Note: The content of this post is being released in conjunction with the Center for Threat-Informed Defense. It is co-authored with Chris Ante and Matthew Bajzek. The Center post can be found here.

As containers become a major part of many organizations' IT workloads, it becomes crucial to consider the unique security threats that target such environments when building security solutions. The first step in this process is understanding the relevant threat landscape.

The MITRE ATT&CK® team has received frequent questions from the community about if or when ATT&CK would include coverage for adversary behavior in containers. Previous iterations of ATT&CK have included references to containers (for example, Resource Hijacking) and some clearly container-relevant techniques (for example, Implant Internal Image), but the coverage was insufficient to provide network defenders a holistic view of how containers are being targeted in enterprise environments.

Addressing the need for a common framework for understanding container threats

Given clear interest from the community, inspiration from Microsoft's work on the threat matrix for Kubernetes, and the publication of research from other teams, the Center for Threat-Informed Defense launched an investigation (sponsored by several Center members including Microsoft) that examined the viability of adding container content to ATT&CK. The purpose of the Container Techniques project was to investigate adversarial behavior in containerization technologies and determine whether there was enough open-source intelligence to warrant drafting an ATT&CK for Containers matrix, resulting in either new ATT&CK content or a report on the state of in-the-wild container-based tactics, techniques, and procedures (TTPs). The Center's research team promptly concluded that there was more than enough open-source intelligence to justify technique development, ultimately resulting in the new matrix.

As of the ATT&CK v9 release, the ATT&CK for Containers matrix is officially available. More details about the Containers matrix can be found in MITRE Engenuity's announcement blog. Some highlights of the new matrix include related software entries, procedure examples to help network defenders better understand new container-centric techniques, data sources to match the recent ATT&CK data sources refactor, and many others.

Figure 1. ATT&CK for Containers matrix (image: a matrix of attack techniques related to containerization technologies, organized by stages of an attack).

Evolving the threat matrix

MITRE ATT&CK has become the common vocabulary for describing real-world adversary behavior. ATT&CK offers organizations a way to measure their defenses against threats that impact their environment and identify possible gaps. Following ATT&CK's approach of methodically outlining the possible threats, Microsoft built the threat matrix for Kubernetes, which was one of the first attempts to systematically map the attack surface of Kubernetes. An updated version of the matrix was released earlier in 2021.

Figure 2: Threat matrix for Kubernetes (image: a matrix of attack techniques specific to Kubernetes, organized by stages of an attack).

Microsoft took part in the Center's project and lent knowledge that the company gained in the field of container security. Microsoft's broad visibility into threats helps to identify real-world attacks against containerized workloads and provide information about the tactics and techniques used in those attacks. One example of such an attack is a cryptocurrency mining campaign that targeted Kubernetes. In this incident, Microsoft observed evidence of the following techniques from the Microsoft threat matrix:

Exposed sensitive interfaces

New container

Pod/container name similarity

Listing Kubernetes secrets

Access Kubernetes API server

Resource Hijacking

The techniques that went into ATT&CK for Containers are different from those in the Microsoft threat matrix. As was explained in a blog post by the Center, it was preferable to use an existing ATT&CK technique rather than create a new one when possible. Therefore, several techniques from the threat matrix were mapped to existing Enterprise ATT&CK techniques. For instance, among the techniques listed above, "Exposed sensitive interfaces" from the threat matrix is equivalent to ATT&CK's "External Remote Services."
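To make the incident above concrete, here is an added example (not code from the original post, Microsoft, or the Center) that classifies Kubernetes API audit events against four of the threat-matrix techniques listed for the mining campaign: exposed sensitive interfaces, new container, pod/container name similarity, and listing Kubernetes secrets. The audit events are constructed for the example, the list of system pod names is an assumption, and the rules are simple heuristics rather than a vendor detection.

```python
"""Classify Kubernetes audit events against threat-matrix techniques.

Example code added to this page; the audit events below are constructed
and the detection rules are illustrative heuristics.
"""
import difflib
import json

# Workload names that normally live in kube-system. A mining pod named to
# resemble one of these blends in. Assumed list for this example.
SYSTEM_POD_NAMES = ("kube-proxy", "coredns", "kube-dns", "metrics-server")

# Constructed events in the shape of the Kubernetes audit log
# (verb, user, objectRef, responseStatus), one JSON object per line.
SAMPLE_AUDIT_LOG = """
{"verb":"list","user":{"username":"system:anonymous"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}
{"verb":"create","user":{"username":"dashboard-admin"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"kube-proxy-miner"},"responseStatus":{"code":201}}
{"verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"coredns-5d78c9869d-abc12"},"responseStatus":{"code":201}}
{"verb":"create","user":{"username":"dashboard-admin"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"core-dns"},"responseStatus":{"code":201}}
{"verb":"get","user":{"username":"system:node:worker-1"},"objectRef":{"resource":"secrets","namespace":"default","name":"tls-cert"},"responseStatus":{"code":200}}
"""


def looks_like_system_name(name, threshold=0.85):
    """True if a pod name copies or closely resembles a system workload name.

    Checks both the full name and the name with its last '-suffix' stripped,
    since controllers append hash suffixes (coredns-<hash>-<hash>).
    """
    stem = name.rsplit("-", 1)[0]
    for legit in SYSTEM_POD_NAMES:
        for candidate in (name, stem):
            if candidate == legit or candidate.startswith(legit + "-"):
                return True
            if difflib.SequenceMatcher(None, candidate, legit).ratio() >= threshold:
                return True
    return False


def classify_event(event):
    """Return the threat-matrix technique names an audit event matches."""
    findings = []
    verb = event.get("verb")
    user = event.get("user", {}).get("username", "")
    ref = event.get("objectRef") or {}
    resource = ref.get("resource")
    code = event.get("responseStatus", {}).get("code", 0)

    # Heuristic: a successful anonymous request that reached a named resource
    # (not /healthz and friends) suggests an interface exposed without auth.
    if user == "system:anonymous" and resource and 200 <= code < 300:
        findings.append("Exposed sensitive interfaces")

    # Only a collection read counts as "listing"; single gets are routine.
    if verb == "list" and resource == "secrets":
        findings.append("Listing Kubernetes secrets")

    if verb == "create" and resource == "pods":
        findings.append("New container")
        # Built-in controllers legitimately create pods with system names;
        # only a non-system principal doing so is treated as masquerading.
        if not user.startswith("system:") and looks_like_system_name(ref.get("name", "")):
            findings.append("Pod/container name similarity")
    return findings


def scan(audit_log):
    """Parse JSON-lines audit events and return (username, findings) for hits."""
    hits = []
    for line in audit_log.strip().splitlines():
        event = json.loads(line)
        findings = classify_event(event)
        if findings:
            hits.append((event["user"]["username"], findings))
    return hits


if __name__ == "__main__":
    for user, findings in scan(SAMPLE_AUDIT_LOG):
        print(f"{user}: {', '.join(findings)}")
```

The user filter matters: the replicaset-controller creating `coredns-5d78c9869d-abc12` is normal and is reported only as a new container, while a dashboard identity creating `kube-proxy-miner` or `core-dns` in kube-system is reported as name similarity as well. In a real cluster the system-name list and the similarity threshold need tuning to the workloads actually deployed.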

The Center's process for leveraging Microsoft's Kubernetes threat matrix was as follows:

Cross-referencing threat intelligence with the techniques used in the Kubernetes threat matrix.

Determining whether techniques with sufficient intelligence backing were already covered by existing Enterprise ATT&CK techniques, or whether they justified the creation of one or more new techniques or sub-techniques.

Considering Microsoft's tactic mapping for specific techniques and how they fit within ATT&CK's Enterprise, Cloud, and Containers matrix scoping. In the case of the multiple forms of "lateral movement," for example, the Center instead recognized pivots from one ATT&CK platform matrix to another (for example, Containers to Cloud).

The following are examples of techniques from Microsoft's matrix that were re-scoped to fit into existing Enterprise ATT&CK techniques:

Microsoft threat matrix -> Enterprise ATT&CK technique
Application vulnerability -> Exploit Public-Facing Application

Exposed sensitive interfaces -> External Remote Services

Clear container logs -> Indicator Removal on Host

Pod/container name similarity -> Masquerading: Match Legitimate Name or Location

Access Kubelet API -> Network Service Scanning

Meanwhile, the following are examples of techniques from the Microsoft threat matrix that were re-scoped based on the Center's platform decisions and additional open-source intelligence, with additional detail on each technique/sub-technique available in its description within ATT&CK for Containers:

Microsoft threat matrix -> ATT&CK for Containers technique
Exec into container + bash/cmd inside container -> Container Administration Command

New container -> Deploy Container

Kubernetes CronJob -> Scheduled Task/Job: Container Orchestration Job

HostPath mount + Writable volume mounts on the host -> Escape to Host

Not all the techniques and tactics that appear in the Microsoft threat matrix went into the new ATT&CK matrix. ATT&CK focuses on real-world techniques that are seen in the wild. In contrast, many of the techniques in the threat matrix were observed during research work and not necessarily as part of an active attack. For instance, "CoreDNS poisoning" from the updated matrix is a possible attack vector but hasn't been observed in the wild yet.

ATT&CK is dynamic

ATT&CK for Containers is by no means finished, and we look forward to future additions based on new intelligence and further community contributions. Before the public release of ATT&CK for Containers, Microsoft released an updated version of the threat matrix for Kubernetes, which speaks to the fast-paced evolution of this technology space and the need to keep up with new adversary behaviors.

The next step for the ATT&CK team is to assess the new content in Microsoft's matrix and consider it for potential future inclusion in ATT&CK based on the factors described above. Microsoft and the ATT&CK team will continue to collaborate to ensure that container technique coverage in ATT&CK is up to date and can continue to serve the needs of the community.

With the completion of this Center project, ATT&CK for Containers will be maintained by the ATT&CK team, who would love your continued feedback and contributions! Let the team know what you think, what could be improved, and most importantly what you see adversaries doing in the wild related to containers. Feel free to send an email at any time to attack@mitre.org. If you have ideas for other research and development projects that the Center should consider, please send an email to ctid@mitre-engenuity.org.

Learn more

To learn how Microsoft can help you protect containers and related technologies today, read about Microsoft Defender for Endpoint and Azure Defender.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post "The evolution of a matrix: How ATT&CK for Containers was built" appeared first on Microsoft Security Blog.
