From YouTube: CNCF SIG Security 2021-03-17
C: Yeah, hello everyone. Thank you all for joining this security meeting. This meeting is being recorded, right, and since this is a CNCF meeting as well, just make sure that you are following the code of conduct from CNCF. Anything else, Andres, before we start?

C: Thank you. Yeah, so today we're going to have a presentation by Jen Burns from MITRE. She's going to speak about MITRE ATT&CK for Containers, the first draft, which was released last month, and provide us with some information and guidance on how we could help improve this initiative.

C: Jen, feel free, take it away.
D: For sure. Let me put this together, like a short slide deck, so I'll see if I can share my screen here real quick. Okay.

D: All right, let's see. Are you able to see that okay? Yes? Okay, perfect. Yeah, so I guess first off, thanks for having me today. Jen Burns, I work at MITRE. Right now I'm the lead of ATT&CK for Cloud, and a few months ago at this point we kind of kicked off this project with MITRE Engenuity's Center for Threat-Informed Defense to research adversarial behavior in containers and really determine if there's a possibility of including container techniques in ATT&CK.

D: So at this point, like Magno said, we've released the first draft of the matrix for feedback from the community. We've already received lots of really great feedback. I just want to talk to you folks about, you know, really ATT&CK itself, kind of that first draft that we released, how we could use your help and how we could potentially, you know, collaborate on this. So I figured I'd just give a short background on ATT&CK. I know some folks may be familiar.

D: Some may not, so I'll kind of start off with that and then just kind of hope to kick off a discussion on, you know, that contribution process and collaboration process. Really, feel free to interrupt me or ask questions at any point. Definitely happy to answer whatever I can. But to start off, ATT&CK itself: it's a knowledge base of adversary behavior. It was born out of a series of red team and blue team operations at MITRE's Maryland site around 2013.
D: It originally had focused exclusively on the Windows platform, but since then it's kind of expanded into Mac OS, Linux, mobile, even network devices, ICS, and then also the cloud, which is my area of focus, and then this containers piece is kind of tangential to that. A key point about ATT&CK: it's based on real-world observations of adversaries, so what adversaries have done in the past and what they're likely doing now based on those previous observations. It's not really meant to include kind of more of the theoretical proof-of-concept attacks.

D: It really focuses more on what real adversaries have done, because we, you know, believe that there's definitely value in prioritizing those types of behaviors based on threat intel. Another key point about ATT&CK: it's free, it's open, it's globally accessible. Anybody can use ATT&CK, and because it's free and open it kind of provides a common language that different teams and organizations can use to make sure they're on the same page. And then last but certainly not least, ATT&CK is driven by the community. A large portion of ATT&CK has been contributed from outside of MITRE.

D: We shape many of our decisions based on the needs and requests from the security community. For this containers work specifically, at this point the vast majority of the techniques have been driven by contributions from the community, which is pretty awesome. You know, you folks are the ones out there with boots on the ground, really seeing what adversaries are doing and defending enterprises, so having those contributions is pretty invaluable to us, and it really leads most of the work that we do, just to kind of...
D: So, for example, if you think of something like a hash value: if an adversary changes a single bit in a file, that hash value is going to change. It's almost painless for them. Then, on the defender side, you know, carrying out actions based on something like hash values has limited utility, since the adversary can easily change them. Similarly, adversaries can do things like register new domains and IP addresses per campaign.

D: So if you're just monitoring for those, you might miss some activity. And then moving up the pyramid to what is most painful for the adversaries to change, we see tactics, techniques and procedures, and that's really where ATT&CK lies. You know, adversaries are humans too, just like us. They are creatures of habit; it's painful to change their behaviors. So as a defender, if you can detect those behaviors, or TTPs, you have a better chance at thwarting those adversaries.

D: More recently, we added sub-techniques to the matrix, and you'll see this with containers as well. So, for example, here the technique Phishing has three sub-techniques, and these are just more specific techniques that fall under that technique of phishing. And then within techniques and sub-techniques we have a set of procedures, and these are adversary implementations of specific techniques.

D: So, for example, here we see a specific implementation of the Spearphishing Attachment technique carried out by APT12, and that's mapped to a couple of open-source threat reports for references. To dive just a bit more into techniques before we kind of dig into containers:
D: Here's an example of a technique on our website, which is Process Injection. You'll see we lead off each technique with a description, and really that description explains what the behavior or technique is from the perspective of the adversary. And then we have these little cards on the right side of each page that call out things like the tactics that a technique belongs to and what systems may be affected, such as Linux, Windows and Mac OS, and, you know, Containers when we get containers into ATT&CK.

D: So I'll kind of get more into, you know, the containers bit. Why are we investigating the container space for ATT&CK? First off, we've had the community ask for it. Like I mentioned, ATT&CK is largely driven by the community and the needs of the community. Before we started researching adversary behavior in this space, it was probably one of the questions I received the most from folks when talking about ATT&CK for Cloud; it's kind of like the "what about containers?" piece.

D: I think this just gives more weight to the fact that folks are looking for something to kind of utilize in this threat-based space for containers. Also, we're finding threat intel and reports that mention behaviors in the container space, often tied to Linux and cloud as well. We want to be able to kind of represent those container-specific behaviors within ATT&CK, even though the behaviors might kind of bounce across cloud, containers and Linux. And then also, one of the reasons we're able to take up this work

D: is it's actually a project through MITRE Engenuity's Center for Threat-Informed Defense. This really just kind of gave us that opportunity to take off and run, so to speak, with this new space for ATT&CK.
D: All right, so kind of when it comes to, you know, what we did first, it really came down to researching the adversary behavior in the container space, and so we kind of started by searching for open-source intelligence in the area. There's some good content from folks like Palo Alto. Magno sent us some great content from Trend Micro. Aqua had put some stuff out too.

D: We've actually been in touch throughout this process with Microsoft regarding that Kubernetes threat matrix, since that was kind of one of our final pushes to "hey, we need to do something with this in ATT&CK." They gave us a really great starting point with the work that they had done. One of the things that kind of sets their threat matrix apart from what we're working on, though, is that in-the-wild element of ATT&CK.

D: I mentioned this in the blog we released with that first draft of the containers matrix, but one of the first steps that we did as a team was actually work with Microsoft to determine, you know, out of what they have, which behaviors in their matrix had been carried out in the wild by adversaries. And we also, you know, published an initial blog kind of during this kickoff of the project asking for intel on what adversaries are doing in containers in the wild.

D: So then we basically organized that content, those contributions, into kind of these distinct behaviors or buckets, so techniques based on tactics, and then for each of those techniques or behaviors we determined: is this something that's already covered in ATT&CK? If so, for those behaviors we would consider, you know, maybe simply just adding a new platform tag to that technique, like that Containers platform tag.
D: So we would maybe add that tag, maybe a line or two to the technique on how that current technique applies to the container space, and maybe, you know, add more content to the detection as well on how that kind of applies to containers.

D: If that behavior, though, wasn't already covered in ATT&CK, that means we need to add a new technique or sub-technique to ATT&CK to kind of cover that behavior. So, you know, building out those new portions of ATT&CK and kind of carving out what that might look like, that's actually been a really large chunk of this work.

D: At this point, we're still going through feedback we received from folks and really refining our matrix. We're also building out those detections, data sources, mitigations and other pieces of ATT&CK, particularly for the techniques that would be considered new to ATT&CK due to this addition of containers. Timeline-wise, we're hoping that containers will be added in the April release of ATT&CK, which is, you know, in the next month or so. There are some dependencies that we have there that may or may not be met, so we haven't officially confirmed that release yet.

D: But that is what we're targeting at this point. And so this is what we released with our blog post: that first draft of a Containers matrix. I can come back to this and talk to you folks more about it and answer questions you might have about it. I just want to go through kind of the next slide real quick first.
D: So how can you help? We've already received, you know, lots of feedback from the community. This has been a huge community effort; there's going to be a lot of contributors added to ATT&CK with this effort to add containers. But we do still have some thoughts and questions where we could use some help. One is: do we have any gaps in the matrix?

D: Have you seen or heard of, you know, in-the-wild adversary behaviors that are currently not represented with what we have for our draft? And this is, you know, really focused on the in-the-wild piece, so not that kind of theoretical "what could happen" or what our red teams are doing. It's really focused on, you know, the real adversaries. What are they doing?

D: Also, do you have intel on adversaries using containers for other traditional purposes, such as for something like exfiltration or collection? What we've been finding is that, for most of what's out there, really the end goal or the objective of the adversary is coin mining, crypto mining. So are there adversaries out there doing all of these behaviors to ultimately do something other than that crypto mining piece? We really want to understand

D: if that's really, you know, the main objective of adversaries in this space right now. And next, kind of, besides deploying new containers, do you have intel on lateral movement behaviors that would fit into containers, something like moving from container to container or pod to pod, etc.? You know, what we've been seeing is there's a lot of gaining access to the environment and then deploying new containers, versus getting access to a container and then moving laterally to another. So we're trying to kind of suss out:

D: is there this idea of lateral movement in containers that adversaries are actually taking advantage of, or is it more of a theoretical concept of "you can move laterally"? Come forth here: did we get something wrong? Is there something completely inaccurate, or did we name something weirdly? We've actually gotten a lot of great feedback on this already.
D: We know the technique we're calling Container Service, that's not a great name, it's kind of vague, so we're currently working on trying to suss out, you know, what else could we call this? Should we split this into multiple techniques or add sub-techniques to it? But, you know, any thoughts that folks might have there would be super helpful for us. And then finally, we're kind of at this point where we're building out detection logic to add to ATT&CK for these

D: for these specific techniques, and, you know, a lot of it on our end has been, you know, kind of reading through what recommendations are in this space. We don't have this lab where we're seeing adversary activity and trying to detect it ourselves. So we're kind of, you know, hoping that folks in the community who are doing detections in this space would be able to really help us kind of build those out. And so with that, that's kind of all I have here.

D: But also, if folks have any questions, super happy to dig into some of this.
E: The one thing I noted, by the way, Jen, awesome presentation. The ATT&CK framework is not only heard of from, like, government sources; obviously I'm seeing, like, investment banks using it as their overall framework of, like, here's how to use this to be able to kind of have this framework for attack and all that fun stuff.

E: But I just noted that, like, a lot of the mappings that happened from the various vendors that are out there, there's some amazing stuff going on, and I think there's a place for, like, every, you know, a lot of different solutions to be able to, like, fit into that framework, because you can easily map these to these, you know, specific quadrants that you have. So I wanted to tell you.
D: Yeah, so I don't know if we need, like, kind of the low-level details of what's going on. It's more so, like, really just proof, or I say proof, but, you know, attestation from somebody who has visibility, saying, yeah, I've seen an adversary move from container to container using X, or, like, using this procedure. It doesn't have to be, like, the actual logs or anything like that, just kind of an example of what that looks like in the space, and that's kind of where we're, you know...

D: Yeah, those are always good, for sure. We're kind of doing the same thing with detections that we're doing with mitigations. You know, there's some open-source intel out there about what's going on, but there's not as much on how to defend against it, and so, you know, we're trying to figure out, like, what are the best ways to build your defenses.

D: So mitigations are definitely super helpful, since we kind of don't have that kind of lab set up to be able to totally suss it out on our own, you know.
F: Hey, this is a great presentation, Jen. This is Vinay Venkataraghavan here. I'm actually part of Palo Alto Networks, and, you know, they contributed some information there. I'm just wondering, you know, recently we've had a lot of initiatives within the SIG Security group to, you know, talk about cloud native security and the right posture across the entire application life cycle,

F: if you will, right, the build, deploy, distribute, run aspects. I'm wondering, do you think it'll be useful if we were able to see, from a defense perspective, to your point, how do you protect against these types of attacks? To take all this collateral that we built up and see how do we map it, and then call out, like, here are the specific types of attack patterns, and here, if you adopted this kind of defense and protection techniques, you could potentially have avoided or protected against that particular attack pattern.

F: Do you think that kind of, how do you say, story would be useful for people who are embarking and trying to protect against these types of attacks? Yeah.
D: Yeah, absolutely, I think so. And this is kind of, you know, I've been doing this with cloud too. It's always kind of a gray area, especially with these matrices; it's like, where do you transfer from cloud to containers to Linux, etc.? And so having examples kind of going across all these different platforms

D: I think helps kind of tie things together for folks, and it gives, I guess, some clarity on how we are scoping containers at this point. So we're kind of thinking of cloud like AWS, Azure, GCP, etc., which, actually, as a heads up there if you're using those matrices: in this next release in April we're combining all of those into a single Infrastructure as a Service matrix in ATT&CK, because if you actually look through each one, AWS, GCP, Azure, the techniques are the same. So, like, at a high level, the behaviors are the same.

D: It's just at the procedural level it's slightly different between the different cloud service providers. But so that's kind of a tangent. But for cloud itself, like, we're thinking of it as more like "of the cloud" versus "in the cloud." So, for example, what you find at the cloud control plane or the management plane, what you can get from, like, CloudTrail logs, logging at that level, and then once it kind of pivots onto the host, like an EC2 instance, that's covered by the Linux matrix.

D: Similar to cloud, like, it's things you would get from, like, logging in Docker or Kubernetes, things of that nature. So once it pivots onto the host, like, an example here would be gaining access to, like, a Kubernetes environment, deploying a container. That's all, you know, here in Containers. As soon as the adversary gets a shell on the host and does something like deploying, like, coin mining malware, etc., that's where the pivot to Linux would be for containers, yeah.
D: I think having, you know, and something that we're considering putting out ourselves, like some sort of blog on here's how you pivot between each of these, but the more that the community is able to put out those types of details, I think that's just going to help everybody understand, like, how do we use this across, like, our entire cloud, something of that nature. Sorry, that was probably more words than I needed to put in there, but hopefully that helps.

F: Yeah, I mean, so from an input standpoint, if, you know, for example, right, you know, mapping host mount points is a great way of... Let's say you run a container, let's say there's malware and you can exploit this, you know, persistent host mount, move and get some kind of access onto the host and then do those lateral movements.

F: So there are these very, very, I think, kind of reasonably well-established attack patterns from a container standpoint, and then how they move from a container to the host, and then they move. So just amplifying that message, and then hopefully, but how can we help MITRE and bring back that kind of telemetry?
D: On it, it is super helpful finding things that are novel to that kind of cycle. That would be helpful. I think what we have now in the containers matrix is based on, like, a lot of open-source intel. It's interesting, for containers there's actually significantly more open-source intel than for cloud itself, so that actually made our job a lot easier with containers versus cloud. But basically finding anything...

E: I kind of want to echo what Vinay said as well, and basically, like, whatever help that we, you know, any of us in SIG Security, like, I'm not going to talk for everybody here, but, like, you know, in terms of, like, us, has helped to help you kind of, you know, map, or things that you're kind of unclear on, you know, we're seeing this on a day-to-day basis, and for us to be able to, like, help with some of the mitigations that you talked about, or some attestation.
D: Yeah, that's awesome. And even as we're, you know, before we do a release for this, and, you know, like I said, we're hoping for the April, but we'll kind of see how it all goes. You know, even before doing that release, or right after the release, the detections we release, you know, making sure that those make sense.

D: I think we could certainly use a lot of help there with folks with kind of the boots on the ground. So I can kind of maybe coordinate with Magno a bit on this too, but if I can get some of that stuff potentially publicly released a little bit early, I might be able to get some feedback on that as well from you folks, which would be really great if you're willing.
G: Hey Jen, do you have any more information about any contributions for the Infrastructure as a Service ATT&CK matrix?

D: Yeah, yeah, definitely. Pretty much what really helps us: so you can send to attack@mitre.org. We have, like, a set of... there's a contribute section on our website.

D: That kind of gives you an idea of how to write up a contribution, etc. But mainly, when we get those contributions, what I personally look for is, first off, kind of that in-the-wild piece, so either, like, a mapping of that behavior to something that's open source, or an attestation that, yes, we did see an adversary do this in the wild.

D: So it's, like, you know, it's helpful to have it all written up the way it says on the website, but really we take contributions and we kind of fit it into how we process ATT&CK, so to speak. But yeah, if you have stuff that's not in the IaaS matrix that you've seen adversaries do, just send a message to attack@mitre.org, and that just pretty much instantly gets it into my inbox, and then we can kind of go back and forth on it.
D: Awesome. I don't know if any of you folks have gotten a chance to look at the draft matrix. I know Magno has; he sent me some really awesome feedback already. But do you guys have any questions, like, on how we got to the conclusion of any of these techniques, or what any of them mean, or anything of that nature?

C: Yeah, hey again. Yeah, just one more thing for me. Yeah, thank you for the presentation, it was really great. Yeah, I think that one thing that sometimes confuses me is in regards to that fine line between what fits in the Containers and what fits in the Linux matrix, right? So I'm not sure, like, something else, like Vinay mentioned, like deploying a privileged container that maps into the host, and then you have access to the host environment.

C: How can we, how do you process that, and what is the thought process on whether that would fit into the Container matrix or into the Linux one?
D: Yeah, I think, from what you just said, it kind of goes across both. So doing the deployment of the container, and even the mapping, so, like, if you do, like, a file system mount or something like that to escape to the host, once that escape occurs and the follow-on behaviors are on the host, that would be Linux. But also, just deploying that container, once it starts, you know, once the adversary starts doing things like pulling down malicious content via curl, things like that, that would be Linux.

F: Sure, I had one other comment, if I may, really quickly, and then this goes back to your comment about the AWS, Azure, GCP, the IaaS. Is it the matrix or the recommendations?

F: So this is shared responsibility, right? So we've all been so conditioned in the cloud to, you know, use it: "of the cloud" and "in the cloud," right? So "of the cloud": is there some recommendation you also provide where, you know, a lot of us, we really don't care about "of the cloud," right, because that is exactly why the CSPs are there. You know, that's their responsibility, and the "in the cloud" portion is what we as either, let's just say, cloud customers and container customers, whatever, are responsible for.
D: Yeah, so I think that "of the cloud" piece we could probably just split into a couple of sections, and it's like the "of the cloud" that the cloud service provider is responsible for, and then the part that we're kind of responsible for, like, you know, what you could find, like I mentioned, in something like CloudTrail logs. So if you can, like, get visibility into those areas, that's more of where we're focused on. We're not as focused with ATT&CK on just things that the cloud service providers would be responsible for.

D: There might be, like, some small nuances to that, but in general we're more focused on, hey, I have, like, CloudTrail, CloudWatch, etc., Azure activity logs. What am I responsible for in those logs? If that makes sense.
H: Hi, my name is Bob and I work at Trend Micro. I manage the cloud and container threat research team here. Thanks for the session, amazing. On Vinay's commentary, I think he brought up a good point there. It kind of started my thoughts that, from a MITRE point of view, from an ATT&CK matrix point of view, I think it doesn't matter whether it's a CSP responsibility versus the customer responsibility.

D: To me, I think maybe the differentiation is, so this is another spot, especially with cloud, there's not a lot of open-source intel. So when they first were putting the cloud matrix together, it was highly dependent once again on, like, contributions, so we might not have, like, the details of what is going on from that cloud

D: service provider perspective, like what they might have visibility into. So I guess that's probably the difference, and probably why, like, I definitely agree with you, like, if it's a technique, it's definitely a technique. We might just not have that visibility to be able to add that into ATT&CK. If that makes sense.
B: Oh, hi Jen, I had a question. So mostly we assume that when it's a container or Kubernetes, I think we assume it is Linux, but I've seen some people run Windows containers too. And so have you ever thought about those things, like, hey, it could also run on Windows, and have you ever thought about that mapping? Can it be, like, Linux plus containers and Windows plus containers in your mapping, or have you ever thought about those things?

D: Yeah, that's a good point, and I think most of, almost all the intel that we've received has been ultimately, like, behaviors that were carried out in containers moving to Linux.

D: I think if we find or are given intel in the Windows space, I absolutely think that we would, you know, kind of pivot from containers to Linux, also to Windows. And we also kind of, our philosophy with adding platform tags to, like, existing techniques

D: is that if a technique or behavior can happen on Windows, for example, or has happened on Windows, for example, but could also happen on Linux or Mac, we would still add that platform tag to Linux or Mac, even though we don't necessarily have the intel that it has been carried out on Linux or Mac. So that's kind of a different way we process things as well. So there may be, you know, some cases here where, you know, perhaps Escape to Host is somehow escaping to the Windows host.

D: I think Escape to Host ultimately will be, like, Containers, Linux and possibly Windows as well. We haven't done a lot of research in that area yet, but if we find that there are ways to escape the container to go, like, into the Windows environment, then we would certainly add the platform tag there. But we haven't received anything in the wild yet, really, about adversaries kind of moving into Windows.
H: So I'll just go back to the point we were discussing about how, like, it's all evidence-based, as you mentioned, but if we can really demonstrate in a lab that this is how we can break out or move from a pod to a pod.

H: The way it works is, like, they're also catching up on technology, learning as we all learn, and they're trying to get there, learning more about containers and cloud, and we're seeing techniques that we wouldn't have imagined four years ago; the adversaries are using them now. Say somebody demonstrates something in our lab: yeah, this is how you would carry out an attack, it's very, very plausible. It's just that we're just short of evidence on that. How open are we about including such stuff?
D: So this has definitely been a kind of philosophical conversation back and forth with ATT&CK for a long time. ATT&CK itself is kind of rooted in CTI, cyber threat intel, what adversaries are doing. There are other models, like CAPEC, for example, that are kind of more of the theoretical: this is what adversaries could do, or what we can do in a research lab, etc.

D: I know with cloud and containers, you know, the space has been, we're kind of more at the, I guess, the infancy levels of those platforms in ATT&CK. So there's definitely an argument for, you know, where, as research comes out, you know, the adversaries are going to be doing those things. But it's still, ultimately, ATT&CK is rooted in what adversaries are doing versus what can be done.

D: So there's an ongoing conversation about that, but as of right now we're focused on the in-the-wild adversary behavior. But if there is an existing technique, such as Escape to Host, that's another, I brought this example before: if we were seeing adversaries do that in Linux, but there are ways to do that in Windows, like, through research we found that that can happen on Windows as well, we would add Windows to that existing technique.

D: Yeah, absolutely. Thank you guys for listening, and, you know, I can talk to Magno more about, you know, maybe seeing if I can get some feedback from you folks on our detections and things like that, but we'll definitely stay in touch.

C: Andres, do you have any other discussions for today?
I: Yeah, I'm new. Hi guys, I'm Marina. I work at Cysbig with Dan. Happy to be here. I'm part of a lot of other working groups around regulatory compliance and CIS benchmarks, and I thought it's a good time to join this meeting as well to see how I can contribute. I have a lot of compliance and risk management knowledge and I also have a lot of understanding of cloud and containers, so hopefully I can help this effort.

J: Thanks. Hi everyone, I'm Edan, I'm from Aqua Security. Also, first time in this group. We actually even talked with Jen a little bit about the MITRE framework for containers.
A: Yeah, I do not know that there are any other updates. Well, worth mentioning: the schedule for Cloud Native Security Day, co-located with KubeCon Europe 2021, is now posted. Some of you might have seen that in the chat. Big shout out to the program committee who helped review all CFP submissions; it was a very arduous task. There were really high quality submissions.

A: It was a hard job having to make choices. There is a number of submissions that were made that we think would be a great fit to present on regular weekly calls; we're going to be sorting through some of those. That said, well, the schedule's now posted. It would be great if you can help promote and advertise the event, so we can make that a very participative, well-attended, engaging event and we can have good discussion.

A: CTF is also happening; planning for that is still ongoing. We're going to be sharing six different scenarios.

A: Some of you might have done the capture the flag last year; expect, like, new things and changes to be made to that. But yeah, that's that. I don't know if anyone else, like, I see Richard Julian on the call. Richard, you've been joining Friday's calls on the secure supply chain working group and participating in writing that. Not sure if you want to, like, talk a little bit about that to others. Sorry to put you on the spot.
G: No, no, no! It's totally okay. I'm actually here as a proxy for John Meadows for the most part. Yeah, I mean, the progress that we've been documenting in the chat is pretty up to date. It's pretty much at this point, we're going through the document. I personally am reading it out of order in various sections to make sure they work on their own. Anybody who is willing and wants to read a rougher draft of that document.
G: Honestly, we've gotten a summary of all the major recommendations. If anything, I'd love for the feedback on just that part. If you really have 30 minutes and you want to go through our document and just read the bullet point part, if there's anything major that you see missing there, you know, let us know. There might be some contextual pieces that would help, but yeah, that's where we are today with the actual white paper.
G: I would say, go ahead and leave it in comments inside the doc. That's where we've all been keeping our feedback. If you are particularly good at writing or, you know, want to play editor, we'd be happy for any sort of recommendations on that side too. And I see Alex is on the call; there's a lot of folks going and, like, working in that capacity, so, but the more the merrier, I think.
G: And Andres, I do think, is there going to be, just breaking outside of that working group, is there going to be a greater sharing, maybe with SIG Security first, of that document, or maybe just a summary of it, and, you know, vetting a lot of the concepts? Will there be something formal for that?
A: So there's right now some discussion around, like, well, SIG Security is only allowed one talk, and we already had one talk to, like, promote membership and promote the group. CNCF has some language around sanctioned working groups also being given a maintainer track, and that's how we managed to slot that in. But there was some confusion on the back end.
A: So, while it's on the schedule, it's not 100% confirmed. So, like I said, we managed to secure, like, we managed to put it in there; it's subject to change. We're advocating keeping it on as it's very relevant.
A: There are some other supply chain talks, but they really don't shed as much light or, like, elicit or extrapolate as much as the white paper has done. So we really want to make sure that gets represented.
A: John Meadows is the primary speaker; Emily Fox and R and I are there as secondary speakers, but yeah, we might even shuffle those seats. Given, well, a lot of folks have put in a lot more work into the paper than I have personally; I participated initially, but I'd be willing to concede my seat depending on the merit of what's gone into the paper. So yeah, stay tuned for updates on that. I don't expect it to change at this point, but yeah, ongoing discussion.
A: Last, sorry for the shifting thought process, I did see Magno add the links for the schedule for Cloud Native Security Day and also last year's CTF, a write-up on the CTF for last year. I forgot to mention: Magno is going to be doing a live stream of the CTF. Magno, you want to talk a little bit about that and tease that up a little bit? Sure.
C: No problem, yeah. So what we were working on is having at least some time on the Cloud Native Twitch team to do a live commentator session with some people in the community that are very famous and understand a lot about Kubernetes security. So we're going to present to them some of the challenges from the CTF and ask them: okay, how would you go about solving it, right? So how would you start? Where would you look for this information? Which tools did you use?
C: So me, Diego, and I think Ron, we're going to be talking with those people. We're still selecting a few guest speakers there, and we're going to have, I think, one to two hours, and we're going to do these small sessions, right? So after we release one of the challenges, then we invite some of the guest speakers to talk about it and understand their thought process, right?
C: So, just to have that attacker's mindset of how would they go about solving that problem and looking for the flag, or, like, how would they compromise that specific cluster or look for the logs or information about it, right? So that's what we're gonna do on the Twitch stream during Cloud Native Security Day.