
From the Cluster to the Cloud: Lateral Movements in Kubernetes

Authors:   Yossi Weizman, Ram Pliskin


Summary

The presentation argues for a holistic Kubernetes security strategy that covers monitoring identities, auditing, and applying mitigation techniques at both the cluster and the cloud level.
  • Kubernetes security requires a holistic strategy that considers both the cluster and the cloud it runs in
  • Monitoring identities and adhering to the least-privilege principle are key aspects of Kubernetes security
  • Auditing tools such as the Kubernetes audit log and the cloud providers' auditing services can surface suspicious activity
  • Mitigation techniques, such as assigning a dedicated identity to each pod and disabling service account token auto-mount, cut off the paths these attacks rely on
  • The Microsoft threat matrix for Kubernetes includes mitigation techniques that reduce the attack surface
The presentation describes how customers and competitors started measuring their security coverage against the matrix, which led to its adoption into the MITRE ATT&CK Enterprise framework. The third version of the Microsoft threat matrix adds a layer of mitigation techniques: each TTP is mapped to the mitigation steps that tell Kubernetes users how to reduce their attack surface.
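The summary names the Kubernetes audit log as the native tool for spotting this activity. The following detector is an added example, not material from the talk or its authors: it reads the kube-apiserver's JSON-lines audit log and flags service-account tokens that touch another namespace, perform verbs that reach other pods or their credentials, or collect 403s while probing what they can do. The SENSITIVE table and the sample events are constructed for the example and are assumptions, not an official list.

```python
"""Flag Kubernetes audit-log events that look like in-cluster lateral movement.

Added example, not from the talk. Input is the kube-apiserver's JSON-lines
audit log (one audit.k8s.io/v1 Event per line). The SENSITIVE table and the
sample events below are assumptions constructed for this example.
"""
import json

# (resource[/subresource], verb) pairs that let a workload identity reach other
# pods or their credentials. Assumption for this example, not an official list.
SENSITIVE = {
    ("secrets", "get"), ("secrets", "list"),
    ("pods", "create"), ("pods/exec", "create"), ("pods/attach", "create"),
    ("serviceaccounts/token", "create"),
    ("rolebindings", "create"), ("clusterrolebindings", "create"),
}
SA_PREFIX = "system:serviceaccount:"


def sa_namespace(username):
    """Namespace of a service-account principal, or None for other users."""
    if not username.startswith(SA_PREFIX):
        return None
    return username[len(SA_PREFIX):].partition(":")[0]


def analyze_event(ev):
    """Return finding strings for one ResponseComplete event (empty if benign)."""
    user = ev.get("user", {}).get("username", "")
    own_ns = sa_namespace(user)
    if own_ns is None:
        return []                         # humans and controllers: out of scope here
    ref = ev.get("objectRef") or {}
    resource = ref.get("resource", "")
    if ref.get("subresource"):
        resource = f"{resource}/{ref['subresource']}"
    verb = ev.get("verb", "")
    target_ns = ref.get("namespace")
    code = ev.get("responseStatus", {}).get("code", 0)
    findings = []
    if code == 403:
        # A pod probing what its token can do is a classic discovery signal.
        findings.append(f"denied {verb} {resource} (possible enumeration)")
        return findings
    if (resource, verb) in SENSITIVE:
        findings.append(f"{verb} {resource} in {target_ns or 'cluster scope'}")
    if target_ns and target_ns != own_ns:
        # A token minted for namespace A touching objects in namespace B.
        findings.append(f"cross-namespace access {own_ns} -> {target_ns}")
    return findings


def scan(lines):
    """Parse a JSON-lines audit log; return {principal: [findings]}."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue                      # keep one event per request
        for finding in analyze_event(ev):
            report.setdefault(ev["user"]["username"], []).append(finding)
    return report


# Constructed sample log: a compromised pod in 'web' reads another namespace's
# secrets and probes exec, and a default SA creates a cluster-wide binding.
SAMPLE_EVENTS = [
    {"stage": "ResponseComplete", "verb": "get",
     "user": {"username": "system:serviceaccount:web:frontend"},
     "objectRef": {"resource": "configmaps", "namespace": "web", "name": "ui"},
     "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "list",
     "user": {"username": "system:serviceaccount:web:frontend"},
     "objectRef": {"resource": "secrets", "namespace": "payments"},
     "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:web:frontend"},
     "objectRef": {"resource": "pods", "subresource": "exec",
                   "namespace": "payments", "name": "db-0"},
     "responseStatus": {"code": 403}},
    {"stage": "RequestReceived", "verb": "list",
     "user": {"username": "system:serviceaccount:web:frontend"},
     "objectRef": {"resource": "secrets", "namespace": "payments"}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "kubernetes-admin"},
     "objectRef": {"resource": "pods", "namespace": "web"},
     "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:kube-system:default"},
     "objectRef": {"resource": "clusterrolebindings", "name": "cluster-admin-bind"},
     "responseStatus": {"code": 201}},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for principal, findings in scan(SAMPLE_LOG).items():
        print(principal)
        for f in findings:
            print("  -", f)
```

Only the ResponseComplete stage is scored so each request counts once; the 403 branch returns early because a denied request tells you about probing, not about data reached. On a real cluster the audit policy must log at least the Metadata level for these resources, otherwise objectRef and responseStatus are missing and the detector sees nothing.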

Abstract

As K8s clusters usually reside in the cloud, access to a container in the cluster can be a foothold into the entire cloud workload. In this session, we'll present novel techniques used in recent real-world attacks which allowed adversaries to move laterally from a container in a K8s cluster to external cloud resources. We'll start with in-cluster lateral movement: we'll talk about K8s RBAC configurations that unexpectedly allowed in-cluster lateral movement and were the root cause of vulnerabilities in containerized apps, and we'll discuss how one can identify such activities with native K8s tools. We'll continue to cluster-to-cloud lateral movement. The key concept in this area is cluster-to-cloud authentication. We'll introduce the various authentication methods used by the major cloud providers: Azure, AWS and GCP. All of the methods fall into one of three buckets: direct or modified access to IMDS, using K8s as an OIDC identity provider, or storing credentials on the underlying nodes. Every authentication method comes with a default configuration, and many of those unknowingly grant excessive permissions. We'll present recent real-world incidents of cloud environment takeovers that originated in K8s clusters, and we'll explain how users can prevent and detect such activities.
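The abstract's first topic is RBAC configurations that unexpectedly permit in-cluster lateral movement. As an added example that is not drawn from the talk or its authors' material, the script below walks Role, ClusterRole, RoleBinding and ClusterRoleBinding objects (the shape returned by `kubectl get ... -o json`) and reports service accounts whose effective grants reach other namespaces' pods or secrets. The LATERAL table and the sample objects are constructed assumptions for the example; the RBAC matching rules (wildcards, and a RoleBinding that references a ClusterRole still being namespace-scoped) are standard Kubernetes semantics.

```python
"""Find service accounts whose RBAC grants would let a compromised pod move laterally.

Added example, not from the talk. Input mirrors the items returned by
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`;
the LATERAL table and the sample objects below are constructed for this example.
"""

# Permissions that let a pod reach other workloads or their credentials.
# Assumption for this example, not an exhaustive list.
LATERAL = {
    ("pods", "create"), ("pods/exec", "create"),
    ("secrets", "get"), ("secrets", "list"),
    ("serviceaccounts/token", "create"),
    ("users", "impersonate"), ("serviceaccounts", "impersonate"),
}


def rule_grants(rule, resource, verb):
    """Does one PolicyRule cover (resource, verb)? '*' is the RBAC wildcard."""
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def index_roles(items):
    """Map (kind, namespace or None, name) -> list of rules."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace") if obj["kind"] == "Role" else None
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj.get("rules", [])
    return roles


def effective_grants(items):
    """Return {principal: {(scope, resource, verb)}} for LATERAL permissions.

    scope is the binding's namespace, or '*' for a ClusterRoleBinding. A
    RoleBinding that references a ClusterRole still only grants inside its own
    namespace, so the scope comes from the binding, not from the role.
    """
    roles = index_roles(items)
    grants = {}
    for obj in items:
        if obj["kind"] == "RoleBinding":
            scope = obj["metadata"]["namespace"]
            ref = obj["roleRef"]
            key = (ref["kind"], scope if ref["kind"] == "Role" else None, ref["name"])
        elif obj["kind"] == "ClusterRoleBinding":
            scope = "*"
            key = ("ClusterRole", None, obj["roleRef"]["name"])
        else:
            continue
        rules = roles.get(key, [])          # binding to a missing role grants nothing
        for subj in obj.get("subjects", []):
            if subj.get("kind") != "ServiceAccount":
                continue
            principal = f"system:serviceaccount:{subj['namespace']}:{subj['name']}"
            for resource, verb in LATERAL:
                if any(rule_grants(r, resource, verb) for r in rules):
                    grants.setdefault(principal, set()).add((scope, resource, verb))
    return grants


def beyond_own_namespace(grants):
    """Principals holding lateral permissions outside the namespace they live in."""
    out = set()
    for principal, perms in grants.items():
        own_ns = principal.split(":")[2]
        if any(scope == "*" or scope != own_ns for scope, _, _ in perms):
            out.add(principal)
    return out


def _meta(name, ns=None):
    return {"name": name, "namespace": ns} if ns else {"name": name}


# Constructed sample: three risky bindings and one least-privilege one.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": _meta("pod-manager"),
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"],
                "verbs": ["get", "list", "create"]}]},
    {"kind": "ClusterRole", "metadata": _meta("secret-reader"),
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": _meta("everything"),
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": _meta("app-reader", "web"),
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
    # CI runner can create and exec into pods in every namespace.
    {"kind": "ClusterRoleBinding", "metadata": _meta("ci-pods"),
     "roleRef": {"kind": "ClusterRole", "name": "pod-manager"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    # A web pod's token can read secrets in the payments namespace.
    {"kind": "RoleBinding", "metadata": _meta("frontend-secrets", "payments"),
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "frontend", "namespace": "web"}]},
    # kube-system's default SA is cluster admin in all but name.
    {"kind": "ClusterRoleBinding", "metadata": _meta("default-everything"),
     "roleRef": {"kind": "ClusterRole", "name": "everything"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}]},
    # Benign: same namespace, read-only, no lateral verbs.
    {"kind": "RoleBinding", "metadata": _meta("worker-reader", "web"),
     "roleRef": {"kind": "Role", "name": "app-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "worker", "namespace": "web"}]},
]

if __name__ == "__main__":
    grants = effective_grants(SAMPLE_ITEMS)
    for principal in sorted(beyond_own_namespace(grants)):
        print(principal, sorted(grants[principal]))
```

The two patterns the sample surfaces are the ones that keep recurring in the incidents the abstract alludes to: a ClusterRoleBinding handed to a namespaced service account (the CI runner and the kube-system default account), and a RoleBinding in one namespace whose subject lives in another (the web frontend reading payments secrets). Neither shows up if you only review the Roles; you have to resolve the bindings to the subjects, which is what `effective_grants` does.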
