February 26, 2021

Part 9 - Mapping the MITRE ATT&CK framework to your Kubernetes cluster: Impact on the Cluster

This is the ninth and the last part of a series on the MITRE ATT&CK framework for Kubernetes, covering the Impact tactic with examples.

Table of Contents

Introduction

Impact

     Data Destruction

     Resource Hijacking

     Denial of Service

Conclusion

References

Introduction

(This is the last post of a 9-part blog series that explains the Kubernetes threat matrix created by Microsoft, modelled on MITRE ATT&CK, from an attacker's perspective, and attempts to show how real-world attackers use the techniques covered in the framework to gain access to, execute in, persist in and explore Kubernetes cluster environments.)

Use this index to navigate to and read the rest of the posts in this series

(This blog post discusses the last tactic described in the MITRE ATT&CK framework for Kubernetes - Impact)

In the last post, we looked at the techniques in the Lateral Movement tactic of the MITRE ATT&CK framework for Kubernetes. Let's look at the next tactic, Impact, and the techniques that attackers use within it. For reference, here's the matrix that Microsoft created as a visual cue to the overall tactics and techniques that attackers use when attacking a Kubernetes cluster.

Kubernetes ATT&CK matrix

Impact

The Impact tactic describes techniques that attackers use to destroy data, abuse access or change the cluster environment so as to cause a Denial of Service for legitimate users. The techniques under Impact are consequences of the malicious actions an attacker takes rather than actual ways of executing the actions that lead to those outcomes.

Data Destruction

An attacker with full cluster control can scale down deployments, delete storage volumes, terminate running pods, drain nodes or delete any data reachable through the running services.

For example, an attacker could use the credentials obtained from configuration files or the Kubernetes secrets store to connect to a MySQL server and issue DROP DATABASE commands.

Resource Hijacking

This is one of the most common consequences of a cluster compromise, especially for managed clusters in the cloud. Attackers take control of compromised resources and use them to run tasks of their own choosing, cryptocurrency mining being the typical example.
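Hijacked compute is only as valuable to the attacker as the resources the pod is allowed to consume and the images it is allowed to run. The following is an added example, not code from the original post, of an admission-style check over a core/v1 Pod manifest: it flags containers with no CPU or memory limit, containers that run privileged, and images pulled from a registry outside an allow-list. The allow-list `ALLOWED_REGISTRIES` and the sample manifests are constructed for this example.

```python
"""Admission-style check for pod specs that would be attractive for resource
hijacking. Added example; field names follow the core/v1 Pod schema, while the
registry allow-list and the sample pods below are constructed for illustration."""

from typing import Dict, List, Tuple

# Hypothetical allow-list of image registries (assumption for this example).
ALLOWED_REGISTRIES: Tuple[str, ...] = ("registry.example.internal/", "docker.io/library/")


def image_registry(image: str) -> str:
    """Return the registry prefix an image reference resolves to.

    A bare name such as "nginx:1.21" resolves to Docker Hub's library
    namespace; "user/app:1.0" resolves to Docker Hub; anything whose first
    path component looks like a host (dot, port or "localhost") is a registry.
    """
    first, sep, _ = image.partition("/")
    if not sep:
        return "docker.io/library/"
    if "." in first or ":" in first or first == "localhost":
        return first + "/"
    return "docker.io/"


def check_pod_spec(pod: Dict, allowed_registries=ALLOWED_REGISTRIES) -> List[str]:
    """Return a list of findings; an empty list means the pod passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        # Without limits a hijacked container can consume the whole node.
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"container {name}: no {res} limit")
        # Privileged containers can escape to the node and hijack it directly.
        if c.get("securityContext", {}).get("privileged") is True:
            findings.append(f"container {name}: runs privileged")
        # Images from unapproved registries are how attacker-chosen workloads arrive.
        image = c.get("image", "")
        if image_registry(image) not in allowed_registries:
            findings.append(f"container {name}: image {image!r} is from an unapproved registry")
    return findings


# Constructed sample manifests for this example.
CLEAN_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{
        "name": "app", "image": "registry.example.internal/app:1.0",
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
    }]},
}

RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "job"},
    "spec": {"containers": [
        {"name": "app", "image": "registry.example.internal/app:1.0",
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
        {"name": "unbounded", "image": "unknownuser/tool:latest",
         "securityContext": {"privileged": True}},
    ]},
}

if __name__ == "__main__":
    for pod in (CLEAN_POD, RISKY_POD):
        print(pod["metadata"]["name"], check_pod_spec(pod) or ["ok"])
```

The same checks are usually enforced cluster-wide with a ResourceQuota and LimitRange per namespace plus an admission policy for image provenance; the function above shows what those controls evaluate.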

Denial of Service

A Denial of Service occurs when legitimate users of applications running within the cluster can no longer reach them; the same applies to any resource object within the cluster. An attacker makes a resource unavailable simply by deleting it, by altering its configuration so that it is no longer reachable, or by updating it in a way that changes its meaning entirely.
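Every action listed under Data Destruction and Denial of Service above (deleting volumes or namespaces, scaling deployments down, cordoning nodes before a drain, terminating pods) goes through the API server and lands in the Kubernetes audit log. The following is an added example, not code from the original post, that triages audit events for those calls. Field names follow `audit.k8s.io/v1` (`stage`, `verb`, `user.username`, `objectRef`, `requestObject`); the event lines are constructed for this example, and the scale and cordon rules assume an audit policy at level `Request` or higher, since `requestObject` is not recorded at `Metadata` level.

```python
"""Triage of Kubernetes audit events for Impact-style API calls. Added example;
event field names follow audit.k8s.io/v1, and the sample log lines below are
constructed for illustration."""

import json
from typing import Dict, Iterable, List, Optional

# Resources whose deletion destroys data or takes services down outright.
HIGH_VALUE_DELETE = {
    "persistentvolumeclaims", "persistentvolumes", "namespaces",
    "deployments", "statefulsets", "secrets", "nodes",
}
DELETE_VERBS = ("delete", "deletecollection")
WRITE_VERBS = ("patch", "update")


def triage_event(ev: Dict) -> Optional[Dict]:
    """Return a finding for one audit event, or None if it is uninteresting."""
    # Each request is logged at several stages; judge it once, on completion.
    if ev.get("stage") != "ResponseComplete":
        return None
    ref = ev.get("objectRef", {})
    verb = ev.get("verb")
    resource = ref.get("resource")
    user = ev.get("user", {}).get("username", "<unknown>")
    # requestObject is only present when the audit policy level is Request or above.
    spec = (ev.get("requestObject") or {}).get("spec") or {}

    reason, severity = None, "high"
    if verb in DELETE_VERBS and resource in HIGH_VALUE_DELETE:
        reason = f"delete of {resource}"
    elif verb in DELETE_VERBS and resource == "pods" and not user.startswith("system:"):
        # Controllers delete pods constantly; a human or app principal doing it is notable.
        reason, severity = "pod deleted by a non-system principal", "low"
    elif (verb in WRITE_VERBS and resource == "deployments"
          and ref.get("subresource") == "scale" and spec.get("replicas") == 0):
        reason = "deployment scaled to zero replicas"
    elif verb in WRITE_VERBS and resource == "nodes" and spec.get("unschedulable") is True:
        reason = "node cordoned (first step of a drain)"

    if reason is None:
        return None
    return {
        "severity": severity,
        "user": user,
        "verb": verb,
        "target": f"{resource}/{ref.get('namespace', '-')}/{ref.get('name', '-')}",
        "reason": reason,
    }


def triage_audit_log(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines audit output and return all findings in log order."""
    findings: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = triage_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed audit events for this example (one JSON object per line).
SAMPLE_AUDIT_LOG = """
{"stage":"RequestReceived","verb":"delete","user":{"username":"jane"},"objectRef":{"resource":"persistentvolumeclaims","namespace":"prod","name":"db-data"}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"jane"},"objectRef":{"resource":"persistentvolumeclaims","namespace":"prod","name":"db-data"}}
{"stage":"ResponseComplete","verb":"patch","user":{"username":"jane"},"objectRef":{"resource":"deployments","subresource":"scale","namespace":"prod","name":"web"},"requestObject":{"spec":{"replicas":0}}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:monitoring:prometheus"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-7d9f"}}
{"stage":"ResponseComplete","verb":"patch","user":{"username":"jane"},"objectRef":{"resource":"nodes","name":"node-1"},"requestObject":{"spec":{"unschedulable":true}}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-7d9f"}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:default:builder"},"objectRef":{"resource":"namespaces","name":"staging"}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-a1b2"}}
"""

if __name__ == "__main__":
    for f in triage_audit_log(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"[{f['severity']}] {f['user']} {f['verb']} {f['target']}: {f['reason']}")
```

In practice these rules run in whatever consumes the audit webhook or log file; the point of the example is which fields distinguish routine controller activity from the destructive calls the Impact tactic describes.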

Conclusion

With the Impact tactic, an attacker attempts to prevent the cluster from serving its primary purpose of servicing the users of the cluster. Attackers can destroy data, alter the state of data and resources, make them inaccessible to cause a denial of service or simply hijack the resources to perform malicious pre-orchestrated tasks like cryptocurrency mining and malware hosting.

The MITRE ATT&CK threat matrix serves as a guide that defenders and authorized security testers can use to understand how an attack on a cluster could unfold, all the way from obtaining Initial Access to performing destructive actions under the Impact tactic.

References

***

This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security. If you wish to give your feedback on this article, you can write to us here.

Written by:
Riyaz Walikar


Chief Hacker

Riyaz is a security evangelist, offensive security expert and researcher with over a decade of experience in the cyber security industry. His passion to break into some of the most well defended networks and systems in his career spanning 15 years has earned him a lot of respect within the security industry. He has led Security Assessment and Penetration Testing teams at Pricewaterhouse Coopers (PwC) and Appsecco, and the Product Security Team at Citrix before co-founding Kloudle. Riyaz now specializes in cloud native, container and cloud security in general, helping build an easy to use security management platform to help companies enhance their visibility in the cloud, identify security misconfigurations and automate remediation for security gaps enabling compliance and operational security in multi-cloud environments. He is also an avid speaker and trainer and presents his research and findings at security conferences and community meetups around the world including BlackHat USA, BH Europe, BH Asia, nullcon and OWASP AppsecUSA. Specialties: Cloud (AWS, GCP, Azure, IBM, Others) Security, Cloud-Native Security, Kubernetes, Container Security, Web Application Security, Network and System Penetration Testing, Wireless Network Security, Malware Analysis and Reverse Engineering, Threat Modelling, Windows Forensics, Security Code Review, Vulnerability Research, Exploit Development and Reverse Engineering. Certifications: CKA, CKAD, OSCP
