From the cluster to the cloud and back to the cluster: Lateral movements in Kubernetes

Lateral movement is usually the point where a cyber-attack becomes interesting. After gaining initial access, attackers might try to move laterally in the IT environment to reach other, more sensitive, resources. This is no different in Kubernetes: attackers won't stop at a single compromised container; they will try to move laterally inside the cluster and, more importantly, outside the cluster as well. As Kubernetes clusters usually reside in the cloud, access to a container can be a foothold to the entire cloud workload. This can allow attackers to reach various cloud services, such as VMs, storage, secret stores, and also other Kubernetes clusters. We will go over various techniques attackers use for lateral movement in Kubernetes and explain how we, as defenders, can prevent them.

In this session we will take a deep dive into Kubernetes lateral movement. We will elaborate on the different identity types used by Kubernetes and how attackers use those identities to escalate their privileges in the cluster and move laterally to external cloud resources. We will explain the cluster-to-cloud authentication methods offered by the major managed Kubernetes services (AKS, EKS and GKE) and the risks that each one poses. We will show real-world examples of misconfigurations that led to cluster takeovers and explain how they could have been prevented.