
Detect and Mitigate Common Attack Techniques for Containers

May 24th, 2023 10:55am by

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework and its corresponding matrices help us understand how an organization’s attack surface can be exploited by an adversary and how they would likely approach an attack.

With a rising number of Kubernetes vulnerabilities being discovered each day, it’s important for organizations to be aware of the various attack vectors, and corresponding tactics and techniques, that are relevant to containerized applications in the cloud. Let’s look at the tactics and techniques outlined in MITRE’s containers matrix, and the types of detection and mitigation solutions you’ll need to address each tactic outlined in the matrix.

MITRE ATT&CK Framework and the Containers Matrix

In this article, I’ll be focusing on MITRE’s containers matrix. The matrix is a table organized by tactic, with each column listing the techniques related to that tactic.

In addition to the containers matrix, the MITRE ATT&CK framework includes a wide range of enterprise matrices that include Linux, cloud and network matrices. To make sure you have a strong overall security posture, I suggest you also explore these matrices.

Detecting and Mitigating Common Attack Techniques

Let’s look at the tactics and techniques outlined in the containers matrix by organizing them into the four main stages of an attack: reconnaissance, delivery and exploitation, installation and spread, and command and control. For each tactic, I’ll identify the types of detection and mitigation solutions you’ll need to address the related attack techniques.

Reconnaissance

Initial Access

The containers matrix begins with initial access (how attackers enter an organization’s environment). This initial access can be achieved through scanning for any public-facing application that the organization has built.

To mitigate risk, you need a solution that offers granular, zero trust runtime security features, including:

  • Vulnerability management (image scanning and admission controller).
  • Deep packet inspection.
  • Workload-centric web application firewall (WAF) with application-level visibility.
  • Identity-based microsegmentation to reduce attack surface.
  • Domain Name Service (DNS) policies with least-privilege access.

Execution

After gaining access, an attacker will attempt to execute some type of malicious code, spin up a new container, execute some code from the container orchestration platform or get a user to unsuspectingly execute the code on the attacker’s behalf via social engineering, for example, phishing campaigns using file extensions such as .doc. During this stage, the attacker has not fully gained access to critical data or resources.

To mitigate the risks posed by this tactic, you need a solution that enables you to strengthen your runtime threat defense. Features to look for include:

  • Center for Internet Security (CIS) benchmark reports for KSPM (Kubernetes Security Posture Management).
  • Malware protection through signature-based detection.
  • Container threat detection with behavioral-based learning to detect unknown container threats.
  • Identity-based microsegmentation to reduce attack surface.
  • DNS policies.

CIS benchmark reports for KSPM can help track and fix misconfigurations in the platform control-plane components. All types of role-based access control (RBAC)-related configurations where users are allocated permissions based on their roles should be taken care of in the Kubernetes platform.
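As an added example (not from the original article or any vendor product), the following sketch shows the kind of RBAC review described above: it flags roles whose rules are fully wildcarded or that allow creating pods or exec/attach sessions, which map to the execution techniques of spinning up a container or running code in one. The role names, the sample data and the `EXEC_GRANTS` list are assumptions constructed for illustration.

```python
import json

# Constructed sample, shaped like `kubectl get clusterroles -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "ci-deployer"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "debug-helper"},
  "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
            {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"metadata": {"name": "log-reader"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get"]}]},
 {"metadata": {"name": "metrics"},
  "rules": [{"nonResourceURLs": ["/metrics"], "verbs": ["get"]}]}
]}
""")

# Core-group grants that let a subject start a container or run code in one.
# Chosen for this example; not an exhaustive list.
EXEC_GRANTS = ("pods", "pods/exec", "pods/attach")


def audit_roles(role_list):
    """Return (role, finding, resource) tuples for over-broad RBAC rules."""
    findings = []
    for role in role_list.get("items", []):
        name = role["metadata"]["name"]
        for rule in role.get("rules") or []:
            groups = set(rule.get("apiGroups", []))
            resources = set(rule.get("resources", []))
            verbs = set(rule.get("verbs", []))
            if not resources:  # nonResourceURLs rule, out of scope here
                continue
            if "*" in groups and "*" in resources and "*" in verbs:
                findings.append((name, "wildcard", "*"))
                continue
            if not groups & {"", "*"}:  # pods live in the core ("") API group
                continue
            if not verbs & {"create", "*"}:
                continue
            for res in EXEC_GRANTS:
                if res in resources or "*" in resources:
                    findings.append((name, "exec-capable", res))
    return findings


if __name__ == "__main__":
    for finding in audit_roles(SAMPLE):
        print(finding)
```

The same function works on namespaced Roles, since they use the same `rules` structure.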

Persistence

Persistence refers to a determined bad actor trying to find alternate methods to infiltrate an organization’s network. In other words, even though a first attempt at access might have been futile, continued attempts are made to gain access.

Deploy-time security features can help to mitigate the risks posed by this tactic. Look for a solution that offers these features:

  • Image scanner.
  • CIS benchmark reports for KSPM.
  • Identity-based microsegmentation to reduce attack surface.
  • DNS policies.

Privilege Escalation

Privilege escalation refers to the additional resources through which an adversary can introduce malware directly or further move to a different component in a container environment. Techniques under privilege escalation give the attacker a higher-level privilege (system, root) for a container or the host.

A combination of build- and deploy-time security features can mitigate the risk of privilege escalation. These features include:

  • CIS benchmark reports for KSPM.
  • Workload-based IDS/IPS (intrusion detection and prevention).
  • Global threat feed intelligence.

Delivery and Exploitation

Defense Evasion

Many security solutions offer a wide range of features to detect and track malicious behavior in containers. Defense evasion techniques are meant to obfuscate these tools so that everything the bad actor has done is wiped out, leaving no trace of malicious activity. Attackers use defense evasion techniques to delete all logs and events related to their malicious activities so the administrator of a security, security information and event management (SIEM) or observability tool has no idea that an unauthorized event or process has occurred.

To protect against defense evasion, you need a container security solution that detects malware during runtime and provides threat detection and blocking capabilities, including:

  • Container threat detection with behavior-based learning
  • Runtime threat defense to protect against malware
  • Honeypods to capture malicious actors and activity

Credential Access

If, after employing defense evasion techniques, an attacker has not been successful in obtaining sensitive data, they are probably looking at accounts, passwords and other credentials that will let them access the data they’re looking for. There are multiple ways an attacker can get the credentials they need, such as social engineering, spear phishing, brute force and network sniffing.

In a Kubernetes-based environment, access tokens for APIs are required to authorize API communication (OAuth 2.0) that happens between the Kubernetes API server and the container processes. If these tokens are compromised, any attacker can run Kubernetes commands as an authorized user.

Mitigation strategies for this tactic include:

  • Container threat detection with behavior-based detection
  • Workload-centric WAF
  • DNS policies

Discovery

This is a critical tactic for both the attacker and the organization (defender). Once an adversary gets enough information about all the resources such as pods, nodes, images, etc., they’ll have an approximate blueprint of the entire application. This information can be used to plan how to move from workload to workload until their desired outcome is reached. Most threat actors and teams spend a considerable amount of time in this phase.

To mitigate risks posed by this tactic, you’ll need features that are designed for zero trust workload access and deliver the following mitigation strategies:

  • DNS policies and workload access controls to limit access to resources.
  • Identity-based microsegmentation to reduce the attack surface and prevent sensitive workloads from being discovered.

Installation and Spread

Lateral Movement

Lateral movement is a critical aspect when it comes to container security as it can be a way to evade traditional security tools that are not designed to be deployed in a Kubernetes-based application. Since the basic Kubernetes networking premise is flat and all pods can talk to each other, lateral movement is easier for a threat actor looking to steal data, install ransomware or use botnets in an application.

To combat this tactic, you need a security solution that provides:

  • Identity-based microsegmentation to reduce attack surface.
  • Fine-grained egress access controls for workloads (with the ability to apply DNS policies).
  • Global default-deny policy and least-privilege access.

With these features, an attacker will have less chance of moving laterally since the number of nodes they are exposed to is smaller.
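To make the default-deny point concrete, here is an added example (not from the original article) that checks which namespaces still lack a namespace-wide default-deny in each direction. It assumes the native Kubernetes NetworkPolicy API, since the article does not name a specific policy API; the namespace names and policy data are constructed.

```python
import json

# Constructed sample, shaped like `kubectl get networkpolicy -A -o json` output.
POLICIES = json.loads("""
{"items": [
 {"metadata": {"namespace": "payments", "name": "default-deny"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
 {"metadata": {"namespace": "frontend", "name": "deny-in"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
 {"metadata": {"namespace": "frontend", "name": "allow-web"},
  "spec": {"podSelector": {"matchLabels": {"app": "web"}},
           "policyTypes": ["Egress"], "egress": [{"ports": [{"port": 53}]}]}},
 {"metadata": {"namespace": "batch", "name": "open-ingress"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
           "ingress": [{}], "egress": []}}
]}
""")
NAMESPACES = ["payments", "frontend", "batch", "legacy"]  # constructed names


def classify(policy):
    """Return (isolated, allow_all) direction sets for a namespace-wide policy."""
    spec = policy.get("spec", {})
    sel = spec.get("podSelector", {})
    if sel.get("matchLabels") or sel.get("matchExpressions"):
        return set(), set()  # selects only some pods: not a namespace default
    # When policyTypes is omitted, Ingress is implied; Egress only if rules exist.
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
    # An empty rule ({}) matches all peers and ports, i.e. allow-all.
    allow_all = {t for t in types if any(r == {} for r in spec.get(t.lower()) or [])}
    return set(types), allow_all


def missing_default_deny(namespaces, policy_list):
    """Map namespace -> directions with no effective default-deny."""
    isolated = {ns: set() for ns in namespaces}
    opened = {ns: set() for ns in namespaces}
    for policy in policy_list.get("items", []):
        ns = policy["metadata"]["namespace"]
        if ns in isolated:
            iso, allow = classify(policy)
            isolated[ns] |= iso
            opened[ns] |= allow
    report = {}
    for ns in namespaces:
        gaps = {"Ingress", "Egress"} - (isolated[ns] - opened[ns])
        if gaps:
            report[ns] = sorted(gaps)
    return report
```

Allow-all rules inside label-selected policies are not evaluated here; they open only the selected pods and need a separate per-workload review.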

Command and Control

Impact

Organizations are most worried about losing critical data — both internal and customer information — through command and control activity. Any security system, no matter how good it is at detecting vulnerabilities or threat activity, must be able to block the transfer of sensitive data from inside the organization to an external actor. In a containerized environment, this means applying the principle of least privilege to workloads when they communicate with other workloads within a cluster, with external applications and workloads outside the cluster, and with end users.

To protect workloads from severe impact from an attack, you need a solution that provides:

  • A suite of zero trust security policies.
  • Microsegmentation to limit an attack’s blast radius.
  • A global default-deny policy.
  • Alerting for anomaly detection.

Final Thoughts

A comprehensive runtime security solution is something that can both detect and mitigate reconnaissance techniques, while also providing a robust zero trust architecture to thwart unauthorized network activity that can lead to command-and-control situations. Cloud native applications have a unique architecture, so when dealing with containers and Kubernetes, you need a security solution that is built with cloud native architecture in mind. Without this, it will be a challenge to detect, mitigate and prevent attacks. My recommendation is to invest in a tailor-made security approach for containers and Kubernetes. A solid defense-in-depth strategy along with a Kubernetes-native solution will help you stay one step ahead of attackers.

To learn more about cloud native approaches for establishing security and observability for containers and Kubernetes, check out this O’Reilly eBook, authored by Tigera.

TNS owner Insight Partners is an investor in: Pragma, Tigera.