
Kubernetes Is a High-Value Cyberwar Target

9 Mar 2022 10:00am, by Michael Clark
Michael Clark is the director of threat research at Sysdig, managing a team of experts tasked with discovering and defending against novel security threats. Michael has more than 20 years of industry experience in many different roles, including incident response, threat intelligence, offensive security research, and software development at companies like Rapid7, ThreatQuotient, and ManTech. Prior to joining Sysdig, Michael worked as a Gartner analyst, advising enterprise clients on security operations topics.

Modern military conflicts are not limited to the conventional domains of air, ground, and sea, but also include cyberspace. There is some evidence to suggest that cyber operations have already begun. In a conflict, an adversary may go after many different areas of an organization, in tandem, to accomplish their goal. In this article, we will explore how modern technologies like Kubernetes could be affected by such a conflict. 

Cyber operations can be generally classified into three areas: Computer Network Defense (CND), Computer Network Exploitation (CNE) and Computer Network Attack (CNA). CNA is most closely related to military activity as it involves the following goals: Disrupt, Deny, Degrade or Destroy. During a military conflict, CNA operations will be launched against an adversary’s critical infrastructure and other targets which can help their war effort. These would include traditional targets such as the power grid and communications, but also economic and technology targets.  

Kubernetes is seeing broad adoption because it allows an organization to scale their workloads very easily. More legacy applications are being converted to containerized workloads all the time, and they all rely on tools like Kubernetes to be managed. This benefit is also a critical weakness when thinking about how an attacker may attempt to disrupt your organization’s operations.

As easy as it is to scale your workloads with Kubernetes, it is just as easy for an attacker to leverage the same technology to bring them all down. Consider an organization with an on-premises Kubernetes environment which has moved much of its operations from legacy servers to containers. A determined attacker, which is what an organization would certainly face during a military conflict, only needs to gain access to the underlying operating system on a node in the cluster. From there, they can potentially bring down all of the workloads being managed across the Kubernetes network, not just those on that one node.

The first step, assuming the attacker doesn’t already have a foothold in the network, might be to gain access to a container. For example, the Log4j vulnerability in late 2021 can provide this access as it doesn’t even need to be located on an organization’s perimeter to be dangerous. Once an attacker has access to a container, they would need to escape it to gain access to the underlying host. Container escapes are not uncommon, as a recent Linux kernel vulnerability (CVE-2022-0185) shows. Misconfigurations can also allow an attacker to pivot to the node OS.  

Once access is gained at the OS level, the next step would be to gain access to service account tokens, find privileged containers, spread to other clusters or pursue a number of other strategies. The end result would be gaining access to the control plane and bringing down the entire cluster and all of the managed workloads. The attacker wouldn’t simply turn them off, as recovery might occur too quickly. One popular option is to wipe the server or otherwise corrupt the operating system. However, this is often recoverable through image backups. Instead, they might introduce misconfigurations to the network settings or other areas to make understanding what has happened more time-consuming. It might not even be obvious that the organization was attacked.

Since Kubernetes and other orchestration platforms make it very easy to scale, they can also make it easy to reverse that scale and disrupt the operations of the target organization. These technologies have developed relatively quickly and are being adopted at a rapid rate. It is critical that they not be forgotten in an organization’s security plan. There are several ways to reduce the risk of the above scenario occurring:

  • Kubernetes Hardening: The default install of Kubernetes isn’t necessarily secure. For example, the network access to the control plane may be too permissive or the admission controller policies may allow dangerous images to run. Your orchestration platforms must be set up in a secure way with proper configurations and be periodically validated so that they haven’t drifted over time. Hardening can reduce risk by shrinking the attack surface and consequently making an attacker have to spend much more time to accomplish their goal. 
  • Vulnerability Management: Understanding vulnerabilities present in containerized workloads is done differently than in traditional IT due to the use of Software Composition Analysis tools and modern DevOps practices. Correct use of these tools can result in improved visibility, quicker remediation and better prioritization.
  • Runtime Threat Detection and Response: Containers must be monitored for suspicious behavior and, if any is found, immediately remediated. Containers should also be purpose-built, which enables the use of runtime profiling, which can be very effective at detecting abnormal behavior and automatically stopping it.
  • Disaster Recovery: A military conflict is a disaster, whether the damage comes from the cyber domain or more traditional weapons. A plan must be in place to recover critical services, and it needs to include your containerized services. It is important to test the plan regularly, as well.
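
As an added illustration of the periodic validation described under Kubernetes Hardening (this is not code from the article or from Sysdig), the following Python example checks pod specs for the settings that weaken the boundary between a container and its node: privileged containers, shared host namespaces, hostPath volumes and mounted service account tokens. The sample input is constructed in the shape of `kubectl get pods -A -o json` output, the function names are hypothetical, and only the pod-level `automountServiceAccountToken` field is considered.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "payments", "name": "api-7d9f"},
   "spec": {"automountServiceAccountToken": false,
            "containers": [{"name": "api",
              "securityContext": {"allowPrivilegeEscalation": false}}]}},
  {"metadata": {"namespace": "ops", "name": "debug-agent"},
   "spec": {"hostPID": true,
            "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
            "containers": [{"name": "agent",
              "securityContext": {"privileged": true}}]}}
]}
""")

def audit_pod(pod):
    """Return findings for settings that weaken the container/node boundary."""
    spec = pod.get("spec", {})
    findings = []
    # Host namespaces shared with the pod.
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            findings.append(field)
    # Node filesystem paths exposed inside the pod.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append("hostPath:" + vol["hostPath"].get("path", "?"))
    # The token is mounted unless disabled; only the pod-level field is
    # checked here (assumption: the ServiceAccount setting is not consulted).
    if spec.get("automountServiceAccountToken", True):
        findings.append("serviceAccountToken-mounted")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append("privileged:" + c["name"])
        # Privilege escalation is allowed when the field is left unset.
        elif sc.get("allowPrivilegeEscalation", True):
            findings.append("allowPrivilegeEscalation:" + c["name"])
    return findings

def audit(pod_list):
    """Map 'namespace/name' to findings for every pod that has any."""
    report = {}
    for pod in pod_list.get("items", []):
        found = audit_pod(pod)
        if found:
            meta = pod["metadata"]
            report[meta["namespace"] + "/" + meta["name"]] = found
    return report

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, "->", ", ".join(found))
```

Running the same check on a schedule and comparing reports over time is one way to notice the configuration drift the hardening item warns about.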

IT is advancing quickly with new technologies being adopted at a rapid pace to solve problems. It is critical that a security program keep pace; otherwise, these same solutions can be used against an organization. This is especially true in terms of cyberwarfare, when the goal is not to conduct espionage but to impact the operations of your organization as part of a greater goal. Traditional security program elements are still valuable, such as runtime threat detection and disaster recovery, but they must evolve.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Sysdig.
