Know Your Enemy: Mapping Security Risks Using Threat Matrix for Kubernetes


Authors: Ram Pliskin, Yossi Weizman


The presentation discusses the importance of building a knowledge base for understanding the unique security threats that target the orchestration level of Kubernetes. The speakers present the Threat Matrix for Kubernetes, which focuses on this specific layer and provides a way to measure coverage against real-world attacks.
  • The Threat Matrix for Kubernetes was developed to map threats targeting Kubernetes and to keep track of the interface
  • The Matrix is split into tactics and techniques, with each technique representing a specific method that attackers might use
  • The Matrix can be used to measure coverage against real-world attacks
  • An anecdote is given about an attack that targeted Kubeflow and exploited a misconfigured dashboard
The presentation gives an example of an attack that targeted Kubeflow, a popular framework for machine learning tasks that run on top of Kubernetes. The attack exploited a misconfigured dashboard that didn't require any authentication, allowing free access to a management interface. This anecdote illustrates the importance of understanding the unique security threats that target the orchestration level of Kubernetes, and the need for a knowledge base against which coverage of real-world attacks can be measured.


In April, Microsoft released an updated version of the Threat Matrix for Kubernetes, which was originally released in 2020. The Threat Matrix is a knowledge base of security threats that target Kubernetes, and it was the first attempt to systematically cover the Kubernetes attack landscape. In this session, we will explain how defenders and SecOps engineers can use the matrix to protect their Kubernetes workloads. We will demonstrate how a real-world attack is mapped to the techniques in the matrix and how organizations can measure their coverage against that attack using the matrix. Inspired by the Threat Matrix for Kubernetes, MITRE expanded their ATT&CK framework to also include containers. In the session, we will examine the differences between the Threat Matrix and MITRE ATT&CK and explain how users can leverage both matrices to gain better security visibility into their environments.
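The mapping-and-coverage exercise described in the summary and in the abstract above, as an added toy example that is not code from the talk or from Microsoft: the matrix is modelled as tactic-to-technique cells, the Kubeflow incident is expressed as a chain of cells, and coverage is the share of that chain a defender's controls detect. The subset of tactic and technique names is taken from the public Threat Matrix for Kubernetes as the editor recalls it, and every step of the attack chain after the exposed dashboard is an assumed continuation; treat both as assumptions.

```python
"""Toy model: map an attack to Threat Matrix cells and measure detection coverage.
Added example, not the talk's code. Names below follow the public Threat Matrix
for Kubernetes as recalled by the editor; treat them as assumptions."""
from dataclasses import dataclass

# Constructed subset of the matrix: tactic -> set of technique names.
MATRIX = {
    "Initial Access": {"Exposed sensitive interfaces", "Using cloud credentials"},
    "Execution": {"Exec into container", "New container", "Application exploit"},
    "Persistence": {"Backdoor container", "Writable hostPath mount"},
    "Impact": {"Data destruction", "Resource hijacking", "Denial of service"},
}

# The Kubeflow incident as a chain of (tactic, technique). Only the first step
# comes from the talk (dashboard reachable without authentication); the rest is
# an assumed continuation used to illustrate the mapping.
KUBEFLOW_ATTACK = [
    ("Initial Access", "Exposed sensitive interfaces"),
    ("Execution", "New container"),
    ("Impact", "Resource hijacking"),
]


@dataclass
class CoverageReport:
    covered: list      # techniques in the chain that a control detects
    uncovered: list    # techniques in the chain with no detection: the gap to close
    ratio: float       # covered / chain length


def validate_chain(chain, matrix=MATRIX):
    """Reject steps that do not name a real (tactic, technique) cell of the matrix."""
    for tactic, technique in chain:
        if technique not in matrix.get(tactic, ()):
            raise ValueError(f"unknown technique {technique!r} under {tactic!r}")


def measure_coverage(chain, detections, matrix=MATRIX):
    """detections: set of technique names the defender's controls detect or prevent."""
    validate_chain(chain, matrix)
    covered = [t for _, t in chain if t in detections]
    uncovered = [t for _, t in chain if t not in detections]
    return CoverageReport(covered, uncovered, len(covered) / len(chain))


if __name__ == "__main__":
    # A defender who alerts on new pods and on mining-style resource abuse, but
    # does not audit externally exposed interfaces, still misses the entry point.
    print(measure_coverage(KUBEFLOW_ATTACK, {"New container", "Resource hijacking"}))
```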