Detecting Cyber-Attacks on Kubernetes Environment

Background:

Clusters are the building blocks of Kubernetes systems. Control services assist in managing and safeguarding the containers inside each cluster. Each node runs one or more Kubelets, divided into a control plane and node components. Each Kubelet has one or more containers and a Kube-proxy.

Additionally, Kubernetes has its own security vulnerabilities. All tools are prone to configuration errors, insider threats, and more severe flaws that take advantage of the code of the tools themselves. The consequences of a compromise might be enormous because Kubernetes has authority over the systems that operate crucial business application development.

HawkEye – Managed CSOC and XDR Service powered by DTS Solution, has been helping customers monitor cyber-threats targeting container and microservices application architecture for customers hosting their containerized application on-premise or in the cloud.

Let’s have a look at how we do it by first understand the threat landscape.

Common Cyber-Attacks on Kubernetes Environment:

The most prevalent ways to compromise a Kubernetes cluster are described in the following sections, along with how to protect from them.

1. Utilizing Kubernetes components and publicly accessible vulnerabilities:
   Exploiting vulnerable components is the most common way for bad actors to gain access through the front door. Attackers search the internet for any vulnerabilities and insecure components that are accessible to the public. From there, using an exploit to gain access to a system is simple. All known vulnerabilities in base images and packages will be found using vulnerability management tools, which will also recommend upgrades. Virtual patching and other forms of runtime protection might be helpful compensatory controls in situations when vulnerabilities cannot be fixed or where no fix is available.
2. Scraping and Abusing Credentials:
   Basic credentials such as cloud access, access tokens, SSH cloud access keys, access tokens, SSH keys, Kubernetes service tokens, etc. are immediately searched by malware like Hildegard and Black-T. Using pattern-matching methods, TeamTNT a well-known APT group targeting cloud resources now searches for distinct credentials, secrets, and keys. These keys can be used for privilege escalation, spinning up privileged containers, lateral movement, spinning up virtual machines and containers with cryptominers, as well as other operations. Making it tough to obtain credentials and keeping them as locked down as possible are the greatest ways to guard against these types of vulnerabilities.
3. Installing Cryptominers:
   Public container images, such as those maintained on Docker Hub, can contain cryptomining software in a supply chain poisoning attack known as “cryptojacking.” These images are covered up as something helpful, like a well-known benign image, and frequently work as intended; however, a side process mines cryptocurrency for malicious users. Security tools can detect the signatures of known cryptomining malware or send a container or virtual machine to a sandbox to detect unknown malware if they detect an attempt to download a file or spin up a container image.
4. Lateral Movement:
   Malware can locate the next victim to infect and spread using port scanning tools like masscan, pnscan, and zgrab, as well as CLI dumps. They can then use service control software like SSH or API software like Kubernetes API commands to grant access to additional containers and virtual machines. A lateral movement must be stopped at each stage for it to be successful. Start by reducing the attack surface by micro-segmenting the services that can communicate with one another.
5. Fileless Exploits and Cleaning History:
   Running memory-only malware and erasing log history are two common obfuscation tactics. Because of this, volume-based scanning struggles to identify and stop these threats. Monitoring is the sole defense against these attacks. At the source, agents can identify and stop harmful programs and file alterations.
6. Host system vulnerabilities:
   On host systems like Linux, where vulnerabilities are frequently found, Kubernetes clusters operate. Threat actors frequently use these flaws to compromise clusters. Threat actors use these container breakouts for deeper infiltration and lateral movement. Making sure that newly developing threats and vulnerabilities are swiftly discovered is the main defense against this. The priority for patches or the implementation of corrective measures is then determined by security.

Detection:

• Monitor for container memory and CPU spike.
• Monitor anomalous inbound and outbound network traffic.
• Monitor abnormal Kubernetes user and root activity.
• Monitor unexpected changes in the file system or directory.
• Monitor DNS request anomalies or significant spikes in DNS requests from a specific host.
• Monitor unusual HTTP response sizes.
• Monitor unknown binary processes spawned.
• Monitor HTTP 403 and 404 error code spikes.
• Container security platform like HawkEye, Lacework, Palo Alto, Sysdig, NeuVector, Qetc can help in monitoring threat detection to detect unknown and known cyber threats across the runtime Kubernetes environment.
• Building the monitoring use cases and integrated the service and control plane for container monitoring.

Protection:

• Scan container images for vulnerabilities.
• Use admission control to prevent containers with high-severity vulnerabilities
  from launching.
• Configure network policies to limit external access to pods.
• Restrict service account permissions using Kubernetes RBAC.
• Do not allow pods to run as root.
• Set up the filesystem as read-only.
• Minimize container access to the underlying host.
• Container security platforms like Palo Alto Prisma Cloud, Aqua Security, PortShift, Anchore, NeuVector, etc provide protection to Kubernetesenvironments with comprehensive Container Security, DevSecOps and CI/CD Pipeline Security along with Advanced Runtime Protection.