Slide 1

Madhu Akula
Interactive Playground to Learn Kubernetes and Cloud Native Security
https://sched.co/1HyQj

Slide 2

👋 Whoami - Madhu Akula
👉 Pragmatic Security Leader, working on Cloud Native Infra, Security, and Startups
👉 Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects.
👉 Speaks & Trains at Black Hat (USA, EU, Asia), DEF CON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, null, many others around the globe.
👉 Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc.
👉 Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, advisory, etc.
👉 Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc.
👉 Certified Kubernetes (CKA/CKS), Offensive Security Certified Professional, etc.
👉 Never ending learner!
@madhuakula

Slide 3

📅 Agenda - Our next 30 minutes or so…
🤔 We will start thinking together
  ○ Why Kubernetes and Cloud Native security?
  ○ What are the challenges in the security?
🤖 We start brainstorming some approaches on how we can solve those problems
💥 Can you take over a cluster - Are you sure? You can't be serious
👋 Introducing an Interactive Learning Playground - ⎈ Kubernetes Goat 🐐
  ○ Showcase of real-world mappings (OWASP Top 10, MITRE ATT&CK, etc.)
    ■ Attacks, Defenses, Approaches, Many Others.
🚀 Key takeaways - Go back, hack, learn & build a secure Cloud Native Ecosystem
🙏 Feedback, Questions, and a BIG THANK YOU!

Slide 4

Why Security? Kubernetes & Cloud Native

Slide 5

Why K8S & Cloud Native Security?
- Lack of knowledge in security teams
- Understanding the technology gap
- Maturity of the cloud native ecosystem
- Popular Hacks & Attacks in the real-world
- Speed of the changes & adoption
- Improving the experience

Slide 6

Why K8S & Cloud Native Security?
Lack of knowledge in security teams

Slide 7

Why K8S & Cloud Native Security?
Understanding the technology gap

Slide 8

Why K8S & Cloud Native Security?
Maturity of the cloud native ecosystem

Slide 9

Why K8S & Cloud Native Security?
Speed of the changes & adoption

Slide 10

Why K8S & Cloud Native Security?
Popular Hacks & Attacks in the real-world

Slide 11

Why K8S & Cloud Native Security?
Improving the experience

Slide 12

Can we do something about these Kubernetes security problems?

Slide 13

🤖 Some approaches to K8S Security
Threat Model Your Architecture
https://github.com/cncf/financial-user-group/tree/main/projects/k8s-threat-model

Slide 14

🤖 Some approaches to K8S Security
Attack Trees
https://github.com/cncf/financial-user-group/tree/main/projects/k8s-threat-model/AttackTrees

Slide 15

🤖 Some approaches to K8S Security
CNCF Whitepaper & Official K8S Security Docs
https://www.cncf.io/reports/cloud-native-security-whitepaper/
https://kubernetes.io/docs/concepts/security/

Slide 16

🤖 Some approaches to K8S Security
Many others…

Slide 17

Are these enough?

Slide 18

Attack Path / Kill Chain - What does it look like?

Slide 19

Kubernetes - Attack Path / Kill Chain

Slide 20

Kubernetes - Attack Path / Kill Chain
https://youtu.be/7nc78ZrvP4Y
(Diagram labels: Entry Point, Takeover)

Slide 21

Can we try practicing them like an attacker?

Slide 22

Introducing ⎈ Kubernetes Goat 🐐

Slide 23

🐐 What is Kubernetes Goat?
Kubernetes Goat is an interactive Kubernetes security learning playground 🚀

Slide 24

🚨 Disclaimer
Kubernetes Goat has intentionally created vulnerabilities, applications, and configurations to attack and gain access to your cluster and workloads. Please DO NOT run it alongside your production environments and infrastructure. We highly recommend running this in a safe and isolated environment. Kubernetes Goat is used for educational purposes only; do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties; by using it you take full responsibility for all the outcomes.

Slide 25

🔥 Kubernetes Goat Audience
💥 Attackers & Red Teams
🛡 Defenders & Blue Teams
🧰 Products & Vendors
🔍 Developers & DevOps Teams
💡 Interested in Kubernetes Security

Slide 26

🚀 Scenarios in Kubernetes Goat
1. Sensitive keys in codebases
2. DIND (docker-in-docker) exploitation
3. SSRF in the Kubernetes (K8S) world
4. Container escape to the host system
5. Docker CIS benchmarks analysis
6. Kubernetes CIS benchmarks analysis
7. Attacking private registry
8. NodePort exposed services
9. Helm v2 tiller to PwN the cluster - [Deprecated]
10. Analyzing crypto miner container
11. Kubernetes namespaces bypass
12. Gaining environment information
13. DoS the Memory/CPU resources
14. Hacker container preview
15. Hidden in layers
16. RBAC least privileges misconfiguration
17. KubeAudit - Audit Kubernetes clusters
18. Falco - Runtime security monitoring & detection
19. Popeye - A Kubernetes cluster sanitizer
20. Secure network boundaries using NSP
21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
22. Securing Kubernetes Clusters using Kyverno Policy Engine
More scenarios releasing soon… ❤

Slide 27

🧰 How can I set up Kubernetes Goat?
☸ Vanilla Kubernetes Cluster
☁ AWS Kubernetes (EKS)
☁ GCP Kubernetes (GKE)
☁ Azure Kubernetes (AKS)
☸ Kubernetes IN Docker (KiND)
☸ Lightweight Kubernetes (K3S)
☸ Digital Ocean, Vagrant, Many others…

Slide 28

⎈ Setting up in your Kubernetes Cluster
● Make sure you have a Kubernetes cluster with cluster-admin privileges, and that kubectl and helm are installed on your system, before running the following commands to set up Kubernetes Goat.
● You can then access Kubernetes Goat by navigating to http://127.0.0.1:1234
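A pre-flight check for the prerequisites this slide names (kubectl and helm on PATH, cluster-admin on the target cluster), written here as an added example rather than a script from the Kubernetes Goat project. It assumes the file is saved as preflight.sh and that kubectl's current context points at the cluster you intend to use.

```shell
#!/usr/bin/env sh
# Added example: pre-flight check before installing Kubernetes Goat. Not part of the
# Kubernetes Goat project; assumes the file is saved as preflight.sh.
# It checks exactly what the slide asks for: kubectl and helm on PATH, and
# cluster-admin rights on the cluster behind the current kubeconfig context.

# check_tools NAME...: return 0 if every named binary is on PATH, 1 otherwise.
check_tools() {
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing prerequisite: $tool" >&2
            missing=1
        fi
    done
    return "$missing"
}

# is_cluster_admin: return 0 when the current identity may perform any verb on any
# resource. 'kubectl auth can-i' is answered by the API server (SubjectAccessReview),
# so it reflects the RBAC bindings in effect, not just the user name in kubeconfig.
is_cluster_admin() {
    [ "$(kubectl auth can-i '*' '*' 2>/dev/null)" = "yes" ]
}

# preflight: run all checks and print the context, so the operator can confirm it is
# the isolated cluster the disclaimer slide asks for and not a production one.
preflight() {
    check_tools kubectl helm || return 1
    ctx=$(kubectl config current-context 2>/dev/null) || {
        echo "no current kubeconfig context" >&2
        return 1
    }
    echo "kubeconfig context: $ctx (confirm this is an isolated, non-production cluster)"
    if is_cluster_admin; then
        echo "cluster-admin: yes, ready to run the Kubernetes Goat setup"
    else
        echo "cluster-admin: no. Kubernetes Goat setup needs cluster-admin on this cluster." >&2
        return 1
    fi
}

# Run only when executed directly (not when sourced), so the functions stay reusable.
if [ "${0##*/}" = "preflight.sh" ]; then
    preflight
fi
```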

Slide 29

⚡ Get Started with Kubernetes Goat 🐐

Slide 30

⚡ Get Started with Kubernetes Goat 🐐

Slide 31

⚡ Get Started with Kubernetes Goat 🐐
https://madhuakula.com/kubernetes-goat

Slide 32

🔟 OWASP Kubernetes Top 10
https://owasp.org/www-project-kubernetes-top-ten/

Slide 33

🛡 MITRE ATT&CK - Kubernetes
https://attack.mitre.org
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/

Slide 34

Let's explore the

Slide 35

📝 Security Tools Reports

Slide 36

🥳 Adoption of Kubernetes Goat
https://youtu.be/62_Cj6yseno?t=352

Slide 37

Key Takeaways!
🧐 A lot of gaps in the knowledge & understanding of the Cloud Native Ecosystem
⏩ The speed & adoption are growing faster, and the security maturity?
📚 Lots of resources, frameworks, and tools. But not practical enough!
🛡 Think & train practically like a hacker with real-world scenarios
🚀 Learn, practice & build a secure cloud native ecosystem with Kubernetes Goat

Slide 38

Spread the ❤ #KubernetesGoat
🙌 Give it a try
🚀 Contribute ideas & suggestions
🤝 Work with the project & improve
🙏 Share your valuable feedback
🌟 Star it on GitHub
🎉 Spread the word #KubernetesGoat
We have some awesome Kubernetes Goat Stickers 🥳 Take a photo of your one & only cool sticker and share it with the #KubernetesGoat hashtag!

Slide 39

🙏 Thank You
@madhuakula
https://madhuakula.com
Want to learn more, have some idea, or just want to say 👋
Talk Feedback & Review: https://sched.co/1HyQj
#KubernetesGoat https://github.com/madhuakula/kubernetes-goat