Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Advanced Persistence Threats: The Future of Kubernetes Attacks

Ian Coldwater
August 20, 2020
Technology
1
2.5k

Advanced Persistence Threats: The Future of Kubernetes Attacks

Presented with Brad Geesaman at KubeCon EU/Virtual 2020.

What would happen if your cluster was successfully compromised by an attacker who understands Kubernetes at a deep level? How could they attempt to avoid detection, cover their tracks, achieve full cluster access, obtain persistence, steal credentials, and launch additional attacks in your environment? As Kubernetes grows in popularity, the sophistication of attackers will improve, and security by obscurity will no longer be sufficient. Cluster operators need to be aware of what a skilled and knowledgeable attacker can be capable of.

Let’s explore the dark corners of clusters and shine a light on how features such as privileged containers and validating webhooks can be used to maliciously mutate pods, exfiltrate data, deploy “shadow” control planes, and more. The audience will learn how to detect these advanced approaches and how to prevent these attacks using practical, proven methods.

Ian Coldwater

August 20, 2020
Tweet

More Decks by Ian Coldwater

See All by Ian Coldwater
Bridge Construction Kit: DevOps and Security Don’t Have to Be Islands
iancoldwater
2
430
Hello World
iancoldwater
1
150
Hello From the Other Side
iancoldwater
0
430
The Path Less Traveled: Abusing Kubernetes Defaults
iancoldwater
7
6.9k
Crafty Requests: Deep Dive into Kubernetes CVE-2018-1002105
iancoldwater
2
320
Ship of Fools: Shoring Up Kubernetes Security
iancoldwater
3
2.4k

Other Decks in Technology

See All in Technology
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
280
AOAI をきっかけに​ 社内の Azure 管理を見直した話​
recruitengineers
PRO
1
270
マルチアカウント環境への発見的統制の導入
ch1aki
1
1.3k
20240418_Google ColabにLLMが搭載されたようなのでPython x データ分析の勉強方法を考えてみる
doradora09
0
120
Meta Quest 3 で動く桜マシマシ WebXR アプリを IBM Cloud Code Engine と Babylon.js で作った話
1ftseabass
PRO
0
120
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
450
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.4k
サーバー間 GraphQL と webmock-graphql の話 / server-to-server graphql and webmock-graphql
qsona
2
180
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
410
20240416_devopsdaystokyo
kzkmaeda
1
220
GraphQL 成熟度モデルの紹介と、プロダクトに当てはめた事例 / GraphQL maturity model
mh4gf
7
1.3k
私が trocco を推す理由
__allllllllez__
1
210

Featured

See All Featured
In The Pink: A Labor of Love
frogandcode
138
21k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
659
120k
Ruby is Unlike a Banana
tanoku
96
10k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
KATA
mclloyd
15
12k
Git: the NoSQL Database
bkeepers
PRO
422
63k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
Embracing the Ebb and Flow
colly
80
4.1k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
A better future with KSS
kneath
231
16k
A Philosophy of Restraint
colly
197
16k

Transcript

  1. ADVANCED PERSISTENCE THREATS The Future of Kubernetes Attacks @bradgeesaman @IanColdwater

  2. • Ian Coldwater is a Lead Platform Security Engineer at

    Salesforce, who specializes in hacking and hardening Kubernetes, containers and cloud infrastructure. • Brad Geesaman is the co-founder of Darkbit, who helps clients improve the security of their clusters in cloud-native environments. @bradgeesaman @IanColdwater

  3. EARLY K8S ARCHITECTURE @bradgeesaman @IanColdwater

  4. None

  5. K8S COMES AT YOU FAST @bradgeesaman @IanColdwater

  6. LOOKING FORWARD @bradgeesaman @IanColdwater

  7. GOALS What might an attacker want to do? @bradgeesaman @IanColdwater

    goose.game

  8. DEMO Tapping into the API Server Data Flow @bradgeesaman @IanColdwater

  9. VALIDATING WEBHOOKS @bradgeesaman @IanColdwater

  10. VALIDATING WEBHONKS @bradgeesaman @IanColdwater

  11. None
  12. None

  13. DEMO Shadow API Server @bradgeesaman @IanColdwater • launch an in-cluster

    “shadow” 
 API server that silently bypasses 
 main API servers • no security policy • no logs • no crime!

  14. SHADOW API SERVER @bradgeesaman @IanColdwater

  15. DEMO - C2BERNETES Use Kubernetes as a C2 infrastructure across

    multiple clusters @bradgeesaman @IanColdwater

  16. WHAT IS K3S? • A lightweight Kubernetes distribution designed for

    resource-constrained environments • Runs as a single <40MB binary • Has a simplified communication channel: only requires a single TLS connection outbound from nodes to the control plane • This is very likely to be available and blend in with other valid traffic :) @bradgeesaman @IanColdwater

  17. KUBERNETES VS K3S @bradgeesaman @IanColdwater

  18. None

  19. ALL CLOUDS ARE BROKEN @bradgeesaman @IanColdwater

  20. C2: CLUSTER OF CLUSTERS @bradgeesaman @IanColdwater

  21. WHAT'S COMING @bradgeesaman @IanColdwater

  22. CHECK YOUR --PRIVILEGE New as of Kubernetes 1.19.0 @bradgeesaman @IanColdwater

    kubectl run --privileged

  23. DYNAMIC CONFIGURATION @bradgeesaman @IanColdwater • Dynamic Audit Sink configuration --feature-gates=DynamicAuditing=true

    • Dynamic Kubelet configuration --feature-gates=DynamicKubeletConfig=true

  24. Greetz to https://github.com/kayrus/kubelet-exploit @bradgeesaman @IanColdwater

  25. DEMO Bringing It Back @bradgeesaman @IanColdwater

  26. COMING FULL CIRCLE @bradgeesaman @IanColdwater

  27. None
  28. None