Deception / 08.18.2021

Securing Containers: The NSA perspective

By TrapX Labs

Earlier this month, the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published a Kubernetes Hardening Guidance document.

This very thorough guide is primarily aimed at national security systems and critical infrastructure, but the authors encourage other agencies to adopt their recommendations – and actually any organization adopting containers should consider implementing these best practices.

Attackers’ Goals – Variations on a Theme

According to the guide, data theft remains a primary motivation for attackers, although computational power theft (especially for crypto mining), as well as Denial of Service, are the goals of some campaigns targeting Kubernetes environments.

The top threats identified as likely to be a source of compromise are:

  • Supply chain risk at the container, application or infrastructure level: A malicious container or application from a third party could provide cyber actors with a foothold in the cluster.
  • Malicious threat actor: Someone might exploit vulnerabilities in APIs exposed by the architecture.
  • Insider threat: Admins, privileged users, cloud or infrastructure providers, or any other actor who can get hold of knowledge and/or privileges.

Kubernetes clusters can be complex to secure and are often compromised when bad actors exploit their misconfigurations.

NSA Recommendations for Hardening Kubernetes

The guide includes an overview of Kubernetes architecture, describes the challenges of securing containerized environments and, most importantly, provides a list of recommended hardening measures and mitigations, including sample configurations. At a high level, Kubernetes administrators should:

  • Scan containers and pods for vulnerabilities or misconfigurations.
  • Run containers and pods with the least privileges possible.
  • Use network separation to control the amount of damage a compromise can cause.
  • Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
  • Use strong authentication and authorization to limit user and administrator access, as well as limit the attack surface.
  • Use log auditing, so that administrators can monitor activity and be alerted to potential threats.
  • Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches applied.

These best practices should be an inherent part of the CI/CD process, but how easy are they to implement? 
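One way to turn the least-privilege and misconfiguration-scanning recommendations above into a CI check, as an added example (not code from the NSA/CISA guide or from TrapX): a Python audit of Pod manifests for risky securityContext settings. The two manifests, their names and the image reference are constructed sample input, and the particular set of checks is this example's assumption rather than a list taken from the guide.

```python
# Added example: flag Pod manifests that break least-privilege settings.
HOST_FLAGS = ("hostNetwork", "hostPID", "hostIPC")

def audit_pod(pod):
    """Return a list of least-privilege findings for one Pod manifest (dict)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = [f"pod: {flag} is enabled" for flag in HOST_FLAGS if spec.get(flag)]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Unset means escalation is allowed, so require an explicit false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        # A container-level runAsNonRoot overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot not enforced")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        dropped = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in [d.upper() for d in dropped]:
            findings.append(f"{name}: capabilities do not drop ALL")
    return findings

# Constructed sample manifests (already parsed from YAML into dicts).
WEAK_POD = {
    "metadata": {"name": "legacy-app"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "example.invalid/web:1.0",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "metadata": {"name": "hardened-app"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "web", "image": "example.invalid/web:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", audit_pod(pod) or "OK")
```

Failing the pipeline stage when `audit_pod` returns any finding keeps the check in the delivery path instead of leaving it to a periodic review.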

Complex Environments, Complex Mitigation

According to various Dev, DevOps and DevSecOps threads online discussing these recommendations, many are concerned about the ease (or lack thereof) with which they can implement NSA’s recommendations.

In particular, DevSecOps personnel raise concerns over security never coming first; agility and fast, flexible delivery are much higher on the priorities list.

One commentator described third-party containers and apps as a “complete tire fire”: riddled with vulnerabilities (if not flat-out rogue) and not adhering to configuration best practices. In his opinion, you can either use them and take the risk or build it all yourself, which is, of course, much more time- and resource-intensive.

With respect to hygiene, it’s always a good idea to apply patches as soon as possible. However, “sometimes” is rarely “now” but more likely “after the busy season,” especially with sensitive services. In other words, it may not happen until much later.

Look Sharp, Layer Up, Lay a Trap

Being security-minded should be a top priority for any business and any business unit – not just SecOps or DevSecOps. Dev and DevOps need to make secure coding and deploying second nature.

Forward-looking organizations are implementing Defense in Layers (or Defense in Depth/Breadth), which places encryption, segregation and hygiene as equal priorities. They’re also deploying container-specific security controls, such as deception. Adding a deceptive pod to a node, or creating a “Mirror Maze” deceptive node to distract, divert and detect attackers is a smart addition to your security strategy.

Incorporating deception into your Kubernetes applications to detect exploits, discovery and lateral movement in Kubernetes environments has never been easier – with DeceptionGrid 7.2. To learn more, visit https://info.trapx.com/lp/containers-solution-brief/resources.
