Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Advanced Persistence Threats: The Future of Kubernetes Attacks

Advanced Persistence Threats: The Future of Kubernetes Attacks

Presented with Brad Geesaman at KubeCon EU/Virtual 2020.

What would happen if your cluster was successfully compromised by an attacker who understands Kubernetes at a deep level? How could they attempt to avoid detection, cover their tracks, achieve full cluster access, obtain persistence, steal credentials, and launch additional attacks in your environment? As Kubernetes grows in popularity, the sophistication of attackers will improve, and security by obscurity will no longer be sufficient. Cluster operators need to be aware of what a skilled and knowledgeable attacker can be capable of.

Let’s explore the dark corners of clusters and shine a light on how features such as privileged containers and validating webhooks can be used to maliciously mutate pods, exfiltrate data, deploy “shadow” control planes, and more. The audience will learn how to detect these advanced approaches and how to prevent these attacks using practical, proven methods.

Ian Coldwater

August 20, 2020

More Decks by Ian Coldwater

Other Decks in Technology


  1. ADVANCED PERSISTENCE THREATS The Future of Kubernetes Attacks @bradgeesaman @IanColdwater

  2. • Ian Coldwater is a Lead Platform Security Engineer at

    Salesforce, who specializes in hacking and hardening Kubernetes, containers and cloud infrastructure. • Brad Geesaman is the co-founder of Darkbit, who helps clients improve the security of their clusters in cloud-native environments. @bradgeesaman @IanColdwater
  3. EARLY K8S ARCHITECTURE @bradgeesaman @IanColdwater

  4. None
  5. K8S COMES AT YOU FAST @bradgeesaman @IanColdwater

  6. LOOKING FORWARD @bradgeesaman @IanColdwater

  7. GOALS What might an attacker want to do? @bradgeesaman @IanColdwater

  8. DEMO Tapping into the API Server Data Flow @bradgeesaman @IanColdwater

  9. VALIDATING WEBHOOKS @bradgeesaman @IanColdwater

  10. VALIDATING WEBHONKS @bradgeesaman @IanColdwater

  11. None
  12. None
  13. DEMO Shadow API Server @bradgeesaman @IanColdwater • launch an in-cluster

 API server that silently bypasses 
 main API servers • no security policy • no logs • no crime!
  14. SHADOW API SERVER @bradgeesaman @IanColdwater

  15. DEMO - C2BERNETES Use Kubernetes as a C2 infrastructure across

    multiple clusters @bradgeesaman @IanColdwater
  16. WHAT IS K3S? • A lightweight Kubernetes distribution designed for

    resource-constrained environments • Runs as a single <40MB binary • Has a simplified communication channel: only requires a single TLS connection outbound from nodes to the control plane • This is very likely to be available and blend in with other valid traffic :) @bradgeesaman @IanColdwater
  17. KUBERNETES VS K3S @bradgeesaman @IanColdwater

  18. None
  19. ALL CLOUDS ARE BROKEN @bradgeesaman @IanColdwater

  20. C2: CLUSTER OF CLUSTERS @bradgeesaman @IanColdwater

  21. WHAT'S COMING @bradgeesaman @IanColdwater

  22. CHECK YOUR --PRIVILEGE New as of Kubernetes 1.19.0 @bradgeesaman @IanColdwater

    kubectl run --privileged
  23. DYNAMIC CONFIGURATION @bradgeesaman @IanColdwater • Dynamic Audit Sink configuration --feature-gates=DynamicAuditing=true

    • Dynamic Kubelet configuration --feature-gates=DynamicKubeletConfig=true
  24. Greetz to https://github.com/kayrus/kubelet-exploit @bradgeesaman @IanColdwater

  25. DEMO Bringing It Back @bradgeesaman @IanColdwater

  26. COMING FULL CIRCLE @bradgeesaman @IanColdwater

  27. None
  28. None