Security incidents may have several origins. However, they are often caused by components that are assumed to be correctly configured or deployed. Traditional methods may not detect those security assumptions, and new alternatives need to be tried. Security Chaos Engineering (SCE) represents a new way to detect such failing components to protect assets under cyber risk scenarios. This paper proposes ChaosXploit, a security chaos engineering framework based on attack trees, which leverages the chaos engineering methodology along with a knowledge database composed of attack trees to detect and exploit vulnerabilities in different targets as part of an offensive security exercise. Once the proposal is explained, a set of experiments is conducted to assess the feasibility of using ChaosXploit to validate the security of cloud managed services, i.e., Amazon buckets, which may be prone to misconfigurations.
| Original language | English (US) |
| Title of host publication | VII Jornadas Nacionales de Investigación en Ciberseguridad (JNIC) |
| Place of Publication | Bilbao |
| Number of pages | 8 |
| State | Published - Jun 27 2022 |
All Science Journal Classification (ASJC) codes
- Computational Mathematics