| Initial access | Execution | Persistence | Privilege escalation | Defense evasion | Credential access | Discovery | Lateral movement | Collection | Impact |
|---|---|---|---|---|---|---|---|---|---|
| Using Cloud | Exec into Container | Backdoor Container | Privileged Container | Clear Container Logs | List K8s secrets | Access the K8s API server | Access cloud resources | Images from a private repository | Data Destruction |
| Compromised images in registry | bash/cmd in container | Writable hostPath mount | Cluster-admin binding | Delete k8s events | Mount service principal | Access Kubelet API | Container service account | | Resource hijacking |
| Kubeconfig file | New container | Kubernetes CronJob | hostPath mount | Pod / container name similarity | Access container service account | Network mapping | Cluster internal networking | | Denial of Service |
| Application vulnerability | Application exploit (RCE) | Malicious admission controller | Access cloud resources | Connect from proxy server | Applications credentials in configuration files | Access Kubernetes dashboard | Applications credentials in configuration files | | |
| Exposed sensitive interfaces | SSH server running inside container | | Disable Namespacing | | Access managed identity credentials | Instance metadata API | Writable volume mounts on the host | | |
| | Sidecar injection | | | | Malicious admission controller | | CoreDNS poisoning | | |
| | | | | | | | ARP poisoning and IP spoofing | | |
The MITRE ATT&CK® framework is a knowledge base of known tactics and techniques used in cyberattacks. Starting with coverage for Windows and Linux, the MITRE ATT&CK matrices cover the stages of a cyberattack (tactics) and elaborate the known methods within each stage (techniques). These matrices help organizations understand the attack surface of their environments and verify that they have adequate detections and mitigations for the various risks. MITRE ATT&CK framework tactics include:
Many attack techniques in the context of Kubernetes differ from those that target Linux or Windows hosts; the tactics, on the other hand, are largely the same. For example, translating the first four tactics from an operating system to a container cluster looks like this: (1) "initial access to the computer" becomes "initial access to the cluster", (2) "malicious code on the computer" becomes "malicious activity on the containers", (3) "maintain access to the computer" becomes "maintain access to the cluster", and (4) "gain higher privileges on the computer" becomes "gain higher privileges in the cluster".
Microsoft therefore created the first Kubernetes attack matrix: an ATT&CK-like matrix comprising the major techniques relevant to container orchestration security, with a focus on Kubernetes. Redguard has extended this version of the Kubernetes Attack Matrix, in particular by adding specific examples to simulate the techniques and references for learning more about them and related topics.
Thanks to Microsoft for creating the initial version of the Kubernetes Threat Matrix ❤️
We really appreciate your work, which we have further extended and made more accessible.