Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:30 AM
Gadi Naor
Gadi Naor

Microsoft's Kubernetes Threat Matrix: Here's What's Missing

With a fuller picture of the Kubernetes threat matrix, security teams can begin to implement mitigation strategies to protect their cluster from threats.

The MITRE ATT&CK threat matrix is a valuable tool for security professionals to understand the various tactics and techniques employed by adversaries to exploit software and networks, from initial access to impact. The matrix covers the various stages commonly involved in a cyberattack, and the tactics exploited by attackers in each stage. Organizations can use the matrix to understand their attack surface and make sure they cover all their bases.

In April, Microsoft Azure Security Center released a threat matrix based on the MITRE ATT&CK model that identifies tactics and threats unique to environments running in Kubernetes, the most popular container orchestration platform used by cloud-native application builders today.

Related Content:

How to Secure Your Kubernetes Deployments

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Rethinking Email Security in the Face of Fearware

The Azure Kubernetes matrix adapts and translates the tactics found in the original MITRE ATT&CK framework to the challenges of Kubernetes. For example, in the MITRE ATT&CK matrix, "initial access to the computer" translates to "initial access to the cluster" in the Azure matrix, reflecting the different technology involved in that access. Azure's matrix is a major milestone in capturing the difference between traditional IT security and cloud-native security, and expanding security left and right.

However, platform engineers and security operations teams shouldn't rely solely on Azure's Kubernetes threat matrix. While Azure's matrix allows security teams to think about Kubernetes security along the same lines they do for generic enterprise IT security, there are constructs specific to Kubernetes that do not exist in traditional IT environments. Ultimately, the Azure framework is new, and security researchers are still uncovering vulnerabilities in Kubernetes.

For example, the techniques used in the recently discovered threat CVE-2020-8555 were not captured in the Azure MITRE ATT&CK threat matrix for Kubernetes. This vulnerability allows attackers to escalate access from the Kubernetes control plane to the hosting cloud environment, potentially gaining access to sensitive data from services connected to the hosting environment.

For applications on Kubernetes, the threat and risk vectors can be divided to two main areas:

● Application-level threats and risks
This should be familiar territory, but with a distinct difference from traditional monolithic applications. Applications designed to run in Kubernetes are distributed and consist of multiple ephemeral moving parts that have varying risk and threat profiles, and are usually made from a combination of first- and third-party components and tools.

● Kubernetes cluster operations threats and risks
These risks and threats are associated with:

○ The software supply chain, build, and continuous integration (CI)-related risks and the delivery automation and continuous delivery (CD) tool chains used to deploy into the cluster. CI and CD both represent initial access points in the software supply chain where threats can be introduced into the cluster.

○ Kubernetes infrastructure automation tooling, such as application and infrastructure monitoring and microservices life-cycle autonomous controllers.

○ Human operators (DevOps/site reliability engineering staff) who have privileges to perform actions within the cluster.

With that in mind, let's unpack important security elements missing from Azure's Kubernetes threat matrix. In the edited matrix below, items in bold represent noteworthy threats not found in the Azure matrix:

Source: Gadi Naor
Source: Gadi Naor

One notable component Azure's threat matrix leaves out is the "Command & Control" (C2) threat category, which was found in the original MITRE ATT&CK Matrix. As it turns out, C2 should still be a concern for Kubernetes users, and it should be a part of a Kubernetes threat matrix.

Kubernetes relies heavily on DNS as its critical infrastructure for service discovery. A common practice for establishing covert channels is to exploit inherent weaknesses in the DNS protocol messages exchange. For this reason, it's important to monitor DNS activity within your Kubernetes cluster to detect and potentially prevent C2 channels from establishing covert channels.

The Azure Matrix also has gaps surrounding privilege escalation. Recent CVEs have shown that privileges can be escalated from the node to the entire cluster, or from the cluster to the hosting cloud environment. Admission controllers and Kubernetes operators can also be compromised, and should not be an afterthought when it comes to security.

Another gap in the Azure Matrix is in Kubernetes threat persistence. Attackers can spin up containers directly on the node, which would not be managed by Kubernetes and would be a blind spot for DevOps. If attackers compromise an admission controller, they can also inject malicious sidecar containers to any pod of their desire. Lastly, attackers can execute and persist attacks by plugging scripts into the container life-cycle hooks, a Kubernetes mechanism to run scripts at predetermined points in time.

With a fuller picture of the Kubernetes threat matrix, security teams can begin to implement mitigation strategies to protect their cluster from threats. Fortunately, strong security hygiene can go a long way for addressing threats across the matrix in Kubernetes. But new threats and vulnerabilities come to light every month, and security teams need to remain vigilant in monitoring both their Kubernetes clusters and the broader threat landscape.

Gadi Naor has 18 years of engineering experience, from kernel-based development through leading development of cybersecurity products. He started his professional career at Check Point. Gadi then joined Altor Networks, a pioneer in virtualized data center security, later ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...