Full Report
Wiz extends its cloud analysis with an external scanner, giving customers an attacker's view of their externally exposed resources to reduce noise.
Analysis Summary
# Tool/Technique: Wiz Dynamic Scanner / Cloud Network Analysis Engine
## Overview
This entry details enhancements to the Wiz cloud security platform, specifically focusing on an updated **cloud-native network analysis engine** integrated with a **dynamic scanner**. The purpose of these tools is to help organizations understand, visualize, and validate their effective external attack surface in cloud environments (including VMs, containers, and serverless functions) from an attacker's perspective.
## Technical Details
- Type: Tool / Security Platform Feature
- Platform: Cloud Environments (AWS, Azure, GCP infrastructure, Kubernetes)
- Capabilities: Comprehensive analysis of network configuration layers, dynamic port validation, external-facing screenshot capture of exposed endpoints, risk prioritization, and integration with the Wiz Security Graph.
- First Seen: Not stated in the article; the enhancements are presented as recent additions to the platform.
## MITRE ATT&CK Mapping
The focus here is on reconnaissance and initial access enabled by misconfigurations, which these tools help defenders identify.
- **TA0043 - Reconnaissance**
- T1595 - Active Scanning
- T1595.001 - Scanning IP Blocks (identifying exposed IPs, ports, and services; the article's dynamic scanner performs this from the defender's side)
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (Identifying applications like Jenkins or ELK that are exposed and potentially exploitable)
## Functionality
### Core Capabilities
- **Full Visibility on Externally Exposed Resources:** Analyzes network rules across load balancers, firewalls, gateways, VPCs, and subnets, and traces the path each packet would take from the internet to a resource; a resource is only reported as exposed if every layer on that path admits the traffic.
- **Dynamic Validation:** The dynamic scanner attempts to connect externally to resources, validating if ports and IP addresses identified via static analysis are truly reachable (an outside-in approach).
- **Contextual Prioritization:** Moves beyond binary checks (like "Does this VM have a public IP?") to understand if exposure is legitimate or risky based on network topology and validation status.
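The two stages described above, static path analysis followed by outside-in validation, in miniature. This is an added example, not Wiz's code: the cloud objects (subnets, route flags, security-group rules, resource names) are constructed sample data, the probe target is a local listener standing in for an exposed web application, and the captured page title is the text analogue of the screenshot feature. The verdicts (`validated-exposure`, `theoretical-exposure`, `unexplained-exposure`, `not-exposed`) are this example's own labels.

```python
"""Static exposure analysis, then outside-in validation (added example)."""
import re
import socket
import threading
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class Resource:
    name: str
    public_ip: Optional[str]   # public / elastic IP attached, or None
    subnet: str                # subnet of the primary interface
    security_groups: List[str]


# Constructed sample topology (assumed for illustration, not from the article).
SUBNET_HAS_IGW_ROUTE = {"subnet-public": True, "subnet-private": False}
SG_INGRESS = {                        # security group -> [(source_cidr, port)]
    "sg-jenkins": [("0.0.0.0/0", 8080)],    # weak: open to the internet
    "sg-kibana": [("10.0.0.0/8", 5601)],    # hardened: internal sources only
    "sg-postgres": [("0.0.0.0/0", 5432)],
}


def cidr_is_internet_facing(cidr: str) -> bool:
    """True if an arbitrary internet host matches the ingress source."""
    net = ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private


def statically_exposed(res: Resource, port: int,
                       sg_ingress=SG_INGRESS, igw_routes=SUBNET_HAS_IGW_ROUTE) -> bool:
    """Stage 1: public IP attached -> subnet routes to an internet gateway ->
    a security group admits the port from an internet-facing CIDR."""
    if res.public_ip is None or not igw_routes.get(res.subnet, False):
        return False
    return any(cidr_is_internet_facing(cidr) and rule_port == port
               for sg in res.security_groups
               for cidr, rule_port in sg_ingress.get(sg, []))


def probe(host: str, port: int, timeout: float = 2.0) -> dict:
    """Stage 2: connect from outside and record what an unauthenticated
    HTTP request gets back (page title if present, else the status line)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: %b\r\n\r\n" % host.encode())
            data = s.recv(1024)
    except OSError:                      # refused, filtered, or timed out
        return {"reachable": False, "evidence": ""}
    m = re.search(rb"<title>(.*?)</title>", data, re.I | re.S)
    evidence = m.group(1) if m else data.split(b"\r\n", 1)[0]
    return {"reachable": True, "evidence": evidence.decode(errors="replace").strip()}


def classify(on_paper: bool, reachable: bool) -> str:
    if on_paper and reachable:
        return "validated-exposure"      # open in config and answering: fix first
    if on_paper:
        return "theoretical-exposure"    # open in config, nothing listening
    if reachable:
        return "unexplained-exposure"    # reachable via a path the model missed
    return "not-exposed"


def assess(res: Resource, port: int, **kw) -> dict:
    on_paper = statically_exposed(res, port, **kw)
    live = probe(res.public_ip, port) if res.public_ip else {"reachable": False, "evidence": ""}
    return {"resource": res.name, "port": port, "static": on_paper,
            "reachable": live["reachable"], "evidence": live["evidence"],
            "verdict": classify(on_paper, live["reachable"])}


def start_fake_service(body: bytes) -> int:
    """Constructed stand-in for an exposed web app; serves one request."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" + body)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    """Reserve and release a local port so a probe against it is refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_service(b"<title>Dashboard [Jenkins]</title>")
    rules = {"sg-jenkins": [("0.0.0.0/0", port)]}
    ci = Resource("jenkins-ci", "127.0.0.1", "subnet-public", ["sg-jenkins"])
    print(assess(ci, port, sg_ingress=rules))
```

Run stand-alone, the script reports the sample Jenkins host as `validated-exposure` with the page title as evidence; pointing the same rules at a port nothing listens on yields `theoretical-exposure`, which is the class of finding the dynamic validation step exists to demote.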
### Advanced Features
- **Attacker Perspective View:** Takes a screenshot of the exposed endpoint (e.g., a Jenkins login page or an ELK dashboard) upon successful connection attempt, showing security teams exactly what an attacker would see.
- **Integration with Wiz Cloud Detection and Response (CDR):** Enriches the static risk analysis with cloud event analysis to determine if high-risk resources have been actively targeted.
- **Graph-Based Analysis:** Uses the Wiz Security Graph to build a complete network topology across cloud and Kubernetes layers.
## Indicators of Compromise
The tool is not malware and has no IOCs of its own; what it produces are exposure findings caused by misconfiguration, so the fields below describe what it *surfaces* rather than what identifies it.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: **Surfaces** resources with public IPs and open ports hosting services such as Jenkins or ELK stacks. (No specific IPs are given; they are environment-specific.)
- Behavioral Indicators: A successful external connection by the dynamic scanner to a port that static analysis flagged as exposed, confirming the exposure is real.
## Associated Threat Actors
This tool set is used by **cloud defenders and security teams** to protect against threat actors who exploit common cloud misconfigurations. The article names no specific threat actor; it refers generically to attackers who target commonly exposed services such as **databases, Jenkins servers, and ELK stacks**.
## Detection Methods
The system is itself a detection and prioritization engine, not something defenders need to detect.
- Signature-based detection: N/A (it analyzes configurations and reachability, not traditional signatures).
- Behavioral detection: The scanner's own validation probes are outbound connection attempts from outside the environment; the article presents them as a validation step that confirms exposure, not as activity to be detected.
- YARA rules if available: N/A
## Mitigation Strategies
The primary goal is risk reduction by addressing exposure:
- **Attack Surface Reduction:** Identifying and eliminating unnecessary public exposure of cloud resources.
- **Configuration Hardening:** Reviewing and correcting network rules, security groups, load balancers, and VPC settings to restrict external access.
- **Prioritization:** Using the dynamic scanner and screenshot feature to prioritize remediation efforts on the most critical, externally validated risks (e.g., publicly accessible Jenkins or ELK servers).
- **Contextual Awareness:** Moving beyond legacy CSPM tools to incorporate runtime and network topology context for better decision-making.
## Related Tools/Techniques
- **External Attack Surface Management (EASM):** Mentioned as a related concept, which the Wiz tool enhances by adding cloud context.
- **Cloud Security Posture Management (CSPM):** The solution aims to surpass the limitations of legacy CSPM by adding dynamic validation context.