EVALUATING CONTAINER SECURITY WITH ATT&CK FRAMEWORK
• Sandeep Jayashankar • Nov 2020
Containers
• Current Tech Landscape
• Vuln Timeline
• Most Recent Vulnerabilities
• Misconfiguration Attacks
Container Runtime Challenges
ATT&CK for Containers
• Introduction
• Use Cases
• Threat Matrix
Practical approach to ATT&CK
Conclusion
CONTAINERS – CURRENT TECH LANDSCAPE
CONTAINERS – VULN TIMELINES
CONTAINERS – MOST RECENT VULNERABILITIES
• CVE-2020-2121: Jenkins Kubernetes Engine plugin, Remote Code Execution with arbitrary installs
• CVE-2020-14386: Linux Kernel Privilege Escalation due to packet socket memory corruption
• CVE-2020-8563: kube-controller-manager vSphere credential leak
• CVE-2020-8558: Ceph cluster adminSecrets exposed when logLevel >=4
https://www.tigera.io/blog/kubernetes-q3-2020-threats-exploits-and-ttps/
https://sysdig.com/blog/falco-cve-2020-8566-ceph/
https://sysdig.com/blog/cve-2020-8563-vsphere-credentials-cloud-controller-manager/
CONTAINERS – MISCONFIG ATTACKS
https://jarv.is/notes/shodan-search-queries/
Exposed Containers
Including Public Containers
Using Privileged Containers
https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good
CONTAINER RUNTIME CHALLENGES
Monitoring
• Containers are ephemeral, lightweight.
• Deployed in large numbers
• Monitoring containers different from VM hosts
Isolation
• Share same underlying operating system, volumes, and disks
• Container breakout exploits at large (running with privileged flags)
• More containers, more data and network traffic, more access controls
Orchestration
• Confusion in setting configurations
• Data Leaks in Log files
• Vulnerabilities in other orchestration components
Response
• Taking down compromised and bringing up brand new image
• What if CI/CD limitations to push from Dev-Prod?
• What if image compromised?
https://capsule8.com/blog/security-challenges-for-containers-in-runtime/
Source: Forrester Research Report
ATT&CK FOR CONTAINERS - INTRODUCTION
• Adversarial Tactics, Techniques, And Common Knowledge
• Understand Adversary Behavior using Threat Matrix
• Defines Tactics, Techniques, and Procedures (TTPs)
© 2020 PAYPAL INC. CONFIDENTIAL AND PROPRIETARY.
Cloud Matrix: https://attack.mitre.org/matrices/enterprise/cloud/gcp/
Advanced Persistent Threat Group
ATT&CK FOR CONTAINERS – USE CASES
https://attack.mitre.org/docs/training-cti/CTI%20Workshop%20Full%20Slides.pdf
ATT&CK FOR CONTAINERS – THREAT MAP
• Initial Access: Adversary exploits an application vulnerability and gains initial access to a container.
• Execution: Adversary gets SSH credentials and connects to the service.
• Privilege Escalation: Adversary utilizes privileged container misconfiguration to gain total control of container.
• Defense Evasion: Adversary deletes container logs to hide their footprints.
• Credential Access: Adversary finds application credentials in configuration or log files.
• Lateral Movement: Adversary mounts writeable volumes of the host
• Impact: Adversary utilizes the host to mine cryptocurrencies
https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
Adversary Emulation
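A defensive check for three of the behaviours in the threat map above (privileged containers, writable host volumes, credentials in configuration), as an added example that is not part of the original slides. The pod manifest, the image names and the SECRET_HINTS name heuristic are constructed assumptions; the tactic labels are the ones the slide uses.

```python
import json

# Constructed sample pod spec (not from the slides): one privileged container,
# one writable hostPath mount, one credential placed in a plain env value.
SAMPLE_POD = json.loads("""
{"metadata": {"name": "demo-app"},
 "spec": {
  "volumes": [{"name": "host-etc", "hostPath": {"path": "/etc"}},
              {"name": "scratch", "emptyDir": {}}],
  "containers": [
   {"name": "web", "image": "example.invalid/web:1.0",
    "securityContext": {"privileged": true},
    "env": [{"name": "DB_PASSWORD", "value": "constructed-secret"}],
    "volumeMounts": [{"name": "host-etc", "mountPath": "/host-etc"}]},
   {"name": "sidecar", "image": "example.invalid/sidecar:1.0",
    "securityContext": {"privileged": false},
    "volumeMounts": [{"name": "host-etc", "mountPath": "/cfg", "readOnly": true},
                     {"name": "scratch", "mountPath": "/tmp"}]}]}}
""")

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")  # assumed naming heuristic


def audit_pod(pod):
    """Return sorted (tactic, container, detail) findings for one pod spec."""
    spec = pod.get("spec", {})
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(("Privilege Escalation", name, "privileged: true"))
        for m in c.get("volumeMounts", []):
            # Kubernetes mounts are writable unless readOnly is set to true.
            if m["name"] in host_vols and not m.get("readOnly", False):
                findings.append(("Lateral Movement", name,
                                 "writable hostPath " + host_vols[m["name"]]))
        for e in c.get("env", []):
            if "value" in e and any(h in e["name"].upper() for h in SECRET_HINTS):
                findings.append(("Credential Access", name,
                                 "literal value in env " + e["name"]))
    return sorted(findings)


if __name__ == "__main__":
    for tactic, container, detail in audit_pod(SAMPLE_POD):
        print(f"{tactic:22} {container:8} {detail}")
```

The sidecar produces no findings because its host mount is read-only and its other volume is an emptyDir, which shows the corrected setting next to the weak one.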
CONCLUSION
• Identify adversary behavior
• Translate behavior into TTPs
• Map data in a visualized manner
• Plan mitigations based on mapped data
• Common Knowledge helps educate developers, security personnel and system administrators
QUESTIONS


Editor's Notes

  • #4 Infrastructure: Container Runtime components Orchestration components Automation CI/CD tooling Service Mesh Messaging Container OS Platforms