Enhance Your Container Security with the MITRE ATT&CK Framework

By: Tricia Nagar

Apr 27, 2023

You are a self-professed cloud-native security warrior. You live to keep your containers and applications safe from the bad guys. Safe from the possibility of a cyberattack. Safe from a security breach. You are constantly evaluating the cloud threat landscape and devising security policies and controls to keep the bad actors at bay. You recognize that putting up guardrails means having to stay up-to-date with the latest threats and attack techniques.

By keeping up, you enhance your threat intelligence and detection capabilities, and can better assess your defenses for gaps in security coverage. In this blog post, we will talk about the widely adopted MITRE ATT&CK framework that helps you do exactly that.

A Quick Overview of the MITRE ATT&CK Framework

The MITRE (pronounced “Miter”) ATT&CK framework is a comprehensive and curated knowledge base of adversarial tactics and techniques (TTPs) that are used by attackers during different stages of a cyber attack. The freely available and globally accessible framework is maintained by the MITRE Corporation, a not-for-profit organization that operates federally funded research and development centers (FFRDCs).

The term “ATT&CK” is short for Adversarial Tactics, Techniques and Common Knowledge. The framework standardizes the categories and descriptions of cyber threats and serves as a guidance mechanism enabling organizations to improve their cyber defense strategies by identifying gaps in security controls.

The framework is organized into two main components, tactics and techniques, that are continuously updated as new ones are identified, making it an invaluable resource for security teams. Currently, there are 12 tactics in the entire framework and over 300 techniques, with each technique mapped to one or more tactics. The “tactics” describe the goals of an attack, while the “techniques” describe how attackers achieve those goals.

The Containers Sub Matrix in the MITRE ATT&CK Framework

There are three primary matrices in the ATT&CK framework: the Enterprise Matrix, the Mobile Matrix, and the ICS or Industrial Control Systems Matrix.

The Containers sub matrix is categorized under the MITRE ATT&CK Matrix for Enterprises. It consists of 9 tactics, each of which is associated with one or more techniques used by attackers to target containerized environments.

Container sub matrix from the MITRE ATT&CK Matrix for Enterprises

Here's a bit about each tactic in detail.

  • The Initial Access Tactic consists of techniques that use various entry vectors for attackers to gain an initial foothold into containerized environments. When an application is containerized, exploiting it can lead to a compromise of the underlying container. This can give an adversary a path to access the cloud or container APIs, exploit container host access, or take advantage of weak identity and access management policies. Initial access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker or Kubernetes API server, kubelet, or the Kubernetes dashboard.

  • The Execution Tactic includes techniques used by attackers to execute code within containerized environments. For example, attackers may abuse a container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet to execute commands within a container. Additionally, attackers may deploy containers that are based on malicious images or images that execute malicious payloads at runtime.

  • The Persistence Tactic allows attackers to maintain their presence within containerized environments by planting backdoors or using persistence mechanisms within container images. Amazon Web Services (AWS), Google Cloud Platform (GCP) Images, Azure Images and popular container runtimes such as Docker can be vulnerable to backdoor attacks.

  • The Privilege Escalation Tactic is about getting higher-level permissions. Once attackers gain initial access into a containerized environment, they often need elevated permissions to follow through on their malicious objectives. Most commonly, attackers take advantage of misconfigurations and vulnerabilities to elevate their permission levels. Examples include exploiting misconfigured Kubernetes roles and Common Vulnerabilities and Exposures (CVEs), or using container escape exploits.

  • The Defense Evasion Tactic refers to attackers avoiding detection throughout their compromise of containerized environments. Image obfuscation is one such technique where attackers build a container image directly on a host to bypass defenses. They may also deploy a new container configured without rules to bypass existing defenses within the environment. Attackers also use techniques to escape out of a container to gain access to the underlying host to access other containerized resources. Lastly, they delete or modify any artifacts generated during compromise to remove evidence of their presence.

  • The Credential Access Tactic consists of techniques used for stealing credentials like user accounts and passwords. Brute force techniques, such as credential stuffing and dictionary attacks, are commonly used to gain access to user accounts when passwords are unknown. Another common technique is to steal application access tokens as a means of acquiring credentials to access resources in cloud and container-based applications. OAuth is one commonly implemented framework that issues access tokens to users. Attackers can leverage the OAuth authorization framework using a compromised user's OAuth token to gain unauthorized.

  • The Discovery Tactic: As part of discovery, attackers scan for open ports to discover container resources such as images, deployments, pods, nodes, and clusters. The resources can be queried via Docker and Kubernetes APIs or viewed from the Kubernetes dashboard. As an example, TeamTNT, a threat group that primarily targets cloud and containerized environments, has checked for running containers with docker ps and for specific container names with docker inspect. It has also searched for Kubernetes pods running in a local network. Discovering container resources helps threat groups chart out their next actions in orchestrating the attack.

  • The Lateral Movement Tactic: Here attackers use alternate authentication methods to move laterally within containerized environments and bypass normal access controls. Container lateral movements can be from container to host (including container escapes), from the host to the container, or from one container to another container. The goal of lateral movement is to gain access to sensitive data or to gain control of the container’s environment and resources, which can be used to further the attacker’s objectives such as data exfiltration and disruption.

  • The Impact Tactic: Impact consists of techniques that disrupt availability or compromise integrity by manipulating business and operational processes. Destroying or tampering with runtime data in the cluster, deleting or modifying container images or disrupting container orchestration are some examples.

By mapping detected threats and suspicious activity to specific tactics and techniques within the framework, security teams can better assess the nature and severity of potential threats and take appropriate action to mitigate them.
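The mapping step described above can be sketched as follows. This is an added example, not code from Cisco Panoptica or MITRE: it reads Kubernetes API server audit events (JSON lines) and groups the requests that were served under ATT&CK Containers tactics. The rule predicates, the function name map_to_attack and the sample log are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Each rule: (tactic, technique, predicate over verb, username, objectRef).
# Technique IDs and names follow the ATT&CK Containers matrix; the predicates
# are simplified assumptions for illustration, not vendor detection logic.
RULES = [
    ("Initial Access", "T1133 External Remote Services",
     lambda verb, user, ref: user == "system:anonymous"),
    ("Execution", "T1609 Container Administration Command",
     lambda verb, user, ref: verb == "create" and ref.get("subresource") == "exec"),
    ("Credential Access", "T1552.007 Unsecured Credentials: Container API",
     lambda verb, user, ref: verb in ("get", "list") and ref.get("resource") == "secrets"),
    ("Discovery", "T1613 Container and Resource Discovery",
     lambda verb, user, ref: verb == "list"
     and ref.get("resource") in ("pods", "nodes", "deployments")),
]

# Constructed sample input: JSON lines shaped like audit.k8s.io/v1 events.
SAMPLE_AUDIT_LOG = """\
{"verb":"list","user":{"username":"system:anonymous"},"objectRef":{"resource":"pods"},"responseStatus":{"code":200}}
{"verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"pods","subresource":"exec","name":"web-0"},"responseStatus":{"code":101}}
{"verb":"get","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"secrets","name":"db-creds"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:anonymous"},"objectRef":{"resource":"secrets"},"responseStatus":{"code":403}}
{"verb":"get","user":{"username":"system:node:node-1"},"objectRef":{"resource":"nodes","name":"node-1"},"responseStatus":{"code":200}}
not-json: truncated audit line
"""

def map_to_attack(log_text):
    """Return {tactic: sorted technique list} for requests the API server served."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if not isinstance(event, dict):
            continue
        # Denied requests show an attempt, not exposure, so they are dropped.
        if (event.get("responseStatus") or {}).get("code", 0) >= 400:
            continue
        verb = event.get("verb", "")
        user = (event.get("user") or {}).get("username", "")
        ref = event.get("objectRef") or {}
        for tactic, technique, matches in RULES:
            if matches(verb, user, ref):
                hits[tactic].add(technique)
    return {tactic: sorted(found) for tactic, found in hits.items()}

if __name__ == "__main__":
    for tactic, techniques in map_to_attack(SAMPLE_AUDIT_LOG).items():
        print(f"{tactic}: {', '.join(techniques)}")
```

A single anonymous pod listing lands under both Initial Access and Discovery, which is why one event can light up more than one tactic column in a matrix view.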

Cisco Panoptica’s K8SHIELD MITRE ATT&CK Dashboard

Cisco Panoptica’s K8SHIELD dashboard provides a unique view of the threats in your Kubernetes clusters that run your containerized applications. The view is arranged according to the MITRE ATT&CK framework and follows the progression of attacks from the “Initial Access” tactic stage through to the “Lateral Movement” tactic stage and lastly, the “Impact” tactic stage. The innovative dashboard provides a cell-based view under each tactic to show relevant attack techniques, and indicates if your Kubernetes clusters are exposed to them with a warning symbol.

The Cisco Panoptica K8Shield Dashboard

By leveraging Cisco Panoptica’s K8SHIELD dashboard, you can uncover which vulnerabilities are creating security gaps that expose your Kubernetes clusters to the risk of attacks, and what remediation measures you can take to close those gaps.

Cisco Panoptica simplifies cloud-native application security and makes it easy to embed into the software development lifecycle. To learn more, visit us here. You can try Panoptica for free for an unlimited time by signing up here.