Nov. 29, 2023
How (and why) to think like a threat actor in your Kubernetes Environments
Abhinav Mishra, Director of Product Management, Uptycs
Rewanth Tammana, Consultant, Uptycs
Abhinav Mishra, Director of Product Management
› Leading Uptycs product team on Containers & Kubernetes
› 10+ years of Security and Engineering Experience
Rewanth Tammana, Consultant
› Speaker, Trainer, Open-source contributor, GSoCer & more
› DevSecOps, Cloud & Container security - Red, Blue & Purple teams
By the Numbers - Kubernetes Attacks
Source: 2023 Red Hat State of Kubernetes Security Report
Threat actors are now Kubernetes security experts
Which room am I in?
How many floors are in this house?
What doors can I open?
Where are the security cameras?
Where are the valuable items?
Which room am I in? - Specific Pod or Namespace
What other rooms can I get into? - Kubernetes Network Policies/Lateral Movements
What doors can I open? - Access Controls (Role Bindings)
Where are the security cameras? - Kubernetes Audit Log Data
Where are the valuable items? - Secrets/Sensitive Data
Tools
Kubernetes GOAT
RedKube
Pillar 1 - Visibility Across Your Supply Chain
[Diagram: supply chain from the Developer Laptop (code development, development container images) to the Git Repository (code pull), the CI / CD Tool (CI scanning) and the Registry (registry scanning), then into the Kubernetes Control Plane and Data Plane (Node 1, Node 2, Node 3: container runtime and container orchestration)]
Pillar 1 - Visibility Across Your Supply Chain
Example - Malicious & Vulnerable Packages
Container Image
- Image is Signed
- Registry and CI where image is built and stored is scanned for vulnerabilities
- Image Layer vulnerabilities are scanned
- What were the ingredients used to make the cookie? Are they safe?
- What are the contents of the cookie on the inside?
- What was the state of the factory when the cookie was built?
Example - Malicious & Vulnerable Packages
Need to inspect:
- the contents of the image when it is built
- the traceability of the image - where did it come from, who built it?
- the provenance of the image - what was the security of the supply chain components?
Example - Malicious Admission Controllers
Admission Controls:
- enforce sensible & secure defaults (such as namespace quotas)
- only allow trusted repositories
- don’t allow insecure resources (ex. wildcard ingress controllers or over-privileged service accounts) to be deployed
The Challenge: How do I know my admission controller is secure at any given point in time?
Example - Malicious Admission Controllers
Source: https://blog.rewanthtammana.com/creating-malicious-admission-controllers
Let’s take a look at a crypto mining example to see what information we need
1. Attacker creates a malicious mutating webhook to gain persistence in the system
2. The webhook injects a crypto mining init container/sidecar into each deployment.
3. As an attacker, you want everything to still seem normal - the application will still work normally, but in the background it’s eating your compute resources
4. This cannot be identified with static checks like CIS benchmarking, misconfiguration checks using kubescape, etc.
Cryptomining DEMO
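The injection in steps 1 and 2 happens at admission time, so the Deployment manifest looks clean while the Pod the API server stored does not. One runtime check that catches it, added here as an example that is not part of the slide deck: compare each live Pod's containers with its owning Deployment's pod template and report anything undeclared. The Deployment and Pod objects, the `registry.example.internal` registry allowlist and the `istio-proxy` sidecar allowlist are constructed assumptions.

```python
"""Spot containers that a Pod is running but its owning Deployment never
declared, which is what a malicious mutating webhook leaves behind.

Added example, not from the slides. The two objects are constructed
stand-ins for `kubectl get deployment web -o json` and
`kubectl get pod web-7c9f -o json`; the allowlists are assumptions.
"""

# Assumed allowlists: where our images come from, and which injected sidecars
# we expect (for example a service-mesh proxy added by its own webhook).
TRUSTED_REGISTRIES = ("registry.example.internal/",)
KNOWN_SIDECARS = {"istio-proxy"}

DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "alpha-1"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "web", "image": "registry.example.internal/web:1.4"}],
    }}},
}

POD = {  # what the API server stored after admission webhooks ran
    "kind": "Pod",
    "metadata": {"name": "web-7c9f", "namespace": "alpha-1",
                 "ownerReferences": [{"kind": "ReplicaSet", "name": "web-7c9f"}]},
    "spec": {
        # constructed: not in the template, pulled from an untrusted registry
        "initContainers": [{"name": "init-cache",
                            "image": "hub.example.com/util/cache-warm:latest"}],
        "containers": [
            {"name": "web", "image": "registry.example.internal/web:1.4"},
            # constructed: expected mesh sidecar from our own registry
            {"name": "istio-proxy",
             "image": "registry.example.internal/istio/proxyv2:1.19"},
        ],
    },
}


def containers_of(pod_spec):
    """name -> image for the init and regular containers of a PodSpec."""
    return {c["name"]: c["image"]
            for kind in ("initContainers", "containers")
            for c in pod_spec.get(kind, [])}


def find_injected(deployment, pod):
    """Containers in the live Pod that the Deployment template did not declare,
    or whose image differs from the declared one."""
    declared = containers_of(deployment["spec"]["template"]["spec"])
    findings = []
    for name, image in containers_of(pod["spec"]).items():
        if declared.get(name) == image:
            continue
        findings.append({
            "pod": pod["metadata"]["name"],
            "container": name,
            "image": image,
            "image_swapped": name in declared,   # same name, different image
            "trusted_registry": image.startswith(TRUSTED_REGISTRIES),
            "known_sidecar": name in KNOWN_SIDECARS,
        })
    return findings


def needs_review(findings):
    """Drop injections that are an expected sidecar from our own registry."""
    return [f for f in findings
            if not (f["known_sidecar"] and f["trusted_registry"])]


if __name__ == "__main__":
    for f in needs_review(find_injected(DEPLOYMENT, POD)):
        print(f"{f['pod']}: undeclared container {f['container']} ({f['image']})")
```

Run it against every Pod that has a ReplicaSet owner and the check becomes a point-in-time snapshot of what admission actually added, which is exactly the information the static checks in step 4 lack.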
Pillar 1 Takeaways - Visibility Across Your Supply Chain
- always have a point-in-time snapshot of your security posture
- rely on a combination of the following:
  - image scanning: across layers, for malicious/vulnerable packages
  - image provenance: what was the security posture of my supply chain components at the time of an image build? This needs snapshot information
  - image traceability: where did the image come from? who committed it? did it go through the right set of security pipelines?
  - image signing and verification: is the image signed by a trusted author?
Pillar 2 - Start with RBAC and Dive Deeper
Source: MITRE ATT&CK Framework - Containers Matrix
Example - Masqueraded Cluster Role Bindings
Threat actors will try to hide behind benign names or components that seem important but are actually harmful.
Source: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
NOTE: Misconfigurations can also be introduced via human error or by using defaults.
Example - Lateral Movements via Default Service Accounts
[Diagram: SHARED EKS CLUSTER with Team Alpha (namespaces alpha-1 and alpha-2) and Team Beta (namespace alpha-3)]
The lock/key is now used to access namespaces, including ones belonging to the other tenant. If malware or vulnerabilities are present in one namespace, they can laterally move across the entire cluster!
You need a platform that can tell you where these misconfigurations are present!
Use Security Tools That Map Real-Time Threats To Misconfigurations In Your Cluster
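An added example (not from the slides or from Uptycs) of the RBAC review the two slides above call for. It flags bindings with a `system:` name that lack the `kubernetes.io/bootstrapping=rbac-defaults` label the control plane puts on its own RBAC objects, bindings that grant wildcard permissions, and bindings that hand a namespace's `default` service account access, including into another tenant's namespace. The ClusterRoles and bindings are constructed; the `alpha-1`/`alpha-3` namespaces follow the diagram.

```python
"""Audit RBAC bindings for the two Pillar 2 patterns: bindings that hide
behind system-looking names, and bindings that give a namespace's default
service account access it should not have (the tenant-crossing path).

Added example, not from the slides. ROLES and BINDINGS are constructed
stand-ins for `kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json`.
"""

# Built-in RBAC objects created by the control plane carry this label, so a
# "system:" name without it deserves a close look.
BOOTSTRAP_LABEL = "kubernetes.io/bootstrapping"

ROLES = [
    {"kind": "ClusterRole",
     "metadata": {"name": "cluster-admin", "labels": {BOOTSTRAP_LABEL: "rbac-defaults"}},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

BINDINGS = [
    # Genuine built-in binding: system: name and the bootstrapping label.
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "system:basic-user", "labels": {BOOTSTRAP_LABEL: "rbac-defaults"}},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    # Constructed masquerade: system-looking name, no label, cluster-admin for a default SA.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:metrics-sync"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "alpha-1"}]},
    # Constructed tenant crossing: alpha-1's default SA can read pods in alpha-3.
    {"kind": "RoleBinding", "metadata": {"name": "shared-read", "namespace": "alpha-3"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "alpha-1"}]},
]


def grants_wildcard(role):
    """True when any rule grants every verb on every resource."""
    return any("*" in r.get("verbs", []) and "*" in r.get("resources", [])
               for r in role.get("rules", []))


def audit(roles, bindings):
    """Return findings as dicts with binding, severity and reason."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []

    def add(where, sev, why):
        findings.append({"binding": where, "severity": sev, "reason": why})

    for b in bindings:
        meta, ns = b["metadata"], b["metadata"].get("namespace")
        where = f"{b['kind']}/{meta['name']}" + (f" ({ns})" if ns else "")
        bootstrapped = meta.get("labels", {}).get(BOOTSTRAP_LABEL) == "rbac-defaults"
        role_name = b["roleRef"]["name"]
        wild = grants_wildcard(by_name.get(role_name, {}))

        if meta["name"].startswith("system:") and not bootstrapped:
            add(where, "HIGH", "system: name without bootstrapping label (possible masquerade)")
        if wild and not bootstrapped:
            add(where, "HIGH", f"grants wildcard permissions via {role_name}")
        for s in b.get("subjects", []):
            if s.get("kind") != "ServiceAccount":
                continue
            sa = f"{s.get('namespace')}/{s['name']}"
            if s["name"] == "default":
                # Every pod that sets no serviceAccountName runs as this identity.
                add(where, "HIGH" if (wild or ns is None) else "MEDIUM",
                    f"default ServiceAccount {sa} bound to {role_name}")
            if ns and s.get("namespace") and s["namespace"] != ns:
                add(where, "MEDIUM", f"subject {sa} from another namespace granted access in {ns}")
    return findings


if __name__ == "__main__":
    for f in audit(ROLES, BINDINGS):
        print(f"[{f['severity']}] {f['binding']}: {f['reason']}")
```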
Leverage Principles of Zero Trust and IAM in the Cloud
Source: https://blog.rewanthtammana.com/securing-aws-eks-implementing-least-privilege-access-with-irsa
Pillar 2 Takeaways - Start with RBAC and Dive Deeper
- always monitor your identities in and across your clusters
- leverage concepts such as IRSAs and Pod Identity to map Kubernetes service accounts to core IAM roles that are properly managed and audited
- use security platforms that enable you to answer key questions about your RBAC posture
DEMO
Pillar 3 - Correlating Data Plane and Control Plane Telemetry for Incident Response
Pillar 3 - Build and Collect Telemetry Across Control and Data Plane
Runtime Security relies on observability - you don’t know what you don’t know
Example: User Space vs Kernel Space
Collect and Correlate Across A Security Data Lake
[Diagram: SHARED EKS CLUSTER feeding audit logs and eBPF telemetry into a security data lake]
Audit Logs: API Calls, Policy Creations, User/Service Account Activity
eBPF Telemetry: Process Events, Network Events, File Changes
Pillar 3 Takeaways - Correlate Telemetry Across Data Plane and Control Plane
- Security starts with observability - you need to collect telemetry from the processes running in a container all the way to your Kubernetes and Cloud control plane
- Attackers can hide behind seemingly benign processes - leverage eBPF telemetry and forensic techniques such as YARA rule scanning to catch these nasty attacks
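An added example (not from the slides) of the control-plane/data-plane correlation described above: it joins `pods/exec` audit events to the processes an eBPF sensor then sees inside the same pod, lists processes that neither an exec nor the pod's expected entrypoint explains, and flags service accounts reading objects outside their own namespace (the Pillar 2 lateral-movement pattern, seen from the audit log). The audit lines follow the kube-apiserver `audit.k8s.io/v1` JSON-lines format; the process-event field names and all values are constructed for this example.

```python
"""Correlate kube-apiserver audit events (control plane) with per-pod process
telemetry (data plane), as Pillar 3 describes.

Added example, not from the slides. AUDIT_LOG follows the audit.k8s.io/v1
JSON-lines format; PROCESS_EVENTS uses field names invented for this example,
and every value in both feeds is constructed.
"""
import json
from datetime import datetime, timedelta

AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseStarted","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"alpha-1","name":"web-7c9f","subresource":"exec"},"requestReceivedTimestamp":"2023-11-29T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:alpha-1:default"},"objectRef":{"resource":"secrets","namespace":"alpha-3","name":"db-creds"},"requestReceivedTimestamp":"2023-11-29T10:01:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"alpha-1","name":"web-7c9f","subresource":"exec"},"requestReceivedTimestamp":"2023-11-29T10:00:00.000000Z"}
"""

# Constructed eBPF process-start events (namespace/pod resolved by the sensor).
PROCESS_EVENTS = [
    {"ts": "2023-11-29T10:00:01Z", "namespace": "alpha-3", "pod": "api-5d2", "comm": "node"},
    {"ts": "2023-11-29T10:00:02Z", "namespace": "alpha-1", "pod": "web-7c9f", "comm": "sh"},
    {"ts": "2023-11-29T10:00:05Z", "namespace": "alpha-1", "pod": "web-7c9f", "comm": "curl"},
    {"ts": "2023-11-29T10:30:00Z", "namespace": "alpha-1", "pod": "web-7c9f", "comm": "sysupdate"},
]

# Processes each pod is expected to run (from its image entrypoint; assumed).
EXPECTED = {("alpha-1", "web-7c9f"): {"nginx"}, ("alpha-3", "api-5d2"): {"node"}}


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_audit(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def exec_requests(events):
    """One record per exec/attach request; audit stages are de-duplicated by auditID."""
    seen, out = set(), []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") != "pods":
            continue
        if ref.get("subresource") not in ("exec", "attach") or ev["auditID"] in seen:
            continue
        seen.add(ev["auditID"])
        out.append({"user": ev["user"]["username"], "namespace": ref["namespace"],
                    "pod": ref["name"], "ts": parse_ts(ev["requestReceivedTimestamp"])})
    return out


def in_window(proc, ex, window_s):
    """Did this process start in the exec'd pod within window_s of the exec?"""
    return ((proc["namespace"], proc["pod"]) == (ex["namespace"], ex["pod"])
            and ex["ts"] <= parse_ts(proc["ts"]) <= ex["ts"] + timedelta(seconds=window_s))


def correlate_exec(events, procs, window_s=60):
    """For each exec: who did it, and which processes then started in the pod."""
    return [{**ex, "processes": [p["comm"] for p in procs if in_window(p, ex, window_s)]}
            for ex in exec_requests(events)]


def unattributed_processes(events, procs, expected, window_s=60):
    """Processes that are neither an expected entrypoint nor explained by an exec:
    candidates for injected sidecars, dropped binaries or exploitation."""
    execs = exec_requests(events)
    return [p for p in procs
            if p["comm"] not in expected.get((p["namespace"], p["pod"]), set())
            and not any(in_window(p, ex, window_s) for ex in execs)]


def foreign_sa_access(events):
    """Service accounts touching objects outside their own namespace."""
    out = []
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        parts = user.split(":")   # system:serviceaccount:<namespace>:<name>
        if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
            continue
        ref = ev.get("objectRef", {})
        if ref.get("namespace") and ref["namespace"] != parts[2]:
            out.append({"user": user, "verb": ev["verb"],
                        "resource": ref["resource"], "namespace": ref["namespace"]})
    return out


if __name__ == "__main__":
    evs = parse_audit(AUDIT_LOG)
    print(correlate_exec(evs, PROCESS_EVENTS))
    print(unattributed_processes(evs, PROCESS_EVENTS, EXPECTED))
    print(foreign_sa_access(evs))
```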
How Uptycs Can Help - Pillar 1: Visibility Across the Supply Chain
[Diagram: attack path, steps 1-5, from Malware on a Developer laptop and the Threat Actor through the Identity Provider, Code Repository and Cloud service provider to an EKS Cluster, alongside the Uptycs Sensor and the Cloud Security Early Warning System]
How Uptycs Can Help - Pillar 2: Start with RBAC and Go Deeper
How Uptycs Can Help - Pillar 3: Correlating Data Plane and Control Plane Telemetry for Incident Response
Q&A
Shift up your cybersecurity with Uptycs!
› Learn more at uptycs.com
Thank You
