HF 2022 - Call for Papers

Kubernetes Security: Attacking and Defending K8s Clusters
2022-10-29, 16:30–17:20, Track 1
Language: English

This presentation aims to talk about different attack scenarios leveraging Kubernetes clusters. We'll dig deeper into an attack scenario using real-world applications to demonstrate different ways attackers and malicious users can use to exploit your cluster and the applications running on it. But first, we’ll give an overview of Kubernetes and its architecture, covering the main components from the Control Plane and the Worker Nodes. Then, we'll use the K8s Threat Matrix, and the MITRE ATT&CK for Containers published this year to discuss the Tactics, Techniques, and Procedures to demonstrate the Recon, Exploitation, and Post-Exploitation phases. After that, we'll provide some best practices for securing your cluster based on the scenarios and the CIS Benchmarks for Kubernetes. We'll show how to use Role-based access control (RBAC) for Access Control, to enable audit logs for security and troubleshooting, and we'll set up some network policies to avoid communication between pods and prevent any lateral movement from attackers.

​Introduction to Kubernetes
Outline of K8s Architecture​
Control Plane
Kube API Server
Kube Controller Manager
Kube Scheduler
Cloud Controller Manager
Worker Nodes
CRE (Container Runtime Engine)
- K8s Threat Matrix ​
- MITRE ATT&CK for Containers ​(and K8s)
- K8s ATT&CK Scenario & Flow​
Attacking K8s​
- Recon / Initial Access​
- Exploitation / Execution
- Post-Exploitation / Persistence​
Defending K8s​
- API Server​
- CIS Benchmark​
- Image Scanning​
- Runtime Protection​
- Network Policy​
- Pod Security Policy (PSP)​ - Deprecated
- PSP Alternatives​
- Audit Logs

Was this talk already given? – yes Are you releasing a tool? – no

Magno Logan works as an Information Security Specialist for Trend Micro. He specializes in Cloud, Container, and Application Security Research, Threat Modelling, and DevSecOps. In addition, he has been tapped as a resource speaker for numerous security conferences around the globe.