From ATT&CKcon 4.0
By Matthew Mills, Nathaniel Beckstead, and Ryan Simon, Datadog
Cloud native computing has fundamentally changed traditional security methodologies and attack surfaces. This new architectural approach combines new operational tools and services like continuous integration, container engines, and orchestrators. Some organizations struggle to identify and respond to threats they specifically face when running cloud native workloads.
Perimeter-centric security evangelizes defense-in-depth or the onion model to implement different layers of defense. Cloud native security hyper-focuses on four unique layers: Cloud, Clusters, Containers, and Code.
Today's defenders have to look across several existing ATT&CK matrices including Linux Enterprise, Containers, Kubernetes, and IaaS to holistically evaluate and model threats or attack paths across the four distinct layers of cloud native workloads.
In this talk we discuss some of the challenges of threat modeling cloud native workloads and show how to draw on several ATT&CK matrices to create a distinct Cloud Native Workload ATT&CK matrix. Such a matrix takes the guesswork out of identifying which tactics and techniques are realistic threats against a cloud native workload, so defenders can enhance their defensive baseline and detection coverage.
Challenges securing cloud native workloads
● Complexity: the automated nature of cloud environments creates complex systems.
● Velocity: utilization of APIs increases the speed of both developers and attackers.
● Visibility: data sources are scattered across layers and often not consumed by security teams.
The 4 Cs of Cloud Native Security
Each layer produces its own telemetry, which is the data source a defender has to collect for that layer:
● Code: application events
● Container: OS events
● Cluster: orchestrator audit logs
● Cloud: cloud audit logs
Cloud Workload Matrix
The Enterprise Matrix is information overload:
● 185 total techniques
  ○ 367 sub-techniques
● Many of those techniques are out of scope for workloads
● Trouble identifying what is important at the workload
Cloud Workload Matrix:
● X number of techniques
● Scoped to JUST what is relevant and detectable at runtime
● Saving defenders time and pain from evaluating inapplicable techniques
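The two slides above (the 4 Cs with their data sources, and the scoping of the Enterprise Matrix down to a workload matrix) can be tied together in code: the logs you actually ingest from each layer determine which ATT&CK data sources you have, and a technique is only "relevant and detectable at runtime" if it applies to the workload's platforms and maps to one of those data sources. The following Python is an added example written for this page, not Datadog's tooling or the speakers' matrix. It assumes a workload spanning the Linux, Containers and IaaS platforms (`WORKLOAD_PLATFORMS`), a hand-chosen mapping from each layer's log shape to an ATT&CK data source name, and a small hand-entered subset of technique metadata (`TECHNIQUES`); the four sample events are constructed. A real build should load technique platforms and data sources from MITRE's enterprise-attack STIX bundle rather than hard-coding them.

```python
"""Scope the ATT&CK Enterprise matrix down to a cloud native workload.

Added example (not Datadog's tooling): classify sample events from the four
layers (Code, Container, Cluster, Cloud), record which ATT&CK data sources
those logs feed, and keep only Enterprise techniques that are both valid for
the workload's platforms and observable through a data source actually
collected at runtime.
"""
import json

# Platforms a cloud native workload spans (assumption: Linux nodes, containers, IaaS).
WORKLOAD_PLATFORMS = {"Linux", "Containers", "IaaS"}

# Abbreviated technique metadata, hand-entered from ATT&CK as (id, name, platforms,
# data sources). A real build should load this from MITRE's enterprise-attack
# STIX bundle instead of hard-coding it here.
TECHNIQUES = [
    ("T1610", "Deploy Container", {"Containers"},
     {"Pod: Pod Creation", "Container: Container Creation", "Application Log: Application Log Content"}),
    ("T1609", "Container Administration Command", {"Containers"},
     {"Command: Command Execution", "Process: Process Creation"}),
    ("T1611", "Escape to Host", {"Containers", "Linux", "Windows"},
     {"Process: Process Creation", "Container: Container Creation"}),
    ("T1525", "Implant Internal Image", {"Containers", "IaaS"},
     {"Image: Image Creation", "Image: Image Modification"}),
    ("T1078.004", "Valid Accounts: Cloud Accounts",
     {"IaaS", "SaaS", "Office 365", "Azure AD", "Google Workspace"},
     {"User Account: User Account Authentication", "Logon Session: Logon Session Creation"}),
    ("T1059.004", "Command and Scripting Interpreter: Unix Shell", {"Linux", "macOS"},
     {"Command: Command Execution", "Process: Process Creation"}),
    ("T1548.002", "Abuse Elevation Control Mechanism: Bypass User Account Control", {"Windows"},
     {"Process: Process Creation", "Command: Command Execution"}),
    ("T1003.001", "OS Credential Dumping: LSASS Memory", {"Windows"},
     {"Process: OS API Execution", "Process: Process Access"}),
]


def classify_event(raw):
    """Map one raw log line to (layer, ATT&CK data source) from the event's shape.

    The layer-to-data-source mapping is this example's assumption.
    """
    try:
        ev = json.loads(raw)
    except json.JSONDecodeError:
        return "code", "Application Log: Application Log Content"   # unstructured app log
    if "eventSource" in ev and "eventName" in ev:                    # AWS CloudTrail record
        if ev["eventName"] == "ConsoleLogin":
            return "cloud", "User Account: User Account Authentication"
        return "cloud", "Cloud Service: Cloud Service Modification"
    if str(ev.get("apiVersion", "")).startswith("audit.k8s.io"):     # Kubernetes audit log
        ref = ev.get("objectRef", {})
        if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
            return "cluster", "Command: Command Execution"           # kubectl exec into a pod
        if ref.get("resource") == "pods" and ev.get("verb") == "create":
            return "cluster", "Pod: Pod Creation"
        return "cluster", "Pod: Pod Modification"
    if "syscall" in ev or "comm" in ev:                              # runtime/auditd process event
        return "container", "Process: Process Creation"
    return "code", "Application Log: Application Log Content"        # structured app log


def scope_matrix(techniques, platforms, collected_sources):
    """Keep techniques valid for `platforms` AND observable via a collected data source."""
    scoped = []
    for tid, name, plats, sources in techniques:
        if not plats & platforms:
            continue                     # e.g. Windows-only: out of scope for the workload
        if not sources & collected_sources:
            continue                     # in scope, but not detectable with the logs ingested
        scoped.append((tid, name))
    return sorted(scoped)


def build_workload_matrix(raw_events, techniques=TECHNIQUES, platforms=WORKLOAD_PLATFORMS):
    """Classify events, derive the data sources collected, and return the scoped matrix."""
    collected = {classify_event(e)[1] for e in raw_events}
    return scope_matrix(techniques, platforms, collected)


# Constructed sample events, one per layer (not real telemetry).
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z web[1] 500 POST /login user=admin",                         # Code
    '{"comm":"sh","exe":"/bin/busybox","syscall":"execve","container_id":"3f9c"}',   # Container
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create",'
    '"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod"},'
    '"user":{"username":"dev"}}',                                                     # Cluster
    '{"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin",'
    '"sourceIPAddress":"203.0.113.7"}',                                               # Cloud
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify_event(e))
    for tid, name in build_workload_matrix(SAMPLE_EVENTS):
        print(tid, name)
```

With the four sample events, the Windows-only techniques drop out on platform, and T1525 Implant Internal Image drops out even though Containers and IaaS are in scope, because none of the collected logs feed an Image data source; that second cut is what "detectable at runtime" adds over a platform filter alone, and it also tells you which data source to start collecting if you want that technique back in the matrix.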