Our team members are frequently sought after for speaking engagements at various industry events. Whenever possible, we make the recordings available.
Kubernetes has become the de facto standard for container orchestration. This shift brings with it a new set of security challenges. If an attacker got inside your cluster, would you know about it? In many environments, the logs needed to pinpoint malicious activity are not being collected properly, much less monitored for the key indicators that something has gone wrong.
One of the biggest problems we see for security-minded Kubernetes administrators and security teams is that they simply have no idea what to look for when it comes to malicious activity. They don’t know which logs to collect, what’s in them, or how to recognize the activities that mean something is very wrong. In this talk, Darkbit founders Brad Geesaman and Josh Larsen explore realistic Kubernetes and cloud attack paths and illustrate several techniques for gaining better visibility into your cloud-native environments.
If you are in tech and security and not paying attention to the technology called Kubernetes, it’s time to start. – Robert Rounsavall
Robert featured Brad Geesaman, co-founder of Darkbit on the SynAckFinAck podcast. Brad is one of the first 20 people in the world to obtain the Google Cloud Certified Fellow designation and is now helping clients secure their cloud-native architectures across all of the major cloud service providers.
As Kubernetes grows in popularity, the sophistication of attackers will improve, and security by obscurity will no longer be sufficient. What could an attacker who understands Kubernetes at a deep level be capable of? Let’s explore the dark corners of clusters and shine a light on several new advanced attacks on Kubernetes, and learn how to detect and prevent them using practical, proven methods.
Is your Kubernetes cluster able to resist the most common attacks? Are all the necessary detection mechanisms in place to know if a security issue did occur? In this hands-on workshop, the instructors dive into the art and science of Kubernetes security through a series of interactive attack and defense scenarios.
Attendees in this session learned through instructor-led exercises how to identify and exploit realistic misconfigurations in Kubernetes clusters to achieve full cluster compromise. Each attack step was matched with hardening measures and specific methods for detection and response workflows. Each workshop attendee was provided with a pre-configured Kubernetes cluster running realistic workloads in a cloud-based lab environment. The tools and methodologies covered by these exercises can directly help attendees secure their own organization’s clusters.
Until recently, major public cloud providers have offered relatively basic toolsets for identifying suspicious activity inside customer accounts that may indicate a compromise. Some organizations have invested significant resources to build their own tools or have leveraged industry vendor offerings to provide this visibility. The reality is that this barrier has meant a large number of organizations haven’t dedicated those resources to the problem and therefore operate without sufficient detection and response capabilities to monitor their cloud accounts for compromise.
Amazon Web Services, Google Cloud Platform, and Microsoft Azure have recently launched a new set of native platform threat and anomalous-behavior detection services to help their customers better identify and respond to certain issues and activities occurring inside their cloud accounts. From detecting cryptocurrency mining, to identifying bot-infected systems, to alerting on suspicious cloud credential usage, to triggering on cloud-specific methods of data exfiltration, these new services aim to make such detections much easier and simpler to manage centrally.
But what new and unique insights do they offer? What configuration is required to achieve the full benefits of these detections? What types of activities are not yet covered? What attack methods and techniques can avoid detection by these systems and still be successful? What practical guidelines can be followed to make the best use of these services in an organization?
Follow along as we attempt to answer these questions using practical demonstrations that highlight the real threats facing cloud account owners and how the new threat detection capabilities perform in reducing the risks of operating workloads in the public cloud.
While Kubernetes offers new and exciting ways to deploy and scale container-based workloads in production, many organizations may not be aware of the security risks inherent in the out-of-the-box state of most Kubernetes installations, or of the common workload deployment practices that could lead to unintentional compromise. Join Brad Geesaman, the Cyber Skills Development team lead at Symantec, on an eye-opening journey examining real compromises and sensitive data leaks that can occur inside a Kubernetes cluster. The session highlights the configurations that allowed them to succeed, applies the latest built-in security features and policies to prevent those attacks, and provides actionable steps for future detection.
The hardening measures taken in response to the attacks demonstrated will include guidelines for improving configurations installed by common deployment tools, securing the sources of containers, implementing firewall and networking plugin policies, isolating workloads with namespaces and labels, controlling container security contexts, better handling of secrets and environment variables, limiting API server access, examining audit logs for malicious attack patterns, and more.
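As an added illustration of the “examining audit logs for malicious attack patterns” item above (example code written for this page, not code from the talk or from Darkbit): a small Python scanner over constructed Kubernetes API server audit events in the audit.k8s.io/v1 shape that flags pod exec, cross-namespace secret reads by workload service accounts, anonymous requests, and cluster-wide RBAC changes. The sample events and the finding labels are my own assumptions.

```python
import json

# Constructed sample audit events (audit.k8s.io/v1, level=Metadata), one JSON object per line.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous"},"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"responseStatus":{"code":403}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"admin-bind"},"responseStatus":{"code":201}}
"""


def classify(event):
    """Return finding labels for one audit event (empty list if nothing matched)."""
    # Only the completed stage carries the response code; skip RequestReceived duplicates.
    if event.get("stage") != "ResponseComplete":
        return []
    ref = event.get("objectRef", {})
    user = event.get("user", {}).get("username", "")
    verb = event.get("verb")
    code = event.get("responseStatus", {}).get("code", 0)
    findings = []
    # `kubectl exec`/`attach` show up as a create on the pods/exec or pods/attach subresource.
    if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach") and verb == "create":
        findings.append("pod-exec")
    # A workload service account reading secrets outside its own namespace is a classic lateral step.
    if ref.get("resource") == "secrets" and user.startswith("system:serviceaccount:") and verb in ("get", "list", "watch"):
        sa_namespace = user.split(":")[2]  # system:serviceaccount:<namespace>:<name>
        if ref.get("namespace") != sa_namespace:
            findings.append("sa-cross-namespace-secret-read")
    # Any request as system:anonymous, even a denied one, means the API server is reachable unauthenticated.
    if user == "system:anonymous":
        findings.append("anonymous-request" if code >= 400 else "anonymous-request-allowed")
    # Successful writes to cluster-wide RBAC objects are rare in steady state and worth reviewing.
    if ref.get("resource") in ("clusterrolebindings", "clusterroles") and verb in ("create", "update", "patch", "delete") and code < 400:
        findings.append("cluster-rbac-change")
    return findings


def scan(log_text):
    """Parse newline-delimited audit events; return (username, findings) for every event that matched."""
    results = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        findings = classify(event)
        if findings:
            results.append((event["user"]["username"], findings))
    return results


if __name__ == "__main__":
    for username, findings in scan(SAMPLE_AUDIT_LOG):
        print(f"{username}: {', '.join(findings)}")
```

The rules need an audit policy that records at least Metadata level for pods, secrets, and RBAC resources; without that policy, the API server emits none of these events.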