NSA, CISA Report Outlines Risks, Mitigations for Kubernetes

Two of the largest government security agencies are laying out the key cyberthreats to Kubernetes, the popular platform for orchestrating and managing containers, and ways to harden the open-source tool against attacks.

In a 52-page report released this week, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) noted the advantages to enterprises of using Kubernetes to automate the deployment, scaling and management of containers and of running it in the cloud, citing both the flexibility and security benefits when compared to traditional, monolithic software platforms.

“However, securely managing everything from microservices to the underlying infrastructure introduces other complexities,” the report’s authors wrote. “Kubernetes clusters can be complex to secure and are often abused in compromises that exploit their misconfigurations.”

Containers, Kubernetes Take Over

Since Docker hit the scene in 2013, containers have become a primary way for developers to create and deploy applications in an increasingly distributed IT world of on-premises data centers, public and private clouds, and the edge. Kubernetes was developed by engineers at Google as a way to run applications in the cloud, and Google contributed it to the open-source community in 2014.

Established tech companies – including Red Hat (now owned by IBM) with OpenShift, VMware with Tanzu and Canonical, as well as top cloud providers like Amazon Web Services (AWS), Microsoft Azure and Google Cloud – have since embraced Kubernetes as a key part of their larger hybrid cloud strategies. Gartner has predicted that by next year, 75 percent of organizations will be running containerized applications in production.

The report from the NSA and CISA noted the rising popularity of Kubernetes for managing everything from microservices and pods (a group of containers with shared storage and networking) up through clusters (a set of node machines for running containerized applications). Kubernetes has also become a target for cybercriminals, according to the report.

“Kubernetes can be a valuable target for data and/or compute power theft,” the authors wrote. “While data theft is traditionally the primary motivation, cyber actors seeking computational power (often for cryptocurrency mining) are also drawn to Kubernetes to harness the underlying infrastructure. In addition to resource theft, cyber actors may also target Kubernetes to cause a denial of service.”


Three Threat Areas

The threat comes from three primary areas, they wrote: supply chain risks (an attack vector that became a high-profile threat after the SolarWinds attack), malicious threat actors and insider threats.

“Supply chain risks are often challenging to mitigate and can arise in the container build cycle or infrastructure acquisition,” the authors wrote. “Malicious threat actors can exploit vulnerabilities and misconfigurations in components of the Kubernetes architecture, such as the control plane, worker nodes, or containerized applications. Insider threats can be administrators, users, or cloud service providers. Insiders with special access to an organization’s Kubernetes infrastructure may be able to abuse these privileges.”

Hardening Kubernetes Environments

The NSA and CISA report dives into detail on ways organizations can harden their Kubernetes environments, which boil down to seven key areas. They include scanning containers and pods for vulnerabilities or misconfigurations, running them with the least privileges possible, and using network separation to control the amount of damage if a compromise occurs.

The agencies also suggest using firewalls to limit unnecessary network connectivity, encryption to protect confidentiality, and strong authentication and authorization to limit user and administrator access and reduce the attack surface. Organizations can also use log auditing so that administrators can monitor activity and be alerted to potential malicious activity, and can periodically review Kubernetes settings and run vulnerability scans to ensure risks are accounted for and security patches are applied.
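An added example, not code from the NSA/CISA report or from this article: a small Python check of the kind a pod misconfiguration scan performs for least-privilege settings. The two manifests are constructed samples, and the fields checked (`privileged`, `allowPrivilegeEscalation`, `runAsNonRoot`, `readOnlyRootFilesystem` and the host namespace flags) are an assumed subset of what a full scanner would cover.

```python
import json

# Constructed sample manifests (not from the report): one weak, one hardened.
WEAK_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "weak"},
 "spec": {"hostNetwork": true,
          "containers": [{"name": "app", "image": "example/app:1.0",
                          "securityContext": {"privileged": true}}]}}
""")
HARDENED_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "hardened"},
 "spec": {"securityContext": {"runAsNonRoot": true},
          "containers": [{"name": "app", "image": "example/app:1.0",
                          "securityContext": {"allowPrivilegeEscalation": false,
                                              "readOnlyRootFilesystem": true}}]}}
""")

def audit_pod(pod):
    """Return sorted least-privilege findings for one Pod manifest (dict)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    # Sharing host namespaces defeats the network/process separation goal.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field) is True:
            findings.append(f"pod: {field} is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged container")
        # Kubernetes treats an unset allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        # Container-level setting overrides the pod-level one when present.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot not enforced")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
    return sorted(findings)

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "no findings")
```

An empty result means only that these specific settings are in place; it says nothing about image vulnerabilities, RBAC or network policy.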


Kubernetes a ‘Growing Problem’

Trevor Morgan, product manager with data security specialist comforte AG, told eSecurity Planet that the government’s report “points to a growing problem in the cybersecurity space, namely the risks associated with data processed or housed within Kubernetes environments. The report rightfully acknowledges that sensitive data is the primary target in these environments, something that threat actors are desperate to obtain and subsequently leverage.”

The agencies do a good job laying out the need for a robust, varied and comprehensive cybersecurity strategy, rather than one that relies on only one or two methods to protect information, Morgan said. Encryption is a key tool, although “enterprises need to be aware of the fact that encryption comes with its own issues, including sometimes complex key management and the fact that encrypting data doesn’t necessarily preserve data format,” he said.

Other data-centric methods include things like tokens, which both preserve the original format and make data meaningless to anyone trying to leverage it, Morgan said.

Kubernetes in the Crosshairs

Kubernetes security has come up a few times in recent weeks. Most recently, officials with security firm Qualys said this week that the company is working with Red Hat to better secure not only the OpenShift platform but also the underlying host operating system, Red Hat Enterprise Linux CoreOS. Qualys is providing a containerized cloud agent built on the Qualys Cloud Platform that integrates with users’ vulnerability management workflows. It helps reduce risks through deep visibility into the host operating system and OpenShift and reports back metrics to reduce risk.

In June, Microsoft reported that attackers were using misconfigured dashboards to plant malicious TensorFlow pods for cryptomining in Kubernetes clusters running Kubeflow instances.

Late last month, cybersecurity solutions vendor Intezer reported that bad actors were exploiting misconfigured instances of Argo Workflow – an open-source and cloud-native workflow engine that helps enterprises run parallel tasks on Kubernetes – to push cryptomining malware into the cloud. The vulnerability allowed attackers to run their own malicious code via the Argo dashboard.

They could use the misconfiguration not only to run the cryptomining malware but also to steal data, the researchers wrote in a blog post.

Andrew Barratt, managing principal for solutions and investigations at cybersecurity consultancy Coalfire, said the Argo vulnerability shows “how the growing complexity of orchestrated, containerized cloud solutions can quickly get out of control if not managed well. Misconfiguration is probably one of the largest causes of vulnerabilities across the board. When you add in containerized products such as Argo that specialize in compute-intensive solutions, you’ve a real sweet spot to look for vulnerabilities to drop highly intensive malware such as cryptominers in a way that means they might go unnoticed until a larger-than-expected compute bill arrives from your cloud provider.”

‘Sophisticated Attack Platform’

Orchestration platforms are an interesting attack surface because of the various ways bad actors can use them, including in sophisticated lateral attacks, Barratt told eSecurity Planet. That doesn’t mean organizations should stop using them, but “it’s really important to see them as a sophisticated attack platform, with a lot of capabilities and typically elevated privileges as well as often the ability to build and deploy resources with an immediate cost associated,” he said.

Yaniv Bar-Dayan, co-founder and CEO of risk remediation firm Vulcan Cyber, told eSecurity Planet that the complexity and scale of enterprise cloud deployments mean there will be breaches due to human error, and that misconfiguration is one of several risk-inducing vulnerabilities.

“IT security teams need a consolidated view of risk across cloud application environments as well as traditional IT infrastructure,” Bar-Dayan said. “Then they need a plan to prioritize and mitigate this risk. No easy task, but it is possible through procedural and organization discipline. If security teams can understand and prioritize risk created by cloud misconfigurations alongside IT infrastructure and application vulnerabilities, they have a shot at reducing risk and improving the security posture of business.”

Jeff Burt
Jeffrey Burt has been a journalist for more than three decades, the last 20-plus years covering technology. During more than 16 years with eWEEK, he covered everything from data center infrastructure and collaboration technology to AI, cloud, quantum computing and cybersecurity. A freelance journalist since 2017, his articles have appeared on such sites as eWEEK, eSecurity Planet, Enterprise Networking Planet, Enterprise Storage Forum, The Next Platform, ITPro Today, Channel Futures, Channelnomics, SecurityNow, and Data Breach Today.
