Practical Approach to Breaking & Pwning Kubernetes Clusters (Virtual)

May 25 & 26, 2023

Course Abstract

Containers and Kubernetes are everywhere. The adoption of Kubernetes use in production has increased to 83% from a survey by CNCF. Still, most security teams struggle to understand these modern technologies.

In this training, we will learn tactics, techniques, and procedures (TTP). We will start with understanding architecture and its attack surface. Then we will dive into each layer of security starting from the supply chain, infrastructure, runtime, and many others. From an attacker’s perspective participants can assess and attack Kubernetes Cluster environments to gain access to microservices, sensitive data, escaping containers, escalating to clusters privileges, and even its underlying cloud environments.

Outline

Day 1

Section-1

  • Introduction to Training & Customised Lab
  • Kubernetes 101 - Fasttrack Edition
  • Security Architecture review & Attack Trees using MITRE ATT&CK framework
  • kubectl kung-fu to explore the cluster
  • Attacking the supply chain by exploiting private registry
  • Pwning the container images and gaining access to the cluster
  • Exploiting security misconfigurations in the cluster

Section-2

  • Escaping out of the container to the host system to gain more privileges
  • Bypassing NSP and gaining unauthorized access to other microservices
  • Lateral movement from container to node and then complete cluster access
  • Escalating from ServiceAccount to more RBAC privileges (No least privileges)
  • Helm with Tiller service = ClusterPwn (Complete cluster takeover)
  • Gaining access to k8s volumes, logs of the services, and sensitive data
  • From application vulnerability to cloud provider access (attack chain)

Day 2

Section-3

  • Hacker Container - The Swiss Army knife for hacking Kubernetes Clusters
  • Exploiting Kubernetes Secrets and gaining access to third-party services
  • DoS the services and cluster nodes by resources exemption
  • Understanding Admission controller and possible attack surface around Webhooks
  • Persisting in the clusters using Sidecar/Cronjob/DaemonSets
  • Defense evasion techniques for Kubernetes Cluster environments
  • Some useful hacks around kubectl (cheatsheet will be provided)

Section-4

  • Tools, techniques for beyond manual exploitation and analysis
  • KubeAudit, KubeSec, k9s, trivy, dockle, rakkess, linters, and many others…
  • Performing Docker & K8S CIS benchmarks to find all the possible security risks
  • Auditing the cluster security posture from Code to Production running cluster
  • Real-World case studies of Kubernetes Hacking, Vulnerabilities and Exploits
  • Best practices, Recommendations based on the Security Maturity
  • Resources & references to further your attacks, exploitation, more learning

Who Should Attend

  • Security Engineers, Penetration Testers, and Security Architects
  • Red & Blue Teams, who wish to see both offensive and defensive side
  • Cloud, SRE, DevOps, and DevSecOps teams
  • Anyone interested in learning more about Kubernetes Securityested in learning more about attacks and the offensive side of Kubernetes and Containersed environments security

What You Need

  • Laptop with a modern browser and wireless internet connectivity

Bio

Madhu Akula Security Analyst,

Madhu Akula is a pragmatic security leader and creator of Kubernetes Goat, an intentionally vulnerable by design Kubernetes Cluster to learn and practice Kubernetes Security. Also published author and Cloud-Native Security Architect with extensive experience. Also, he is an active member of the international security, DevOps, and Cloud-Native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, etc). He holds industry certifications like CKA (Certified Kubernetes Administrator), OSCP (Offensive Security Certified Professional), etc. Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON 24, 26, 27, 29 & 30, BlackHat EU, Asia, USA 2018, 19, 21 & 22, USENIX LISA 2018, 19 & 21, SANS Cloud Security Summit 21 & 22, O’Reilly Velocity EU 2019, Github Satellite 2020, OWASP AppSec EU 2018 & 19, 22, All Day DevOps 2016, 17, 18, 19, 20, 21 & 22, DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n 2017, 18, 20, Nullcon 2018, 19, 21 & 22, SACON, Serverless Summit, null and multiple others. His research has identified vulnerabilities in over 200+ companies and organizations including; Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP, Adobe, etc. and is credited with multiple CVEs, Acknowledgements, and rewards. He is co-author of Security Automation with Ansible2, which is listed as a technical resource by Red Hat Ansible. He is the technical reviewer for Learn Kubernetes Security, Practical Ansible2 books by Packt Pub. Also won 1st prize for building an Infrastructure Security Monitoring solution at InMobi flagship hackathon among 100+ engineering teams.

Return to training sessions