Containers have been crucial in helping organizations orchestrate their infrastructure requirements. The scalability and reproducibility aspects of containerized environments have enabled applications and web components to be deployed seamlessly in the cloud. While containers have multiple benefits, they also come with distinct security issues, resulting in attackers gaining access to the container, the host, and eventually the data. The first step towards implementing Container Runtime Security is to understand the current threat scenarios and adversary trends affecting the cloud containers. To aptly evaluate the container threat landscape in any environment, an attack matrix should be formulated to ensure that relevant techniques and tactic are identified for every attack stage.
The ATT&CK framework from MITRE has been a go-to framework to formulate a threat matrix, identify an adversary’s tactics and methods/techniques used to attain their end game of privilege escalation or data exfiltration. This presentation is targeted towards:
Today’s container runtime security landscape
Apply ATT&CK methodology on the container runtime environment
Provide a practical approach towards attack surface, scenarios, and attack trends
Validations and Security Best Practices
5. CONTAINERS – MOST RECENT VULNERABILITIES
CVE-2020-
2121
Jenkins Kubernetes
Engine plugin
Remote Code
Execution with
arbitrary installs
https://www.tigera.io/blog/kubernetes-q3-2020-threats-exploits-and-ttps/
https://sysdig.com/blog/falco-cve-2020-8566-ceph/
https://sysdig.com/blog/cve-2020-8563-vsphere-credentials-cloud-controller-
manager/
CVE-2020-
14386
Linux Kernel
Privilege Escalation
due to packet
socket memory
corruption
CVE-2020-
8563
CVE-2020-
8558
kube-controller-
manager vSphere
credential leak
Ceph cluster
adminSecrets
exposed when
logLevel >=4
6. CONTAINERS – MISCONFIG ATTACKS
https://jarv.is/notes/shodan-search-queries/
Exposed Containers
Including Public Containers
Using Privileged Containers
https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good
7. CONTAINER RUNTIME CHALLENGES
Monitoring
• Containers are ephemeral, lightweight.
• Deployed in large numbers
• Monitoring containers different from VM hosts
Isolation
• Share same underlying operating system, volumes, and disks
• Container breakout exploits at large (running with privileged flags)
• More containers, more data and network traffic, more access controls
Orchestration
• Confusion in setting configurations
• Data Leaks in Log files
• Vulnerabilities in other orchestration components
Response
• Taking down compromised and bringing up brand new image
• What if CI/CD limitations to push from Dev-Prod?
• What if image compromised?
ttps://capsule8.com/blog/security-challenges-for-containers-in-runtime/
Source: Forrester Research Report
9. ATT&CK FOR CONTAINERS – USE CASES
https://attack.mitre.org/docs/training-cti/CTI%20Workshop%20Full%20Slides.pdf
10. ATT&CK FOR CONTAINERS – THREAT MAP
Initial Access : Adversary exploits an application
vulnerability and gains initial access to a container.
Execution: Adversary gets SSH credentials and connects
to the service.
Privilege Escalation: Adversary utilizes privileged
container misconfiguration to gain total control of container.
Defense Evasion: Adversary deletes container logs to
hide their footprints.
Credential Access: Adversary finds application
credentials in configuration or log files.
Lateral Movement: Adversary mounts writeable
volumes of the host
Impact: Adversary utilizes the host to mine cryptocurrencies
https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
Adversary Emulation