Mitre ATT&CK Frameworks Get a Handle on Kubernetes Security Defense

We all know securing Kubernetes is a pain. One of our problems is that while we know how to secure this or that component, getting our arms around the whole gamut of possible attacks on containers and Kubernetes is really hard. That’s why Mitre, the US government non-profit corporation dedicated to security, is working on an ATT&CK knowledge base for containers and Kubernetes.
Mitre ATT&CKs are globally accessible knowledge bases of adversary tactics and techniques based on observing real-world attacks. The ATT&CK knowledge base is a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
Originally Mitre, and its partners, Citigroup, JPMorgan Chase, and Microsoft, were just going to tackle building an ATT&CK knowledge base for containers. They quickly realized however, they needed to cover orchestration-level (e.g. Kubernetes) and container-level (e.g. Docker) adversary behaviors in a single Containers platform in ATT&CK.
Along the way to creating this knowledge base, the security researchers discovered that while the vast majority of attacks on containers and Kubernetes clusters are all about crypto-mining. But, evidence shows that adversaries are also using containers for more “traditional” purposes, such as exfiltration and collection of sensitive data. Worse still these kinds of attacks are being underreported. So, if you see something odd going on in your clusters and you didn’t worry much about it because you didn’t see a crypto-mining attack such as Monero Cryptojacking Malware in your containers, think again. You may still be under an attack after all.
While building out the knowledge base, the Mitre team also added other kinds of attacks. These include adversaries exploiting software vulnerabilities to facilitate escaping to the underlying host; Cases where security tools related to container deployment are disabled by an attacker; and network security attacker scanning within a Kubernetes network.
As for malware, MITRE has placed container-specific malware programs — Kinsing, Doki, and Hildegard — into ATT&CK. They hope this will help sysadmins and security leaders to get a better idea of the abstraction level of techniques with the Containers matrix when compared to Linux and Infrastructure-as-a-Service (IaaS).
Thinking of abstractions, you may wonder what good does such a high-level abstraction of Kubernetes and containers security threats do Kubernetes developers and administrators in the field. Ariel Shuper, who works on new technology and cloud applications security at Cisco, explained that while “The common Kubernetes risk assessment framework was based on the popular CIS benchmarks for Kubernetes. This framework consists of a comprehensive set of tests covering all the Kubernetes elements’ configuration security best practices.”
That’s fine as far it goes, Shuper continued, but it doesn’t address “attack vectors which are not based on security misconfigurations.” After all, “Malicious attacks can start by multiple elements expanding beyond security misconfigurations. But there were additional operational elements that pushed for a new framework. The popular managed Kubernetes services, such as Amazon Web Services‘ EKS, Azure AKS, or Google’s GKE doesn’t provide access to the elements which are tested by the CIS benchmarks, making it hard to assess the security status of these services.”
So Shuper thinks the ATT&CK matrix works well as a new risk-assessment framework since it verifies all other attack methods, steps, and stages. In addition, the ATT&CK matrix is “based only on tactics and techniques which were used in real attacks, making it very concrete.”
In addition, as Shuper points out too correctly, “not all developers are even entirely aware that this is what they’re using! This all makes it hard to manage security for Kubernetes.” You think? I’ve seen far too many Kubernetes experts who are anything but.
Shuper concluded, “Understanding Kubernetes security starts with understanding how Kubernetes can be breached. Hence, security teams need a complete picture of every role involved in protecting the security of your organization’s Kubernetes clusters. And that’s where a high-level Mitre ATT&CK security knowledge base comes in.