Hacker Days: Attacking & Defending Kubernetes - A brief overview
Kubernetes has emerged as the leading container orchestration and management platform for on-prem and cloud environments. However, Kubernetes is a multi-headed beast with many minute and nuanced security configuration parameters, and attackers take advantage of insecurely configured and designed Kubernetes deployments to perform deep incursions into an organization's assets.
This talk will commence with a demonstration of a complex attack on an application deployed on a misconfigured Kubernetes cluster. The objective is to understand the attack vectors exposed when an application runs under a service account with admin-level privileges, and how an attacker can pivot from that application in order to gain complete access to the entire cluster. Using the stolen service account credentials, the attacker can read secrets and deploy malicious pods on the cluster.
The detailed observation of the attack will focus on understanding the flaws across the application, container and cluster layers. We will also look at some container best practices and container-specific vulnerability assessment tools that can be run before containers are deployed on a Kubernetes cluster. We will then discuss mechanisms for defending against such attacks, delving into specific topics such as admission controllers and the use of AppArmor profiles as run-time security measures to harden pods. We will also look at auditing a Kubernetes cluster's security controls to find pods running with insecure configurations.
The talk will conclude with a demonstration of a security-focused CI/CD pipeline that leverages multiple tools. First, Software Composition Analysis (SCA) and Static Application Security Testing (SAST) scans run before the Docker image is built. Once the image has been built, it is scanned for vulnerabilities, and the deployment specification file is scanned for potential misconfigurations. The last stage of the pipeline deploys the built image as a pod on the Kubernetes cluster. Finally, we will look at a tool that scans a deployed cluster for misconfigurations. The talk aims to provide a view of attacking, auditing and defending Kubernetes clusters.
Nithin Jois is a Solutions Engineer at we45, a focused Application Security company. He has helped build Orchestron, a leading Application Vulnerability Correlation and Orchestration Framework, and is experienced in orchestrating containerized deployments securely to production. Nithin and his team have extensively used Docker APIs as a cornerstone of most of the security platforms we45 has developed, and he has also helped we45 clients deploy their applications securely.
Nithin is a passionate Open Source enthusiast and the co-lead developer of ThreatPlaybook, an Open Source framework that facilitates Threat Modeling as Code married with Application Security Automation on a single fabric. He has also written multiple libraries that complement ThreatPlaybook. Nithin is an automation junkie who has built scalable scanner integrations that leverage containers to the hilt, and is passionate about Security, Containers and Serverless technology. He speaks at meetup groups, webinars and training sessions. He participates in multiple CTF events and has worked on creating intentionally vulnerable applications for CTF competitions and Secure Code Training. Nithin was a trainer and speaker at events like AppSecDC-2019, AppSecUS-2018, LasCon-2018, SHACK-2019, AppSecCali-2019, CodeBlue-Japan, DefCon-2019 and BlackHat USA 2019. In his spare time, he loves reading about personal finance, leadership, fitness, cryptocurrency and other such topics. Nithin is an avid traveler and loves sharing stories over a cup of hot coffee.