Last April, we liberated the first version of the threat matrix for Kubernetes. It was the first attempt to systematically map the threat landscape of Kubernetes. As we described in the previous post, we chose to adapt the structure of MITRE ATT& CK( r) framework which, became almost an industry standard for describing threats.

Since the publication of the threat matrix last year, things have changed 😛 TAGEND

New threats were located as attackers targeted more and more Kubernetes workloads. We were glad to see that the security community adopted the matrix and added more techniques. As Kubernetes evolves, it becomes more secure by default and some techniques are no longer relevant.

Today, we are releasing the second version of the threat matrix for Kubernetes, which considers these changes. The updated matrix adds new techniques that were found by Microsoft researchers, as well as techniques that were suggested by the community. We also deprecate several techniques, which do not apply anymore to newer versions of Kubernetes. In this version, we likewise add a new tactic taken from MITRE ATT& CK( r ): collection.

The threat matrix to Kubernetes. The matrix consists of the various attacking techniques that target Kubernetes.

What has deprecated?

Kubernetes evolved and became more secure by default; techniques that appeared in last year’s matrix aren’t relevant to newer environments. Therefore, we decided to deprecate some of the method used 😛 TAGEND Exposed Kubernetes Dashboard

The Kubernetes dashboard’s usage has been in decline for a while now. Cloud-managed clusters, such as Microsoft’s AKS and Google’s GKE, deprecated this service and moved to a centralized interface in their portals. Moreover, the recent versions of the Kubernetes dashboard require authentication and it’s less likely to find exposed dashboards that do not require authentication. Consequently, we likewise removed the method used, “Access Kubernetes dashboard, ” under lateral motion tactic. Older versions of Kubernetes, including newer clusters that have the dashboard manually installed, are still affected by this technique. The idea of this technique was generalized in the new technique: disclosed sensitive interfaces( see below ).

Access tiller endpoint

As of version 3, Helm doesn’t use its server-side component, Tiller. This is a major improvement in the security of Helm. Currently, Helm operates( by default) on behalf of the user’s credentials as they appear in the kubeconfig file. Consumers of older different versions of Helm are still affected by this technique.

New techniques for the threat matrix 1. Initial access Exposed sensitive interfaces

Exposing a sensitive interface to the internet poses a security risk. Some popular frameworks were not intended to be exposed to the internet, and therefore don’t require authentication by default. Thus, exposing them to the internet lets unauthenticated be made available to a sensitive interface which might enable go code or deploying containers in the cluster by a malicious performer. Examples of such interfaces “thats been” seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.

2. Execution Sidecar injection

A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar receptacle is a word that is used to describe an additional container that resides alongside the main container. For instance, service-mesh proxies are operating as sidecars in the applications’ husks. Attackers can run their code and hide their activity by injecting a sidecar receptacle to a legitimate husk in the cluster instead of running their own separated husk in the cluster.

3. Persistence Malicious admission controller

Admission controller is a Kubernetes component that intercepts, and maybe modifies, requests to the Kubernetes API server. There are two types of admissions controllers: corroborating and mutating controllers. As the name implies, a mutating admission controller can modify the intercepted request and change its properties. Kubernetes has a built-in generic admission controller named MutatingAdmissionWebhook. The behavior of this admission controller is determined by an admission webhook that the user deploys in the cluster. Attackers can use such webhooks for gaining persistence in the cluster. For instance, attackers can intercept and modify the husk creation functionings in the cluster and add their malicious container to every created pod.

4. Credential access Access managed identity credential

Managed identities are identities that are managed by the cloud provider and can be allocated to cloud resources, such as virtual machines. Those identities are used to authenticate with cloud services. The identity’s secret is fully managed by the cloud provider, which eliminates the need to manage the credentials. Applications can obtain the identity’s token by accessing the Instance Metadata Service( IMDS ). Attackers who get access to a Kubernetes pod can leverage their access to the IMDS endpoint to get the managed identity’s token. With a token, the attackers can access cloud resources.

Malicious admission controller

In addition to persistency, a malicious admission controller can be used to access credentials. One of the built-in admission controllers in Kubernetes is ValidatingAdmissionWebhook. Like MutatingAdmissionWebhook, this admission controller is also generic, and its behaviour is determined by an admission webhook that is deployed in the cluster. Attackers can use this webhook to intercept the requests to the API server, record secrets, and other sensitive information.

5. Lateral movement CoreDNS poisoning

CoreDNS is a modular Domain Name System( DNS) server written in Go, hosted by Cloud Native Computing Foundation( CNCF ). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. If attackers have permissions to modify the ConfigMap, for example by using the container’s service account, they can change the behavior of the cluster’s DNS, poison it, and take the network identity of other services.

ARP poisoning and IP spoofing

Kubernetes has numerous network plugins( Container Network Interfaces or CNIs) that can be used in the cluster. Kubenet is the basic, and in many cases the default, network plugin. In this configuration, a bridge is generated on each node( cbr0) to which the various pods are connected utilizing veth pairs. The reality that cross-pod traffic is through a bridge, a level-2 component, means that performing ARP poisoning in the cluster is possible. Therefore, if attackers get access to a husk in the cluster, they can perform ARP poisoning, and spoof the traffic of other husks. By using this technique, attackers can perform several attempts at the network-level which can lead to lateral motions, such as DNS spoofing or stealing cloud the identity cards of other pods( CVE-2 021 -1 677 ).

6. Collection

In this update, we likewise add a new tactic to the threat matrix: collecting. In Kubernetes, collection consists of techniques that are used by attackers to collect data from the cluster or through use the cluster.

Image from private registry

The images that are running in the cluster can be stored in a private registry. For pulling those images, the receptacle runtime locomotive( such as Docker or containerd) need to use valid credentials to those registries. If the registry is hosted by the cloud provider, in services like Azure Container Registry( ACR) or Amazon Elastic Container Registry( ECR ), cloud credentials are used to authenticate to the registry. If attackers get access to the cluster, in some cases they can obtain access to the private registry and pull its images. For example, attackers can use the managed identity token as described in the “Access oversaw identity credential” technique. Similarly, in EKS, attackers can use the AmazonEC2ContainerRegistryReadOnly policy that is bound by default to the node’s IAM role.

Protect your containerized environments

Understanding the attack surface of containerized environments is the first step of house security solutions for these environments. The revised menace matrix for Kubernetes offers an opportunity to organizations identify the current gaps in their defenses’ coverage against the different menaces that target Kubernetes.

We recommend that you start protecting your containerized environment with Azure Defender today. Learn more about Azure Defender’s support for container security.

To learn more about Microsoft Security solutions visit our website . Bookmark the Security blog to keep up with our expert coverage on security matters. Likewise, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Secure containerized environments with updated menace matrix for Kubernetes appeared first on Microsoft Security .

Read more: