Kubernetes has become a de facto way of running containerized workloads from startups to enterprises and governments, however like most modern technology, it’s not mature, especially in regards to security. Given its nature of being immutable and things happening in a matter of seconds, it’s super hard to perform security detection and incident response.
In this talk we will be focusing on the MITRE ATT&CK matrix for Kubernetes with showcasing what things can go wrong in different phases of the running container workloads, then we map back to what we should observe, collect, analyze, monitor, alert, and respond. We will showcase all the possible mappings of the matrix to the detection engineering. We will also cover some interesting real-world examples of hacks, known vulnerabilities, and misconfiguration. We will also showcase how we simulate these attacks in a controlled environment using the Kubernetes Goat project.