3-DAY TRAINING 5 – Attacking and Defending Containers, Kubernetes and Serverless



CAPACITY: 15 pax




Organizations are rapidly moving towards microservice-style architectures for their applications. This has led to container and serverless technology being adopted at a rapid rate, with a few organizations even leapfrogging containers by implementing serverless technology for scalability.

Containers have risen in popularity and have been widely used because they help package and deploy consistent-state applications across multiple environments, and are also extremely scalable, especially when they’re complemented with orchestration technologies.

Serverless, on the other hand, seems to be taking over at a rapid rate with increased usage of microservices and polyglot development of applications and services across organizations. Leading container technologies like Docker have risen in popularity and have been widely used because they have helped package and deploy consistent-state applications across multiple environments. Serverless and container orchestration technologies like Kubernetes help these deployments scale massively, which can potentially increase the overall attack surface to a massive extent if security is not given the attention required.

Security remains a key challenge that both organizations and security practitioners face with containerized and serverless deployments. While containers continue to be vulnerable to security threats that plague any typical application deployment, they also face specific security threats related to the containerization daemon, the shared kernel and other shared resources like network, process and the filesystem. Serverless deployments face risks such as insecure deployment configurations, inadequate monitoring and logging of functions, broken authentication, function event data injection, insecure secret storage, and many more. Attacking applications leveraging container and serverless technology requires a specific skill set and a deep understanding of their underlying architecture.

Key Learning Objectives

This 3-day training takes a practical approach with both offensive and defensive flavours, making it ideal for security engineers, red-teamers, DevOps engineers and developers. It includes a plethora of hands-on exercises that have been designed from real-world attacks and the security-specific challenges that we faced while implementing these technologies, helping them test and implement security in a scalable manner.

The training consists of, but is not limited to, the following focus areas in Container Security and Serverless Deployment:

  • Introduction to Container Technology
  • Containerized Deployments and Container Orchestration Technologies
  • Container Threat-Model
  • Attacking Containers and Security deep-dive
  • Introduction to Kubernetes
  • Threat-Model of Orchestration technologies
  • Attacking Kubernetes
  • Kubernetes Defense-in-Depth
  • Logging & Monitoring Orchestrated deployments
  • Introduction to Serverless
  • Deploying Application to AWS Lambda
  • Serverless Threat-Model
  • Attacking a Serverless Stack
  • Serverless Security Deep-dive

Who Should Attend

  • AppSec Engineers and Professionals
  • DevOps Professionals
  • Senior Security Managers overseeing cloud and DevSecOps initiatives
  • Penetration Testers
  • Cloud Engineers
  • Developers

Prerequisite Knowledge

  • Working knowledge of Linux command line
  • Basic knowledge of some (any) programming language may be useful but not mandatory
  • Basic knowledge of Docker may be useful but not mandatory
  • Basic/Rudimentary understanding of Cloud concepts and services

Hardware / Software Requirements

  • A laptop or a tablet (with keyboard) with a browser installed

Lab Management:

  • Our labs are on the cloud and invoked on demand. They are hosted on AWS. We have a self-serve lab system that allows students to run the labs from their browser. Please see this video to get an idea of how our labs work: link
  • The training material is delivered as PDF slides and handouts that can be downloaded.
  • Instructions for each lab are delivered step by step as part of the lab environment.

Agenda – Day 1:

Session 1
Evolution to Container Technology and Container Tech Deep-Dive

  • Introduction to Container Technology
    • Namespace
    • Cgroups
    • Mount
  • Hands-on Lab: Setting up a Minimal Container with nothing but Namespaces and CGroups

Introduction to Containerized Deployments – Understanding and getting comfortable using Docker

  • An Introduction to containers
    • LXC and Linux Containers
    • Introducing Docker Images and Containers
  • Deep-dive into Docker
    • Docker Commands and Cheatsheet
    • Hands-on:
      • Docker commands
      • Dockerfile
      • Images

Session 2
Introduction to Basic Container Orchestration with Docker-Compose

  • Docker Compose
    • Introduction to docker-compose
    • Hands-on:
      • Docker-compose commands
  • Docker Compose Deep-Dive
  • Application Deployment Using docker
    • Hands-on
      • Containerize an application
      • Deploying a containerized application
      • Deploy a containerized application using docker-compose

Threat Landscape – An Introduction to possible threats and attack surface when using Containers for Deployments

  • Threat Model for Containerized Deployments
    • Daemon-related Threats
    • Network related Threats
    • OS and Kernel Threats
    • Threats with Application Libraries
    • Threats from Containerized Applications
  • Traditional Threat-Modelling for Containers with STRIDE
    • Spoofing
    • Tampering
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of privileges

Session 3
Attacking Containers and Containerized Deployments

  • Attacking Containers and Containerized Deployments
    • Hands-on
      • Container Breakout
      • Exploiting Insecure Docker Configurations
      • OS and Kernel level exploits
      • Trojanized Docker images

Securing Containers and Container Deployments

  • Container Security Deep-Dive
    • Hands-on
      • AppArmor/SecComp
      • Restricting Capabilities
      • Analysing Docker images
    • Hands-on: KataContainers
    • Container Security Mitigations
    • Hands-on: Container Vulnerability Assessment
      • Clair
      • Dagda
      • Anchore
      • Docker-bench
  • Security Specific CI for containers
    • Hands-on: Setting up a security pipeline to build, scan and push images

Agenda – Day 2:

Session 1
Introduction to Scalable Container Orchestrators

  • Introduction to Container Orchestrators
  • Getting started with Kubernetes
  • Understanding Kubernetes Architecture and Components
  • Hands-on:
    • Exploring Kubernetes Cluster
    • Deploying application to Kubernetes

Session 2
Attacking Kubernetes Cluster

  • Kubernetes Threat Model
  • Attack Surface for a Kubernetes Cluster
  • Hands-on:
    • Attacking application deployed on Kubernetes
    • Exploiting a Vulnerable Kubernetes cluster
    • Maintaining Persistent Access and Pivoting in the K8s Cluster
  • Dissecting the K8s Attack and identifying Security Missteps
  • Attacking kubelet and gaining access to all configurations and secrets on the cluster

Session 3
Kubernetes Security Deep-Dive

  • K8s Threat Model and its counterpoint in Security Practices
  • Hands-on: Ideal Security Journey: Kubernetes
    • Pod Security
    • Access Control
    • Secret Management
  • Hands-on: Kubernetes Vulnerability Assessment
    • Kube-sec
    • Kube-hunter
    • Kube-bench
  • Hands-on: Logging and Monitoring
    • Logging and Monitoring specific Parameters within the K8s Cluster
    • Identifying anomalies (especially security) with the K8s Cluster
  • Hands-on: K8s Secret management
    • Integrating Vault on a K8s cluster
    • Storing secrets securely on Kamus
  • Hands-on: Kubernetes Network Security Implementation
    • Network Security Policy
    • Service Mesh – Istio/Envoy
  • Security Specific CI/CD for kubernetes
    • Setting up a security pipeline to securely deploy on a k8s cluster

Agenda – Day 3:

Session 1
Serverless Introduction

  • Understanding Serverless and FaaS (Function-as-a-Service)
  • Quick tour of FaaS (Function-as-a-Service) and BaaS (Backend-as-a-Service)
  • Introduction to AWS Lambda, S3, Open-FAAS and other Serverless options

Serverless Deep-Dive

  • Introduction to Architecture of Serverless Deployments
  • Hands-on: Deploying a Serverless application

Session 2
Attacking Serverless applications

  • Serverless Architectures Security Top 10 – A Project similar to OWASP Top 10 for Serverless Apps
  • Function Data Event Injection Attacks against FaaS Implementations:
    • Hands-on Labs – Function Data Event Injection (Multiple Sources)
    • Other Injection and Remote Code Execution attacks against Serverless Apps
  • Broken Access Control
    • Hands-on: Attacking Stateless Authentication and Authorization (JSON Web Tokens)
      • Algorithm Confusion
      • Inherent JWT flaws – none signed token, etc
      • Attacks based on JWK and JWT Claims
    • Attacking Identity and Access Management through Serverless Implementations
      • Hands-on: View of IAM Sprawl and Permissions
      • Hands-on: Attacking with DynamoDB Injection + IAM Permissions creep
  • Other Serverless Attacks
    • Hands-on: Extracting Secrets from FaaS Implementations
    • Hands-on: Leveraging Vulnerabilities like ReDoS to perform Resource Exhaustion Attacks
    • Hands-on: Exploiting Function Execution Order for fun and profit!

Session 3
Securing Serverless applications

  • Securing Serverless applications
    • Identity and Access Management
    • Secret management
      • Hands-on: Secrets Management with AWS Secrets Manager + Rotation
    • Logging and Monitoring Functions
      • Hands-on: Security Practices for Logging Serverless Functions
      • Hands-on: Using AWS X-Ray/Zipkin to leverage tracing for security
  • Hands-on: Serverless Vulnerability Assessment
    • Static Code Analysis [SCA]
    • Static Application Security Testing [SAST]
    • Dynamic Analysis Security Testing [DAST]
  • CI/CD for Serverless Functions – With Security specific pipeline

Capture The Flag

  • Attacking a Serverless Application – mini CTF Segment

Location: Training Rooms
Date: July 20, 2020
Time: 9:00 am - 6:00 pm
Nithin Jois Sharath Kumar