Level: Technical

Abstract:

This presentation will walk through the layers of a Kubernetes cluster stack, including common add-on components, and highlight places where attackers can bypass common detection mechanisms and use container features to hide their cluster access. Before we discuss specific attacks we’ll mention how common default configurations have led to a large number (1 million+) of Kubernetes cluster nodes being directly connected to the Internet, making the job of attacker persistence easier.

We’ll then start with persistence at the container layer, looking at containerd and CRI-O to show how attackers can create containers that aren’t easily visible to cluster-level tooling.

At the node level we will also discuss how it’s possible to use static pods and invalid namespaces to add workloads to a cluster without their being visible to kubectl or similar tooling.

We’ll also cover how attackers can send traffic directly to the Kubelet API to bypass audit logging and admission control. The Kubelet API is a less well-documented attack surface, but it is accessible when certain rights are granted at the cluster level.

Moving up to the cluster level, the talk will then focus on how attackers can create phantom privileged credentials to retain access to clusters for months or years, how those attacks could be detected, and the importance of Kubernetes auditing and log retention.
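One defender-side check for the container- and node-level hiding described above is to compare what the node's runtime is actually running with what the API server believes exists. The following is an added example, not code from the talk; it assumes the JSON shapes of `crictl pods -o json` (items[].id, items[].metadata.{name,namespace,uid}) and `kubectl get pods -A -o json` (items[].metadata), and both inputs below are constructed samples.

```python
import json

# Constructed sample of `crictl pods -o json` from one node (assumed shape).
# Two sandboxes have no counterpart in the API server: one in a misspelled,
# non-existent namespace and one static pod that never got a mirror pod.
NODE_SANDBOXES = json.loads("""
{"items": [
 {"id": "a1", "metadata": {"name": "web-7d9c", "namespace": "default", "uid": "u-1"}, "state": "SANDBOX_READY"},
 {"id": "b2", "metadata": {"name": "kube-proxy-x1", "namespace": "kube-system", "uid": "u-2"}, "state": "SANDBOX_READY"},
 {"id": "c3", "metadata": {"name": "helper", "namespace": "kube-sysem", "uid": "u-3"}, "state": "SANDBOX_READY"},
 {"id": "d4", "metadata": {"name": "static-agent-node1", "namespace": "default", "uid": "u-4"}, "state": "SANDBOX_READY"}
]}
""")

# Constructed sample of `kubectl get pods -A -o json` (assumed shape: items[].metadata).
API_PODS = json.loads("""
{"items": [
 {"metadata": {"name": "web-7d9c", "namespace": "default", "uid": "u-1"}},
 {"metadata": {"name": "kube-proxy-x1", "namespace": "kube-system", "uid": "u-2"}}
]}
""")


def find_unregistered_sandboxes(node_json, api_json):
    """Return pod sandboxes running on the node that the API server does not list.

    Match on (namespace, name) rather than uid: a static pod's mirror pod in the
    API carries the node-suffixed name but an API-assigned uid, so uids differ
    even for legitimate static pods.
    """
    known = {(p["metadata"]["namespace"], p["metadata"]["name"]) for p in api_json["items"]}
    unregistered = []
    for sb in node_json["items"]:
        key = (sb["metadata"]["namespace"], sb["metadata"]["name"])
        if key not in known:
            unregistered.append({"id": sb["id"], "namespace": key[0], "name": key[1]})
    return unregistered


if __name__ == "__main__":
    for hit in find_unregistered_sandboxes(NODE_SANDBOXES, API_PODS):
        print(f"sandbox {hit['id']} {hit['namespace']}/{hit['name']} has no API-server pod")
```

Run per node and alert on any hit; a hit is either a legitimate static pod whose mirror pod failed to register, or a workload that was placed on the node outside the API server.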

Bio:

Rory has worked in the information and IT security arena for the last 23 years in a variety of roles in information security and penetration testing. These days he spends his work time on container and cloud-native security. He is an active member of the container security community, having delivered presentations at a variety of IT and information security conferences. He has also presented at major containerization conferences, is an author of the CIS Benchmarks for Docker and Kubernetes, and is the main author of the Mastering Container Security training course, which has been delivered at numerous industry conferences including Black Hat USA. When he’s not working, Rory can generally be found out walking and enjoying the scenery of the Scottish Highlands.
