Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Advanced Persistence Threats: The Future of Kub...

Ian Coldwater
August 20, 2020
Technology
1
2.6k

Advanced Persistence Threats: The Future of Kubernetes Attacks

Presented with Brad Geesaman at KubeCon EU/Virtual 2020.

What would happen if your cluster was successfully compromised by an attacker who understands Kubernetes at a deep level? How could they attempt to avoid detection, cover their tracks, achieve full cluster access, obtain persistence, steal credentials, and launch additional attacks in your environment? As Kubernetes grows in popularity, the sophistication of attackers will improve, and security by obscurity will no longer be sufficient. Cluster operators need to be aware of what a skilled and knowledgeable attacker can be capable of.

Let’s explore the dark corners of clusters and shine a light on how features such as privileged containers and validating webhooks can be used to maliciously mutate pods, exfiltrate data, deploy “shadow” control planes, and more. The audience will learn how to detect these advanced approaches and how to prevent these attacks using practical, proven methods.

Ian Coldwater

August 20, 2020
Tweet

More Decks by Ian Coldwater

See All by Ian Coldwater
Bridge Construction Kit: DevOps and Security Don’t Have to Be Islands
iancoldwater
2
440
Hello World
iancoldwater
1
170
Hello From the Other Side
iancoldwater
0
460
The Path Less Traveled: Abusing Kubernetes Defaults
iancoldwater
7
7.1k
Crafty Requests: Deep Dive into Kubernetes CVE-2018-1002105
iancoldwater
2
340
Ship of Fools: Shoring Up Kubernetes Security
iancoldwater
3
2.5k

Other Decks in Technology

See All in Technology
ガチ勢によるPipeCD運用大全〜滑らかなCI/CDを添えて〜 / ai-pipecd-encyclopedia
cyberagentdevelopers
PRO
3
200
AWS re:Inventを徹底的に楽しむためのTips / Tips for thoroughly enjoying AWS re:Invent
yuj1osm
1
560
物価高なラスベガスでの過ごし方
zakky
0
380
使えそうで使われないCloudHSM
maikamibayashi
0
170
グローバル展開を見据えたサービスにおける機械翻訳プラクティス / dp-ai-translating
cyberagentdevelopers
PRO
1
150
分布で見る効果検証入門 / ai-distributional-effect
cyberagentdevelopers
PRO
4
700
[JAWS-UG金沢支部×コンテナ支部合同企画]コンテナとは何か
furuton
3
250
Fargateを使った研修の話
takesection
0
110
「視座」の上げ方が成人発達理論にわかりやすくまとまってた / think_ perspective_hidden_dimensions
shuzon
2
2.2k
生成AIと知識グラフの相互利用に基づく文書解析
koujikozaki
1
140
コンテンツを支える 若手ゲームクリエイターの アートディレクションの事例紹介 / cagamefi-game
cyberagentdevelopers
PRO
1
130
Nix入門パラダイム編
asa1984
2
200

Featured

See All Featured
Art, The Web, and Tiny UX
lynnandtonic
296
20k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Navigating Team Friction
lara
183
14k
How to Ace a Technical Interview
jacobian
275
23k
Building Your Own Lightsaber
phodgson
102
6k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.6k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
GraphQLの誤解/rethinking-graphql
sonatard
66
9.9k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k

Transcript

  1. ADVANCED PERSISTENCE THREATS The Future of Kubernetes Attacks @bradgeesaman @IanColdwater

  2. • Ian Coldwater is a Lead Platform Security Engineer at

    Salesforce, who specializes in hacking and hardening Kubernetes, containers and cloud infrastructure. • Brad Geesaman is the co-founder of Darkbit, who helps clients improve the security of their clusters in cloud-native environments. @bradgeesaman @IanColdwater

  3. EARLY K8S ARCHITECTURE @bradgeesaman @IanColdwater

  4. None

  5. K8S COMES AT YOU FAST @bradgeesaman @IanColdwater

  6. LOOKING FORWARD @bradgeesaman @IanColdwater

  7. GOALS What might an attacker want to do? @bradgeesaman @IanColdwater

    goose.game

  8. DEMO Tapping into the API Server Data Flow @bradgeesaman @IanColdwater

  9. VALIDATING WEBHOOKS @bradgeesaman @IanColdwater

  10. VALIDATING WEBHONKS @bradgeesaman @IanColdwater

  11. None
  12. None

  13. DEMO Shadow API Server @bradgeesaman @IanColdwater • launch an in-cluster

    “shadow” 
 API server that silently bypasses 
 main API servers • no security policy • no logs • no crime!

  14. SHADOW API SERVER @bradgeesaman @IanColdwater

  15. DEMO - C2BERNETES Use Kubernetes as a C2 infrastructure across

    multiple clusters @bradgeesaman @IanColdwater

  16. WHAT IS K3S? • A lightweight Kubernetes distribution designed for

    resource-constrained environments • Runs as a single <40MB binary • Has a simplified communication channel: only requires a single TLS connection outbound from nodes to the control plane • This is very likely to be available and blend in with other valid traffic :) @bradgeesaman @IanColdwater

  17. KUBERNETES VS K3S @bradgeesaman @IanColdwater

  18. None

  19. ALL CLOUDS ARE BROKEN @bradgeesaman @IanColdwater

  20. C2: CLUSTER OF CLUSTERS @bradgeesaman @IanColdwater

  21. WHAT'S COMING @bradgeesaman @IanColdwater

  22. CHECK YOUR --PRIVILEGE New as of Kubernetes 1.19.0 @bradgeesaman @IanColdwater

    kubectl run --privileged

  23. DYNAMIC CONFIGURATION @bradgeesaman @IanColdwater • Dynamic Audit Sink configuration --feature-gates=DynamicAuditing=true

    • Dynamic Kubelet configuration --feature-gates=DynamicKubeletConfig=true

  24. Greetz to https://github.com/kayrus/kubelet-exploit @bradgeesaman @IanColdwater

  25. DEMO Bringing It Back @bradgeesaman @IanColdwater

  26. COMING FULL CIRCLE @bradgeesaman @IanColdwater

  27. None
  28. None