SlideShare a Scribd company logo

Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd:cloudsec 2021

J
Jennifer Burns

MITRE ATT&CK® is a well-known knowledge base of adversary behaviors that was originally focused on host-based environments, but recently ATT&CK coverage was extended to include techniques carried out in container deployments. I was privileged to have the opportunity to lead the team at MITRE that developed ATT&CK for Containers, but now I'm focused on implementing ATT&CK as a practitioner. With this background, I hope to share the unique perspective of how ATT&CK for Containers was created with help from the community, what ATT&CK techniques mean in the context of containers, and how you can utilize this new knowledge base in your own cloud environment. You'll leave this talk with a better understanding of how to evaluate and identify gaps in coverage and improve defenses in your own containers deployments by utilizing techniques used by real-world adversaries.

Engineering
1 of 26
Download to read offline
Using ATT&CKⓇ for Containers to Level Up your Cloud Defenses Jen Burns @snarejen fwd:cloudsec 2021
whoami? ● Senior Security Engineer at HubSpot ● Former ATT&CK for Cloud Lead ● Solid drummer ● Somewhat decent climber ● Lover of bad puns ● Fan of most animals despite being allergic to most animals T1033 - System Owner/User Discovery
What’s on the docke(r)t for today? 1. What is ATT&CK? 2. Why did Containers get added to ATT&CK? 3. How can I use ATT&CK for Containers?
What is ATT&CK? Note that I am NOT a representative of MITRE or ATT&CK!
Want to contribute to ATT&CK? ● Check out guidelines at https://attack.mitre.org/resources/contribute/ ● Send your contribution to attack@mitre.org
Want a different sidebar color? ● Go to the “New Slide with Layout” dropdown arrow in the top left corner of the toolbar ● Scroll to “Section Headers” ● Select a color Tactics: the adversary’s technical goals Techniques: how the goals are achieved ATT&CK Navigator https://bit.ly/attacknav
Want a different sidebar color? ● Go to the “New Slide with Layout” dropdown arrow in the top left corner of the toolbar ● Scroll to “Section Headers” ● Select a color Technique Example NOTE: Techniques and sub-techniques ALSO include mitigations, detections, and procedures Screenshot from https://attack.mitre.org/techniques/T1204/
Why did Containers get added to ATT&CK?
NOT THESE CONTAINERS!!! https://twitter.com/MITREattack/status/1377615020465520640
Originally ATT&CK just covered the Windows platform. In the past few years it expanded to include techniques carried out in Linux, macOS, industrial control systems, the cloud, and network devices. It’s a logical expansion of ATT&CK. 1 Why did Containers get added to ATT&CK?
MITRE Engenuity’s Center for Threat-Informed Defense and its members (including Microsoft and the folks who produced their K8s threat matrix) sponsored an investigation into adding containers into ATT&CK and contributed to the platform’s creation. MITRE Engenuity’s CTID provided support. 2 Why did Containers get added to ATT&CK?
The community also helped conclude that the vast majority of activity that they observed did lead to cryptomining. However, evidence from a number of parties led the ATT&CK team to also conclude that adversaries utilizing containers for more “traditional” purposes, such as exfiltration and collection of sensitive data, is publicly under reported. The community asked for it! 3 Why did Containers get added to ATT&CK?
ATT&CK for Containers Contributors ● Brad Geesaman, @bradgeesaman ● Center for Threat-Informed Defense (CTID) ● Cisco ○ Idan Frimark, Ariel Shuper ● Palo Alto Networks ○ Yuval Avrahami, Jay Chen, Nathaniel Quist ● Rory McCune, Aqua Security ● Team Nautilus Aqua Security ○ Yaniv Agman (@AgmanYaniv), Ziv Karliner (@ziv_kr), Michael Katchinskiy (@michael64194968), Roi Kol (@roykol1), Assaf Morag (@MoragAssaf), Idan Revivo (@idanr86), Gal Singer (@galsinger29) ● Trend Micro ○ David Fiser (@anu4is), Pawan Kinger (@kingerpawan), Magno Logan (@magnologan), Alfredo Oliveira ● Vishwas Manral, McAfee ● Yossi Weizman, Azure Defender Research Team https://www.vecteezy.com/free-vector/industrial
How can I use ATT&CK for Containers?
Four Main Use Cases for ATT&CK How can ATT&CK for Containers help? ● Assessments and Engineering ● Threat Intelligence ● Adversary Emulation ● Building Detections Pro Tip! If it’s hard to understand how an ATT&CK technique relates to containers, check out the MITRE Engenuity Medium blogs that have some container specific definitions. ● https://medium.com/mitre-engenuity/update-help-shape-att-ck-for-containers-bfcd24515df5 ● https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 Getting Started with ATT&CK blog series: https://medium.com/mitre-attack/getting-started/home
Assessments and Engineering How can ATT&CK for Containers help? ● Helps us measure the status of our current defenses ○ What’s our confidence level that we would detect a particular technique? ○ Which techniques are sufficiently mitigated? ● Gives us an understanding of where we can improve ○ Do I need to capture different data sources in my environment? ○ Should I buy product X because we aren’t detecting a particular set of techniques?
Assessments and Engineering Example Consider starting with a single technique….
External Remote Services 01 Exposed Docker Daemon/API External access to port 2375? Is the TCP socket enabled? Is an nmap scan successful? Are you gathering Docker daemon logs for processing? 02 K8s API Server Is authentication required to access the API server? Can the API server be reached externally? Are you gathering audit logs for analysis? 03 Kubelet Is the kubelet locked down with something like webhook token auth? Are you gathering kubelet logs for analysis? 04 K8s Dashboard (or other web app) Is the K8s dashboard or other control plane apps externally accessible? Does it require authentication to access? (Testing unauthenticated initial access into your environment)
Assessments and Engineering Example 2 - High Confidence of Detection 1 - Low Confidence of Detection 0 - No Confidence of Detection 2 - Sufficiently Mitigated 1 - Partially Mitigated 0 - Not Mitigated ...or maybe
Threat Intelligence How can ATT&CK for Containers help? ● Gives us a common language across teams ○ Red Team ○ Blue Team ○ Cyber Threat Intel Team ○ Cloud Security/Operations Team ○ CISO ○ … ● Helps us better understand what behaviors adversaries are actually doing in Kubernetes, Docker, etc. https://unsplash.com/photos/uBe2mknURG4?utm_source=unspl ash&utm_medium=referral&utm_content=creditShareLink
Threat Intelligence Example Excerpt from Palo Alto Networks about the Hildegard malware from TeamTNT https://unit42.paloaltonetworks.com/hildegar d-malware-teamtnt/ T1133 - External Remote Services T1609 - Container Administration Command T1611 - Escape to Host T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
Adversary Emulation How can ATT&CK for Containers help? ● Helps ensure that you can actually detect/mitigate what you expect ● Provides a sanity check for your red team on what behaviors are being carried out by adversaries in-the-wild https://unsplash.com/photos/ayog-lKRrp8?utm_source=unsplash&ut m_medium=referral&utm_content=creditShareLink
Adversary Emulation Example - Kinsing Malware Carry out an engagement across Containers and Linux https://attack.mitre.org/software/S0599/ Use procedure examples from ATT&CK and threat intelligence as your guide!
Want a different sidebar color? ● Go to the “New Slide with Layout” dropdown arrow in the top left corner of the toolbar ● Scroll to “Section Headers” ● Select a color Adversary Emulation/Assessments There are lots of tools to help! ● red-kube - collection of kubectl commands written to evaluate security posture of K8s clusters ● kube-hunter - tool that searches for security weaknesses in K8s clusters ● kubernetes-goat - intentionally vulnerable cluster to learn/practice K8s security ● kubescape - tool for testing if K8s is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA ● kube-bench - checks K8s deployment against the CIS K8s Benchmark
Thank you Jen Burns @snarejen https://bit.ly/fwdcs21-burns

Recommended

BSidesLV -The SOC Counter ATT&CK
BSidesLV -The SOC Counter ATT&CKBSidesLV -The SOC Counter ATT&CK
BSidesLV -The SOC Counter ATT&CKMathieu Saulnier
 
In the Trenches During a Software Supply Chain Attack by Mitch Denny at Front...
In the Trenches During a Software Supply Chain Attack by Mitch Denny at Front...In the Trenches During a Software Supply Chain Attack by Mitch Denny at Front...
In the Trenches During a Software Supply Chain Attack by Mitch Denny at Front...DevClub_lv
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE - ATT&CKcon
 

Recommended

BSidesLV -The SOC Counter ATT&CK
BSidesLV -The SOC Counter ATT&CKBSidesLV -The SOC Counter ATT&CK
BSidesLV -The SOC Counter ATT&CKMathieu Saulnier
 
In the Trenches During a Software Supply Chain Attack by Mitch Denny at Front...
In the Trenches During a Software Supply Chain Attack by Mitch Denny at Front...In the Trenches During a Software Supply Chain Attack by Mitch Denny at Front...
In the Trenches During a Software Supply Chain Attack by Mitch Denny at Front...DevClub_lv
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE - ATT&CKcon
 
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesPriyanka Aash
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Linkedin
LinkedinLinkedin
LinkedinKhaled Serag
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingHelping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingMITRE - ATT&CKcon
 
Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...
Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...
Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...LibbySchulze
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareKaspersky
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE - ATT&CKcon
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...Priyanka Aash
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE - ATT&CKcon
 
De invloed van "cloud" op het dreigingslanschap
De invloed van "cloud" op het dreigingslanschapDe invloed van "cloud" op het dreigingslanschap
De invloed van "cloud" op het dreigingslanschapFrank Breedijk
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE - ATT&CKcon
 
Analyzing and Defending from Modern Internet Threats
Analyzing and Defending from Modern Internet ThreatsAnalyzing and Defending from Modern Internet Threats
Analyzing and Defending from Modern Internet ThreatsNECST Lab @ Politecnico di Milano
 
A Brief History of Cryptographic Failures
A Brief History of Cryptographic FailuresA Brief History of Cryptographic Failures
A Brief History of Cryptographic FailuresNothing Nowhere
 
Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Guy Podjarny
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidFilip Šebesta
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"Christiaan Beek
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian MalwareKaspersky
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 

More Related Content

What's hot

IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesPriyanka Aash
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingHelping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingMITRE - ATT&CKcon
 
Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...
Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...
Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...LibbySchulze
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareKaspersky
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE - ATT&CKcon
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...Priyanka Aash
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE - ATT&CKcon
 
De invloed van "cloud" op het dreigingslanschap
De invloed van "cloud" op het dreigingslanschapDe invloed van "cloud" op het dreigingslanschap
De invloed van "cloud" op het dreigingslanschapFrank Breedijk
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE - ATT&CKcon
 
A Brief History of Cryptographic Failures
A Brief History of Cryptographic FailuresA Brief History of Cryptographic Failures
A Brief History of Cryptographic FailuresNothing Nowhere
 
Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Guy Podjarny
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidFilip Šebesta
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"Christiaan Beek
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian MalwareKaspersky
 

What's hot (20)

IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
Linkedin
LinkedinLinkedin
Linkedin
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingHelping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
 
Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...
Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...
Defence strategy against kubernetes attack ttp's (tactics, techniques and pro...
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
 
De invloed van "cloud" op het dreigingslanschap
De invloed van "cloud" op het dreigingslanschapDe invloed van "cloud" op het dreigingslanschap
De invloed van "cloud" op het dreigingslanschap
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
 
Analyzing and Defending from Modern Internet Threats
Analyzing and Defending from Modern Internet ThreatsAnalyzing and Defending from Modern Internet Threats
Analyzing and Defending from Modern Internet Threats
 
A Brief History of Cryptographic Failures
A Brief History of Cryptographic FailuresA Brief History of Cryptographic Failures
A Brief History of Cryptographic Failures
 
Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
 

Similar to Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd:cloudsec 2021

Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Evolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootConEvolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootConJorge Orchilles
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Harry McLaren
 
Pursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMPursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMMark Secretario
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkLeszek Mi?
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest Haydn Johnson
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Amélie Gyrard
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendEric Smalling
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudsparkfabrik
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
 
PCDRA Exam Questions Answers 2022
PCDRA Exam Questions Answers 2022PCDRA Exam Questions Answers 2022
PCDRA Exam Questions Answers 2022edwardbella43
 
Hardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsHardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsSuraj Deshmukh
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
 

Similar to Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd:cloudsec 2021 (20)

Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
Evolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootConEvolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootCon
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
 
Pursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMPursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideM
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
 
Attack eu 2021 attack4cvc
Attack eu 2021 attack4cvcAttack eu 2021 attack4cvc
Attack eu 2021 attack4cvc
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friend
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloud
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking Competition
 
PCDRA Exam Questions Answers 2022
PCDRA Exam Questions Answers 2022PCDRA Exam Questions Answers 2022
PCDRA Exam Questions Answers 2022
 
Hardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsHardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing Pods
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 

Recently uploaded

(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 

Recently uploaded (20)

(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 

Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd:cloudsec 2021

  • 1. Using ATT&CKⓇ for Containers to Level Up your Cloud Defenses Jen Burns @snarejen fwd:cloudsec 2021
  • 2. whoami? ● Senior Security Engineer at HubSpot ● Former ATT&CK for Cloud Lead ● Solid drummer ● Somewhat decent climber ● Lover of bad puns ● Fan of most animals despite being allergic to most animals T1033 - System Owner/User Discovery
  • 3. What’s on the docke(r)t for today? 1. What is ATT&CK? 2. Why did Containers get added to ATT&CK? 3. How can I use ATT&CK for Containers?
  • 4. What is ATT&CK? Note that I am NOT a representative of MITRE or ATT&CK!
  • 5. Want to contribute to ATT&CK? ● Check out guidelines at https://attack.mitre.org/resources/contribute/ ● Send your contribution to attack@mitre.org
  • 6.
  • 7. Want a different sidebar color? ● Go to the “New Slide with Layout” dropdown arrow in the top left corner of the toolbar ● Scroll to “Section Headers” ● Select a color Tactics: the adversary’s technical goals Techniques: how the goals are achieved ATT&CK Navigator https://bit.ly/attacknav
  • 8. Want a different sidebar color? ● Go to the “New Slide with Layout” dropdown arrow in the top left corner of the toolbar ● Scroll to “Section Headers” ● Select a color Technique Example NOTE: Techniques and sub-techniques ALSO include mitigations, detections, and procedures Screenshot from https://attack.mitre.org/techniques/T1204/
  • 9. Why did Containers get added to ATT&CK?
  • 11. Originally ATT&CK just covered the Windows platform. In the past few years it expanded to include techniques carried out in Linux, macOS, industrial control systems, the cloud, and network devices. It’s a logical expansion of ATT&CK. 1 Why did Containers get added to ATT&CK?
  • 12. MITRE Engenuity’s Center for Threat-Informed Defense and its members (including Microsoft and the folks who produced their K8s threat matrix) sponsored an investigation into adding containers into ATT&CK and contributed to the platform’s creation. MITRE Engenuity’s CTID provided support. 2 Why did Containers get added to ATT&CK?
  • 13. The community also helped conclude that the vast majority of activity that they observed did lead to cryptomining. However, evidence from a number of parties led the ATT&CK team to also conclude that adversaries utilizing containers for more “traditional” purposes, such as exfiltration and collection of sensitive data, is publicly under reported. The community asked for it! 3 Why did Containers get added to ATT&CK?
  • 14. ATT&CK for Containers Contributors ● Brad Geesaman, @bradgeesaman ● Center for Threat-Informed Defense (CTID) ● Cisco ○ Idan Frimark, Ariel Shuper ● Palo Alto Networks ○ Yuval Avrahami, Jay Chen, Nathaniel Quist ● Rory McCune, Aqua Security ● Team Nautilus Aqua Security ○ Yaniv Agman (@AgmanYaniv), Ziv Karliner (@ziv_kr), Michael Katchinskiy (@michael64194968), Roi Kol (@roykol1), Assaf Morag (@MoragAssaf), Idan Revivo (@idanr86), Gal Singer (@galsinger29) ● Trend Micro ○ David Fiser (@anu4is), Pawan Kinger (@kingerpawan), Magno Logan (@magnologan), Alfredo Oliveira ● Vishwas Manral, McAfee ● Yossi Weizman, Azure Defender Research Team https://www.vecteezy.com/free-vector/industrial
  • 15. How can I use ATT&CK for Containers?
  • 16. Four Main Use Cases for ATT&CK How can ATT&CK for Containers help? ● Assessments and Engineering ● Threat Intelligence ● Adversary Emulation ● Building Detections Pro Tip! If it’s hard to understand how an ATT&CK technique relates to containers, check out the MITRE Engenuity Medium blogs that have some container specific definitions. ● https://medium.com/mitre-engenuity/update-help-shape-att-ck-for-containers-bfcd24515df5 ● https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 Getting Started with ATT&CK blog series: https://medium.com/mitre-attack/getting-started/home
  • 17. Assessments and Engineering How can ATT&CK for Containers help? ● Helps us measure the status of our current defenses ○ What’s our confidence level that we would detect a particular technique? ○ Which techniques are sufficiently mitigated? ● Gives us an understanding of where we can improve ○ Do I need to capture different data sources in my environment? ○ Should I buy product X because we aren’t detecting a particular set of techniques?
  • 18. Assessments and Engineering Example Consider starting with a single technique….
  • 19. External Remote Services 01 Exposed Docker Daemon/API External access to port 2375? Is the TCP socket enabled? Is an nmap scan successful? Are you gathering Docker daemon logs for processing? 02 K8s API Server Is authentication required to access the API server? Can the API server be reached externally? Are you gathering audit logs for analysis? 03 Kubelet Is the kubelet locked down with something like webhook token auth? Are you gathering kubelet logs for analysis? 04 K8s Dashboard (or other web app) Is the K8s dashboard or other control plane apps externally accessible? Does it require authentication to access? (Testing unauthenticated initial access into your environment)
  • 20. Assessments and Engineering Example 2 - High Confidence of Detection 1 - Low Confidence of Detection 0 - No Confidence of Detection 2 - Sufficiently Mitigated 1 - Partially Mitigated 0 - Not Mitigated ...or maybe
  • 21. Threat Intelligence How can ATT&CK for Containers help? ● Gives us a common language across teams ○ Red Team ○ Blue Team ○ Cyber Threat Intel Team ○ Cloud Security/Operations Team ○ CISO ○ … ● Helps us better understand what behaviors adversaries are actually doing in Kubernetes, Docker, etc. https://unsplash.com/photos/uBe2mknURG4?utm_source=unspl ash&utm_medium=referral&utm_content=creditShareLink
  • 22. Threat Intelligence Example Excerpt from Palo Alto Networks about the Hildegard malware from TeamTNT https://unit42.paloaltonetworks.com/hildegar d-malware-teamtnt/ T1133 - External Remote Services T1609 - Container Administration Command T1611 - Escape to Host T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
  • 23. Adversary Emulation How can ATT&CK for Containers help? ● Helps ensure that you can actually detect/mitigate what you expect ● Provides a sanity check for your red team on what behaviors are being carried out by adversaries in-the-wild https://unsplash.com/photos/ayog-lKRrp8?utm_source=unsplash&ut m_medium=referral&utm_content=creditShareLink
  • 24. Adversary Emulation Example - Kinsing Malware Carry out an engagement across Containers and Linux https://attack.mitre.org/software/S0599/ Use procedure examples from ATT&CK and threat intelligence as your guide!
  • 25. Want a different sidebar color? ● Go to the “New Slide with Layout” dropdown arrow in the top left corner of the toolbar ● Scroll to “Section Headers” ● Select a color Adversary Emulation/Assessments There are lots of tools to help! ● red-kube - collection of kubectl commands written to evaluate security posture of K8s clusters ● kube-hunter - tool that searches for security weaknesses in K8s clusters ● kubernetes-goat - intentionally vulnerable cluster to learn/practice K8s security ● kubescape - tool for testing if K8s is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA ● kube-bench - checks K8s deployment against the CIS K8s Benchmark
  • 26. Thank you Jen Burns @snarejen https://bit.ly/fwdcs21-burns