logo
allArticlesConferencesPresentations

Automated Cloud-Native Incident Response with Kubernetes and Service Mesh

Conference:  KubeCon + CloudNativeCon Europe 2023

2023-04-20

Authors:   Matt Turner, Francesco Beltramini

Summary

The presentation discusses the importance of intelligence-driven defense in cybersecurity and how it can be implemented in cloud-native infrastructure using automation and orchestration tools.
  • Intelligence-driven defense involves knowing the enemy and their tactics to break the kill chain
  • Attack is an open-source framework that provides a taxonomy of tactics and techniques used by attackers
  • SOAR (Security Orchestration Automation Response) is a platform that enables organizations to collect data about security threats and respond to security events with little or no human assistance
  • Cloud-native platforms offer advanced capabilities and automation tools that can be leveraged for incident response
  • GitOps can provide an audit trail and a deterministic, reproducible way of working
  • An operator can be used to automate response actions based on security events
The speaker demonstrated how an operator can be used to automate response actions based on security events by taking the deployment name and pod name as input and creating a CRD that is committed to Git. The operator then picks up the CRD and issues imperative commands on a retry loop, patching in declarative resources as needed.

Abstract

Security incident response is a well-understood operation, with established best practices like the MITRE Att&ck Framework and the Lockheed Martin Kill Chain. Tooling to aid and automate incident response exists, but not all of it is applicable to cloud-native platforms. For example, playbook apps are generally applicable, but the steps to move compromised workloads to an isolated forensics network are platform-specific, and new implementations are needed for the cloud-native world. In this talk, Francesco and Matt will * Recap incident response 101 * Introduce some cloud-native tech including Kubernetes, Istio, and GitOps * Show an Operator built by Matt for dynamically adding complex layer-7 traffic rules in response to changes in the environment, which will be used as part of the demo * Walk you through a response to a log4shell attack against a workload in a k8s cluster: sensor alert, SIEM analysis, IRP automation (honeypots, isolation), building the IoC, and killing the attack.
Materials:
Slides
Tags:
Security
incident
Response
MITRE
ATT&CK

Post a comment

Related work

Experimenting with Real-Time Event Feeds

Conference:  BlackHat USA 2020
Authors:
2020-08-06

Conti Playbook: Infiltrate the Most Profitable Ransomware Gang

Conference:  RSA Conference 2022
Authors:
2022-06-06

Mapping Motives Tells a Story: Analysis of 2,000 Enterprise Cloud Detections

Conference:  Cloud Native SecurityCon North America 2023
Authors: David Wolf, Joshua Smith

Lightning Talk: A GNN Based Framework for Kubernetes Security Agents: Threat and Vulnerability Detectors, Recommenders and Attack Simulators

Conference:  OpenAI + Data Forum 2022
Authors: Zeyno A Dodd
2022-06-23

It's Getting Real & Hitting the Fan! Real World Cloud Attacks

Conference:  RSA Conference 2022
Authors:
2022-06-06

Sponsored Session: Palo Alto Networks

Conference:  KubeCon + CloudNativeCon Europe 2021
Authors: Ashley Ward, Keith Mokris