More Related Content
Similar to Defence strategy against kubernetes attack ttp's (tactics, techniques and procedures).pptx
Similar to Defence strategy against kubernetes attack ttp's (tactics, techniques and procedures).pptx (20)
More from LibbySchulze
More from LibbySchulze (20)
Recently uploaded
Recently uploaded (20)
Defence strategy against kubernetes attack ttp's (tactics, techniques and procedures).pptx
- 1. Defence strategy against Kubernetes attack TTPs Manoj Ahuje, Threat Researcher Tigera
- 2. © 2020 Tigera, Inc. Proprietary and Confidential 2 Your Speaker: Manoj Ahuje ● Threat Researcher with Tigera focusing on Kubernetes and cloud attack surfaces ● Vulnerability research, malware reverse engineer and exploit development SME ● Previous roles at Juniper Networks and Intel
- 3. Agenda ● Introduction ● Attack Surface ● External Threat actors(ITW) ● Mitigation
- 5. © 2020 Tigera, Inc. Proprietary and Confidential 5 Primary security threats to Kubernetes environments... ● External threats: Crypto-mining ● Configuration errors: mis-configured Docker API, Kubernetes API ● Privileged escalations and lateral movement ● Unpatched CVEs External Threat Trends
- 6. © 2020 Tigera, Inc. Proprietary and Confidential 6 Threat Matrix for Kubernetes
- 7. © 2020 Tigera, Inc. Proprietary and Confidential 7 • Kubernetes API • Kubelet API • Docker API • Exposed Service(Vulnerable application or svc like SSH) • Malicious docker image External Threats: Attack Surface Current vulnerable attack surface used by threat actors
- 8. © 2020 Tigera, Inc. Proprietary and Confidential 8 External Threat Trends: A point in time Discovered Kubernetes artifact by Palo Alto
- 10. © 2020 Tigera, Inc. Proprietary and Confidential 10 External Threats: TeamTNT Hildegard ● Used exposed unsecure Kubelet API to gain foothold into Kubernetes ● Previously exploited exposed Docker interface ● Installation using bash shell scripts Focus ➔ Monero coin mining ➔ Credential theft (Cloud IAM like AWS, k8s, ssh) ➔ C&C ➔ Evasion and DDoS
- 11. © 2020 Tigera, Inc. Proprietary and Confidential 11 External Threats: TeamTNT rootkit ● Hildegard rootkit dependencies ● Binary is dynamically linked
- 12. © 2020 Tigera, Inc. Proprietary and Confidential 12 External Threats: TeamTNT Hildegard Rootkit ● LD_PRELOAD to insert into globally insert itself into a process ● Got a handle to usermod readdir64() to overwrite it (ps, ls commands use it) ● We found in-the-wild rootkit mimics genuine utilities name - ld.preload.so - cat.so - curl.so LD_PRELOAD Technique
- 13. © 2020 Tigera, Inc. Proprietary and Confidential 13 External Threats: TeamTNT Hildegard Rootkit ● LD_PRELOAD to insert into globally insert itself into a process ● Got a handle to usermod readdir64() to overwrite it (ps, ls commands use it) ● We found in-the-wild rootkit mimics genuine utilities name - ld.preload.so - cat.so - curl.so
- 14. © 2020 Tigera, Inc. Proprietary and Confidential 14 External Threats: TeamTNT hiding a process ● Hiding netcat backdoor from ‘ps’ using LD_PRELOAD
- 15. © 2020 Tigera, Inc. Proprietary and Confidential 15 External Threats: TeamTNT container breakout ● Breaking out of privileged container using `botb` ● Abuses CGROUP’s ‘notify_on_release’ to breakout of privileged container
- 16. © 2020 Tigera, Inc. Proprietary and Confidential 16 ● Threat actor heavily used third-party integration to develop capabilities External Threats: TeamTNT summary
- 18. © 2020 Tigera, Inc. Proprietary and Confidential 18 External Threats: Kinsing ● Targets exposed Docker API ● Used docker repository to spread malicious images ● Sophisticated rootkit compared to TeamTNT ● Installation using shell scripts ● Modified https://github.com/unix-thrust/beurk ● Focus - Monero coin mining - C&C - Encryption - Evasion
- 19. © 2020 Tigera, Inc. Proprietary and Confidential 19 External Threats: Kinsing rootkit ● Kinsing rootkit dependencies ● Binary is dynamically linked
- 20. © 2020 Tigera, Inc. Proprietary and Confidential 20 External Threats: Kinsing ● Comparatively advanced ● Uses XOR encryption ● But uses techniques similar to TeamTNT - LD_PRELOAD to hook system calls Functions implemented in rootkit
- 21. © 2020 Tigera, Inc. Proprietary and Confidential 21 Public Registry: Infected Image
- 23. © 2020 Tigera, Inc. Proprietary and Confidential 23 External Threats: Doki Backdoor ● Doki backdoor is previously undetected binary with ngrok botnet ● Uses Domain Generation Algorithm to contact C&C ● Novel DGA seed ● Uses dogechain.info API to get last amount spent by hardcoded wallet address
- 24. © 2020 Tigera, Inc. Proprietary and Confidential 24 External Threats: Doki Backdoor DGA ● Using seed as dogecoin wallet last sent money by attacker ● Use of ddns.net (DynDNS)
- 25. Mitigation 04
- 26. © 2020 Tigera, Inc. Proprietary and Confidential 26 ● Use scratch images - Can not run dynamically linked executable - Only run statically compiled binary for that architecture ● Use zero trust policy to block access - Block access Ingress Kubelet and docker API - Establish zero trust for your North-South traffic - Plan zero trust for East-West traffic inside cluster ● Block external DNS access - Only allow coreDNS access with cluster - Block access to external DNS servers like google’s 8.8.8.8 ● Use threat feeds External Threats: Mitigation Logs: L7, Process, Audit Machine Learning Threat Feeds
- 27. © 2020 Tigera, Inc. Proprietary and Confidential 27 ● Enable Docker Content Trust - Only Run images signed by you - Do not use publicly available docker images from unknown sources ● Container Isolation - Use labels to isolate container, have isolation policy ready ● Useful projects • Project Calico implements zero-trust • https://www.projectcalico.org • DGA Intel : LSTM based deep learning model • https://github.com/sudo-rushil/dga-intel-web External Threats: Mitigation DCT
- 28. Follow us on: Thank you Please visit us at www.tigera.io