Try in Splunk Security Cloud

Description

Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. Observability data, such as metrics, play a crucial role in identifying abnormal and potentially malicious behavior within these environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2024-01-08
  • Author: Matthew Moore, Patrick Bareiss, Splunk
  • ID: 7589023b-3d98-42b3-ab1c-bb498e68fc2d

Narrative

Kubernetes, a complex container orchestration system, is a prime target for adversaries due to its widespread use and inherent complexity. This story focuses on the abnormal behavior within Kubernetes environments that can be indicative of security threats. Key areas of concern include the control plane, worker nodes, and network communication, all of which can be exploited by attackers. Observability data, such as metrics, play a crucial role in identifying these abnormal behaviors. These behaviors could be a result of attacks on the control plane, exploitation of misconfigurations, or breaches of containerized applications. For instance, attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, which manages cluster operations, is a prime target and its compromise can give attackers control over the entire cluster. Worker nodes, which run the containerized applications, can also be targeted to disrupt services or to gain access to sensitive data.

Detections

Name Technique Type
Kubernetes Anomalous Inbound Network Activity from Process User Execution Anomaly
Kubernetes Anomalous Inbound Outbound Network IO User Execution Anomaly
Kubernetes Anomalous Inbound to Outbound Network IO Ratio User Execution Anomaly
Kubernetes Anomalous Outbound Network Activity from Process User Execution Anomaly
Kubernetes Anomalous Traffic on Network Edge User Execution Anomaly
Kubernetes Previously Unseen Container Image Name User Execution Anomaly
Kubernetes Process Running From New Path User Execution Anomaly
Kubernetes Process with Anomalous Resource Utilisation User Execution Anomaly
Kubernetes Process with Resource Ratio Anomalies User Execution Anomaly
Kubernetes Shell Running on Worker Node User Execution Anomaly
Kubernetes Shell Running on Worker Node with CPU Activity User Execution Anomaly
Kubernetes newly seen TCP edge User Execution Anomaly
Kubernetes newly seen UDP edge User Execution Anomaly

Reference

source | version: 1