jasontrost-databricks/awesome-kubernetes-threat-detection

A curated list of resources about detecting threats and defending Kubernetes systems.

Awesome Kubernetes (K8s) Threat Detection

A curated list of resources about detecting threats and defending Kubernetes systems.

Contents

• 📚 Books
• 🏫 Conferences
• 📹 Talks and Videos
• 📰 Blogs and Articles
• 🧮 TTPs / Attack Matrices
• 🛠 Tools
• 🔍 Detection Rules and Analytics
• 🤖 People

Books

• Hacking Kubernetes By Andrew Martin, Michael Hausenblas [amazon]
• Kubernetes Security and Observability by Brendan Creane, Amit Gupta [amazon]
• Security Observability with eBPF by Jed Salazar and Natalia Reka Ivanko
• Gray Hat Hacking, 6th Ed. (relevant chapters) By Allen Harper, Ryan Linn, Stephen Sims, Michael Baucom, Huascar Tejeda, Daniel Fernandez, Moses Frost [amazon]
  • Ch 29. Hacking on Containers [Ch 29 Labs]
  • Ch 30. Hacking on Kubernetes [Ch 30 Labs]
• Kubernetes Patterns, 2nd Edition, Part 5: Security Patterns by Bilgin Ibryam and Roland Huss [amazon]
• Container Security Book by Liz Rice [amazon]

Conferences

• eBPF Summit [2022] [2021] [2020]
• CloudNative SecurityCon

Talks and videos

All of these videos can also be found in this YouTube playlist.

Detection

• Keynote: Detecting Threats in GitHub with Falco
• Threat Hunting at Scale: Auditing Thousands of Clusters With Falco
• Security Kill Chain Stages in a 100k+ Daily Container Environment with Falco
• Falco to Pluginfinity and Beyond
• Purple Teaming Like Sky’s the Limit – Adversary Emulation in the Cloud
• Uncovering a Sophisticated Kubernetes Attack in Real Time Part II.
• Keeping your cluster safe from attacks with eBPF
• Threat Modeling Kubernetes: A Lightspeed Introduction

Hardening

• Securing Kubernetes Applications by Crafting Custom Seccomp Profiles
• The Hitchhiker's Guide to Pod Security
• You and Your Security Profiles; Generating Security Policies with the Help of eBPF
• Using the EBPF Superpowers To Generate Kubernetes Security Policies
• Komrade: an Open-Source Security Chaos Engineering (SCE) Tool for

Attacks

• Advanced Persistence Threats: The Future of Kubernetes Attacks
• Bypassing Falco: How to Compromise a Cluster without Tripping the SOC
• A Treasure Map of Hacking (and Defending) Kubernetes
• How Attackers Use Exposed Prometheus Server to Exploit
• Trampoline Pods: Node to Admin PrivEsc Built Into Popular K8s Plat
• Three Surprising K8s Networking “Features” and How to Defend Against Them
• A Compendium of Container Escapes

Supply Chain

• Securing Your Container Native Supply Chain with SLSA, Github and Te
• Keynote: Securing Shopify's Software Supply Chain - Shane Lawrence, Shopify

Networking

• Kubernetes Networking 101 (1h26m)
• A Guided Tour of Cilium Service Mesh
• Cilium: Welcome, Vision and Updates
• Cloud-Native Building Blocks: An Interactive Envoy Proxy Workshop (1h25m)

Blogs and Articles

Detection

• Detecting a Container Escape with Cilium and eBPF
• Detecting and Blocking log4shell with Isovalent Cilium Enterprise
• Threat Hunting with Kubernetes Audit Logs
• Threat Hunting with Kubernetes Audit Logs - Part 2
• Lateral movement risks in the cloud and how to prevent them – Part 2: from compromised container to cloud takeover
• Lateral movement risks in the cloud and how to prevent them – Part 3: from compromised cloud resource to Kubernetes cluster takeover
• Dive into BPF: a list of reading material
• Deep Dive into Real-World Kubernetes Threats
• Understanding Docker container escapes
• Consider All Microservices Vulnerable — And Monitor Their Behavior
• K8 Audit Logs
• Kubernetes Hunting & Visibility
• SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
• Detecting Cryptomining Attacks in the wild

Hardening

• NSA Kubernetes Hardening Guide
• Securing Kubernetes Clusters by Eliminating Risky Permissions
• Container security fundamentals: Exploring containers as processes
• Kubernetes Security Checklist
• Under-documented Kubernetes Security Tips

Attacks

• Attacker persistence in Kubernetes using the TokenRequest API: Overview, detection, and prevention
• Tetragone: A Lesson in Security Fundamentals
• How I Hacked Play-with-Docker and Remotely Ran Code on the Host
• The Route to Root: Container Escape Using Kernel Exploitation
• (twitter thread)Quick and dirty way to get out of a privileged k8s pod or docker container by using cgroups release_agent feature.
• Bad Pods: Kubernetes Pod Privilege Escalation [code/examples]
• Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks
• GKE Kubelet TLS Bootstrap Privilege Escalation

TTPs / Attack Matrices

• MITRE ATT&CK Containers Matrix
• Threat matrix for Kubernetes
• Secure containerized environments with updated threat matrix for Kubernetes
• OWASP Kubernetes Top 10
• OWASP Kubernetes Top 10 (Sysdig)

Tools

Detection

• falco
• tetragon
• sysdig
• tracee
• security-guard

Hardening

• seccomp - "can be used to sandbox the privileges of a process, restricting the calls it is able to make from userspace into the kernel."
• AppArmor - "AppArmor is a Linux kernel security module that supplements the standard Linux user and group based permissions to confine programs to a limited set of resources. AppArmor can be configured for any application to reduce its potential attack surface and provide greater in-depth defense."
• Kubernetes Network Policy Recipes

Simulation / Experimentation

• Stratus Red Team - Stratus Red Team is "Atomic Red Team™" for the cloud, allowing to emulate offensive attack techniques in a granular and self-contained manner.
  • see Kubernetes Attacks
• falcosecurity/event-generator
• minikube - minikube implements a local Kubernetes cluster on macOS, Linux, and Windows. minikube's primary goals are to be the best tool for local Kubernetes application development and to support all Kubernetes features that fit.
• controlplaneio/simulator
• kubernetes-goat
• Sock Shop: A Microservices Demo Application

Attack

• kubesploit
• Falco-bypasses
• go-pillage-registries
• ConMachi
• peirates
• botb
• kubernetes-info.nse script
• kube-hunter

Misc

• kube-iptables-tailer
• inspektor-gadget

Detection Rules and Analytics

• Elastic kubernetes detection rules
• Falco Rules
• Panther Labs gcp_k8s_rules
• Sigma cloud/azure/kube*.yml
• Sigma cloud/gcp/kube*.yml
• Splunk Analytic Story: Kubernetes Scanning Activity
• Splunk Analytic Story: Kubernetes Sensitive Object Access Activity
• Tracee Signatures
• Projectdiscovery/nuclei-templates
  • technologies/kubernetes
  • exposed-panels/kube*.yaml
  • misconfiguration/kubernetes
  • exposures/configs/kube*.yaml

People

All the twitter accounts below are on this Twitter list: awesome-k8-threat-detect

• @_fel1x
• @Antonlovesdnb
• @bibryam
• @bradgeesaman
• @christophetd
• @g3rzi
• @htejeda
• @iancoldwater
• @jrfastab
• @LachlanEvenson
• @lizrice
• @mhausenblas
• @mhausenblas
• @mosesrenegade
• @nataliaivanko
• @raesene
• @ramesh-ramani
• @randyabernethy
• @saschagrunert
• @sethsec
• @shaul-ben-hai
• @sshaybbc
• @Steph3nSims
• @sublimino
• @sussurro
• @sys_call
• @tgraf__
• @tixxdz
• @tpapagian
• @willfindlay
• @yuvalavra
• @jimmesta