Slide 1

Slide 1 text

1 Rebuilding the Kubernetes Threat Matrix and Validating Attack Detection by Falco Summer Internship 2022 @hi120ki

Slide 2

Slide 2 text

2 @hi120ki Hiroki Akamatsu / Security Engineering ● Full Name : 赤松宏紀 (Hiroki Akamatsu) ● GitHub : hi120ki ● Twitter : hi120ki ● Joining Time : 2022/08/16 ● Career : M1 student @Osaka University

Slide 3

Slide 3 text

3 What I have done Re-evaluate Sysdig Secure

Slide 4

Slide 4 text

4 Sysdig Secure SaaS for Kubernetes Security Attack detection by Falco Record container activity Container image scan Kubernetes audit log

Slide 5

Slide 5 text

5 How to attack Kubernetes? Before thinking about detection, we have to know

Slide 6

Slide 6 text

6 How to attack Kubernetes? Microsoft’s Threat Matrix includes all of attack techniques to Kubernetes https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/

Slide 7

Slide 7 text

7 How to attack Kubernetes? Rebuild the Kubernetes Threat Matrix

Slide 8

Slide 8 text

8 Falco Syscall based attack detection OSS Linux Kernel Falco probe Process Process syscall syscall Syscall execute open files, network connections, spawn new process, etc Catch and analyze syscall → Detect secret file read, malicious network access, spawn malicious process, etc

Slide 9

Slide 9 text

9 Contribute to Falco OSS Validating attack detection by Falco with Rebuilded Kubernetes Threat Matrix Add attack detection rules ・Add read environment variable from /proc files - falco#2193 ・Add rule to detect bypass by symlink files - falco#2202 ・Add containerd.sock to sensitive_vol_mount - k8saudit#146 ・Add Launch Excessively Capable Pod into k8saudit rule - k8saudit#147 Fix attack detection rules ・Add GKE default pod into allowlist in Mount Launched rule - falco#2198 ・Fix mount detection in falco_rules.yaml - falco#2199 ・Fix k8saudit rule EphemeralContainers Created - k8saudit#151 Fix ・Add ka.sourceips in k8saudit plugin - k8saudit#143 ・Add userAgent to auditEvent - stackdriver-webhook-bridge#16 Created 9PR to OSS Contribute not only Mercari but Kubernetes Security

Slide 10

Slide 10 text

10 Published a blog post! https://engineering.mercari.com/blog/entry/20220928-kubern etes-threat-matrix-and-attack-detection-by-falco/