The Art of Hiding Yourself

Authors:   Lorenzo Fontana


Abstract

Kubernetes security is an ongoing effort today. In this talk we look at how a hacker would attempt to remain anonymous while compromising a Kubernetes cluster. Seconds after a node or a cluster is compromised, the bad actors start to take measures to make sure their hard work can profit for a while. What do they do? They start hiding their traces. Depending on the attack vector, they will need to hide their traces at multiple levels. They will begin by asking themselves some questions:

- Are there audit log mechanisms?
- Is the Kubernetes audit log enabled? Can I tamper with it?
- Is there deep packet inspection? Can I tamper with it?
- How do I hide processes, containers and tasks from the owners?
- Is there any non-conventional place where I can put files?
- What about hiding my files in the Kubernetes etcd?
- How can I hide the network connections I make?

In this talk we are going to discuss the broader picture of how the second part of an attack is handled by a bad actor.
