What are MITRE TTPs?

MITRE ATT&CK is a well-known, comprehensive knowledge base of the Tactics, Techniques, and Procedures (TTPs) that advanced threat actors could use in their attacks. Rather than a compliance standard, it is a framework that serves as a foundation for threat models and methodologies.

Applied to Kubernetes clusters, the MITRE ATT&CK model describes how an attacker typically plans to infiltrate a cluster and cause damage by moving through the stages of an attack lifecycle. The attacker must progress through each of these stages for the attack to be successful.

How to Use the MITRE ATT&CK matrix for Kubernetes?

The MITRE Engenuity ATT&CK framework for Kubernetes has 10 tactics:

  1. Initial access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential access
  7. Discovery
  8. Lateral Movement
  9. Collection and Exfiltration
  10. Command and Control

From initial access to command and control, these are the 10 tactics, each of which consists of techniques and sub-techniques.

Protect and Detect Typical TTPs in the MITRE ATT&CK framework with KubeArmor

Organizations currently have a vast number of unsecured workloads and no efficient or unified way to protect them. Often, they are managing multiple single-purpose security solutions to secure these workload stacks, which creates operational burdens and security gaps.

“Today's new capabilities further our commitment to deliver comprehensive cloud workload protection across hybrid and multi-cloud environments. DevOps teams can now efficiently build and deploy their workloads and applications rapidly while helping security teams deliver protection.”

KubeArmor is open source software that enables you to protect your cloud workloads at run-time.

  • Let's take an example: Exaramel for Linux, a backdoor malware written in the Go language, which maps to several TTPs.

Techniques used by Exaramel for Linux, with the matching KubeArmor policy template (each policy is a file in kubearmor/policy-templates, pinned to the commit shown):

TTP ID: T1548.001
Name: Abuse Elevation Control Mechanism: Setuid and Setgid
Use: Exaramel for Linux can execute commands with high privileges via a specific binary with setuid functionality.
KubeArmor policy: hsp-mitre-host-block-s-bit.yaml at eff498e8cdf5e2d8417ae9f1baa081ce553b82d1

TTP ID: T1059.004
Name: Command and Scripting Interpreter: Unix Shell
Use: Exaramel for Linux has a command to execute a shell command on the system.
KubeArmor policy: ksp-mitre-t1059.yaml at 97749c62a43db11f0670a24d0a5d5c5adeed9726

TTP ID: T1543.002
Name: Systemd Service
Use: Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.
KubeArmor policy: hsp-mitre-t1543-002.yaml at e2c735085c96568ce8692c375dd43dba902c2560

TTP ID: T1140
Name: Deobfuscate/Decode Files or Information
Use: Exaramel for Linux can decrypt its configuration file.
KubeArmor policy: hsp-mitre-tactic-defense-evasion.yaml at c98900a7164c78356adb73a4a8958d6c265f487f

TTP ID: T1053.003
Name: Scheduled Task/Job: Cron
Use: Exaramel for Linux uses crontab for persistence if it does not have root privileges.
KubeArmor policy: hsp-mitre-crontab-audit.yaml at 7b37b2427bde66ee7e46d0359cdacb2bd18b36eb

TTP ID: T1033
Name: System Owner/User Discovery
Use: Exaramel for Linux can run whoami to identify the system owner.
KubeArmor policy: ksp-mitre-system-owner-user-discovery.yaml at 6e0870773df9df5c132cd96abd0ef7b7086365bf

MITRE ATT&CK Navigator for Exaramel for Linux

Kubernetes Cluster

Installation of KubeArmor

To install KubeArmor, follow the karmor CLI steps in the KubeArmor installation guide.

Enforcing the KubeArmor policy

Let's enforce the policy for TTP ID T1548.001, Abuse Elevation Control Mechanism: Setuid and Setgid. Exaramel for Linux can execute commands with high privileges via a specific binary with setuid functionality.

Command to enforce the policy:

You can simply take advantage of our open-source GitHub inventory and apply the policy directly from there:

kubectl apply -f https://raw.githubusercontent.com/kubearmor/policy-templates/04b6669bf68ec9577ce9333352e268ef7f75402a/mitre/system/ksp-mitre-block-s-bit.yaml

KubeArmor Policy Template:

# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit:
# https://www.accuknox.com/kubearmor/

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mitre-t1548-001-setuid-setgid
  namespace: testns # Change your namespace
spec:
  message: "Blocked the setuid or setgid flag"
  tags: ["MITRE","T1548.001","Privilege Escalation","S-Bit"]
  selector:
    matchLabels:
      container: ubuntu-1  # use your own label here
  process:
    matchPaths:
    - path: /usr/sbin/groupdel
    - path: /usr/sbin/userdel
    - path: /usr/sbin/chgpasswd
    - path: /usr/sbin/groupmod
    - path: /usr/sbin/groupadd
    - path: /usr/sbin/newusers
    - path: /usr/sbin/chpasswd
    - path: /usr/sbin/usermod
    severity: 2 # Higher severity for processes
    action: Block

Deploy an Ubuntu workload to test the KubeArmor policy

Sample deployment file:

apiVersion: v1
kind: Namespace
metadata:
  name: testns

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ubuntu-test
  namespace: testns
  labels:
    deployment: ubuntu-1
spec:
  replicas: 1
  selector:
    matchLabels:
      container: ubuntu-1
  template:
    metadata:
      labels:
        container: ubuntu-1
    spec:
      containers:
      - name: ubuntu-1-container
        image: 0x010/ubuntu-w-utils:latest

Now exec into the Ubuntu pod to test the policy:

kubectl -n testns exec -it <ubuntu pod name> -- bash

With KubeArmor in action, the setuid (s-bit) binaries listed in the policy are blocked from executing.
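The matchPaths list in the policy above is hand-written; the script below, an added example that is not code from the KubeArmor project or the policy-templates repository, derives that list from the image itself by finding every file with the setuid or setgid bit under an extracted container rootfs (assumed to be in SBIT_ROOT, e.g. from docker export) and renders a KubeArmorPolicy in the same shape as the T1548.001 template. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the KubeArmor project or policy-templates repo).
# Enumerates setuid/setgid binaries under a root filesystem and renders a
# KubeArmorPolicy in the shape of the T1548.001 template above, so the
# matchPaths list reflects the binaries that actually carry the s-bit in
# the image instead of a hand-maintained list. Assumption: SBIT_ROOT is an
# extracted container rootfs (e.g. from `docker export`); the function
# names are hypothetical.

# Print files below $1 with the setuid (4000) or setgid (2000) bit set,
# as paths relative to that root (so /usr/sbin/usermod, not $1/usr/...).
find_sbit_binaries() {
  local root="${1%/}"
  find "${root:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
    | sed "s#^${root}##" | sort
}

# Render the policy: $1=namespace, $2=label key, $3=label value; one path per
# line on stdin becomes one matchPaths entry.
render_policy() {
  local ns="$1" key="$2" val="$3" p
  cat <<EOF
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mitre-t1548-001-setuid-setgid
  namespace: ${ns}
spec:
  message: "Blocked the setuid or setgid flag"
  tags: ["MITRE", "T1548.001", "Privilege Escalation", "S-Bit"]
  selector:
    matchLabels:
      ${key}: ${val}
  process:
    matchPaths:
EOF
  while IFS= read -r p; do
    if [ -n "$p" ]; then printf '    - path: %s\n' "$p"; fi
  done
  printf '    severity: 2\n    action: Block\n'
}

# Stand-alone use: SBIT_ROOT=/path/to/rootfs sh gen-sbit-policy.sh testns container ubuntu-1
if [ -n "${SBIT_ROOT:-}" ]; then
  find_sbit_binaries "$SBIT_ROOT" | render_policy "${1:-testns}" "${2:-container}" "${3:-ubuntu-1}"
fi
```

Review the generated list before applying it: some setuid binaries (for example the ones needed by the image's own entrypoint) may need an Audit action first rather than Block.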

Audit logs for S-bit

To see how to view these audit logs, go through our help section.

Audit log created by KubeArmor

In this way, we can protect against every typical TTP in the MITRE ATT&CK framework.

Conclusion

The MITRE ATT&CK framework provides the knowledge needed to understand how such attacks happen in the real world, and KubeArmor helps turn that knowledge into concrete hardening of the Kubernetes cluster.

To know more, connect with us using the social links given below.

KubeArmor website: https://kubearmor.com/

KubeArmor GitHub: https://github.com/kubearmor/KubeArmor (Cloud-native Runtime Security Enforcement System)

KubeArmor Slack: Join the KubeArmor community on Slack!