The MITRE ATT&CK® for Containers matrix was published today, establishing an industry knowledge base of attack techniques associated with containerization and related technologies that are increasingly ubiquitous in the current computing landscape. Microsoft is happy to have contributed and worked closely with the Center for Threat-Informed Defense and other partners to develop this framework for understanding and investigating this growing attack surface.

The ATT&CK for Containers matrix

ATT&CK for Containers builds on efforts including the threat matrix for Kubernetes developed by the Azure Security Center team for Azure Defender for Kubernetes. The Center for Threat-Informed Defense expanded on this initial framework by documenting real-world attacks, with Microsoft and other partners providing guidance and feedback throughout the process.

Building the ATT&CK for Containers matrix helps in understanding the risks associated with containers, including misconfigurations that are often the initial vector for attacks, as well as the specific implementation of attack techniques in the wild. This knowledge informs approaches for detecting threats, and thus helps in providing comprehensive protection, as more and more organizations adopt containers and container orchestration technologies like Kubernetes.

Organizations use containers to package software code, configuration files, libraries, and dependencies to enable fast software development and deployment. Containerization involves abstracting the OS and hardware. This abstraction creates scenarios where customers are unaware that the base image of a container has exploitable vulnerabilities, or where customers may not pay close attention to what libraries and binaries are present on the images they’re using.

The convenience of platform-agnostic deployment of containers can benefit software developers, but it can also potentially benefit attackers aiming to run malware on multiple platforms. In addition, the ease of deploying containers can mean that containers with vulnerabilities are distributed across an organization as part of normal deployment operations.

Microsoft security coverage for threats and risks associated with containers

Microsoft delivers protection against container threats in two areas: on endpoints and on Kubernetes clusters.

Microsoft Defender for Endpoint detects threats on endpoints running container hosts, focusing on behavior commonly observed on endpoints, including stealing locally stored credentials for accessing the cloud, downloading and running malicious images, and privilege escalation from Docker containers to hosts. Below is a mapping of Microsoft Defender for Endpoint detections to the ATT&CK for Containers techniques.

ATT&CK for Containers technique / Microsoft Defender for Endpoint detection

Valid Accounts
  - Suspicious cloud credential access
  - Unix credentials were illegitimately accessed

Unsecured Credentials
  - Suspicious cloud credential access
  - Unix credentials were illegitimately accessed

Build Image on Host
  - Malicious Docker image run
  - Suspicious network connection from Docker container

Deploy Container
  - Malicious Docker image run
  - Suspicious network connection from Docker container

User Execution: Malicious Image
  - Malicious Docker image run
  - Suspicious network connection from Docker container

Resource Hijacking
  - Malicious Docker image run

Container Resource Discovery
  - Suspicious kubectl exploratory command sequence

Exploit Public-Facing Application
  - Suspicious connection to unsecured Docker daemon

Escape to Host
  - Suspicious file opens by WSL

Detections of malicious or suspicious behaviors associated with containers are reported as alerts in the Microsoft 365 security center, enabling defenders to investigate and remediate the threat and hunt for related or similar behaviors. These detections enrich the telemetry that Microsoft Defender for Endpoint uses to build device timelines and cross-domain end-to-end attack chains:

Screenshot of Microsoft Defender Security Center showing detection of malicious Docker image

Azure Defender offers a Kubernetes plan to protect Kubernetes clusters, both at the orchestration layer and at the node level. The orchestration-layer protection monitors Kubernetes API operations to find suspicious and malicious actions in the Kubernetes control plane. The node-level protection, based on the Server plan of Azure Defender, inspects activity on the Kubernetes worker nodes to find suspicious activity run by the containers on the nodes. Below is a mapping of Azure Defender detections to the ATT&CK for Containers techniques.

ATT&CK for Containers technique / Azure Defender detection

Exploit Public-Facing Application
  - Azure Defender for container registries can help you avoid deploying vulnerable images to the clusters.

External Remote Service
  Orchestration level alerts:
  - Exposed Kubeflow dashboard detected
  - Exposed Kubernetes dashboard detected
  - Exposed Kubernetes service detected
  - Exposed Redis service in AKS detected
  Node level alerts:
  - Exposed Docker daemon detected

Valid Accounts
  Orchestration level alerts:
  - AKS API requests from proxy IP address detected
  Node level alerts:
  - Successful SSH brute force attack
  - Suspicious incoming SSH network activity from multiple sources
  - Suspicious incoming SSH network activity

Container Administration Command
  Orchestration level alerts:
  - Suspicious command executed in container
  Node level alerts:
  - Privileged command run in container
  - Suspicious request to Kubernetes API

Deploy Container
  Orchestration level alerts:
  - AKS API requests from proxy IP address detected
  - Digital currency mining container detected
  Node level alerts:
  - Suspicious request to Kubernetes API

Scheduled Task/Job
  - The Kubernetes CronJob controller, like other controllers, creates a pod resource. See the “Deploy Container” technique for relevant detections.

User Execution
  - Digital currency mining container detected

Implant Internal Image
  - Azure Defender for container registries regularly scans the images that are pushed to the registry.

Escape to Host
  Orchestration level alerts:
  - Container with a sensitive volume mount detected
  - Privileged container detected

Exploitation for Privilege Escalation
  Orchestration level alerts:
  - Privileged container detected

Build Image on Host
  Node level alerts:
  - Docker build operation detected on a Kubernetes node

Indicator Removal on Host
  Orchestration level alerts:
  - Kubernetes events deleted

  - New container in the kube-system namespace detected

Brute Force
  Node level alerts:
  - Successful SSH brute force attack
  - Suspicious incoming SSH network activity from multiple sources
  - Suspicious incoming SSH network activity

Unsecured Credentials
  Node level alerts:
  - Suspicious request to Kubernetes API

Resource Hijacking
  Orchestration level alerts:
  - Digital currency mining container detected
  - Suspicious command executed in container
  Node level alerts:
  - Process associated with digital currency mining detected
  - Possible Crypto coin miner download detected
  - Digital currency mining related behavior detected

In addition, as was observed in several attacks like the one that targeted Kubeflow workloads, many incidents begin with a misconfiguration. Azure Defender offers the ability to see misconfigurations, such as the exposure of sensitive interfaces to the internet. Azure Defender can also help reduce the attack surface by discovering sensitive operations like the creation of high-privilege RBAC rules, auditing for Kubernetes best practices, and providing deployment gates.
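An added example that is not code from the post, Azure Defender or MITRE: a small offline check that flags two of the orchestration-level misconfigurations the post names (a privileged container and a sensitive volume mount), pulls the pod spec out of a CronJob the way the “Scheduled Task/Job” row describes, and maps each finding to the ATT&CK for Containers technique the table pairs it with. Manifests are assumed to be already parsed into dicts, and the list of sensitive host paths is this example’s own assumption.

```python
# Added example, not code from the post, Azure Defender or MITRE: an offline
# check for two pod misconfigurations the post lists as orchestration-level
# alerts, mapped to the ATT&CK for Containers techniques the post pairs them with.

# Assumed list: host paths whose mount gives a container a route onto the node.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root", "/var/run/docker.sock")

# Alert name -> ATT&CK for Containers techniques, as in the post's table.
TECHNIQUES = {
    "Privileged container detected": (
        "Escape to Host", "Exploitation for Privilege Escalation"),
    "Container with a sensitive volume mount detected": ("Escape to Host",),
}

def pod_spec(manifest):
    """Pod spec of a Pod, a template-based kind (Deployment, Job, ...) or a
    CronJob, which, as the post notes, creates a Job that creates a Pod."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def is_sensitive(path):
    """True if a hostPath equals, or sits under, an assumed sensitive path."""
    p = path.rstrip("/") or "/"
    return p == "/" or any(p == s or p.startswith(s + "/")
                           for s in SENSITIVE_HOST_PATHS if s != "/")

def check_manifest(manifest):
    """Return sorted (alert, technique) pairs for one parsed manifest."""
    spec, alerts = pod_spec(manifest), set()
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            alerts.add("Privileged container detected")
    for v in spec.get("volumes", []):
        host = v.get("hostPath", {}).get("path")
        if host and is_sensitive(host):
            alerts.add("Container with a sensitive volume mount detected")
    return sorted((a, t) for a in alerts for t in TECHNIQUES[a])

# Constructed sample: a CronJob whose pod runs privileged and mounts the
# Docker socket, so both checks fire via the CronJob -> Job -> Pod path.
SAMPLE = {"kind": "CronJob", "metadata": {"name": "nightly"}, "spec": {
    "jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{"name": "job", "image": "example/job",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "sock",
                     "hostPath": {"path": "/var/run/docker.sock"}}]}}}}}}
```

Running `check_manifest(SAMPLE)` yields the three alert/technique pairs the table gives for these two alerts; a manifest with an unprivileged container and a non-sensitive hostPath yields none.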

The work to secure containers continues

The partnership between MITRE Engenuity’s Center for Threat-Informed Defense and Microsoft on investigating and understanding container threats doesn’t stop with the release of ATT&CK for Containers. We will continue to work with MITRE and the rest of the industry to share intelligence and insights from Microsoft’s products, sensors, and research. We will continue to look for innovative ways of surfacing telemetry, especially from within the container, not just on hosts, and of detecting behavior associated with both malicious activity and misconfigurations.

To learn more about how Microsoft can help you protect containers and related technologies today, read about Microsoft Defender for Endpoint and Azure Defender.

To learn more about the Center for Threat-Informed Defense, read about the Center’s collaborative approach to advancing threat-informed defense.

Microsoft 365 Defender Research Team

Azure Defender Team

The post Center for Threat-Informed Defense teams up with Microsoft, partners to build the ATT&CK® for Containers matrix appeared first on Microsoft Security.