ChaosXploit: A Security Chaos Engineering framework based on Attack Trees

Security incidents may have several origins. However, many times they are caused due to components that are supposed to be correctly configured or deployed. Traditional methods may not detect those security assumptions, and new alternatives need to be tried. Security Chaos Engineering (SCE) represents a new way to detect such failing components to protect assets under cyber risk scenarios. This paper proposes ChaosXploit, a security chaos engineering framework based on attack trees, which leverages the chaos engineering methodology along with a knowledge database composed of attack trees to detect and exploit vulnerabilities in different targets as part of an offensive security exercise. Once the proposal is explained, a set of experiments are conducted to validate the feasibility of ChaosXploit to validate the security of cloud managed services, i.e. Amazon buckets, which may be prone to misconfigurations.