Mapping Risks and Threats in Kubernetes to the MITRE ATT&CK Framework
Introduction
In April, MITRE published the ATT&CK matrix for Containers covering adversarial techniques
that target container technologies. At Aqua, we were proud to support this effort by sharing our
knowledge and helping refine and extend the matrix. As for the risks in Kubernetes, Microsoft
created a framework for Azure-based environments (AKS), but what about vanilla K8s? We
incorporated techniques that Aqua researchers have observed in real-world attacks and developed
our own dedicated threat matrix for Kubernetes, mapped to the MITRE ATT&CK Framework.
This holistic tool can help security teams better understand the various tactics and techniques
used by attackers to exploit K8s-based environments as well as provide a foundation for
developing more effective defense practices against them.
With the threat landscape evolving fast, it’s critical to understand security risks and key attack
vectors in Kubernetes.
Initial Access
Compromising a kubeconfig file. This is a popular attack vector in Kubernetes because the file
contains the location of the clusters' API servers and the credentials used to reach them. If
malicious actors gain access to this file, for example through a compromised client machine,
they can get access to the whole cluster.
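The damage a stolen kubeconfig does depends on what it carries: a file that embeds a long-lived token or client key hands the thief a ready-made identity, while one that points at an exec credential plugin holds no reusable secret. The following audit is an added example, not code from the original document or from Aqua; it parses a constructed kubeconfig (written as JSON, which is valid YAML, so the structure is the one kubectl reads), reports static credentials, plaintext or unverified API endpoints, and a file mode that lets other users read it. All cluster names, hosts and token values are placeholders.

```python
"""Audit a kubeconfig for exposure that would make its compromise costly (added example)."""
import json
import os
import stat
import tempfile
from typing import List, Optional

# Constructed kubeconfig. JSON is valid YAML, so the structure is the same
# one kubectl reads; every value below is a placeholder, not a real cluster.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "prod", "cluster": {
            "server": "https://prod.example.invalid:6443",
            "certificate-authority-data": "PLACEHOLDER-CA-BUNDLE"}},
        {"name": "lab", "cluster": {
            "server": "http://lab.example.invalid:8080",
            "insecure-skip-tls-verify": True}},
    ],
    "users": [
        # A static bearer token: anyone who copies the file owns this identity.
        {"name": "admin", "user": {"token": "PLACEHOLDER-LONG-LIVED-TOKEN"}},
        # An exec plugin: the file holds no secret; the credential is minted at use time.
        {"name": "dev", "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1",
                                         "command": "placeholder-login-plugin"}}},
    ],
    "contexts": [
        {"name": "prod-admin", "context": {"cluster": "prod", "user": "admin"}},
        {"name": "lab-dev", "context": {"cluster": "lab", "user": "dev"}},
    ],
    "current-context": "prod-admin",
}

# Keys under `user:` that embed a reusable secret directly in the file.
STATIC_CRED_KEYS = ("token", "client-key-data", "client-key", "password")


def audit_kubeconfig(config: dict, mode: Optional[int] = None) -> List[str]:
    """Return human-readable findings for a parsed kubeconfig.

    `mode` is the file's permission bits (stat.S_IMODE of st_mode), or None
    when the config did not come from a file.
    """
    findings = []
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {oct(mode)} is group/world accessible; expected 0o600")
    for entry in config.get("clusters", []):
        name, spec = entry["name"], entry["cluster"]
        if spec.get("server", "").startswith("http://"):
            findings.append(f"cluster {name}: API server over plaintext http://")
        if spec.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {name}: insecure-skip-tls-verify disables server authentication")
    for entry in config.get("users", []):
        name, spec = entry["name"], entry["user"]
        static = [k for k in STATIC_CRED_KEYS if k in spec]
        if static:
            findings.append(f"user {name}: static credential stored in file ({', '.join(static)})")
    return findings


def audit_kubeconfig_file(path: str) -> List[str]:
    """Load a JSON-formatted kubeconfig from disk and audit it together with its file mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        return audit_kubeconfig(json.load(fh), mode)


if __name__ == "__main__":
    # Write the sample with a permissive mode so the file-permission check fires too.
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(SAMPLE_KUBECONFIG, fh)
        sample_path = fh.name
    os.chmod(sample_path, 0o644)
    try:
        for finding in audit_kubeconfig_file(sample_path):
            print(finding)
    finally:
        os.unlink(sample_path)
```

Run against a real file with `audit_kubeconfig_file(os.path.expanduser("~/.kube/config"))` after converting it to JSON (or swap in a YAML loader). The `dev` user produces no finding: moving users to exec-plugin or short-lived credentials is what limits the blast radius of a stolen file, which is the mitigation the technique above calls for.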
Defense Evasion
Pod Name Similarity. This is a sophisticated technique where an attacker leverages how
Kubernetes names system pods and creates a malicious pod with a similar name, using a random
suffix to hide it within the cluster. Then this pod is used to execute malicious code or get access to
additional resources.
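A look-alike pod can be separated from the real thing by what a name cannot fake: which controller owns it, which image it runs, and which namespace it lives in. The check below is an added example written for this document, not code from the original or from Aqua. It strips the generated suffixes Kubernetes appends to pod names (the 5-character suffix and the pod-template hash, both drawn from a digits-and-consonants alphabet; treating every segment from that alphabet of those lengths as generated is this example's heuristic), then compares each system-family pod against a constructed baseline of expected owner kinds and images. The pod listing and baseline are constructed; image tags and names are illustrative.

```python
"""Flag pods whose names mimic Kubernetes system pods (added example)."""
import re
from typing import Dict, List, Tuple

# Alphabet Kubernetes uses for generated pod-name suffixes and pod-template
# hashes (digits and consonants only). A name segment drawn from it, of the
# lengths Kubernetes produces, is treated as generated and stripped (heuristic).
_GENERATED = re.compile(r"^[bcdfghjklmnpqrstvwxz2456789]+$")
_GENERATED_LENGTHS = {5, 7, 8, 9, 10}


def base_name(pod_name: str) -> str:
    """'coredns-5d78c9869d-x7k2m' -> 'coredns'; 'kube-proxy-b7z4m' -> 'kube-proxy'."""
    parts = pod_name.split("-")
    while len(parts) > 1 and len(parts[-1]) in _GENERATED_LENGTHS and _GENERATED.match(parts[-1]):
        parts.pop()
    return "-".join(parts)


# Constructed baseline of the system-pod families this cluster is expected to
# run: which controller kind owns them and which images they may run.
BASELINE: Dict[Tuple[str, str], dict] = {
    ("kube-system", "coredns"): {"owner": "ReplicaSet",
                                 "images": {"registry.k8s.io/coredns/coredns:v1.10.1"}},
    ("kube-system", "kube-proxy"): {"owner": "DaemonSet",
                                    "images": {"registry.k8s.io/kube-proxy:v1.28.0"}},
}

# Constructed pod listing: the fields one would pull from `kubectl get pods -A -o json`
# (metadata.namespace/name, metadata.ownerReferences[0].kind, spec.containers[].image).
PODS = [
    {"ns": "kube-system", "name": "coredns-5d78c9869d-x7k2m", "owner": "ReplicaSet",
     "images": ["registry.k8s.io/coredns/coredns:v1.10.1"]},
    {"ns": "kube-system", "name": "coredns-5d78c9869d-p9qrt", "owner": "ReplicaSet",
     "images": ["registry.k8s.io/coredns/coredns:v1.10.1"]},
    # Look-alike: created directly as a Pod (no controller) with a foreign image.
    {"ns": "kube-system", "name": "coredns-7c8f9bd44b-s2h6x", "owner": None,
     "images": ["docker.io/library/alpine:3.18"]},
    {"ns": "kube-system", "name": "kube-proxy-b7z4m", "owner": "DaemonSet",
     "images": ["registry.k8s.io/kube-proxy:v1.28.0"]},
    # Look-alike: a system-style name running outside kube-system.
    {"ns": "default", "name": "kube-proxy-vc9wk", "owner": "ReplicaSet",
     "images": ["docker.io/library/busybox:1.36"]},
    # Ordinary workload; not a system family, so out of scope for this check.
    {"ns": "default", "name": "web-6f9c8d7b5-j4t8k", "owner": "ReplicaSet",
     "images": ["registry.example.invalid/web:2.3"]},
]


def find_lookalike_pods(pods: List[dict], baseline=BASELINE) -> List[Tuple[str, str]]:
    """Return (namespace/name, reason) for pods that deviate from the system baseline."""
    findings = []
    system_bases = {base for _, base in baseline}
    for pod in pods:
        ref = f"{pod['ns']}/{pod['name']}"
        base = base_name(pod["name"])
        expected = baseline.get((pod["ns"], base))
        if expected is None:
            if base in system_bases:
                findings.append((ref, "system-pod name used outside its expected namespace"))
            continue
        if pod.get("owner") is None:
            findings.append((ref, "no controller owner; baseline pods are controller-managed"))
        elif pod["owner"] != expected["owner"]:
            findings.append((ref, f"owner kind {pod['owner']} differs from baseline {expected['owner']}"))
        foreign = sorted(set(pod["images"]) - expected["images"])
        if foreign:
            findings.append((ref, f"image not in baseline: {', '.join(foreign)}"))
    return findings


if __name__ == "__main__":
    for ref, reason in find_lookalike_pods(PODS):
        print(f"{ref}: {reason}")
```

The baseline is the important part: generate it from a known-good cluster rather than hand-writing it, and refresh it when control-plane components are upgraded, otherwise a routine image bump shows up as a finding. Pairing this with admission control that restricts who can create pods in kube-system removes most of the opportunity in the first place.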
Lateral Movement
Cluster Internal Networking. By default, there are no network restrictions between pods in a
Kubernetes cluster. If attackers gain access to a single pod that can communicate with other
running pods or applications, they can move laterally within the cluster.
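The usual mitigation for the flat default network is a default-deny ingress NetworkPolicy in every namespace, with explicit allow rules layered on top. The script below is an added example, not code from the original document or from Aqua: it encodes the API semantics that decide whether a policy is a true default deny (an empty podSelector matches all pods, policyTypes defaults to Ingress when omitted, and an absent ingress list allows nothing), lists namespaces in a constructed snapshot that lack one, and produces the object that closes the gap. Namespace and policy names are constructed.

```python
"""Find namespaces without a default-deny ingress NetworkPolicy (added example)."""
import json
from typing import List


def is_default_deny_ingress(policy: dict) -> bool:
    """True if the policy selects every pod in its namespace and allows no ingress.

    Mirrors the API semantics: an empty podSelector matches all pods, policyTypes
    defaults to Ingress when omitted, and an absent/empty ingress list allows nothing
    (whereas a single empty rule, ingress: [{}], allows everything).
    """
    spec = policy.get("spec", {})
    selector = spec.get("podSelector") or {}
    selects_all = not selector.get("matchLabels") and not selector.get("matchExpressions")
    types = spec.get("policyTypes") or ["Ingress"]
    return selects_all and "Ingress" in types and not spec.get("ingress")


def namespaces_without_default_deny(namespaces: List[str], policies: List[dict]) -> List[str]:
    """Namespaces in which no policy isolates every pod from inbound traffic."""
    covered = {p["metadata"]["namespace"] for p in policies if is_default_deny_ingress(p)}
    return sorted(set(namespaces) - covered)


def default_deny_ingress_manifest(namespace: str) -> dict:
    """The NetworkPolicy object that closes the gap for one namespace."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-ingress", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    }


# Constructed snapshot: three namespaces, two existing policies.
NAMESPACES = ["default", "payments", "kube-system"]
POLICIES = [
    default_deny_ingress_manifest("payments"),
    {   # Admits web traffic to one app; it does not isolate the rest of the namespace.
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "allow-web", "namespace": "default"},
        "spec": {"podSelector": {"matchLabels": {"app": "web"}},
                 "ingress": [{"ports": [{"port": 8080, "protocol": "TCP"}]}]},
    },
]


if __name__ == "__main__":
    for ns in namespaces_without_default_deny(NAMESPACES, POLICIES):
        print(f"{ns}: no default-deny ingress policy; suggested object:")
        print(json.dumps(default_deny_ingress_manifest(ns), indent=2))
```

Two caveats a practitioner will want: NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them, so the check should be paired with a connectivity test from a throwaway pod, and the same logic applies to egress (policyTypes Egress with no egress rules) if outbound traffic is also to be restricted.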
Lateral Movement
Writable volume mounts on the host. This technique exploits the way containers work: a
hostPath volume mounts a file or directory from the host into the container, and when that mount
is writable it allows an attacker to achieve persistence on the host.
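Whether a hostPath volume is writable is decided per container by the `readOnly` flag on the volumeMount, not by the volume itself, so an audit has to join the two. The function below is an added example, not code from the original document or from Aqua; it walks constructed pod specs in the shape of `kubectl get pod -o json` output, reports every hostPath mount including those in init containers, and rates writable mounts above read-only ones (the severity labels are this example's convention, not a Kubernetes field).

```python
"""Report hostPath volumes and whether any container mounts them writable (added example)."""
from typing import List, Tuple


def hostpath_findings(pod: dict) -> List[Tuple[str, str, str, str]]:
    """Return (container, host path, mount path, severity) for every hostPath mount.

    A writable mount is rated high: the container can change files on the node.
    A read-only mount is rated medium: it still exposes node files to the workload.
    """
    spec = pod["spec"]
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    out = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] not in host_vols:
                continue
            severity = "medium" if m.get("readOnly") else "high"
            out.append((c["name"], host_vols[m["name"]], m["mountPath"], severity))
    return out


def writable_hostpath_mounts(pod: dict) -> List[Tuple[str, str, str, str]]:
    """Only the mounts through which the container can write to the node."""
    return [f for f in hostpath_findings(pod) if f[3] == "high"]


# Constructed pod specs in the shape of `kubectl get pod -o json` output.
PODS = [
    {"metadata": {"namespace": "payments", "name": "api"},
     "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}],
              "containers": [{"name": "api", "image": "registry.example.invalid/api:1.0",
                              "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}]}},
    {"metadata": {"namespace": "default", "name": "log-agent"},
     "spec": {"volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}},
                          {"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "agent", "image": "registry.example.invalid/agent:2.1",
                              "volumeMounts": [
                                  {"name": "varlog", "mountPath": "/var/log", "readOnly": True},
                                  {"name": "root", "mountPath": "/host"}]}]}},
]


if __name__ == "__main__":
    for pod in PODS:
        ref = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for container, host, mount, severity in hostpath_findings(pod):
            print(f"{ref} [{severity}] container {container} mounts host {host} at {mount}")
```

The log-agent pod is the typical false comfort: its `/var/log` mount is read-only, but the second volume mounts the node's root filesystem writable, which is exactly the condition the technique above relies on. Preventing it at admission is simpler than finding it afterwards; the Pod Security Standards "baseline" profile rejects hostPath volumes outright, so workloads that genuinely need one should be confined to namespaces that are exempted deliberately.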
Conclusion
As new threats come to light every month, Aqua's Team Nautilus conducts threat research entirely
focused on the cloud native stack, uncovering new vulnerabilities, threats, and attacks that
target containers, Kubernetes, serverless functions, and public cloud infrastructure. This helps
us constantly develop new security methods and tools to efficiently address the ever-expanding
threat landscape of cloud native technologies.
With a more holistic overview of the Kubernetes threat matrix, dedicated to the whole cloud native
stack, organizations can gain a comprehensive understanding of adversary tactics and techniques,
develop robust defense strategies and, ultimately, improve the security posture of their Kubernetes
applications.
Team Nautilus focuses on cybersecurity research of the cloud native stack. Its mission is to uncover
new vulnerabilities, threats and attacks that target containers, Kubernetes, serverless, and public cloud
infrastructure — enabling new methods and tools to address them.
aquasec.com/research
blog.aquasec.com/topic/security-threats
@AquaSecurity
in/AquaSecurity