Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / CloudNativeSecurityCon 2023 - Seattle / 2 Feb 2023
Cloud Native Computing Foundation / CloudNativeSecurityCon 2023 - Seattle / 2 Feb 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Get Your Security Priorities Straight! How to Identify Workloads Und... Ben Hirschberg & Arie Haenel

Description

Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Get Your Security Priorities Straight! How to Identify Workloads Under Real Threat with Context - Ben Hirschberg, ARMO & Arie Haenel, Intel

Is a privileged container a security threat? Should you spend time defining a pod so it can run with a read-only filesystem? These and similar questions are raised constantly by multiple authors and projects. In most cases, there is a good reason behind these questions. However, the difference between a potential threat and a real one is far from self-explanatory and highly depends on the circumstances to differentiate between real threats. This is where the answer lies and we are presenting a security prioritization system for Kubernetes workloads that is based on the MITRE framework and its categorization. This system is built upon data aggregated from a high volume of security controls, that cover multiple projects, structured in a way that makes it easy to find contextual information about different problems. We are going to present the algorithm behind the prioritization engine which is able to calculate the security exposures score for a diversity of Kubernetes workloads. We will then review the results based on real production clusters, and how they fair against real security analysis, enabling anyone to differentiate between actual threats that should be mitigated quickly and those we can be less concerned about.

A

So, let's talk about security priorities and how can we detect them um easily? Okay, I'm going to present you with an interesting uh research, we've been doing in the last three months together with Intel security.

A

um So do you know this guy I guess you've heard of him so Ken in the next picture. I'm going to ask you to point him out: do you find him? Everyone looks similar right.

A

Sometimes it's really hard, okay to pick out the real one right, the real things which are which are bothering us: okay, when we're looking for uh um for a Target okay, in our case, okay, to improve Security in in the cloud native World, okay. Sometimes it's really hard for with today's tooling to improve security posture. Okay, we have uh a lot of great tools, giving us a ton of information and it for us. It's for you know, and I can talk right now. We are not in kubecon right.

A

We are in Cloud native security, so among Security Professionals, sometimes really hard for us to pick out the real issues. So this is what uh what I talk is going to be. Today uh uh we are going to I'm going to present you today a talk with Arya who's. uh We pre-recorded him for this talk. He couldn't make it here uh who is uh part of the Intel assert team? Okay, they are like an offensive security team.

A

We inside Intel, okay, giving uh um helping product security teams to improve uh their uh product from a security perspective and cubescape. Okay, cubescape is a Sandbox sandbox project in cncf for kubernetes security posture and we're going to show you a research and which we've been doing for a while again on how to prioritize okay security issues uh in kubernetes, using what we call attack chains uh and we're going to show you a demo. Okay of of How It's been used inside the Intel assert team in the last month.

A

So a few words about me. Those who don't know me.

B

Already.

A

um I just had a talk in the Next Room, so some some of you might already heard this okay, but I'm Ben, I'm, CTO and co-founder at armo. Armo is a kubernetes security company startup based in Israel, but we are like. We have all people around the whole globe in my previous uh uh stints, okay been working as an offensive security engineer for a long time, also went to the defensive side and then went into RND and creating products, then to Startup I'm I'm fluent in a lot of languages.

A

English is not one of them, so I'm, sorry, if I'm making mistakes- uh and you can find me around cncf a lot hello.

B

Everyone I am Ariana principal engineer at intern, where I lead an office team security, research, team, called assault, I have 25 years of professional experience in different domains of software and security, engineering and I teach software security at the Jerusalem College of Technology.

B

At Intel. With my team, we primarily conduct quality research and have different modes of operation from long engagements to focus their thoughts on various kinds of Technologies.

B

While some of the targeted effort may be short term, it is crucial for the projecting we are working with to be well prepared in order for us to deliver the best results.

B

Our role is not to replace the Standard Security actions by disease of the product team, such as the secure development life cycle well known sdl, but to complement it by providing an external articles perspective.

B

But to be effective, we aim to ensure that any bugs that could, in fact, should have been detected by automatic tools have been addressed and refer to this as a low hanging fruits.

B

The challenge we face is that, when searching for these rotten low hanging fruits using most automatic scanners, we must sift through a large number of other fruits, also reported by these tools, many of which are not actually relevant to the product scanners report issues based on rules that may return alerts that are not applicable to this specific project.

B

Additionally, it is important to consider the severity and risk level of the reported elements. Some may be critical, while Others May provide any minimal protection against telemetrics. While we advocate for defense in depths prioritization is primordial in real world scenarios,.

B

In order to effectively identify another security vulnerabilities in our kubernetes-based systems, we need a tool that could not only discover issues but also categorize and prioritize them, provide explanations and even suggest limitation steps. After evaluating values options, we found that cubescate was a good fit for our needs. We have since worked closely with the cubescape team to further improve the tool and incorporate new features, such as the ability to focus on identifying the most critical areas of the cluster.

B

From an attacker perspective, my team is not the primary customer of this tool and it shouldn't be. However, it is important for us, as a security team, to ensure that such a tool is easily adoptable by developers and validation teams as part of their workflow.

B

This way can be used to catch and Report potential vulnerabilities and weaknesses in the cluster in a way that is easy to understand and actionable for non-security professionals.

A

So few words about about cubescape, so cubescape was born as a kubernetes security posture tool. Okay, which gives you both compliance and security posture information.

A

um Sorry, the project started a year and a half ago um as a site project at armo and as of today as Mars. This is the first time: okay, I'm attending a cncfm event, where I can say out publicly that we are became a Sandbox project. Okay, armo contributed cubescape to cncf, um and it gives you today, two major uh value or information. One is the configuration uh scanning okay scanning your through your kubernetes uh configuration.

A

You know there is API server uh uh and objects and so on in order to find out different security issues. The other is the vulnerability scanning. Okay, we are enabling you to scan uh uh vulnerabilities inside your cluster and found. uh Give posture, see posture information about your container images.

A

Now the interesting thing and one of the things which were very helpful also for Intel, as you could heard from Arya, was actually the ability for cubescape to integrate not just into your cluster into live information, but also to tap in already to your development workflows for vs code integration. Github integration and so on, so you could, or devops and Dev Engineers could already Implement okay, one of the things during their work.

A

Okay, and not just get there to the production and then find out issues- and this is very, very helpful Point here now cubescape and the configuration scanning part of cubescape is based on what we call controls. Okay, controls think about them as tests. Okay, every control is a test and it tests a single I would say: property of uh of kubernetes objects: okay, I'm, just making it simpler, okay to explain, but it can be more complex because it it can have contextual, take into account, contextual information of multiple comparative objects.

A

It is based on Rego uh from the Opera project and you can Define. We are defining these controls in Rego. Now every control has its severity and it can. uh Every control can cover a single thing like whether the container which is inside the Pod is running as a root or whether uh um you know the service account token, which was mounted in into the Pod, has actual arbuck uh privileges attached to it. Whether the workload has uh in this case this example.

A

Okay, whether it has a critical vulnerability inside and so on, so we have this control concept of controls and and cubescape output shows you, okay, how which which resources failed on which controls? Okay and you can take it for uh uh for fixing them or either decide that you're ignoring them. But the main problem is that, in the case, for example, for Intel, they they're running a cluster of nearly 100 000 workloads, okay and having a scan single scan running inside and having uh taking this output is really really hard.

A

It's overwhelming and the security team is looking for want to know what are their most risky workloads on to understand what they have to fix uh for you know before the others. Therefore, we started this project, okay and we thought of the following concept: I'm going to explain you now the algorithm, the idea, okay, and they will show the results. So again, we have these things called controls, okay, and we want to get into the state where we can prioritize the output okay and to show you for each workload.

A

What which one is the most risky? Okay, uh which will you have to fix? The first okay and you know, building something in between this algorithm in between these two. The input and the output has to make take different things into account and the way we we decided to do. This is um what we call attack chains. Okay, we are going to with what we have done.

A

We've modeled um different uh these controls into a framework we've created and trying to show which controls has effect to others, okay, and if you are seeing these two controls failing on the same resource, creating a bigger effect, bigger risk, okay than each of them alone.

A

So in order to do that, um we've we've taken um Microsoft's work. Okay on kubernetes uh security, they've released, I, think to researcher at Microsoft released this framework uh like two years ago, something like that. uh They've took the miter framework; okay, I guess most of you know of it already Okay The Miser framework and adopted it to the kubernetes world, so what they did they.

A

They took the same um same uh categories: okay of initial access, execution, persistence and I'm, going to read everything out for you, but but they took the original miter uh um categories: okay and put different issues around kubernetes under each of those categories.

A

What we decided that we are going to categorize our controls, we are doing in Cuba in cubescape to be to be part of each uh to categorize them under these categories, okay, and what we could, what it brought us to uh on the our next step, which is creating a graph okay of of these categories, where we are seeing that one category can affect the other.

A

So, for example, you can look at the initial access category: okay, whether that different issues under this category of initial access, whether the attacker has an access to the container okay, and if the attacker has an access to the container, it might gain execution, which is another category right and one you know category can bring to another and execution. If the attacker has an execution on a container, it can try to escalate its privileges beyond the container, okay or or trying to hack into the kernel.

A

Okay and so on, if the attacker has an execution, it can try to access credentials inside the container, okay or or credentials which are bound to The Container. If the attacker has an execution, it can discover, uh do discovery of the environment and do lateral movements and so on. So we created this graph. Okay of of these categories, okay, how they are affecting one to the other? Okay and with we said that this can enable us, okay to create a sequence, okay of potential uh uh attack inside the container.

A

So if cubescape um sees uh an nginx controller, okay, which, in an Ingress controller which is, can be accessed from the public internet um there, it's this Con. This workload fails on in the initial access category. If it has a critical vulnerability, which is a remote code, execution vulnerability, um the attacker can gain execution. Okay, it if the same workload, which is again an Ingress controller, ending Ingress controller needs access to the kubernetes API um and therefore it will have uh access token with uh with um with roll attached to it.

A

Then it is vulnerable to API access and so on. If the container runs as a root user. The attacker has more potential to exploit different bugs in the kernel, so if we're taking this okay and and putting it on or um on our graph okay, you will see all these. You know red categories, okay, which are failing in a given workload.

A

Okay, the categories which are failing- and this can show that we we can build up chains right because we can say okay, that since there is initial access and execution and privilege escalation, okay, because this was a root container okay, um then the attacker has a potential attack chain. Okay, I'm, not saying that it's it's 100, exploitable, okay, because there are other things, but for the sake of uh of prioritization, this is a potential attack chain. Now this is the first chain.

A

The second chain can be uh this chain: initial access, execution, credential access and impact on the kubernetes API, okay, because the attacker has this flow inside the workload.

A

So, if I build, if I, you know more formal, defining okay, this algorithm, what cubescape will do? Okay is for every workload it already calculated the controls. Okay, um it assigns each field control to the graph. Okay calculates uh the fail.

A

The chains of the potential chains inside you know this graph and for each chain it calculates a score which is based on actually on the severity of of if each control is failed on it and then sum up all the chains together, and this is going to be the priority okay of the score of the of the workload and at the end, it can take all the workloads together and create a list of priority lists of each of them. Based on this score.

A

So again, if we are looking at uh at the scores, so the first chain had three failed controls. Okay, each control has its own severity. We are calculating the multiplications of each each control together. The chain one's core uh uh is, you know, is sad. uh The chain two score is going to be also the multiplication of each of the severities. We of these control it fell on. Okay, then the actually the priority score is go of. The workload is going to be chain one plus chain two.

A

So now what we are going to do is Aria is going to demo um the results he had using this.

B

In the last few months is we have evaluated the usefulness of cubescape in a various stages of development across different defaults. The feedback so far has been very positive. The findings reported by cubescape in a user-friendly manner should help them to integrate it into their workflow and focus on the most important areas of potential risks.

B

As you can see on this slide, different types of output formats are available. Report shows different namespaces, with different misconfigurations reported, along with a direct link to the documentation, explaining the issue and examples of limitation steps to fix the issue.

B

I clicked on one of the links in the report regarding a vulnerability with the cryptic name. I was taking to a page with the vulnerabilities description, additional resources and even recommend determination, steps very convenient. Isn't it.

B

As we previously mentioned, there can be a lot of noise when it comes to security threats and even after categorizing L filtering out the less relevant ones, production team may still want to prioritize their effort. In this video, we demonstrated the use of cubescape on a large namespace.

B

Despite the vast amount of information and useful details, we still found it necessary to prioritize as the initial report. As we previously mentioned, there can be a lot of noise when it comes to cycling.

B

So here we focus on one of these workloads a database one in this view, as a user I try to understand what can be mounted as an attack exploiting the vulnerabilities found in a specific workload in the bottom part I'm presenting with an attack tree, it describes a full chain of exploitation using different findings all regarding these very namespace.

B

This makes the work of explaining the possible consequences of these vulnerabilities much easier, especially when you have to justify more work from the development and validation teams to management.

B

This is an example of how cubescape how it is a workloads in the namespace I have been working on in the previous slides. The list shows a workload that cubescape suggests to fix. First, as they are considered to be the most risky, as you can see, my two database instances are.

B

This is an example of how cubescape prioritizes the workloads in the namespace I have been working on in the previous slides. The list shows a workload that cubescape suggests to fix. First, as they are considered to be the most risky.

B

As you can see, my two database instances are prioritized ahead of others due to the fact that they both have persistently claims connected and multiplayer duplicates Additionally. The control manager, which is the first on the list, has access to the kubernetes API.

B

This prioritization order provide guidance for the development team on where to start fixing issues within the namespace. Although this feature is still in the alpha phase, its value is already evident.

B

This is awesome at the end, you can access a comprehensive list of what has been tested. The vulnerabilities found the severity and risk assessment based not only on the vulnerability, but also in its context. This is important because some potential vulnerabilities may not be relevant in the specific context of this namespace, especially when the project is enticing schedule. It's crucial to be able to prioritize your resources, it's not perfect, yet there are still many areas that need Improvement and, while working with the maintainers to develop new features to make Cube skates even better.

B

However, the maintainers are very responsive and, for example, the last time I reported an issue to Ben. A new version was released with a fix the very next day.

A

So um to wrap this up um from the beginning: okay, we've, you know, uh we've put ourselves a very uh hard goal: okay of of creating a good prioritization engine, okay, which will help you really to understand what are your most critical workloads uh now we are really in the early steps. Okay and we are working in tech security, okay, to trying to align uh this concept of of attack chains in with all the other um cncf uh projects, okay and and and trying to standardize this.

A

But what we're we've seen in Intel, okay and from the enthusiasm? Actually, we got okay in the cubes team from Intel made us think that it's it's a very promising start and- and uh we are though we are- we still have Azaria said we have a few issues to work out.

A

Okay uh and we have a few missing parts: okay, for example, uh vulnerability information is not really connected today uh uh to this prioritization engine, uh I can tell you that it's a it's already giving, even without it it's already giving a valuable input, and hopefully we're going to work out this issue of vulnerability, information missing in the next month or two, and uh you will have this information already uh part of of the prioritization.

A

We are missing a lot of testing and feedback and therefore, actually what we are I have also here call to action. Okay, we are looking for uh for inputs and feedback on this, and also early adopters would be ready, okay to test it having.

A

Although this is already in the main release in cubescape, it is hidden right now under a flag. Okay, which is therefore it is not part of of every report. But if someone wants to try it out, okay, I would ask him to or her to to reach out to us to the maintainers we have. uh um It's like. You can find, find the cubescape and cubescape Dev channels where we, you can always reach us. Okay, and therefore we are looking really for input.

A

Okay from all of you and have either you're coming from your vendor or your uh your user or you are just you know, a security, enthusiastic okay, we'll be happy to get any any feedback uh from you um and yeah also on ideas. How to make it this uh even better. But I can tell you that that even for we have also started this week to show it to another company.

A

I don't want to disclose their name because it's too early, but they also started to use it and we'll be very, very happy about the first, uh their first results.

A

So uh we started. You know with this picture.

A

um I can assure you that cubescape can't tell you which one of the real Waldo here uh and therefore I the my punchline, is that there is no punch line here, uh uh but but I think that this is a really great project and if you want to contribute it, we are more than welcome um and please rate this talk. Thank you very much and if you have questions I'm here.

A

So um good question: okay, uh con cubescape is working. Controls are working either on live Cube, API data, okay or from even from uh from yaml files. So you can you know this is just a tool you can feed it from both directions, so can you can create? You can do this prioritization on your Helm charts? Okay, already you know in your git okay and get a view of which one of how they are fair one to another.

A

Honestly, okay, if you are scanning a lot, okay in once, you will get like this prioritization, but I. Think it's more interesting inside the cluster. Okay, because there have a you: have there a lot of workloads together, you can compare to each other, but looking at the attack chains and the attack tree itself, I think it can be also valuable.

A

You know offline okay, even before you are deploying stuff in your cluster and as of today, the only the only two data which goes inside can the this engine is the kubernetes objects themselves and uh and vulnerability information which is a little bit lagging. But it's it's been it's going to be there yeah anything else. One two three thank you.