the CNCF project, and they are working hard for it.
“We consider that success is 100% linked to the community being able to extend the functionalities of the platform since cloud environments provide a wide range of use cases to cover. We also believe that integrating it with many other successful open source projects is fundamental to enrich the cloud ecosystem,” he concluded.