logo
allArticlesConferencesPresentations

Uncovering a Sophisticated Kubernetes Attack in Real-Time

Conference:  KubeCon + CloudNativeCon Europe 2021

Authors:   Jed Salazar, Natalia Reka Ivanko

Summary

The presentation discusses the importance of observability in detecting and responding to attacks on Kubernetes clusters, and how eBPF technology can provide unique visibility into the system.
  • Observability is crucial in detecting issues and improving the stability and security of a system
  • Data-driven security using observability can help detect and respond to attacks in real-time
  • eBPF technology provides unique visibility into Kubernetes pods, allowing for network and process-level visibility to detect and respond to sophisticated attacks
  • Immutability enables the declaration of patterns to understand the behavior of an object, allowing for the detection of tactics, techniques, and procedures (TTPs) used in attacks
  • Collecting the right data is key to detecting sophisticated attacks in a system
The presenters demonstrate how eBPF technology can be used to detect a live sophisticated attack on a Kubernetes cluster, and how immutability can be used to identify suspicious behavior such as the execution of a binary that is not part of the container image.

Abstract

As Kubernetes adoption continues to explode, the threat actors working on attacks are growing in sophistication. Simple mitigations and security best practices are no longer sufficient alone to protect production workloads. While tools like vulnerability scanning, signed container images, and distroless containers help, constant monitoring must take place in a running environment to ensure it remains safe from compromise. eBPF, an emerging Linux kernel technology, provides us unique visibility directly into any Kubernetes pod. Because pods on a node share a single kernel, a single eBPF program has full visibility to the entire node’s workloads. We’ll show how using such a program gives us the network and process-level visibility to detect and a live sophisticated attack on our cluster. We’ll finish by showcasing how security teams can easily put these same tools to use to protect their critical Kubernetes environments from threats.
Materials:
Slides
Tags:

Post a comment

Related work

The Next Log4jshell?! Preparing for CVEs with eBPF!

Conference:  KubeCon + CloudNativeCon Europe 2023
Authors: Natalia Reka Ivanko, John Fastabend
2023-04-21

The Four Golden Signals of Security Observability

Conference:  Cloud Native SecurityCon North America 2023
Authors: Duffie Cooley

Cloud Native Superpowers with eBPF

Conference:  KubeCon + CloudNativeCon North America 2021
Authors: Liz Rice
2021-10-14

Armoring Cloud Native Workloads With LSM Superpowers

Conference:  KubeCon + CloudNativeCon North America 2022
Authors: Barun Acharya
2022-10-26

100Gbit/S Clusters With Cilium: Building Tomorrow’s Networking Data Plane

Conference:  KubeCon + CloudNativeCon North America 2022
Authors: Daniel Borkmann, Nikolay Aleksandrov
2022-10-27

Sponsored Session: Kubernetes Package Management Using Unix Philosophy with Carvel

Conference:  KubeCon + CloudNativeCon Europe 2021
Authors: Helen George, João Pereira