Slide 1

Kubernetes From an Attacker's Perspective
Abhisek Datta, Head, Security Products, Appsecco

Slide 2

fwd:cloudsec 2020 https://fwdcloudsec.org/

Slide 3

About Me – Abhisek Datta
• Head, Security Products (appsecco.com)
  • Application & Cloud Security
  • Kubernetes Security
• TechWing @ null0x00 (null.co.in)
  • An Open Security Community
• Security Researcher
  • Discovered vulnerabilities in enterprise software and credited with CVE
• Open Source Contributor
  • https://github.com/abhisek
• @abh1sek on Twitter

Slide 4

1. A quick introduction to Kubernetes
2. Kubernetes from an Attacker's Perspective
3. Attacking Kubernetes (Scenario)
4. Key Take Away

Slide 5

Kubernetes Architecture
https://v1-16.docs.kubernetes.io/docs/concepts/overview/components/

Slide 6

Kubernetes: From an Attacker's Perspective
https://v1-16.docs.kubernetes.io/docs/concepts/overview/components/

Slide 7

A Simple Threat Model
• Who are the attackers?
• What can they attack?
• How can they attack?

Slide 8

A Simple Threat Model
Detailed threat model available from CNCF/TOB:
https://github.com/kubernetes/community/tree/master/wg-security-audit

Slide 9

Demo(s)

Slide 10

Getting Started with Kubernetes Penetration Test
• Check out my slides on Kubernetes 101 for Penetration Testers – meant as a reference to do hands-on
  • https://speakerdeck.com/abhisek/kubernetes-101-for-penetration-testers-null-mumbai
• Try out Appsecco's free training labs on Docker & Kubernetes security
  • https://github.com/appsecco/attacking-and-auditing-docker-containers-and-kubernetes-clusters
• Try out Kubernetes Goat by @madhuakula
  • https://github.com/madhuakula/kubernetes-goat

Slide 11

Kubernetes ATT&CK Matrix
https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

Slide 12

Useful Resources
• The Illustrated Children's Guide to Kubernetes
  • https://www.cncf.io/the-childrens-illustrated-guide-to-kubernetes/
• Get started with learning Docker (Containers)
  • https://www.katacoda.com/courses/docker
• Get started with learning Kubernetes using Katacoda
  • https://www.katacoda.com/courses/kubernetes
• Attacking and Auditing Docker Containers and Kubernetes Clusters – our recently released training material
  • https://bit.ly/k8s-pentesting

Slide 13

More Useful Resources
• Hacker Container for Kubernetes Security Assessments
• Hacking and Hardening Kubernetes Clusters by Example [I] – Brad Geesaman, Symantec
• Advanced Persistent Threats: The Future of Kubernetes Attacks
• Kubernetes From an Attacker's Perspective – OWASP Bay Area Meetup
• CIS Benchmark for Kubernetes
• aquasecurity/kube-hunter: Hunt for security weaknesses in Kubernetes clusters
• aquasecurity/kube-bench: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
• kelseyhightower/kubernetes-the-hard-way: Bootstrap Kubernetes the hard way on Google Cloud Platform. No scripts.

Slide 14

(Relevant) CIS Benchmarks
• https://www.cisecurity.org/benchmark/docker/
• https://www.cisecurity.org/benchmark/kubernetes/
• https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks
• https://www.cisecurity.org/benchmark/ubuntu_linux/

Slide 15

Thank You – Keep Learning
https://twitter.com/abh1sek
https://github.com/abhisek
Please provide feedback: https://bit.ly/fwdcs-13