Nov. 29, 2023
How (and why) to think like a threat actor in your Kubernetes Environments
Abhinav Mishra, Director of Product Management, Uptycs
Rewanth Tammana, Consultant, Uptycs

Abhinav Mishra, Director of Product Management
› Leading Uptycs product team on Containers & Kubernetes
› 10+ years of Security and Engineering Experience

Rewanth Tammana, Consultant
› Speaker, Trainer, Open-source contributor, GSoCer & more
› DevSecOps, Cloud & Container security - Red, Blue & Purple teams

By the Numbers - Kubernetes Attacks
Source: 2023 Red Hat State of Kubernetes Security Report
Threat actors are now Kubernetes security experts

Which room am I in?
How many floors are in this house?
What doors can I open?
Where are the security cameras?
Where are the valuable items?

Which room am I in? - Specific Pod or Namespace
What other rooms can I get into? - Kubernetes Network Policies/Lateral Movements
What doors can I open? - Access Controls (Role Bindings)
Where are the security cameras? - Kubernetes Audit Log Data
Where are the valuable items? - Secrets/Sensitive Data

Tools
- Kubernetes GOAT
- RedKube

Pillar 1 - Visibility Across Your Supply Chain
Diagram: the supply chain path from Developer Laptop (Code Development, Development Container Images) -> Git Repository (Code Pull) -> CI / CD Tool (CI Scanning) -> Registry (Registry Scanning) -> Control Plane (Container Orchestration) -> Data Plane (Node 1, Node 2, Node 3, Container Runtime)
Confidential. All rights reserved.

Example - Malicious & Vulnerable Packages
Container Image:
- Image is Signed
- Registry and CI where image is built and stored is scanned for vulnerabilities
- Image Layer vulnerabilities are scanned
- What were the ingredients used to make the cookie? Are they safe?
- What are the contents of the cookie on the inside?
- What was the state of the factory when the cookie was built?

Example - Malicious & Vulnerable Packages
Need to inspect:
- the contents of the image when it is built
- the traceability of the image - where did it come from, who built it?
- the provenance of the image - what was the security of the supply chain components?

Example - Malicious Admission Controllers
Admission Controls:
- enforce sensible & secure defaults (such as namespace quotas)
- only allow trusted repositories
- don’t allow insecure resources (ex. wildcard ingress controllers or over-privileged service accounts) to be deployed
The Challenge: How do I know my admission controller is secure at any given point in time?
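As an added example (not code from the slides, the speakers, or Uptycs), here is the decision logic a validating admission webhook could run on an AdmissionReview request to enforce the controls listed above: trusted registries only, digest-pinned images, no privileged containers, no wildcard Ingress hosts (how this example reads "wildcard ingress"), and no pods riding on the namespace default service account with an API token mounted. The registry allowlist, the sample request and every name in it are constructed for this example; the response shape follows the admission.k8s.io/v1 AdmissionReview contract.

```python
import json

# Constructed for this example: registries the cluster is allowed to pull from.
TRUSTED_REGISTRIES = ("registry.internal.example/", "ghcr.io/example-org/")


def _containers(pod_spec):
    """Init containers and regular containers are subject to the same rules."""
    return pod_spec.get("initContainers", []) + pod_spec.get("containers", [])


def check_pod(pod):
    """Return a list of policy violations for a Pod object (empty list means allowed)."""
    spec = pod.get("spec", {})
    violations = []
    for c in _containers(spec):
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            violations.append(f"container {c['name']}: image {image!r} is not from a trusted registry")
        if "@sha256:" not in image:
            violations.append(f"container {c['name']}: image {image!r} is not pinned by digest")
        if c.get("securityContext", {}).get("privileged"):
            violations.append(f"container {c['name']}: privileged containers are not allowed")
    # A pod running as the namespace default service account with its token mounted is
    # the lateral-movement setup from the Pillar 2 slides; require an explicit identity.
    if spec.get("serviceAccountName", "default") == "default" and spec.get("automountServiceAccountToken", True):
        violations.append("pod uses the default service account with an API token mounted")
    return violations


def check_ingress(ingress):
    """Reject Ingress rules that claim wildcard hosts."""
    rules = ingress.get("spec", {}).get("rules", [])
    return [f"ingress rule host {r['host']!r} is a wildcard" for r in rules if "*" in r.get("host", "")]


CHECKS = {"Pod": check_pod, "Ingress": check_ingress}


def review(admission_review):
    """Build the AdmissionReview response a validating webhook would return."""
    req = admission_review["request"]
    obj = req["object"]
    violations = CHECKS.get(obj.get("kind"), lambda _: [])(obj)
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample request: an unpinned Docker Hub image, privileged, on the default SA.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "object": {
            "kind": "Pod",
            "metadata": {"name": "web", "namespace": "alpha-1"},
            "spec": {"containers": [{"name": "web", "image": "nginx:latest",
                                     "securityContext": {"privileged": True}}]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

The sample pod is denied with four separate reasons in one message, so a developer sees every fix at once instead of discovering them one redeploy at a time; a pod that pins a digest from a trusted registry and names its own service account passes.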

Example - Malicious Admission Controllers
Source: https://blog.rewanthtammana.com/creating-malicious-admission-controllers
Let’s take a look at a crypto mining example to see what information we need:
1. Attacker created a malicious mutating webhook to gain persistence in the system
2. Injects a crypto mining init container/sidecar into each deployment.
3. As an attacker, you want to make everything still seem normal - the application will still work normally, but in the backend it’s eating your compute resources
4. This cannot be identified with static checks like CIS benchmarking, misconfiguration checks using kubescape, etc.
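Two defender-side checks for the injection pattern just described, added here as an example (not code from the slides, the linked blog post, or Uptycs): compare each live Pod with the pod template of the Deployment it came from (anything the template never declared was added in flight, which is exactly what a mutating webhook does), and list MutatingWebhookConfigurations that can rewrite every Pod create in every namespace. Both look at live state rather than manifests, which is the gap the fourth point above names. All objects below are constructed samples in the shape `kubectl get -o json` returns; the selector heuristic is a review prompt, not proof of malice.

```python
def _images_by_name(spec):
    """name -> image for the regular and init containers of a pod spec."""
    return {c["name"]: c["image"] for c in spec.get("containers", []) + spec.get("initContainers", [])}


def injected_containers(deployment, pod):
    """Containers in the live pod that the Deployment template did not declare, or whose image differs."""
    expected = _images_by_name(deployment["spec"]["template"]["spec"])
    live = _images_by_name(pod["spec"])
    return {name: img for name, img in live.items() if expected.get(name) != img}


def broad_mutating_webhooks(configs):
    """Mutating webhooks that match every Pod create and carry no namespace or object selector."""
    findings = []
    for cfg in configs:
        for wh in cfg.get("webhooks", []):
            matches_pod_create = any(
                ("pods" in r.get("resources", []) or "*" in r.get("resources", []))
                and ("CREATE" in r.get("operations", []) or "*" in r.get("operations", []))
                for r in wh.get("rules", [])
            )
            # No selector at all means every namespace, every pod; a selector with a
            # NotIn expression can be nearly as broad, so treat this as a prompt to review.
            unscoped = not wh.get("namespaceSelector") and not wh.get("objectSelector")
            if matches_pod_create and unscoped:
                svc = wh.get("clientConfig", {}).get("service", {})
                findings.append(
                    f"{cfg['metadata']['name']}/{wh['name']}: rewrites all Pod creates, "
                    f"backend {svc.get('namespace')}/{svc.get('name')}, failurePolicy={wh.get('failurePolicy', 'Fail')}"
                )
    return findings


# Constructed samples. The digest is a placeholder, not a real image digest.
DIGEST = "sha256:" + "0" * 64
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "web", "namespace": "alpha-1"},
              "spec": {"template": {"spec": {"containers": [
                  {"name": "web", "image": f"registry.internal.example/web@{DIGEST}"}]}}}}
LIVE_POD = {"kind": "Pod", "metadata": {"name": "web-7d4b9-abcde", "namespace": "alpha-1"},
            "spec": {
                # Not in the template: the kind of container a mutating webhook would add.
                "initContainers": [{"name": "init-cache", "image": "example.invalid/cache-warmer:latest"}],
                "containers": [{"name": "web", "image": f"registry.internal.example/web@{DIGEST}"}]}}
WEBHOOKS = [{"metadata": {"name": "sidecar-injector"},
             "webhooks": [{"name": "inject.example.invalid",
                           "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                                      "operations": ["CREATE"], "resources": ["pods"]}],
                           "clientConfig": {"service": {"namespace": "alpha-1", "name": "injector"}},
                           "failurePolicy": "Ignore"}]}]

if __name__ == "__main__":
    print("drift:", injected_containers(DEPLOYMENT, LIVE_POD))
    for line in broad_mutating_webhooks(WEBHOOKS):
        print("review:", line)
```

Run against a real cluster, the Deployment/Pod pairs come from the ReplicaSet owner references and the webhook list from `kubectl get mutatingwebhookconfigurations -o json`; the `failurePolicy=Ignore` detail matters because it lets an injector fail silently rather than block deploys and draw attention.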

Cryptomining DEMO

Pillar 1 Takeaways - Visibility Across Your Supply Chain
- always have a point-in-time snapshot of your security posture
- rely on a combination of the following:
  - image scanning: across layers for malicious/vulnerable packages
  - image provenance: what was the security posture of my supply chain components at the time of an image build? need snapshot information
  - image traceability: where did the image come from? who committed it? did it go through the right set of security pipelines?
  - image signing and verification: is the image signed by a trusted author?

Pillar 2 - Start with RBAC and Dive Deeper
Source: MITRE ATT&CK Framework - Containers Matrix

Example - Masqueraded Cluster Role Bindings
Threat actors will try to hide behind benign names or components that seem important but are actually harmful.
Source: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
NOTE: Misconfigurations can also be introduced via human error or by using defaults.

Example - Lateral Movements via Default Service Accounts
Diagram: a SHARED EKS CLUSTER hosting Team Alpha (Namespace alpha-1, Namespace alpha-2) and Team Beta (Namespace alpha-3).
The lock/key is now used to access namespaces, including ones belonging to the other tenant. If malware or vulnerabilities are present in one namespace, it can laterally move across the entire cluster!
You need a platform that can tell you where these misconfigurations are present!
Use Security Tools That Map Real-Time Threats To Misconfigurations In Your Cluster
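An RBAC posture check covering both Pillar 2 examples above, added here as an example (not code from the slides, the linked posts, or any Uptycs product): it finds cluster-admin-equivalent power hidden behind a benign-looking ClusterRole and a binding named like a Kubernetes built-in, and it finds roles handed to a namespace's default service account or to the group every service account belongs to, which is what turns one compromised namespace into cluster-wide reach. The ClusterRole and binding objects are constructed samples in the shape `kubectl get -o json` returns; the "expected admins" set is a constructed allowlist an organisation would maintain itself.

```python
SYSTEM_SA_NAMESPACE = "kube-system"
# Groups that contain every workload identity or every authenticated principal.
EVERY_SA_GROUPS = {"system:serviceaccounts", "system:authenticated"}


def wildcard_roles(cluster_roles):
    """ClusterRoles that grant every verb on every resource, whatever they are called."""
    return {
        cr["metadata"]["name"]
        for cr in cluster_roles
        if any("*" in rule.get("verbs", []) and "*" in rule.get("resources", [])
               for rule in cr.get("rules", []))
    }


def _subject_id(subject):
    ns = subject.get("namespace")
    return f"{subject['kind']}:{ns + '/' if ns else ''}{subject['name']}"


def audit_bindings(cluster_roles, bindings, expected_admins):
    """Return (binding name, finding) pairs; expected_admins holds subject ids allowed cluster-admin power."""
    admin_roles = wildcard_roles(cluster_roles) | {"cluster-admin"}
    findings = []
    for b in bindings:
        name = b["metadata"]["name"]
        role = b["roleRef"]["name"]
        for s in b.get("subjects", []):
            sid = _subject_id(s)
            # Built-in system: bindings bind kube-system service accounts or system: users and
            # groups; a system:-named binding with any other subject is a masquerade candidate.
            builtin_subject = (
                (s["kind"] == "ServiceAccount" and s.get("namespace") == SYSTEM_SA_NAMESPACE)
                or (s["kind"] in ("User", "Group") and s["name"].startswith("system:"))
            )
            if name.startswith("system:") and not builtin_subject:
                findings.append((name, f"system:-style binding name but non-system subject {sid}"))
            # Cluster-admin power, by role name or by wildcard rules, outside the expected admin set.
            if b["kind"] == "ClusterRoleBinding" and role in admin_roles and sid not in expected_admins:
                findings.append((name, f"{sid} gets cluster-admin-equivalent role {role!r} cluster-wide"))
            # Lateral-movement setup: the namespace default SA, or every SA at once, gets a role.
            if s["kind"] == "ServiceAccount" and s["name"] == "default":
                findings.append((name, f"role {role!r} granted to default service account in {s.get('namespace')}"))
            elif s["kind"] == "Group" and s["name"] in EVERY_SA_GROUPS and not name.startswith("system:"):
                findings.append((name, f"role {role!r} granted to group {s['name']} (every workload identity)"))
    return findings


# Constructed samples.
CLUSTER_ROLES = [
    {"metadata": {"name": "monitoring-reader"},   # benign name, cluster-admin rules
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "edit"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"],
                "verbs": ["get", "list", "create", "update", "delete"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:metrics-agent"},
     "roleRef": {"kind": "ClusterRole", "name": "monitoring-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "metrics", "namespace": "alpha-1"}]},
    {"kind": "RoleBinding", "metadata": {"name": "default-edit", "namespace": "alpha-1"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "alpha-1"}]},
    {"kind": "RoleBinding", "metadata": {"name": "team-shared", "namespace": "alpha-2"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
]
EXPECTED_ADMINS = {"Group:platform-admins"}

if __name__ == "__main__":
    for binding, finding in audit_bindings(CLUSTER_ROLES, BINDINGS, EXPECTED_ADMINS):
        print(f"{binding}: {finding}")
```

The `monitoring-reader` role is the point of the masquerade example: by name it looks like read-only telemetry access, by rules it is cluster-admin, and the `system:` prefix on its binding invites a reviewer to skip it. The two RoleBindings show the tenant-isolation failure from the diagram: `edit` in alpha-1 is usable by any pod that never set a service account, and `edit` in alpha-2 is usable by every service account in the cluster, Team Beta's included.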

Leverage Principles of Zero Trust and IAM in the Cloud
Source: https://blog.rewanthtammana.com/securing-aws-eks-implementing-least-privilege-access-with-irsa

Pillar 2 Takeaways - Start with RBAC and Dive Deeper
- always monitor your identities in and across your clusters
- leverage concepts such as IRSA and Pod Identity to map Kubernetes service accounts to core IAM roles that are properly managed and audited
- use security platforms that enable you to answer key questions about your RBAC posture
DEMO

Pillar 3 - Correlating Data Plane and Control Plane Telemetry for Incident Response
Pillar 3 - Build and Collect Telemetry Across Control and Data Plane
Runtime security relies on observability - you don’t know what you don’t know.
Example: User Space vs Kernel Space

Collect and Correlate Across A Security Data Lake
SHARED EKS CLUSTER
Audit Logs (control plane):
- API Calls
- Policy Creations
- User/Service Account Activity
eBPF Telemetry (data plane):
- Process Events
- Network Events
- File Changes

Pillar 3 Takeaways - Correlate Telemetry Across Data Plane and Control Plane
- Security starts with observability - you need to collect telemetry from the processes running in a container all the way to your Kubernetes and Cloud control plane
- Attackers can hide behind seemingly benign processes - leverage eBPF telemetry and forensic techniques such as YARA rule scanning to catch these nasty attacks
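What the "security data lake" join looks like in the smallest form, added here as an example (not code from the slides or any Uptycs product): kube-apiserver audit records (control plane) are joined with process-start events from a kernel-level sensor (data plane) on namespace/pod, so an unexpected executable inside a container becomes an incident record that already names who created the pod and which mutating webhooks were written before it. The audit lines use a subset of the real audit.k8s.io/v1 Event fields; the process-event schema, the per-container executable allowlist and every value are constructed for this example.

```python
import json
from datetime import datetime

# Constructed audit log lines, one JSON object per line as the apiserver writes them.
AUDIT_LINES = [
    '{"verb":"create","user":{"username":"ci-deployer"},"objectRef":{"resource":"mutatingwebhookconfigurations","name":"sidecar-injector","apiGroup":"admissionregistration.k8s.io"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2023-11-29T09:00:10.000000Z"}',
    '{"verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"objectRef":{"resource":"pods","namespace":"alpha-1","name":"web-7d4b9-abcde"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2023-11-29T09:05:02.000000Z"}',
    '{"verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"alpha-1","name":"web-7d4b9-abcde"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-11-29T09:06:00.000000Z"}',
]

# Constructed process-start events in the shape an eBPF sensor might emit (assumed schema).
PROCESS_EVENTS = [
    {"ts": "2023-11-29T09:05:09Z", "node": "node-1", "namespace": "alpha-1", "pod": "web-7d4b9-abcde",
     "container": "init-cache", "exe": "/tmp/.cache/worker", "argv": "worker --config /tmp/.cache/cfg"},
    {"ts": "2023-11-29T09:05:12Z", "node": "node-1", "namespace": "alpha-1", "pod": "web-7d4b9-abcde",
     "container": "web", "exe": "/usr/sbin/nginx", "argv": "nginx -g daemon off;"},
]

# What each container of the workload is expected to execute (constructed allowlist).
EXPECTED_EXE = {"web": {"/usr/sbin/nginx"}}


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def pod_creations(audit):
    """namespace/pod -> (creator, time) for every successful Pod create the API server recorded."""
    out = {}
    for e in audit:
        ref = e.get("objectRef", {})
        if e["verb"] == "create" and ref.get("resource") == "pods" and e["responseStatus"]["code"] < 300:
            out[f"{ref['namespace']}/{ref['name']}"] = (e["user"]["username"], parse_ts(e["requestReceivedTimestamp"]))
    return out


def webhook_changes(audit):
    """(user, verb, webhook name, time) for every write to a MutatingWebhookConfiguration."""
    return [
        (e["user"]["username"], e["verb"], e["objectRef"]["name"], parse_ts(e["requestReceivedTimestamp"]))
        for e in audit
        if e.get("objectRef", {}).get("resource") == "mutatingwebhookconfigurations"
        and e["verb"] in ("create", "update", "patch")
    ]


def suspicious_processes(events, expected_exe):
    """Process events whose executable is not on the container's allowlist (unknown containers included)."""
    return [p for p in events if p["exe"] not in expected_exe.get(p["container"], set())]


def build_incidents(audit_lines, process_events, expected_exe):
    """Join data-plane findings to the control-plane facts an analyst would otherwise look up by hand."""
    audit = [json.loads(line) for line in audit_lines]
    creations, hooks = pod_creations(audit), webhook_changes(audit)
    incidents = []
    for p in suspicious_processes(process_events, expected_exe):
        key = f"{p['namespace']}/{p['pod']}"
        creator, created_at = creations.get(key, ("<no create event in audit window>", None))
        prior = [h for h in hooks if created_at is not None and h[3] <= created_at]
        incidents.append({
            "pod": key, "node": p["node"], "container": p["container"], "exe": p["exe"], "argv": p["argv"],
            "pod_created_by": creator,
            "webhook_writes_before_pod": [f"{u} {verb} {name} at {t.isoformat()}" for u, verb, name, t in prior],
        })
    return incidents


if __name__ == "__main__":
    print(json.dumps(build_incidents(AUDIT_LINES, PROCESS_EVENTS, EXPECTED_EXE), indent=2))
```

Neither source alone tells the story: the audit log shows a routine pod create by the ReplicaSet controller, and the process event shows a binary under `/tmp` in a container the workload never declared. Joined, the record points the responder at the webhook write that preceded the pod, and the `user.username` on that write is where the identity investigation from Pillar 2 starts.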

How Uptycs Can Help - Pillar 1: Visibility Across the Supply Chain
Diagram components: Threat Actor, Malware, Developer laptop, Identity Provider, Code Repository, Cloud service provider, EKS Cluster, Uptycs Sensor, Cloud Security Early Warning System (numbered steps 1-5).

How Uptycs Can Help - Pillar 2: Start with RBAC and Go Deeper

How Uptycs Can Help - Pillar 3: Correlating Data Plane and Control Plane Telemetry for Incident Response

Q&A
Shift up your cybersecurity with Uptycs!
› Learn more at uptycs.com

Thank You
