Automated Attack Graph generation from CTI for Kubernetes networks

Alessandro Ermini

Supervisors: Cataldo Basile, Francesco Settanni. Politecnico di Torino, Master's degree programme in Cybersecurity, 2025

Abstract:

In today’s digital landscape, organizations are increasingly reliant on cloud-native technologies to build, deploy, and manage scalable, resilient, and efficient services. Among these technologies, Kubernetes has emerged as the de facto standard for container orchestration. However, the adoption of this new technology also brings about a new set of security challenges. Its dynamic, distributed architecture, combined with its complexity, expands the attack surface and introduces novel vulnerabilities that traditional threat modeling might struggle to address. At the same time, the cyber threat landscape continues to evolve rapidly. Adversaries are constantly developing and refining their tactics, techniques, and procedures (TTPs), often exploiting the misconfigurations of cloud-native infrastructures. In response to this ever-shifting threat environment, Cyber Threat Intelligence (CTI) has become a critical resource. CTI provides organizations with contextualized, relevant information about potential threats, enabling more informed defensive strategies. However, the volume and complexity of CTI data can overwhelm human analysts, making it difficult to extract timely and actionable insights. This thesis addresses this critical challenge by introducing an automated tool designed to generate attack graphs from structured CTI. These graphs model the possible attack paths that adversaries could exploit within Kubernetes-based environments, enabling a more proactive and informed approach to defense. The solution leverages the MulVAL attack graph engine, integrating it with a comprehensive representation of both Kubernetes infrastructure components and mapped adversarial techniques derived from CTI sources. By doing so, the tool is able to dynamically model potential security breaches, taking into account known vulnerabilities, system configurations, and attacker behavior patterns. The generated attack graphs serve as a visual and analytical aid for security analysts. They provide actionable insights, helping analysts understand the progression of potential attacks, identify critical assets at risk, prioritize mitigation efforts, and implement targeted countermeasures more effectively.

Supervisors: Cataldo Basile, Francesco Settanni
Academic year: 2025/26
Publication type: Electronic
Number of pages: 93
Additional information: Confidential thesis. Full text not available
Subjects:
Degree programme: Master's degree programme in Cybersecurity
Degree class: New system > Master's degree > LM-32 - COMPUTER ENGINEERING
Collaborating companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/37935