What are MITRE TTPs?
MITRE ATT&CK is a well-known, comprehensive knowledge base that catalogues the Tactics, Techniques, and Procedures (TTPs) that advanced threat actors could use in their attacks. It is not a compliance standard; it is a framework that serves as a foundation for threat models and methodologies.
Applied to Kubernetes, the MITRE ATT&CK model describes how an attacker typically plans to penetrate a cluster and cause damage by working through the stages of an attack lifecycle. The attacker must progress through each of these stages for the attack to succeed.
How to Use the MITRE ATT&CK matrix for Kubernetes?
The MITRE Engenuity ATT&CK framework has 10 tactics:
- Initial Access
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Collection and Exfiltration
- Command and Control
From initial access to command and control, these are the 10 tactics, each of which consists of techniques and sub-techniques.
Protect and Detect Typical TTPs in the MITRE ATT&CK framework with KubeArmor
Organizations currently have a vast number of unsecured workloads and no efficient or unified way to protect them. Often, they are managing multiple, single-purpose security solutions to secure these workload stacks, which can create operational burdens and security gaps.
Today's new capabilities further our commitment to deliver comprehensive cloud workload protection across hybrid and multi-cloud environments. DevOps teams can now efficiently build and deploy their workloads and applications rapidly while helping security teams deliver protection.
KubeArmor is open-source software that protects your cloud workloads at run time.
Take as an example Exaramel for Linux, a backdoor malware written in Go, which maps to several TTPs:
Techniques used for Exaramel for Linux
MITRE ATT&CK Navigator for Exaramel for Linux
Installation of KubeArmor
To install KubeArmor, follow the karmor CLI steps in the KubeArmor installation guide.
Enforcing the KubeArmor policy
Let's enforce a policy for TTP ID T1548.001 (Abuse Elevation Control Mechanism: Setuid and Setgid). Exaramel for Linux can execute commands with high privileges via a specific binary that has the setuid bit set.
Command to enforce the policy:
KubeArmor Policy Template:
Deploy an Ubuntu workload to test the KubeArmor policy.
Sample deployment file:
Now exec into the Ubuntu pod to test the policy.
With KubeArmor in action, the setuid (s-bit) process is blocked.
Audit logs for the s-bit process
To see how to retrieve them, go through our help section.
Audit log created by KubeArmor:
Like this, we can protect against every typical TTP in the MITRE ATT&CK framework.
The MITRE ATT&CK framework provides the required knowledge of how such attacks happen in the real world, and that knowledge helps to harden the Kubernetes cluster with KubeArmor.
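A policy and test workload for the T1548.001 case above, as an added example that is not the post's own template or deployment file: it blocks execution of the setuid binaries shipped in the stock ubuntu image, and the path list, policy name and labels are assumptions for illustration. Apply both documents with `kubectl apply -f`.

```yaml
# Added example (not the post's own template). Blocks execution of the
# setuid binaries shipped in the stock ubuntu image inside the test pod;
# the binary list and the labels are assumptions for illustration.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-setuid-binaries
  namespace: default
spec:
  tags: ["MITRE", "T1548.001"]
  message: "setuid/setgid binary execution blocked (T1548.001)"
  severity: 7
  selector:
    matchLabels:
      app: ubuntu-setuid-test   # must match the Deployment below
  process:
    matchPaths:
    # setuid binaries expected in ubuntu:22.04 (assumption); confirm with
    # `find / -perm -4000 -type f` inside the container before relying on it
    - path: /usr/bin/su
    - path: /usr/bin/passwd
    - path: /usr/bin/chsh
    - path: /usr/bin/chfn
    - path: /usr/bin/gpasswd
    - path: /usr/bin/newgrp
    - path: /usr/bin/mount
    - path: /usr/bin/umount
  action: Block   # change to Audit to log the event without blocking it
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ubuntu-setuid-test
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ubuntu-setuid-test
  template:
    metadata:
      labels:
        app: ubuntu-setuid-test
    spec:
      containers:
      - name: ubuntu
        image: ubuntu:22.04
        command: ["sleep", "infinity"]
```

Once applied, running `su` after `kubectl exec` into the pod is denied, and `karmor logs` shows the matching policy event; with `action: Audit` the same event is logged without blocking.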
To know more, connect with us using the social links given below.
KubeArmor website: https://kubearmor.com/
KubeArmor Slack: Join the KubeArmor community on Slack!
Now you can protect your workloads in minutes using AccuKnox, which protects your Kubernetes and other cloud workloads using kernel-native primitives such as AppArmor, SELinux, and eBPF.
Let us know if you are seeking additional guidance in planning your cloud security program.