Part 9 - Mapping the MITRE ATT&CK framework to your Kubernetes cluster: Impact on the Cluster
Insights

Part 9 - Mapping the MITRE ATT&CK framework to your Kubernetes cluster: Impact on the Cluster

This is the ninth and the last part of a series on the MITRE ATT&CK framework for Kubernetes, covering the Impact tactic with examples.

Riyaz Walikar
September 7, 2021

(This is the last of a 9 part blog series that explains the Kubernetes MITRE ATT&CK like Threat Matrix created by Microsoft from an attacker perspective and attempts to provide how real world attackers use the techniques covered in the framework to gain access, execute, persist and explore Kubernetes cluster environments.)

Use this index to navigate to and read the rest of the posts in this series

(This blog post discusses the last tactic described in the MITRE ATT&CK framework for Kubernetes - Impact)

In the last post, we saw the techniques in the Lateral Movement tactic of the MITRE ATT&CK framework for Kubernetes. Let's look at the next tactic, Impact and the techniques that attackers use within this tactic. For reference, here's the framework that Microsoft created as a visual cue to the overall tactics and techniques that attackers use when attacking a Kubernetes cluster.

Kubernetes ATT&CK matrix

Impact

The Impact tactic simply describes techniques that are used by attackers to destroy data, abuse access or change the cluster environment in a way to cause a Denial of Service for legitimate users. The techniques that the Impact tactic describes are more consequences of malicious actions that an attacker takes rather than being actual ways of executing the actions that lead the described outcomes.

Data destruction

An attacker, with full cluster control, can scale down deployments, delete storage volumes, terminate running pods, drain nodes or delete any data that is accessible via running services etc.

For example, an attacker could use the credentials obtained from configuration files or the Kubernetes secrets store to connect to a MySQL server and issue DROP DATABASE commands.

Resource Hijacking

This is one of the most common consequences of a cluster compromise, especially for managed instances on the cloud. Attackers gain control of compromised resources and use them to run attacker chosen tasks, like cryptocurrency mining for example.

Denial of service

A Denial of Service would occur when legitimate users of applications running within the cluster are unable to access them. That would additionally be true of any resource object within the cluster. An attacker simply makes the resource unavailable to users by removing the resources, altering its configuration so that it no longer becomes accessible or by updating the resource in a way that it changes the meaning of the resource entirely.

Conclusion

With the Impact tactic, an attacker attempts to prevent the cluster from serving its primary purpose of servicing the users of the cluster. Attackers can destroy data, alter the state of data and resources, make them inaccessible to cause a denial of service or simply hijack the resources to perform malicious pre-orchestrated tasks like cryptocurrency mining and malware hosting.

The MITRE ATT&CK threat matrix serves as a guide to defenders as well as authorized security testers that can be used to understand how an attack could occur on a cluster going all the way from obtaining Initial Access to performing destructive actions via the Impact tactic.

References

ABOUT THE AUTHOR
Riyaz Walikar

Enjoyed this read?

Subscribe to our newsletter and stay ahead with more great insights and resources on cloud security!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.