By Cynthia Brumfield
Earlier this week, the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint document entitled Kubernetes Hardening Guidance. Kubernetes is an open-source orchestration system that relies on containers to automate the deployment, scaling and management of applications, usually in a cloud environment. According to the most recent State of Kubernetes Security report by RedHat, more than half the security professionals surveyed said they delayed deploying Kubernetes applications into production due to security.
[ Follow these 5 tips for better cloud security. | Get the latest from CSO by signing up for our newsletters. ]
In addition, almost all the security respondents said they had one security incident in their Kubernetes environment during the past year. Underscoring the depth of security concerns surrounding Kubernetes, 59% of respondents said they are most worried about unaddressed security and compliance needs or threats to containers.
The rapid shift to cloud environments, particularly since the advent of the pandemic, undoubtedly heightens these security concerns. It’s little surprise, then, that NSA and CISA felt the need to help organizations deal with security in a containerized environment, which is more complex than “traditional, monolithic software platforms.” Although the agencies tailored their guidance to system administrators of national security systems (systems containing classified or intelligence information) and critical infrastructure, they encourage administrators of federal and state, local, tribal, and territorial (SLTT) government networks to also implement the recommendations.
Within the Kubernetes architecture are clusters composed of control planes and one or more physical or virtual machines called worker nodes, which host pods that comprise one or more containers. The containers house software packages and all their dependencies.
The joint guidance says that while Kubernetes has always been a target for malicious actors to steal data, threat actors are increasingly drawn to Kubernetes systems to steal computation power, often for cryptocurrency mining.
The document spells out the following three most likely threats for a Kubernetes cluster:
The 59-page document spells out how Kubernetes is structured, from the smallest unit called pods, which consist of one or more containers, all the way through cluster networking. In addition, it contains hardening strategies to avoid common misconfigurations and guide system administrators and developers on how to deploy Kubernetes. The joint guidance also offers example configurations for the recommended hardening measures and mitigations.
The joint guidance recommends that administrators:
Dr. Trevor Morgan, product manager at German data protection and compliance company Comforte AG, tells CSO that the joint guidance document is “a very good report. It’s bringing something to the forefront: data security and its relationship to the cloud. That’s where Kubernetes ultimately comes into play.”
“We all think of the cloud as our OneDrive or our Dropbox or whatever. Businesses are pushing a lot of data either into their own private cloud, a public cloud, or Amazon, so a lot of information is going offsite. It is no longer within the quote-unquote protected environment of the organization,” says Morgan. “The real problem with that is for some reason, when we give something away, we just think, ‘Oh well, somebody else is going to take care of that.’ There’s almost this false sense of security as organizations leverage cloud-based services where security is concerned.”
It is this false sense of security that the Kubernetes guidance seeks to dismantle by offering detailed explanations of the various components of Kubernetes architecture and explain how security can be tightened with each component. “This report is really critical because they point to the fact that when data goes out into a cloud environment, often powered by Kubernetes containers, threat actors are after the data that you’re pushing out there,” Morgan says.
Regarding why the NSA and CISA might be releasing this report now, Morgan thinks they’re putting out helpful information in the wake of a string of high-profile and destructive cybersecurity incidents such as the ransomware attacks on Colonial Pipeline and Saudi Aramco. “This report is like a public service announcement. It’s a little bit of a forward-thinking education.”
The Kubernetes guidance also comes out almost a month after NSA, CISA and the FBI issued a joint advisory warning about Russian threat actor using Kubernetes clusters to launch attacks, although there is no clear connection between this event and the new guidance. According to this advisory, from at least mid-2019 to early 2021, Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, otherwise known as APT28 or Fancy Bear, used a Kubernetes cluster to conduct “widespread, distributed, and anonymized brute force access attempts against hundreds of government and private-sector targets worldwide.” The agencies further warned that these attacks are likely ongoing.
The organizations targeted in the campaign cover a wide swath of government and political organizations, defense contractors, energy companies, logistics companies, think tanks, universities, law firms, and media companies. The brute-force capability allowed the Russian actors to access protected data, including email, and identify valid account credentials they s could use to gain initial access, persistence, privilege escalation, and defense evasion.
At the time of the advisory, the three agencies asked organizations to adopt a series of cyber hygiene measures such as two-factor authentication, strong passwords, and a zero trust security regime. The agencies also suggested organizations deny all inbound activity from known anonymization services, such as commercial virtual private networks and The Onion Router (TOR).
More on cloud security:
Copyright © 2021 IDG Communications, Inc.
Copyright © 2021 IDG Communications, Inc.
By Cynthia Brumfield