Shrinking Your Threat Surface as Kubernetes Adoption Skyrockets
June 12, 2024

James Maskelony
Expel

Kubernetes has become increasingly ubiquitous as organizations across the globe pivot to embrace a more container-based model for application development and code deployment. Today, 85% of organizations say they use Kubernetes, with nearly a third of those indicating they fully transitioned their applications to the system.

For developers and engineers, Kubernetes represents a significant — and welcome — shift. Rather than building larger and larger applications, Kubernetes allows them to scale horizontally, adding more versions of the application where necessary and simplifying the process of code distribution and deployment. This leaves developers free to focus on mission-critical tasks, rather than constantly fretting over administrative concerns like managing upkeep, adding additional servers, or monitoring for outages.

Unfortunately, Kubernetes also comes with drawbacks — mainly in the form of security vulnerabilities that most businesses have yet to fully wrap their minds around. The benefits of Kubernetes have led to something of a gold rush, but soaring Kubernetes adoption rates have outpaced the ability of many organizations to secure their containers effectively. Using Kubernetes as a foothold, attackers are often able to spread across different systems and devices — and security analysts don't always have the tools they need to detect these incursions, let alone stop them. As the shift toward Kubernetes continues, organizations need to understand how to effectively protect their environments — or risk becoming the next major victim of a breach.

How Attackers Can Exploit Kubernetes Environments

One of the biggest problems when it comes to securing Kubernetes environments is the simple lack of expertise. Because Kubernetes is still (relatively) new, there are only so many security operators who understand the ins and outs of protecting the system — and those who do are in high demand.

Well-resourced organizations with strong in-house security resources may be able to attract and retain those experts, but this won't be an option for everyone. Small and mid-sized businesses (SMBs) in particular may not have the necessary resources to build and maintain that level of in-house expertise, forcing them to look to outside experts and partners to supplement their knowledge and capabilities.

There are multiple ways adversaries can attack Kubernetes environments, and they often involve exploiting this knowledge gap. Accidental misconfigurations are common, and a simple mistake like granting unnecessary permissions to an account or user can create an easy opening for attackers. Third-party attacks have also become increasingly common across all elements of security, and Kubernetes could be used to proliferate a compromised element throughout the organization. There are also attackers who target Kubernetes directly, manipulating applications to run malicious commands that grant them access to secure environments. Currently, our observation of these attacks is limited to more sophisticated threat actors (or skilled red teamers), but this is likely to change as attackers become increasingly familiar with the Kubernetes landscape.

As with any cyberattack, attacks targeting Kubernetes can be devastating to an organization. While there are damaging activities an attacker might perform within Kubernetes environments themselves, gaining access via Kubernetes often serves as a stepping-stone to the broader network. The danger isn't always what attackers can do with Kubernetes — it's where they might go from there.

Initial Steps to Lock Down Kubernetes Environments

The first — and arguably most important — step an organization can take is to make use of existing security guidelines and information sharing opportunities. Security teams across the globe are strapped for resources, but helpful security guidelines and threat intelligence data are surprisingly easy to come by.

Established advisory bodies like MITRE publish free security frameworks, and there are tools that can help organizations map those recommendations directly onto their Kubernetes environments. That makes it much easier for businesses to understand the potential attack paths adversaries might take when accessing their cloud environments, helping security teams not only track attackers but also anticipate the movements they are most likely to make and the tactics they are most likely to use. It's also a good idea to make sure developers and security teams have a close working relationship so that security professionals understand what "normal" looks like. This can help them avoid falsely flagging "suspicious" behavior that is actually just benign developer activity.

A lot of ink has been spilled on the idea of "shifting left," and for good reason: embracing a "shift left" mentality is a critical way to ensure that necessary security measures are introduced earlier in the application development lifecycle. Rather than attempting to shoehorn security measures into an application after the fact, organizations should be seeking to identify potential vulnerabilities during the development process and implementing appropriate mitigation measures as a matter of course. Identifying vulnerabilities early helps reduce the burden on developers — not to mention reducing the potential for costly mistakes.

Finally, preventing malicious initial access is one of the most important and effective ways to protect Kubernetes environments. This requires organizations to stitch together the authentication logs from their cloud identity and access management (IAM) service or other authentication provider along with the API activity logs from the Kubernetes system. Authentication flows happen outside the Kubernetes cluster and won't be logged there — but once a user is authenticated, security teams should be able to identify authorization decisions and follow up on the activities recorded in the Kubernetes audit logs. If suspicious activity or unauthorized access attempts are detected in one or both of these areas, security teams should have a good idea where to look for attackers and where additional protections may be needed in the future.
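One way to implement the log stitching described above, as an added example that is not part of the original article or Expel's tooling: the Kubernetes records follow the audit.k8s.io/v1 Event format, while the IAM record layout, every log line and the eight-hour session window are constructed assumptions for illustration.

```python
"""Correlate cloud IAM authentication events with Kubernetes audit-log
events. Added example, not Expel's code. The Kubernetes records follow the
real audit.k8s.io/v1 Event shape; the IAM record layout is a constructed,
simplified stand-in for whatever the identity provider actually exports."""
import json
from datetime import datetime, timedelta

# Constructed sample data. IAM: who authenticated, from where, when.
IAM_LOG = """
{"ts":"2024-06-12T09:55:00Z","principal":"alice@example.com","source_ip":"10.0.0.5","outcome":"success"}
{"ts":"2024-06-12T09:58:00Z","principal":"bob@example.com","source_ip":"10.0.0.9","outcome":"failure"}
"""
# Kubernetes audit log (audit.k8s.io/v1 Event, Metadata level), one JSON object per line.
K8S_AUDIT = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"alice@example.com"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"dev"},"requestReceivedTimestamp":"2024-06-12T10:01:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"prod"},"requestReceivedTimestamp":"2024-06-12T10:30:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"bob@example.com"},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"clusterrolebindings"},"requestReceivedTimestamp":"2024-06-12T10:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:default"},"sourceIPs":["10.1.0.3"],"objectRef":{"resource":"configmaps"},"requestReceivedTimestamp":"2024-06-12T10:06:00.000000Z"}
"""
WINDOW = timedelta(hours=8)  # assumed session lifetime; tune to the IdP's token TTL

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def load_jsonl(text):
    return [json.loads(l) for l in text.strip().splitlines() if l.strip()]

def correlate(iam_text, k8s_text, window=WINDOW):
    """Return findings for human (non-service-account) API calls that have no
    matching successful IAM login, or whose source IP differs from the login's."""
    logins = [r for r in load_jsonl(iam_text) if r["outcome"] == "success"]
    findings = []
    for ev in load_jsonl(k8s_text):
        user = ev["user"]["username"]
        if user.startswith("system:"):
            continue  # in-cluster identities never pass through the external IdP
        t = parse_ts(ev["requestReceivedTimestamp"])
        prior = [r for r in logins if r["principal"] == user
                 and 0 <= (t - parse_ts(r["ts"])).total_seconds() <= window.total_seconds()]
        what = f'{ev["verb"]} {ev["objectRef"]["resource"]}'
        if not prior:
            findings.append((user, "api-call-without-auth", what))  # possible stolen credential
        elif ev["sourceIPs"][0] not in {r["source_ip"] for r in prior}:
            findings.append((user, "source-ip-mismatch", what))  # token used from another host
    return findings

if __name__ == "__main__":
    for f in correlate(IAM_LOG, K8S_AUDIT):
        print(*f)
```

Each finding names the principal, the reason, and the Kubernetes verb and resource, which is what an analyst needs to pivot from the IAM side to the cluster side.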

Taking the First Steps Toward Kubernetes Security

The emergence of Kubernetes as a developer-friendly system for application development has been a significant boon for many businesses, but failure to implement appropriate security capabilities has rendered these environments — and the organizations that use them — vulnerable to attack. While Kubernetes expertise is not always easy to come by for businesses, there are simple and immediate steps that most can take to begin protecting their Kubernetes environments more effectively. By making use of publicly available resources, embracing a shift-left mentality, and implementing stronger authentication capabilities, today's organizations can avoid making their Kubernetes environments an easy target for attackers.

James Maskelony is Senior Detection & Response Engineer at Expel