Guest post originally published on the Magalix blog by Rahul Sharma


Last year, CNCF reported an extraordinary 300% increase in Kubernetes adoption, from 23% in March 2016 to 92% in July 2020. The data clearly shows Kubernetes to be the industry standard for container orchestration. But the study also reports that Kubernetes security remains one of the top 3 challenges. As organizations accelerate their adoption of containers, they must invest in safeguarding this critical infrastructure.

A typical large Kubernetes cluster is a highly distributed environment with many deployed applications. Misconfigurations and vulnerabilities can expose services to unintended users. An adversary can exploit these gaps to gain access and perform malicious activities. Malware and spyware can be executed in containers or sidecars. The ephemeral nature of containers makes it hard to monitor and trace these exploits. Securing Kubernetes and cloud-native architecture using best practices is a good starting place, but it does not provide guidance for identifying and mitigating attacks.

What is MITRE ATT&CK Matrix?

The MITRE ATT&CK framework is a knowledge base of techniques and tactics attackers use to infiltrate and attack Kubernetes clusters. An attacker usually plans how to infiltrate a cluster and do damage by following the stages of an attack lifecycle. The attacker must progress through each of these stages for the attack to be successful. The threat matrix identifies the tactics used at various stages of a cyberattack.

MITRE ATT&CK framework tactics include the following: 

  1. Initial Access.
  2. Execution.
  3. Persistence.
  4. Privilege escalation.
  5. Defense evasion.
  6. Credential access.
  7. Discovery.
  8. Lateral movement.
  9. Collection.
  10. Impact.

Figure: MITRE ATT&CK matrix table

In the above matrix, each column represents a different attack stage, and each item in each column represents a tactic employed by attackers during that stage. The categorization is intended to help organizations determine their attack surface and adopt suitable detection and mitigation strategies.

Understanding the ATT&CK matrix also helps security teams implement strategies and technologies to contain an attack. Blocking adversaries at any stage breaks the attack and mitigates the damage incurred. Prevention must therefore occur at each stage, to block the attackers’ ability to access the cluster, move laterally within it, or steal sensitive data. The matrix thus also represents a layered model for security enforcement. Layering your security in this way prevents one weak point from jeopardizing the cluster.

1- Initial Access

Initial access is the first stage of the attack. This tactic covers the attacker’s objective of gaining access to Kubernetes clusters by compromising either a component within the Kubernetes control plane that handles cluster management or various resources within the cluster – for example, by compromising a running application component on a worker node or by pushing malware-infected images.

Techniques in this early stage focus on unpatched vulnerabilities or credential leaks. Organizations must perform periodic Kubernetes upgrades, implement vulnerability scanning and limit access by leveraging Kubernetes RBAC. Implementing these measures dramatically reduces an organization’s attack surface.

2- Execution

During execution, the attacker runs code inside of a Kubernetes cluster to accomplish their goals. They can exploit an application vulnerability, access a pod, deploy a sidecar or use other means to execute the malicious code.

This tactic involves executing workloads within a cluster. Isolating workloads by creating separate namespaces is an essential step for mitigation. Furthermore, organizations can implement Pod Security Policies to govern the execution of workloads.

3- Persistence

Maintaining access to a compromised target is a key tactic used by attackers. This is most commonly done by exploiting a backdoor. In the world of Kubernetes, there are many access points that allow access to its resources.

Attackers often execute an innocuous HTTP request to one of their machines and then upgrade this connection to an interactive remote shell. These commands are persisted as a script on the Kubernetes Node using a hostPath volume mount. The script is then executed by containers scheduled using a Kubernetes CronJob, thus providing a persistent connection to the attacker. A Kubernetes cluster can be protected by implementing a Pod Security Policy to deny host mounts and Network Policies to control how traffic is routed in and out of the cluster.

4- Privilege Escalation

Attackers use the privilege escalation tactic to obtain higher privileges in the environment than they currently have. This can include accessing a node through a container, gaining privileges within a cluster, or even using cloud resources.

Organizations must apply the fundamental principle of least privilege that grants only required privileges and no more. To prevent security issues, it is recommended that you do not run privileged containers in your environment. Instead, provide granular permissions and capabilities to the required containers.
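The host-mount and privileged-container checks recommended in the Persistence and Privilege Escalation sections can be run over manifests before they are deployed. The following is an added example, not code from the original post; the manifests are constructed and the finding strings are this example's own.

```python
# Added example: audit parsed manifests for host mounts and privileged containers.
# The sample objects below are constructed for illustration.

def pod_spec_of(obj):
    """Locate the pod spec inside a Pod, CronJob, or template-based workload."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    # Deployment, StatefulSet, DaemonSet and Job keep it at spec.template.spec
    return spec.get("template", {}).get("spec", {})

def audit(obj):
    """Return sorted findings for one manifest dict."""
    spec, findings = pod_spec_of(obj), []
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath volume '{vol['name']}' mounts {vol['hostPath'].get('path')}")
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag} is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container '{c['name']}' runs privileged")
        for cap in (sc.get("capabilities") or {}).get("add", []):
            findings.append(f"container '{c['name']}' adds capability {cap}")
    return sorted(findings)

CRONJOB = {"kind": "CronJob", "metadata": {"name": "report"}, "spec": {
    "schedule": "*/5 * * * *",
    "jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{"name": "runner", "image": "registry.example/runner:1"}],
        "volumes": [{"name": "scripts", "hostPath": {"path": "/opt/scripts"}}]}}}}}}
POD = {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {
    "hostPID": True,
    "containers": [{"name": "tool", "image": "registry.example/tool:1",
                    "securityContext": {"privileged": True,
                                        "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
    "containers": [{"name": "web", "image": "registry.example/web:1",
                    "securityContext": {"privileged": False}}]}}}}

if __name__ == "__main__":
    for manifest in (CRONJOB, POD, DEPLOYMENT):
        print(manifest["kind"], manifest["metadata"]["name"], audit(manifest) or "no findings")
```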

5- Defense Evasion

Defense Evasion techniques focus on concealing adversary actions to avoid detection. This includes tactics such as deleting evidence of an attacker’s presence or obfuscating how access to a resource was gained.

Audit logs allow administrators to view all security events in the Kubernetes cluster. Make sure to enable and monitor audit logs for anomalous or unwanted API calls, especially any authorization failures. Additionally, administrators should minimize container access to underlying nodes, especially in the Kubernetes control plane, by restricting host mounts.
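A minimal sketch of the audit-log monitoring described above, as an added example that is not part of the original post. It reads `audit.k8s.io/v1` events as JSON lines and flags users with repeated authorization failures (HTTP 403). The sample events are constructed, and both the threshold and the treatment of deleted Event objects as evidence removal are assumptions of this example.

```python
import json
from collections import Counter

# Constructed audit.k8s.io/v1 events, one JSON object per line (not real cluster data).
SAMPLE_LOG = """\
{"stage":"RequestReceived","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"shop"}}
{"stage":"ResponseComplete","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"shop"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:shop:cart"},"objectRef":{"resource":"secrets","namespace":"shop"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:shop:cart"},"objectRef":{"resource":"nodes"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:shop:cart"},"objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"deletecollection","user":{"username":"ops-bot"},"objectRef":{"resource":"events","namespace":"shop"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"usern
"""

def completed_events(log_text):
    """Yield parsed events at the ResponseComplete stage, skipping damaged lines."""
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a line truncated by log rotation
        if isinstance(event, dict) and event.get("stage") == "ResponseComplete":
            yield event

def detect(log_text, threshold=3):
    """Return sorted (user, reason) alerts for one batch of audit log lines."""
    denied, alerts = Counter(), set()
    for event in completed_events(log_text):
        user = (event.get("user") or {}).get("username", "unknown")
        ref = event.get("objectRef") or {}
        code = (event.get("responseStatus") or {}).get("code", 0)
        if code == 403:  # the API server refused the request on authorization
            denied[user] += 1
        # Assumption of this example: deleting Event objects counts as evidence removal
        if (event.get("verb") in ("delete", "deletecollection")
                and ref.get("resource") == "events" and 200 <= code < 300):
            alerts.add((user, f"deleted events in {ref.get('namespace', 'all namespaces')}"))
    alerts.update((u, f"{n} authorization failures") for u, n in denied.items() if n >= threshold)
    return sorted(alerts)

if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```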

6- Credential Access

Having established their presence within the cluster, elevated their permissions, planted backdoors, and evaded defenses, the attacker is now ready to go after data and credentials. This may include secrets that are part of a cluster, database and application credentials that are part of a program, or even cloud credentials for managed clusters.

Mounting sensitive information on all Nodes is generally not recommended. Instead, teams must use Node pools effectively so that sensitive and secret information is scheduled only for the workloads that require it.

7- Discovery

An adversary uses this type of attack to gather information about the cluster components and their internal networking. The information allows them to exploit vulnerabilities in the deployed services to move further to applications and databases.

The tactic can be mitigated by limiting access to sensitive assets using least-privileged credentials, Pod Security Policies, and Network Policies.

8- Lateral Movement

With malware installed and traces removed, attackers now can access and control all nodes in the cluster. The purpose of these techniques is to allow an adversary to access and control remote systems on a network, which may include executing tools on the remote system.

All Pods in a cluster can communicate with each other unless restricted by NetworkPolicy. Attackers can use the container service account credentials available on the Pod to connect to the Kubernetes API server and determine cluster workloads. Then they can connect to the other containers deployed in the cluster. Organizations must enable RBAC to limit cluster access and enforce Network Policies to control how traffic is routed.
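Because Pods are open to all traffic until a NetworkPolicy selects them, a useful check is to list the Pods that no policy isolates. This is an added example, not code from the original post. The cluster state is constructed, and the helper names (`selects`, `policy_types`, `unrestricted`, `make_pod`) are this example's own.

```python
def selects(selector, labels):
    """Evaluate a Kubernetes label selector; an empty selector matches every pod."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, values = expr["key"], expr.get("values") or []
        matched = {"In": labels.get(key) in values,
                   "NotIn": labels.get(key) not in values,
                   "Exists": key in labels,
                   "DoesNotExist": key not in labels}[expr["operator"]]
        if not matched:
            return False
    return True

def policy_types(policy):
    """API defaulting: Ingress always applies, Egress only when egress rules are present."""
    spec = policy["spec"]
    return spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))

def unrestricted(pods, policies, direction="Ingress"):
    """Return 'namespace/name' for pods that no NetworkPolicy isolates in this direction."""
    result = []
    for pod in pods:
        meta = pod["metadata"]
        isolated = any(
            p["metadata"]["namespace"] == meta["namespace"]
            and direction in policy_types(p)
            and selects(p["spec"].get("podSelector") or {}, meta.get("labels") or {})
            for p in policies)
        if not isolated:
            result.append(f"{meta['namespace']}/{meta['name']}")
    return sorted(result)

# Constructed cluster state; real input could come from `kubectl get ... -o json`.
def make_pod(ns, name, **labels):
    return {"metadata": {"namespace": ns, "name": name, "labels": labels}}

PODS = [make_pod("shop", "api", app="api"), make_pod("shop", "db", app="db"),
        make_pod("batch", "worker", app="worker")]
POLICIES = [
    {"metadata": {"namespace": "shop", "name": "db-from-api"}, "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}]}]}},
    {"metadata": {"namespace": "batch", "name": "deny-egress"}, "spec": {
        "podSelector": {}, "policyTypes": ["Egress"]}}]

if __name__ == "__main__":
    print("open to all ingress:", unrestricted(PODS, POLICIES))
    print("open to all egress:", unrestricted(PODS, POLICIES, "Egress"))
```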

9- Collection

This tactic consists of techniques adversaries use to gather information beyond the compromised cluster. In Kubernetes, images are downloaded from a private registry like ECR, Quay, etc. If the registry's access credentials are compromised, attackers can access the registry to manipulate all container images. Organizations can mitigate the attack by having read-only policies for the registry credentials used in Kubernetes.

10- Impact

Disruption or destruction of resources within the target environment is the ultimate goal of an attacker. Data destruction, resource hijacking, and denial of service are some of these techniques.

An attacker can scale down deployments, remove StatefulSets, delete volumes, terminate running pods, drain nodes, etc., impacting your business workflows. They can also trigger a denial of service attack by shutting down Kubernetes components like the control plane. Alternatively, Kubernetes resources can be used for crypto mining by adding new containers for this activity.


Disrupting cyber attacks involves several stages of the attack lifecycle. If attackers cannot successfully exploit vulnerabilities, they cannot penetrate the cluster and will not obtain remote control over it. The MITRE ATT&CK framework provides the necessary knowledge of how such attacks happen in the real world. The framework helps to harden your cluster security with a layered defense approach.

Magalix Policy Enforcement Platform has 100s of out-of-the-box policies and templates – PCI DSS, Application-Based Policies, and MITRE ATT&CK – enabling companies to hit the ground running.