Awesome Kubernetes (K8s) Threat Detection
A curated list of resources about detecting threats and defending Kubernetes systems.
Contents
- Books
- Conferences
- Talks and Videos
- Blogs and Articles
- TTPs / Attack Matrices
- Tools
- Detection Rules and Analytics
- People
Books
- Hacking Kubernetes by Andrew Martin, Michael Hausenblas [free download] [amazon]
- Kubernetes Security and Observability by Brendan Creane, Amit Gupta [amazon]
- Security Observability with eBPF by Jed Salazar and Natalia Reka Ivanko
- Gray Hat Hacking, 6th Ed. (relevant chapters) by Allen Harper, Ryan Linn, Stephen Sims, Michael Baucom, Huascar Tejeda, Daniel Fernandez, Moses Frost [amazon]
- Kubernetes Patterns, 2nd Edition, Part 5: Security Patterns by Bilgin Ibryam and Roland Huss [amazon]
- Container Security Book by Liz Rice [amazon]
Conferences
- eBPF Summit [2022] [2021] [2020]
- CloudNative SecurityCon
Talks and videos
All of these videos can also be found in this YouTube playlist.
Detection
- Keynote: Detecting Threats in GitHub with Falco
- Threat Hunting at Scale: Auditing Thousands of Clusters With Falco
- Security Kill Chain Stages in a 100k+ Daily Container Environment with Falco
- Falco to Pluginfinity and Beyond
- Purple Teaming Like Sky's the Limit - Adversary Emulation in the Cloud
- Uncovering a Sophisticated Kubernetes Attack in Real Time Part II.
- Keeping your cluster safe from attacks with eBPF
- Threat Modeling Kubernetes: A Lightspeed Introduction
Hardening
- Securing Kubernetes Applications by Crafting Custom Seccomp Profiles
- The Hitchhiker's Guide to Pod Security
- You and Your Security Profiles; Generating Security Policies with the Help of eBPF
- Using the EBPF Superpowers To Generate Kubernetes Security Policies
- Komrade: an Open-Source Security Chaos Engineering (SCE) Tool for
Attacks
- Advanced Persistence Threats: The Future of Kubernetes Attacks
- Bypassing Falco: How to Compromise a Cluster without Tripping the SOC
- A Treasure Map of Hacking (and Defending) Kubernetes
- How Attackers Use Exposed Prometheus Server to Exploit
- Trampoline Pods: Node to Admin PrivEsc Built Into Popular K8s Plat
- Three Surprising K8s Networking "Features" and How to Defend Against Them
- A Compendium of Container Escapes
- The Path Less Traveled: Abusing Kubernetes Defaults
Supply Chain
- Securing Your Container Native Supply Chain with SLSA, Github and Te
- Keynote: Securing Shopify's Software Supply Chain - Shane Lawrence, Shopify
Networking
- Kubernetes Networking 101 (1h26m)
- A Guided Tour of Cilium Service Mesh
- Cilium: Welcome, Vision and Updates
- Cloud-Native Building Blocks: An Interactive Envoy Proxy Workshop (1h25m)
Blogs and Articles
Detection
- Detecting a Container Escape with Cilium and eBPF
- Detecting and Blocking log4shell with Isovalent Cilium Enterprise
- Threat Hunting with Kubernetes Audit Logs
- Threat Hunting with Kubernetes Audit Logs - Part 2
- Lateral movement risks in the cloud and how to prevent them - Part 2: from compromised container to cloud takeover
- Lateral movement risks in the cloud and how to prevent them - Part 3: from compromised cloud resource to Kubernetes cluster takeover
- Dive into BPF: a list of reading material
- Deep Dive into Real-World Kubernetes Threats
- Understanding Docker container escapes
- Consider All Microservices Vulnerable - And Monitor Their Behavior
- K8 Audit Logs
- Kubernetes Hunting & Visibility
- SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
- Detecting Cryptomining Attacks in the wild
- Threat Alert: Kinsing Malware Attacks Targeting Container Environments
- TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations
- TeamTNT Targeting AWS, Alibaba
- Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes
- Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments
- CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes
Hardening
- NSA Kubernetes Hardening Guide
- Securing Kubernetes Clusters by Eliminating Risky Permissions
- Container security fundamentals: Exploring containers as processes
- Container security fundamentals part 2: Isolation & namespaces
- Kubernetes Security Checklist
- Under-documented Kubernetes Security Tips
Attacks
- Attacker persistence in Kubernetes using the TokenRequest API: Overview, detection, and prevention
- Tetragone: A Lesson in Security Fundamentals
- How I Hacked Play-with-Docker and Remotely Ran Code on the Host
- The Route to Root: Container Escape Using Kernel Exploitation
- (Twitter thread) Quick and dirty way to get out of a privileged k8s pod or Docker container by using the cgroups release_agent feature.
- Bad Pods: Kubernetes Pod Privilege Escalation [code/examples]
- Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks
- GKE Kubelet TLS Bootstrap Privilege Escalation
TTPs / Attack Matrices
- MITRE ATT&CK Containers Matrix
- Threat matrix for Kubernetes
- Secure containerized environments with updated threat matrix for Kubernetes
- OWASP Kubernetes Top 10
- OWASP Kubernetes Top 10 (Sysdig)
- AVOLENS Kubernetes Threat Matrix
Tools
Detection
Hardening
- seccomp - "can be used to sandbox the privileges of a process, restricting the calls it is able to make from userspace into the kernel."
- AppArmor - "AppArmor is a Linux kernel security module that supplements the standard Linux user and group based permissions to confine programs to a limited set of resources. AppArmor can be configured for any application to reduce its potential attack surface and provide greater in-depth defense."
- Kubernetes Network Policy Recipes
- OPA Gatekeeper - "A customizable cloud native policy controller that helps enforce policies and strengthen governance"
Simulation / Experimentation
- Stratus Red Team - Stratus Red Team is "Atomic Red Team™" for the cloud, allowing you to emulate offensive attack techniques in a granular and self-contained manner.
- falcosecurity/event-generator
- minikube - minikube implements a local Kubernetes cluster on macOS, Linux, and Windows. minikube's primary goals are to be the best tool for local Kubernetes application development and to support all Kubernetes features that fit.
- controlplaneio/simulator
- kubernetes-goat
- Sock Shop: A Microservices Demo Application
Attack
- kubesploit
- Falco-bypasses
- go-pillage-registries
- ConMachi
- peirates
- botb
- kubernetes-info.nse script
- kube-hunter
- MTKPI
Platforms
- m9sweeper - "m9sweeper is a free and easy Kubernetes security platform. It integrates industry-standard open source utilities into a one-stop-shop Kubernetes security tool that can walk most Kubernetes administrators through securing a Kubernetes cluster as well as the apps running on the cluster."
- anchore - "Software Composition Analysis from Code to Cloud: Enables security teams to find every piece of software in cloud native applications. Block and fix security issues in minutes rather than days."
- Prisma Cloud Compute Edition (formerly Twistlock) - "Prisma Cloud secures applications from code to cloud, enabling security and DevOps teams to effectively collaborate to accelerate secure cloud-native application development and deployment."
- sysdig - "Sysdig is a universal system visibility tool with native support for containers"
- Aqua Security - "Unified Cloud Security: Accelerate secure innovation and protect your entire development lifecycle from code to cloud and back."
Misc
Detection Rules and Analytics
- Elastic kubernetes detection rules
- Falco Rules
- Panther Labs gcp_k8s_rules
- Sigma cloud/azure/kube*.yml
- Sigma cloud/gcp/kube*.yml
- Splunk Analytic Story: Kubernetes Scanning Activity
- Splunk Analytic Story: Kubernetes Sensitive Object Access Activity
- Tracee Signatures
- Projectdiscovery/nuclei-templates
People
All the Twitter accounts below are on this Twitter list: awesome-k8-threat-detect
- @_fel1x
- @Antonlovesdnb
- @bibryam
- @bradgeesaman
- @christophetd
- @g3rzi
- @htejeda
- @iancoldwater
- @jrfastab
- @LachlanEvenson
- @lizrice
- @mhausenblas
- @mosesrenegade
- @nataliaivanko
- @raesene
- @ramesh-ramani
- @randyabernethy
- @saschagrunert
- @sethsec
- @shaul-ben-hai
- @sshaybbc
- @Steph3nSims
- @sublimino
- @sussurro
- @sys_call
- @tgraf__
- @tixxdz
- @tpapagian
- @willfindlay
- @yuvalavra
- @jimmesta