Kubernetes has rapidly transitioned to a widely adopted tool for managing containerized applications, with 66% of users deploying it in production. However, security challenges persist, leading to project delays and revenue losses for many organizations. The urgent need for strong security measures is underscored by recent breaches and vulnerabilities. Indicators of compromise include inadequate access controls, exploitative vulnerabilities, and unsafe secrets management. Affected: Kubernetes, Organizations, Technology Sector
Keypoints :
- Kubernetes adoption has grown, with 66% of users deploying it in production.
- 53% of organizations experience project delays due to security/compliance issues related to Kubernetes.
- 89% of organizations faced at least one security incident involving containers or Kubernetes in the past year.
- Significant vulnerabilities were identified, including IngressNightmare, impacting many cloud environments.
- Kubernetes Audit Logs play a crucial role in monitoring and securing Kubernetes environments.
- Effective monitoring of audit logs can enhance operational efficiency and security compliance.
MITRE Techniques :
- Mitre ATT&CK Technique: External Remote Service (T1133) β Attackers may locate and exploit Kubernetes API Endpoints.
- Mitre ATT&CK Technique: Container Administration Command (T1609) β Attackers gain shell access to containers for command execution.
- Mitre ATT&CK Technique: Deploy Container (T1610) β Sidecar containers are injected into legitimate pods for executing unauthorized code.
- Mitre ATT&CK Technique: Scheduled Task/Job (T1053.007) β Suspicious creation or modification of cron jobs to execute malicious tasks.
- Mitre ATT&CK Technique: Unsecured Credentials (T1552.007) β Unauthorized modifications or access to Kubernetes secrets.
- Mitre ATT&CK Technique: Data Destruction (T1485) β Unauthorized modifications or deletions of critical Kubernetes resources.
Indicator of Compromise :
- [IP Address] 192.168.56.11
- [IoC Type] user=kubernetes-admin
- [IoC Type] user_agent=kubectl/v1.26.0
- [IoC Type] annotations_authorization_k8s_io_decision=allow
- [IoC Type] requestURI=/api/v1/namespaces/default/pods/test
Full Story: https://www.logpoint.com/en/blog/emerging-threats/kubernetes-threat-hunting-using-api-server-audit-logs/