When researching vulnerabilities, we often find that environment setup takes up a significant amount of time, and in comparison, the actual time spent testing PoCs and exploits may be relatively short. Meanwhile, there are excellent security projects in the open-source community, such as Vulhub and VulApps, which package vulnerability scenarios into images, allowing researchers to quickly start working. However, these projects primarily focus on application vulnerabilities. So, what if we need to study vulnerabilities in underlying infrastructure, such as Docker, K8s, or operating system kernels?
Metarget is dedicated to automating the construction of vulnerable scenarios in underlying infrastructure and multi-layer cloud-native environments.
What is Metarget?
Metarget is the industry’s first open-source cloud-native cyber range, designed to quickly and automatically build vulnerable cloud-native environments, ranging from simple to complex.
Metarget supports the automated construction of two types of vulnerable scenarios: cloud-native components and containerized applications, enabling the generation of multi-node, multi-layer cloud-native cyber range.
Metarget has been included in the CNCF Cloud Native Landscape, has over 11,000 stars on GitHub, and is widely used by security researchers.
Metarget effectively assists security researchers in learning about vulnerabilities, helps red and blue teams and penetration testers improve their cloud-native security offensive and defensive skills, and aids security product developers in testing the threat detection and response capabilities of cloud-native defense systems.
Currently, Metarget supports over 330 vulnerabilities, covering program components such as Docker, K8s, runC, containerd, kernels, dangerous configurations, and risky mounts. It also covers scenarios such as container escape, privilege escalation, and denial of service. All these vulnerability environments support one-click automated deployment, eliminating the need for security researchers to set up environments manually.
After receiving extensive user feedback, we identified some shortcomings in Metarget. Due to factors like network environment, Ubuntu version, and Docker version, the automatic installation of vulnerability environments through scripts sometimes fails, and locating the root cause of failure can be difficult. To address this, we have improved the original version of Metarget and launched Metarget 1.0.
What’s New in Metarget 1.0
- Vulnerability Environment Images: For the first time, we are providing pre-built vulnerability environment images to reduce the likelihood of installation failures and enhance the user experience.
- Over 330 Vulnerabilities Supported: The coverage of cloud-native vulnerability scenarios has been greatly expanded.
- New Vulnerability Environments and Cloud-Native ATT&CK Matrix Mapping: We have added mappings to the ATT&CK matrix to build a relationship between cloud-native cyber range and penetration testing scenarios in cloud-native environments.
- One-Click Recovery of Vulnerability Environments: After installing the vulnerability environment, users can easily restore their normal environment with one click, reducing the impact of vulnerabilities on the user’s system and improving the overall experience.
1. Virtualization and Vulnerability Environment Images: Optimizing User Experience
To improve the user experience, we are introducing a vulnerability environment virtualization solution based on Docker and QEMU technology. This solution has the following features:
- No script assistance required: Users can directly use the pre-built images, eliminating the need for complex command-line operations.
- Ready-to-use: Users can easily pull images or build Dockerfiles to obtain the vulnerability environment, achieving a true “plug-and-play” experience.
- Built-in dependencies: We have pre-integrated runtime requirements and dependencies (such as Kernel versions, runC versions, etc.) into validated base images to ensure environment stability.
- Reduced installation failures: This approach significantly lowers the failure rate caused by differences in network environments and Ubuntu versions, thus enhancing the user experience.
Step 1: Build the Docker Image
Step 2: Run the Target Vulnerability Environment Image
2. Over 330 Vulnerabilities Supported: Comprehensive Coverage of Cloud-Native Vulnerability Scenarios
Thanks to the combined efforts of the community and academic security researchers, the number of vulnerabilities supported by Metarget has continuously increased.
Currently, Metarget supports over 330 cloud-native/cloud environment vulnerabilities. These cloud-native component vulnerabilities include program components such as Docker, K8s, runC, Containerd, Kernel, dangerous configurations, and risky mounts. The covered scenarios include container escape, privilege escalation, denial of service, and more.
3. ATT&CK Matrix Mapping: Building a Relationship Between Cloud-Native Cyber Range and Penetration Testing Scenarios
To provide a macro-level understanding of the coverage of Metarget’s cloud-native offensive and defensive scenarios, we have mapped each vulnerability environment to the cloud-native ATT&CK matrix. This creates a one-to-one relationship between cloud-native cyber range and penetration testing in cloud-native scenarios. With this mapping, users can clearly understand the role of these cyber range in practical offensive and defensive exercises. When used with red team tools, it can help red and blue teams, penetration testers, and security product developers enhance their cloud-native security skills and test the threat detection capabilities of cloud-native defense systems. For example, when used with the cloud-native attack suite developed by NSFOCUS, the ATT&CK matrix coverage reaches 70%, essentially covering the most common cloud-native penetration paths.
4. One-Click Recovery of Vulnerability Environments: Minimizing Impact and Enhancing User Experience
Although Metarget previously supported some recovery functions after using vulnerability environments, we found that support for certain components (such as Kernel vulnerabilities) was insufficient. This time, we have made improvements to support more one-click recovery features, allowing users to restore their normal environment by removing related components and vulnerabilities (such as K8s, Kernel, etc.).
In the future, we plan to integrate features like CTF and scoring to better adapt to training needs in academia and competitions. Stay tuned!
