►
From YouTube: Know Your Enemy: Mapping Security Risks Using Threat Matrix for Kuber... Yossi Weizman & Ram Pliskin
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Know Your Enemy: Mapping Security Risks Using Threat Matrix for Kubernetes - Yossi Weizman & Ram Pliskin, Microsoft
In April, Microsoft released an updated version of the Threat Matrix for Kubernetes which was originally released in 2020. The Threat Matrix is a knowledge base for security threats that target Kubernetes. This matrix was the first attempt to systematically cover the attack landscape of Kubernetes. In this session, we will explain how defenders and SecOps engineers can use the matrix to protect their Kubernetes workloads. We will demonstrate how a real-world attack is mapped to the techniques in the matrix and how organizations can measure their coverage to the attack using the matrix. Inspired by the Threat Matrix for Kubernetes, MITRE expanded their ATT&CK framework to include also containers. In the session, we will examine the differences between the Threat Matrix and MITRE ATT&CK and explain how users can leverage both matrices to gain a better security visibility for their environments.
A
B
B
B
B
B
When
contact
when
containerization
started
to
take
off
it,
provided
a
way
for
consistent
and
repeatable
deployments,
with
kubernetes
being
so
widely
adopted
around
two
years
back,
we
were
tasked
with
building
a
plan
to
protect
users
running
kubernetes
workloads.
That's
basically
how
our
journey
started
with
kubernetes,
built
as
extremely
robust
obstruction
layer.
We
knew
we
would
need
to
adjust
our
security
perspective.
B
B
B
B
So
our
goal
was
to
map
threats
targeting
kubernetes
and
when
we
started
looking
into
kubernetes
landscape,
we
discovered
a
variety
of
attacks
with
each
such
as
a
very
different
aspect
of
kubernetes
built-in
mechanisms
we
figured.
We
should
map
those
different
areas,
so
we
could
keep
track
with
the
interface
we
would
like
to
further
explore
and
with
mitre
being
largely
embraced
by
the
community
as
the
go-to
place
for
learning
and
evaluating
security
coverages,
we
figured
we
should
leverage
attacked,
metrics
structure,
and
so
we
started
defining
our
own
kubernetes-centric
ttps.
B
A
A
A
The
first
one
is
access,
manage
identity
credential
in
some
cloud
providers
you
can
allocate
identities
to
cloud
resources
like
virtual
machines,
for
example
in
aws
you
have
ec2
roles
in
azure.
You
have
manage
identity
or
manage
service
identity
in
its
former
name,
you
can
access
to
the
token
of
the
identity.
From
the
virtual
machine
itself,
and
also
from
the
containers
that
run
on
that
virtual
machine,
so
if
attackers
gain
access
to
a
container,
they
can
potentially
grab
the
token
of
the
identity
that
is
attached
to
the
underlying
node.
A
A
A
A
A
A
Some
of
the
functionality
of
google
is
exposed
via
crds
and
some
by
a
centralized
dashboard
in
some
configurations.
This
dashboard
doesn't
require
any
authentication
in
such
configurations.
If
the
dashboard
is
exposed
externally
to
the
internet,
it
basically
allows
a
free
access
to
a
management
interface
of
good
flow,
which
is
obviously
a
bad
thing.
A
Earlier
this
year
we
saw
a
large
scale
campaign
that
targeted
internet,
accessible,
kubeflow
workloads.
The
attackers
used
exposed
dashboards
for
deploying
a
malicious
pipeline.
A
kubflow
pipeline
is
a
service
of
kubeflow
that
allows
users
to
create
machine
learning
pipelines
which
is
based
on
algo
workflow.
A
A
Here
you
can
see
the
attack
flow,
the
attackers
accessed
the
queue
flow
dashboard
using
the
dashboard.
They
deployed
a
new
pipeline
which
created
a
new
container
eventually
by
the
pipeline
controller,
the
container
which
ran
a
legitimate
tensorflow
image,
fetched
a
cryptominer
from
github
and
ran
it.
A
A
A
A
A
So
we
mark
the
relevant
techniques
step
two
is
evaluate
our
coverage
to
those
techniques
that
we
just
marked
for
exposed
sensitive
interfaces.
We
can
monitor
exposure
of
services
to
the
internet,
for
example,
monitor
load
balance
of
service
creations.
Ingress
objects
are
also
relevant
in
openshift,
it
could
be
roots,
etc.
A
I
really
want
to
emphasize
this
point
a
very
large
portion
of
the
attacks
that
we
see
against
kubernetes
clusters
start
with
an
exposed,
sensitive
interface.
It
affects
everyone,
literally
everyone
from
small
organizations
and
individuals
to
huge
organizations
with
fairly
large
information
security
departments.
A
A
A
For
name
similarity,
we
can
monitor
the
images
in
our
workload
and
make
sure
that
only
known
images
and
legitimate
images
are
running.
We
once
observed
an
attack
on
a
kubernetes
cluster.
Not
this
attack
another
one.
The
attacker
used
a
malicious
container
as
well.
We
notified
the
victim
and
we
told
them
hey.
Your
cluster
is
compromised.
You
should
be
aware-
and
they
are
actually
argued,
argued
with
us
and
told
us
that
this
is
their
end-to-end
test
in
containers
and
it's
fine,
it's
legitimate.
A
A
We
should
monitor
suspicious
operations
of
service
accounts.
This
can
be
done
by
using
the
kubernetes
audit
log
or
some
people
call
it
keyboard
it.
This
is
a
very
powerful
tool
that
gives
you
a
great
visibility
to
what
happens
in
the
kubernetes
control
plan.
You
can
see
basically
all
the
operations
in
the
cluster
who
did
it.
When
did
it
happen
from
which
ip
and
more
so
it's
very
useful?
When
we
want
to
monitor
the
activity
in
the
cluster
for
resource
hijacking,
we
can
monitor
it
from
two
levels.
A
A
B
So
let's
talk
a
bit
about
micrometrics
for
containers,
so
in
december
2020
based
on
the
community
interest
and
if
I
may
add,
with
some
inspiration
from
microsoft,
truth
metrics
might
just
started
to
work
on
attack
metrics
for
containers
and
in
april
2021
the
containers
matrix
was
added
to
attack
v9,
ok.
So
if
up
until
recently,
we
had
no
solid
source
of
information
for
learning
on
possible
attacks
targeting
kubernetes
now
we
have
two
great
sources.
B
So
first
attack
is
focused
on
in
the
wild
adversary,
behaviors,
meaning
that
might
consider
a
ttp
only
when
it
happened
in
the
when
it
already
has
been
witnessed.
Their
investigation
is
focused
specifically
on
gathering
intelligence
of
what
adversaries
are
actually
doing,
versus
what
researchers
and
lab
teamers
can
do.
B
B
Mitel's
motivation
was
to
leverage
an
existing
ttp,
so
in
case
there
was
an
equivalent
technique,
for
example,
from
the
linux
metrics.
They
prefer
to
supplement
it
with
a
container
tag
and
therefore
names
and
descriptions
are
often
times
different
as
well.
Also
on
some
few
cases,
I
think
we
had
some
disagreements.
B
Each
stakeholder
had
a
different
interpretation
of
a
certain
activity
and
that
also
led
to
few
misalignments
with.
That
being
said,
it's
important
to
also
highlight
the
core
similarities,
so
please
note
that
each
matrix
combines
adversary,
behavioral
techniques
for
both
orchestration
level
and
container
level.
B
Secondly,
both
metric
cells
can
be
considered
as
an
obstruction
layer,
for
example,
if
an
advisory
installs,
a
crown
job
within
a
container
that
behavior
would
be
covered
by
the
linux
metrics
instead
of
the
containers
matrix
to
learn
more
on
the
evolution
of
the
metrics
and
how
the
and
the
process
behind
of
building
those
please
read.
Mitra
and
microsoft
join
publication.
B
At
this
point,
let's
recap
the
attack
that
jose
laid
out
and
see
how
it's
been
reflected
on
each
of
the
matrixes.
We
can
use
the
arrow
to
map
between
techniques
so
from
the
initial
access
tactics.
The
exposed,
sensitive
interface
is
mapped
to
external
remote
service.
On
mitros
metrics
from
the
execution
tactic,
the
new
container
is
mapped
to
deploy
container
on
mitral
side
and
the
container
name.
Similarity
is
mapped
to
masquerading
and
the
resource
ejecting
is
actually
remain.
The
same.