NSA and CISA Report Outlines Risks and Mitigation Measures for Kubernetes
Two of the largest government security agencies expose key cyber threats to Kubernetes, the popular platform for orchestrating and managing containers, and ways to bolster the open source tool against attacks.
In a 52-page report released this week, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) highlighted the benefits for organizations that use Kubernetes to automate the deployment, scaling, and management of containers running in the cloud, citing both flexibility and security advantages over monolithic software platforms.
“However, managing everything from microservices to the underlying infrastructure securely introduces other complexities,” the report’s authors wrote. “Kubernetes clusters can be complex to secure and are often abused in compromises that exploit their poor configurations.”
Containers, Kubernetes take over
Since Docker first appeared in 2013, containers have become a preferred way for developers to build and deploy applications in an increasingly distributed computing world of on-premises data centers, public and private clouds, and the edge. Kubernetes was developed by engineers at Google as a way to run applications in the cloud, and Google contributed it to the open source community in 2014.
Established tech companies – including Red Hat (now owned by IBM) with OpenShift, VMware with Tanzu, and Canonical, as well as major cloud providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud – have since embraced Kubernetes as a key component of their broader hybrid cloud strategies. Gartner has predicted that by next year, 75% of organizations will be running containerized applications in production.
The NSA and CISA report noted the growing popularity of Kubernetes for managing everything from microservices and pods (a group of containers with shared storage and networking) to clusters (a collection of node machines that run containerized applications). It has also become a target for cybercriminals, according to the report.
“Kubernetes can be a valuable target for data and/or computing power theft,” the authors wrote. “While data theft has traditionally been the primary motivation, cyber actors looking for computational power (often for cryptocurrency mining) are also drawn to Kubernetes to exploit the underlying infrastructure. In addition to stealing resources, cyber actors can also target Kubernetes to trigger a denial of service.”
Three threat areas
The threat stems from three main areas, they wrote: supply chain risks (an attack vector that became a high profile threat after the SolarWinds attack), malicious actors, and insider threats.
“Supply chain risks are often difficult to mitigate and can arise during the container build cycle or the acquisition of infrastructure,” the authors wrote. “Malicious actors can exploit vulnerabilities and configuration errors in components of the Kubernetes architecture, such as the control plane, worker nodes, or containerized applications. Insider threats can be administrators, users, or cloud service providers. Insiders with special access to an organization’s Kubernetes infrastructure may be able to abuse these privileges.”
Hardening Kubernetes environments
The NSA and CISA report details how organizations can harden their Kubernetes environments, which boils down to seven key areas. They include scanning containers and pods for vulnerabilities or misconfigurations, running them with the least privilege possible, and using network separation to contain the extent of damage in the event of a compromise.
The agencies also suggest using firewalls to limit unnecessary network connectivity, encryption to protect confidentiality, and strong authentication and authorization to reduce user and administrator access as well as the attack surface. Organizations can also use log auditing so that administrators can monitor activity and be alerted to potentially malicious activity, and periodically review Kubernetes settings and run vulnerability scans to ensure that risks are accounted for and that security patches are applied.
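The least-privilege and misconfiguration-scanning recommendations above can be turned into a concrete check. The following is an added example, not code from the NSA/CISA report or from eSecurity Planet: it audits a Kubernetes Pod manifest (as the plain dictionary a YAML loader would return) for the settings that most often turn a container compromise into a node compromise, and compares a weak manifest against a hardened one. The two manifests, the `example.invalid` image names, the digest placeholder, and the `DANGEROUS_CAPS` list are constructed for the example.

```python
"""Least-privilege audit of a Kubernetes Pod manifest.

Added example, not code from the NSA/CISA report or from eSecurity Planet.
Manifests are plain dicts (what yaml.safe_load would return), so it runs offline.
"""
from __future__ import annotations

from typing import Any

# Capabilities that effectively hand a container the host; assumed list for the example.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_RAW", "DAC_READ_SEARCH"}


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return one finding string per least-privilege violation; an empty list means clean."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Sharing host namespaces lets a container see host processes, sockets, or IPC.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: spec.{key} is true")

    # hostPath volumes expose the node filesystem to the pod.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(f"{name}: volume {vol.get('name', '?')} mounts hostPath {path}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        prefix = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones, so fall back to the pod context.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        caps = sc.get("capabilities", {})

        if sc.get("privileged"):
            findings.append(f"{prefix}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # the Kubernetes default is true
            findings.append(f"{prefix}: allowPrivilegeEscalation not set to false")
        if not run_as_non_root and run_as_user in (None, 0):
            findings.append(f"{prefix}: may run as root")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{prefix}: root filesystem is writable")
        if "ALL" not in {x.upper() for x in caps.get("drop", [])}:
            findings.append(f"{prefix}: does not drop ALL capabilities")
        for cap in caps.get("add", []):
            if cap.upper() in DANGEROUS_CAPS:
                findings.append(f"{prefix}: adds dangerous capability {cap}")
    return findings


# Constructed sample: a pod with the weak settings the guidance warns about.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web", "image": "example.invalid/web:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    },
}

# Constructed sample: the same workload with least-privilege settings applied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "example.invalid/web@sha256:<digest-placeholder>",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["no findings"])
```

Run against the weak manifest the audit reports eight findings (host network, hostPath mount, privileged mode, privilege escalation allowed, possible root, writable root filesystem, no dropped capabilities, SYS_ADMIN added); the hardened manifest produces none. The same function can be run over every manifest in a repository as part of the periodic configuration review the report recommends.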
Kubernetes, a “growing problem”
Trevor Morgan, product manager at data security specialist comforte AG, told eSecurity Planet that the government report “points to a growing problem in the cybersecurity space, namely the risks associated with data processed or hosted in Kubernetes environments. The report rightly acknowledges that sensitive data is the primary target in these environments, something threat actors are desperate to obtain and eventually exploit.”
The agencies do a good job of emphasizing the need for a robust, diverse and comprehensive cybersecurity strategy, rather than one that relies on just one or two methods to protect information, Morgan said. Encryption is a key tool, although “businesses should be aware that encryption has its own issues, including sometimes complex key management and the fact that data encryption does not necessarily preserve the data format,” he said.
Other data-centric methods include tokenization, which both preserves the original format and renders the data meaningless to anyone trying to mine it, Morgan said.
Kubernetes in the crosshairs
Kubernetes security has come up several times in recent weeks. Most recently, officials at security firm Qualys said this week that the company is working with Red Hat to better secure not only the OpenShift platform but also the underlying host operating system, Red Hat Enterprise Linux CoreOS. Qualys provides a containerized cloud agent built on the Qualys cloud platform that integrates with users’ vulnerability management workflows. It gives deep visibility into the host operating system and OpenShift and reports metrics that help reduce risk.
In June, Microsoft reported that attackers were using misconfigured dashboards to install malicious TensorFlow pods for cryptomining in Kubernetes clusters running Kubeflow instances.
At the end of last month, cybersecurity solutions provider Intezer reported that malicious actors were exploiting misconfigured instances of Argo Workflows – an open source, cloud-native workflow engine that helps businesses run parallel tasks on Kubernetes – to push cryptomining malware into the cloud. The misconfiguration allowed attackers to execute their own malicious code through the Argo dashboard.
They could exploit the misconfiguration not only to run cryptomining malware but also to steal data, the researchers wrote in a blog post.
Andrew Barratt, senior director of solutions and investigations at cybersecurity consultancy Coalfire, said the Argo vulnerability shows “how the growing complexity of orchestrated and containerized cloud solutions can quickly spiral out of control if not well managed. Misconfiguration is probably one of the main causes of vulnerabilities at all levels. When you add containerized products like Argo that specialize in compute-intensive solutions, you have a really great place to look for vulnerabilities to drop very intensive malware like cryptominers in a way which means they can go unnoticed until a larger-than-expected compute invoice arrives from your cloud provider.”
“Sophisticated attack platform”
Orchestration platforms are an interesting attack surface because of the different ways bad actors can use them, including in sophisticated lateral attacks, Barratt told eSecurity Planet. This doesn’t mean that companies should stop using them, but “it’s really important to think of them as a sophisticated attack platform, with a lot of capabilities and generally high privileges, as well as often the ability to create and deploy resources with an immediate associated cost,” he said.
Yaniv Bar-Dayan, co-founder and CEO of risk remediation firm Vulcan Cyber, told eSecurity Planet that the complexity and scale of enterprise cloud deployments mean that there will be breaches due to human error, and that misconfiguration is one of many risk-creating vulnerabilities.
“IT security teams need a consolidated view of risk in cloud application environments as well as traditional IT infrastructure,” said Bar-Dayan. “Then they need a plan to prioritize and mitigate that risk. It is not an easy task, but it is possible thanks to procedural and organizational discipline. If security teams can understand and prioritize risks created by cloud misconfigurations, as well as vulnerabilities in IT infrastructure and applications, they have a chance to reduce risk and improve business security.”