Home

Week Roundup #2: June 24th - June 30th

Quick roundup of the ~security~ stuff I’ve been working on in the past week!

Best [placeholder] of the Week

Album of the week:

• Chat Pile - God's Country - saw these guys live this week and it was as heavy as I expected, but a lot more talking about Paddy Considine films

Article of the week:

• Keep Hackers Out of Your Kubernetes Cluster with These 5 Simple Tricks! - Christophe Tafani-Dereeper & Frederic Baguelin was just the right amount of meme-to-heavy research ratio, I speak more about this in the Articles section at the end

Video of the week:

• Do You Really Need Anyone Else - COD Montage should be locked away in a time capsule, this is prime Youtube baby

Week Roundup

Projects:

• Released part 1 of my Guide to Pragmatic Container Security focusing on practical steps to reduce runtime security risk

• Set up phase 1 of my purple-team home lab

  • Span up a GKE cluster and installed Falco for runtime monitoring
  • Was a good intro into the nuances of GCP (e.g. tag-based firewalls, which have grown on me a lot)
  • Was cool to measure the difference between Falco’s native detection rules vs. GuardDuty’s runtime monitoring tool’s rules. The main takeaway here is that the extensibility of Falco with custom rules places it hand-over-foot to actually mature your runtime monitoring capability, for the little cost of a helm install
  • Want to work on setting up an Elastic SIEM to start ingesting some of my GKE/GCP logs to. It’d be cool to map these logs to threat matrices like Microsoft’s to create a blue-team handbook for building comprehensive security monitoring for Kubernetes clusters.

• Played around with custom AppArmor profiles

  • Started setting up AppArmor profiles for container processes running in my purple-team cluster
  • Ended up being a lot longer winded than it needed to be (did not set up the NAT gateway correctly and realised so far too late)
  • The process for loading these into the Host kernels in the cluster proved to be as tedious as with AWS, DaemonSet worked well to install the profiles, but loading them into the kernel is a different kettle of fish

Articles and Videos

• <article> Stop worrying about ‘allowPrivilegeEscalation’

  • Good overview of what the allowPrivilegeEscalation option can and cannot do to secure a container
  • Would be cool to have a map of known ‘common’ privilege escalation techniques and the effectiveness of allowPrivilegeEscalation for each of these

• <article> Microsoft’s Threat Matrix for Kubernetes

  • Pretty nice overview of the major attacker techniques in Kubernetes
  • Not exhaustive (and not trying to be!) but would be a great place to start considering the logs needed for observing each of these techniques
  • Crazy how it’s just the law that everything comes back to RBAC
  • I know work is being done to develop a red-team spin-off of this threat matrix with Graham Helton’s Kubenomicon, it would be cool if a similar resource existed for blue-team to outline the defensive controls and telemetry we should have in place for each technique.

• <handbook> Pivot Atlas

  • This is a cyber threat intelligence handbook authored by Amitai Cohen to provide digital pivots to make with threat intelligence artifacts
  • I’ve always found threat intelligence work one of the dark arts of cyber security, but this handbook makes it much more straightforward to progress from single artifacts like domain names to a full holistic view of a threat actor and their digital assets
  • The handbook makes frequent reference to real-life attacks and threat actors to show the value in pivoting from digital artifacts, which really brings home the value of this kind of threat intel work

• <article> Keep Hackers Out of Your Kubernetes Cluster with These 5 Simple Tricks!

  • Typical attacker path is to schedule new workloads via privileged Pods or DaemonSets
  • Typically use their own images - not ones default in the cluster (e.g. purpose-built cryptominer image)
  • No public reports of poisoned container images used in a supply chain attack
  • Once an attacker gains code-execution capabilities on a container, they frequently use curl or wget to retrieve second-stage Bash scripts for execution
  • Importance of admission controllers to enforce intentional running of resources in cluster - no unvetted image repositories, no privileged pods, no pods mounting the host filesystem
  • Usage of read only root filesystem for stateless workloads to prevent many common exploits relying on writing to disk