Slide 1
Slide 1 text
1
Rebuilding the Kubernetes Threat Matrix
and Validating Attack Detection by Falco
Summer Internship 2022
@hi120ki
Slide 2
Slide 2 text
2
@hi120ki Hiroki Akamatsu / Security Engineering
● Full Name : 赤松宏紀 (Hiroki Akamatsu)
● GitHub : hi120ki
● Twitter : hi120ki
● Joining Time : 2022/08/16
● Career : M1 student @Osaka University
Slide 3
Slide 3 text
3
What I have done
Re-evaluate
Sysdig Secure
Slide 4
Slide 4 text
4
Sysdig Secure
SaaS for Kubernetes Security
Attack
detection
by Falco
Record
container
activity
Container
image
scan
Kubernetes
audit log
Slide 5
Slide 5 text
5
How to attack Kubernetes?
Before thinking about detection, we have to know
Slide 6
Slide 6 text
6
How to attack Kubernetes?
Microsoft’s Threat Matrix
includes all of attack techniques to Kubernetes
https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
Slide 7
Slide 7 text
7
How to attack Kubernetes?
Rebuild the Kubernetes Threat Matrix
Slide 8
Slide 8 text
8
Falco
Syscall based attack detection OSS
Linux Kernel
Falco probe
Process
Process
syscall
syscall
Syscall execute open files,
network connections,
spawn new process, etc
Catch and analyze syscall
→ Detect secret file read,
malicious network access,
spawn malicious process, etc
Slide 9
Slide 9 text
9
Contribute to Falco OSS
Validating attack detection by Falco with Rebuilded Kubernetes Threat Matrix
Add attack detection rules
・Add read environment variable from /proc files - falco#2193
・Add rule to detect bypass by symlink files - falco#2202
・Add containerd.sock to sensitive_vol_mount - k8saudit#146
・Add Launch Excessively Capable Pod into k8saudit rule - k8saudit#147
Fix attack detection rules
・Add GKE default pod into allowlist in Mount Launched rule - falco#2198
・Fix mount detection in falco_rules.yaml - falco#2199
・Fix k8saudit rule EphemeralContainers Created - k8saudit#151
Fix
・Add ka.sourceips in k8saudit plugin - k8saudit#143
・Add userAgent to auditEvent - stackdriver-webhook-bridge#16
Created 9PR to OSS
Contribute not only Mercari but Kubernetes Security
Slide 10
Slide 10 text
10
Published a blog post!
https://engineering.mercari.com/blog/entry/20220928-kubern
etes-threat-matrix-and-attack-detection-by-falco/