►
From YouTube: Uncovering a Sophisticated Kubernetes Attack in Real-Time - Jed Salazar & Natália Réka Ivánkó
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Uncovering a Sophisticated Kubernetes Attack in Real-Time - Jed Salazar & Natália Réka Ivánkó, Isovalent
As Kubernetes adoption continues to explode, the threat actors working on attacks are growing in sophistication. Simple mitigations and security best practices are no longer sufficient alone to protect production workloads. While tools like vulnerability scanning, signed container images, and distroless containers help, constant monitoring must take place in a running environment to ensure it remains safe from compromise. eBPF, an emerging Linux kernel technology, provides us unique visibility directly into any Kubernetes pod. Because pods on a node share a single kernel, a single eBPF program has full visibility to the entire node’s workloads. We’ll show how using such a program gives us the network and process-level visibility to detect and a live sophisticated attack on our cluster. We’ll finish by showcasing how security teams can easily put these same tools to use to protect their critical Kubernetes environments from threats.
A
A
A
So
a
lot
of
security
today
practices
they
really
focus
on
the
pre-fail
and
post-fail
approach
to
security.
Pre-Fail
tries
to
predict
the
necessary
protections
that
a
system
is
going
to
require
based
on
threat,
modeling
or
an
assumption
of
risk
post
fail
ensures
that
you
have
the
necessary
logs
for
intrusion
detection
to
be
notified.
If
you
get
compromised
despite
those
protections,
what
we're
advocating
for
is
that
we
actually
change
that
paragon
and
we
move
from
a
pre-fail
and
post-fail
to
a
pre-data
and
post
data
paradigm.
A
Data
allows
us
to
continually
measure
that
our
hardening
and
security
configurations
are
suitable
to
protect
against
real
world
threats
that
are
attacked
that
are
detected
by
observability
within
our
environment
with
observability.
We
will
open
your
eyes
to
the
reality
of
the
threats
in
your
environment.
A
A
If
you're
tasked
with
securing
kubernetes,
you
might
look
at
this
landscape
and
become
overwhelmed.
It
takes
a
lot
of
resources
and
time
to
successfully
build
and
operate
a
cloud-native
environment,
let
alone
secure
it.
However,
different
components
of
your
stack
have
different
levels
of
risk
and
prioritizing
your
focus.
Where
there's
the
least
trust
and
the
most
risk
is
a
good
way
to
get
started.
A
A
A
You
can
protect
your
containers
by
removing
dangerous
debugging
tools
like
interactive
shells,
package
managers,
compilers
and
unneeded
run
times
with
distrolus
base
images.
Bonus
vulnerability
scanning
should
be
integrated
to
a
container
image,
build
stage
and
runtime
sandboxing
such
as
setcomp
app,
armor,
g-visor
and
firecracker
can
limit
the
potential
of
privilege,
escalation
or
container
escapes.
A
A
A
A
A
For
example,
when
the
cubelet
launches
our
workload,
we
can
assert
that
the
configs
have
been
statically
analyzed
hardening
measures
have
been
applied
and
we
can
basically
account
for
every
bit
in
the
deployment.
However,
over
time
entropy
reduces
that
trust.
For
example,
an
internet
exposed
workload
gets
attacked,
an
sre
runs,
cube,
cuddle,
exec
and
installs
some
debugging
tool
and
fails
to
clean
up
after
themselves.
A
A
A
A
A
B
So
a
little
bit
of
background
psyllium
deploys
as
a
demon
set
inside
of
a
kubernetes
environment.
This
means
that
there
is
a
cilium
agent
running
on
each
one
of
your
communities
worker
nodes.
These
agents
are
communicating
with
the
kubernetes
api
server
to
understand,
but
identities,
network
policies,
services
and
so
on
and
based
on
those
identities
of
each
one
of
the
workloads
deployed
inside
the
kubernetes
environment.
B
So
this
is
how
our
json
event
looks
like,
which
was
exported
to
user
space.
By
an
avpf
program,
you
can
see
the
kubernetes
identity
over
information
like
pods
containers,
labels
and
theos
level
process,
visibility,
information
like
binary
arguments,
docker
id
and
the
pid
for
simplicity.
We
will
just
use
some
python
scripts
directly
consuming
the
json
events
that
would
be
otherwise
sent
to
an
external
system
like
cm
system
like
elasticsearch
or
splunk.
B
In
this
talk,
we
are
going
to
see
two
attacks,
both
happening
on
a
live
gk
cluster
in
the
first
one.
We
are
going
to
reach
the
host
file
system
and
break
out
from
the
container
and
on
the
second
one
we
are
going
to
download
some
sensitive
data
from
an
external
s3
packet
and
for
detection.
We
are
going
to
use
ceiling
and
the
power
of
evpf
so
from
an
environment
perspective.
B
Let's
assume
that
jet
has
already
accessed
a
gka
cluster,
that's
what
we
can
see
on
the
right
terminal
and
on
the
same
cluster
I
have
psyllium
set
up
and
running,
which
monitors
all
the
kubernetes
workloads
and
provide
observability
connectivity
and
security
for
them.
For
simplicity,
I'm
going
to
use
a
python
script
which
would
parse
all
the
json
events
coming
from
the
kernel
and
export
it
to
user
space
via
an
ebpf
program
and
then
which
would
look
for
malicious
behaviors.
A
A
B
A
A
So
now
that
we
have
access
to
the
host's
file
system,
we
can
just
directly
cd
into
that
mount.
This
gives
us
direct
route
privileges
over
that
file
system,
which
is
effectively
game
over
and
we
have
full
root
access
to
the
file
system,
which
means
that
we
can
mutate
things
like
you
know
the
roots
bash
rc.
We
can
change,
we
can
add
users.
We
can
really
do
whatever
we
want.
At
this
point.
B
So
the
continent
escape
is
not
the
only
thing
that
you
want
to
monitor.
For,
sadly,
most
of
the
people
are
only
looking
for
this.
In
the
second
demo,
we
will
detect
an
attack
version
is
able
to
download
sensitive
data
from
an
external
s3
bucket
from
an
environment
perspective.
The
setup
is
the
same.
So
let's
assume
that
jet
has
access
to
a
gk
cluster
and
from
a
workload
perspective,
he
is
currently
seeing
running
application
with
multiple
services
like
job
posting
and
drag
reader
and
with
multiple
databases
like
elasticsearch
and
zookeeper.
B
A
So
now
that
I've
compromised
the
pod,
I'm
going
to
run
the
end
command
to
see
if
there
are
any
credentials
or
secrets
mounted
in
the
pod
that
I
can
take
advantage
of
excellent.
We
can
see
that
there's
an
aws
access,
key
and
secret
key,
as
well
as
an
s3
bucket
name
that
I
can
use.
So,
ideally,
secrets
are
mounted
in
a
volume
inside
the
container
to
avoid
having
to
restart
the
container
if
the
secret
is
rotated.
But
in
this
case
I'm
able
to
take
advantage
of
the
fact
that
they're
environment
variables.
B
A
A
The
image
on
the
right
comes
from
a
blog
post
called
the
pyramid
of
pain,
and
it
identifies
the
value
of
detection
data
progressively
from
trivial
to
collect
and
the
relative
value
that
that
data
provides
in
a
regular
environment
at
the
bottom.
You
have
a
hash
of
a
file
if
you
flip
a
single
bit
in
a
file,
its
hash
value
completely
changes,
so
its
value
is
minimal.
A
A
A
Immutability
really
brings
a
lot
of
benefits
to
security.
All
the
binaries
in
a
container
should
be
packaged
into
a
container
image
using
a
hardened
base
image
like
distrolus.
It
makes
it
easy
to
identify
all
the
binaries
in
the
container
and
those
that
should
be
running
downloading
binaries
in
a
production
container
for
purposes
other
than
debugging
is
an
anti-pattern.
A
So
if
there's
a
execution
of
a
binary
inside
of
that
container
image
that
isn't
part
of
the
container
image,
we
immediately
know
that
it's
suspect
what
this
further
allows
is.
Those
hash
values
that
are
trivial
in
value
actually
become
very
critical
inside
of
an
immutable
environment,
because
we
don't
make
any
changes
to
any
of
the
files
inside
of
that
environment.
So
a
change
to
a
hash
in
the
case
of
immutability
might
actually
become
a
tactic,
technique
or
procedure.
A
A
So
the
key
thing
here
is
starting
to
collect
the
right
data
so
that
you're
actually
going
to
be
positioned
to
be
able
to
detect
the
sophisticated
attack
that
occurs
within
your
environment.
Today,
we've
talked
about
a
couple
of
kind
of
simple
attacks,
but
the
key
here
is
that
we're
actually
measuring
that
data
to
be
able
to
detect
those
things.
A
Hope
is
your
best
strategy
and
if
I
can
take
one
thing
away
from
the
sre
book,
it's
that
hope
is
not
a
good
strategy
and,
lastly,
we
just
wanted
to
give
a
huge
shout
out
to
everyone
on
this
slide.
Everyone
here
has
given
us
either
feedback
directly
or
helped
us
somehow
throughout
our
kubernetes
security
learning
journey.
This
talk
wouldn't
be
what
it
is
without
these
people.
So
thank
you
very
much.