New Release: Deepfence ThreatMapper 1.2.0 - Attack Path Visualization, AWS Fargate Support, and More

We are pleased to announce the release of Deepfence ThreatMapper 1.2.0, which offers significant feature upgrades since the first open source release in October 2021. ThreatMapper 1.2.0 adds the following capabilities:

• Attack Path Visualization, with a more sophisticated and representative calculation of the Most Exploitable Vulnerabilities
• Support for discovering and scanning AWS Fargate workloads for vulnerabilities
• Support for integration with Google Chronicle
• Community contribution to add ARM support for ThreatMapper sensors opening up threat mapping for IoT and Edge use cases

This major release also includes plenty of community-inspired performance improvements and bugfixes, better support for Kubernetes and containerd hosted workloads, better registry scanning, improved report generation, and UI enhancements.

Since the open source release, the ThreatMapper project has grown to more than 1,000 stars on GitHub, seen 10,000’s of pulls from DockerHub, and has been instrumental in assisting users to identify vulnerable components, such as log4j instances, in their running applications. It’s scanned for vulnerabilities in diverse environments, including workloads running on a Raspberry Pi!

Key Features in ThreatMapper 1.2.0

Attack Path Visualization and Most Exploitable Vulnerabilities Calculations

ThreatMapper’s primary purpose is to help you identify the key security vulnerabilities that need to be addressed first in your production applications because they present the greatest security risk. This latest release includes considerable enhancements that enable you do just that.

Attack Path Visualization 

It is relatively easy to find services that directly face the internet by looking at VPC and security groups, but it’s much harder to find vulnerable services that are further downstream, behind proxies and indirectly receiving potentially malicious traffic. ThreatMapper helps find all these hidden attack paths by continuously correlating vulnerabilities with network traffic.

ThreatMapper’s new Attack Path Visualization displays the top most critical vulnerabilities in a single graphic, illustrating the potential route an external attacker might follow to locate and exploit these issues:

This visualization illustrates the potential attack route to exploit these vulnerabilities. You can respond with immediate action, such as securing application traffic with a Web Application Firewall, to limit the exposure, while your developers work on updating, testing, and redeploying the vulnerable applications.

Most Exploitable Vulnerabilities

ThreatMapper’s Most Exploitable Vulnerabilities calculation considers a variety of important characteristics about the discovered vulnerabilities in order to rank them based on their ease of exploitation - including severities of affected vulnerabilities, attack vectors, proximity to the external attack surface, and more. The 1.2.0 release brings enhancements to this calculation to place even greater weight on network accessibility and the presence of live network connections to the affected workloads, alongside other heuristics, in order to give a more representative assessment of the relative risks of high-severity vulnerabilities. 

Support for AWS Fargate

With capabilities added from our enterprise ThreatStryker product, ThreatMapper now fully supports AWS Fargate workloads. ThreatMapper consists of two components – a management console and a series of sensors that you deploy to your production platforms. In an AWS Fargate environment, ThreatMapper sensor agents are deployed as a sidecar container, using a task definition, and they automatically register with your ThreatMapper Management Console.

With this capability, you can monitor a broad application estate, both spanning multiple cloud and deployment environments, and multiple cloud modalities - containers, serverless, bare metal, and virtual machines.

Support for Google Chronicle

We’ve added support for Google Chronicle to the range of notification, SIEM, and ticketing integrations in ThreatMapper. Google Chronicle is emerging as a common alternative to Splunk, Elasticsearch, and Sumo Logic. ThreatMapper can push the results of vulnerability scans and the audit logs of user activities to Google Chronicle for offline analysis and action.

ARM Support

Open source software doesn’t happen without an active open source community backing it. We are delighted that the 1.2.0 release features a community contribution to add ARM support for ThreatMapper sensors, which opens up security observability and threat mapping for both IoT and Edge use cases. 

We’d love to give a shout out to community member armorvx for adapting the ThreatMapper sensor for ARM and proving it out by running the sensor on a Raspberry Pi!

Other Changes in ThreatMapper 1.2.0

In ThreatMapper 1.2.0, you’ll also see:

• Improvements to vulnerability scans, with wider support for containerd and Kubernetes platforms. You can scan an entire Kubernetes cluster - nodes and pods - with a single click or API call. Improved speed for complex scans reduce the time needed to fully scan both the operating system and language components in an image.
• Enhancements to registry scans, including support for AWS ECR target account role ARN, better feedback on progress, and support for tag-based filtering of artifacts.
• Better report generation (PDF and xslx) for offline use, with improved filtering and fixes to the download process.
• Multiple UI and user experience improvements, such as the ability to invite users to the Management Console without the need to configure an email relay, and more metadata reported against containers and other workloads so you can more easily identify them.

Getting ThreatMapper 1.2.0

We’re excited about all the new features now available in ThreatMapper, and are very thankful for all the contributions and support from the growing open source ThreatMapper community. 

Here are some resources to learn more and try it out:

• To install or upgrade ThreatMapper 1.2.0, please refer to the detailed installation instructions.
• For technical support, please get in touch using the Deepfence Community Slack.
• For source code and issue tracking, refer to ThreatMapper GitHub.
• See ThreatMapper 1.2.0 in action in this video tutorial

Deepfence is dedicated to helping organizations secure their infrastructure and applications across the cloud native continuum. ThreatMapper open source scans, maps, and ranks vulnerabilities in running containers, images, hosts, and repositories. ThreatStryker elevates these capabilities by providing runtime attack analysis, threat assessment, and targeted protection.

Interested in learning more? Schedule a consultation with one of our security experts today.