Automated Cloud-Native Incident Response with Kubernetes and Service Mesh

2023-04-20

Authors: Matt Turner, Francesco Beltramini


Summary

The presentation discusses the importance of intelligence-driven defense in cybersecurity and how it can be implemented in cloud-native infrastructure using automation and orchestration tools.
  • Intelligence-driven defense involves knowing the enemy and their tactics in order to break the kill chain
  • MITRE ATT&CK is an open-source framework that provides a taxonomy of the tactics and techniques used by attackers
  • SOAR (Security Orchestration, Automation and Response) is a platform that enables organizations to collect data about security threats and respond to security events with little or no human assistance
  • Cloud-native platforms offer advanced capabilities and automation tools that can be leveraged for incident response
  • GitOps can provide an audit trail and a deterministic, reproducible way of working
  • An operator can be used to automate response actions based on security events
The speaker demonstrated how an operator can be used to automate response actions based on security events by taking the deployment name and pod name as input and creating a CRD that is committed to Git. The operator then picks up the CRD and issues imperative commands on a retry loop, patching in declarative resources as needed.
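The flow described above (take a deployment and pod name, write a custom resource that is committed to Git, let an operator reconcile it with imperative commands on a retry loop and then patch in declarative isolation resources) can be sketched end to end. The following is an added example, not the operator shown in the talk: the `IsolateWorkload` kind, its API group, the `quarantine` label and `FakeClusterAPI` (an in-memory stand-in for the Kubernetes API server, used so the sketch runs offline) are all assumptions. The NetworkPolicy and Istio AuthorizationPolicy it emits are real resource types; the API server's own server-side apply semantics are approximated as an idempotent upsert.

```python
"""Added sketch of a GitOps-driven isolation operator (assumptions labelled inline)."""
import json
import time
from typing import Dict, List, Tuple

ISOLATE_API = "response.example.com/v1alpha1"  # hypothetical API group/version
QUARANTINE_LABEL = "quarantine"                 # hypothetical label the policies select on


def build_isolation_request(deployment: str, pod: str, namespace: str = "default",
                            reason: str = "") -> dict:
    """Step 1: SOAR/analyst turns (deployment, pod) into a custom resource for Git."""
    return {
        "apiVersion": ISOLATE_API,
        "kind": "IsolateWorkload",  # hypothetical CRD kind
        "metadata": {"name": f"isolate-{pod}", "namespace": namespace},
        "spec": {"deployment": deployment, "pod": pod, "reason": reason},
    }


def manifest_file_content(obj: dict) -> str:
    """Serialise the resource as the file committed to Git (JSON is valid YAML)."""
    return json.dumps(obj, indent=2, sort_keys=True) + "\n"


class TransientAPIError(Exception):
    """Stand-in for a retryable API server error (timeout, 429, update conflict)."""


class FakeClusterAPI:
    """In-memory stand-in for the Kubernetes API server (assumption, not client-go)."""

    def __init__(self, fail_first_n: int = 0):
        self.pods: Dict[Tuple[str, str], Dict[str, str]] = {}      # (ns, name) -> labels
        self.resources: Dict[Tuple[str, str, str], dict] = {}      # (kind, ns, name) -> manifest
        self._failures_left = fail_first_n                         # simulate flaky apiserver

    def add_pod(self, ns: str, name: str, labels: Dict[str, str]) -> None:
        self.pods[(ns, name)] = dict(labels)

    def patch_pod_labels(self, ns: str, name: str, labels: Dict[str, str]) -> None:
        if self._failures_left > 0:
            self._failures_left -= 1
            raise TransientAPIError("apiserver timeout")
        if (ns, name) not in self.pods:
            raise KeyError(f"pod {ns}/{name} not found")
        self.pods[(ns, name)].update(labels)

    def apply(self, manifest: dict) -> None:
        """Idempotent upsert keyed like the real API (kind, namespace, name)."""
        key = (manifest["kind"], manifest["metadata"]["namespace"], manifest["metadata"]["name"])
        self.resources[key] = manifest


def desired_resources(cr: dict) -> List[dict]:
    """Declarative isolation state derived from the custom resource."""
    ns, pod = cr["metadata"]["namespace"], cr["spec"]["pod"]
    selector = {"matchLabels": {QUARANTINE_LABEL: "true"}}
    # L3/L4: selecting the pod with both policyTypes and no rules denies all traffic.
    network_policy = {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"quarantine-{pod}", "namespace": ns},
        "spec": {"podSelector": selector, "policyTypes": ["Ingress", "Egress"]},
    }
    # L7 (service mesh): a DENY policy whose single empty rule matches every request.
    authz_policy = {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": f"quarantine-{pod}", "namespace": ns},
        "spec": {"selector": selector, "action": "DENY", "rules": [{}]},
    }
    return [network_policy, authz_policy]


def reconcile(cr: dict, api: FakeClusterAPI, max_attempts: int = 5,
              backoff_seconds: float = 0.0) -> dict:
    """Step 2: the operator picks up the CR; imperative step retried, then declarative apply."""
    ns, pod = cr["metadata"]["namespace"], cr["spec"]["pod"]
    for attempt in range(1, max_attempts + 1):
        try:
            api.patch_pod_labels(ns, pod, {QUARANTINE_LABEL: "true"})  # tag the pod
            break
        except TransientAPIError:
            if attempt == max_attempts:
                raise
            time.sleep(backoff_seconds * attempt)  # linear backoff before retrying
    applied = []
    for manifest in desired_resources(cr):  # safe to re-run: apply is idempotent
        api.apply(manifest)
        applied.append(manifest["kind"])
    cr["status"] = {"phase": "Isolated", "attempts": attempt, "applied": applied}
    return cr["status"]


if __name__ == "__main__":
    # Constructed scenario: one pod of the "shop" deployment flagged by a sensor alert.
    cluster = FakeClusterAPI(fail_first_n=2)
    cluster.add_pod("default", "shop-7c9d", {"app": "shop"})
    request = build_isolation_request("shop", "shop-7c9d", reason="sensor alert")
    print(manifest_file_content(request))          # what lands in the Git commit
    print(reconcile(request, cluster))              # {'phase': 'Isolated', 'attempts': 3, ...}
```

Two properties matter for a response operator and both are visible here: the imperative step (labelling the pod) is retried so a flaky API server does not drop the response, and the declarative step is an idempotent apply, so re-running the reconcile after a restart converges on the same state instead of duplicating policies. Labelling the pod rather than deleting it keeps the compromised container alive for forensics while the policies cut its traffic.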

Abstract

Security incident response is a well-understood operation, with established best practices like the MITRE ATT&CK framework and the Lockheed Martin Kill Chain. Tooling to aid and automate incident response exists, but not all of it is applicable to cloud-native platforms. For example, playbook apps are generally applicable, but the steps to move compromised workloads to an isolated forensics network are platform-specific, and new implementations are needed for the cloud-native world.

In this talk, Francesco and Matt will:
  • Recap incident response 101
  • Introduce some cloud-native tech including Kubernetes, Istio, and GitOps
  • Show an Operator built by Matt for dynamically adding complex layer-7 traffic rules in response to changes in the environment, which will be used as part of the demo
  • Walk you through a response to a Log4Shell attack against a workload in a k8s cluster: sensor alert, SIEM analysis, IRP automation (honeypots, isolation), building the IoC, and killing the attack

Materials: