A new MITRE ATT&CK security framework for Containers and Kubernetes

Last week (April 29th) the MITRE org released the ATT&CK matrix for Containers. The release marks the culmination of a research project investigating the viability of container-related techniques into an ATT&CK matrix. Based on extensive community feedback and contributions (which I was happy to take part in) a new ATT&CK for Containers matrix was created and published. In Cisco, we’re working hard to support and contribute to this effort. We started it a few months back when we reached the conclusion that the existing frameworks used to assess Kubernetes clusters security level were not adequate to the real needs and threats. The common Kubernetes risk assessment framework was based on the popular CIS benchmarks for Kubernetes. This framework consists of a comprehensive set of tests covering all the Kubernetes elements' configuration security best practices. Yet, the framework doesn't address other attack vectors which are not based on security misconfigurations. Malicious attacks can start by multiple elements expanding beyond security misconfigurations. But there were additional operational elements that pushed for a new framework. The popular managed Kubernetes services (for example, AWS EKS, Azure AKS, or Google’s GKE) doesn’t provide access to the clusters elements which are tested by the CIS benchmarks, making it hard to assess the security status of these services. These considerations led us to work on a new risk-assessment framework verifying that all other attack methods, steps, and stages are covered. In addition, what makes the ATT&CK matrix a great candidate is the fact it’s based only on tactics and techniques which were used in real attacks, making it very concrete (even if not exclusive). Kubernetes is fast becoming the industry standard in cloud-native container orchestration, but simultaneously it’s also super complex, and not everyone really understands it well. On top of that, managing its security with rapid deployments and constant changes involves many different roles collaborating together, which has its obvious advantages, but can make things even more complicated. This is especially true when dealing with technology that at its core is so advanced. And, despite the shift-left movement, in fact, it turns out that not all developers are even entirely aware that this is what they’re using! This all makes it hard to manage security for Kubernetes. Understanding Kubernetes security starts with understanding how Kubernetes can be breached. Hence, security teams need a complete picture to every role involved in protecting the security of your organization’s Kubernetes clusters, like that of the original MITRE ATT&CK® matrix assessing all the attack stages and reviewing each tactic and technique which can be exercised in malicious attacks. The ATT&CK® matrix provides the technical detail of how attacks are performed, alongside an explanation as to what attackers aim to achieve by performing said technical steps. This combination is fundamental in aiding collaboration between the different technical roles, each of which naturally has a different perspective, and therefore needs different details in order to take action. Accordingly, the model accounts for:

• Tactics – the attack vector, the ultimate objective of an attacker
• Techniques and sub-techniques – the methods used to achieve said objectives
• Documented attacks describing how adversaries achieved these tactics by using the associated techniques
• Recommendations for remediation

In our next blog, we’ll drill down into each of the tactics and techniques to see what it’s really all about.