Panoptica has published a public repository of common use cases that simulate unusual or malicious activity inside a Kubernetes cluster. The simulated activities include container escape attempts, reconnaissance actions, and cryptocurrency mining. All of the presented use cases are detected by the Panoptica Kubernetes Runtime Protection solution, which triggers alerts with full details about the suspicious activity. You can stream these alerts to an S3 bucket by configuring an "AWS S3" integration in the Panoptica platform. In this post, we walk through the full process: configuring an S3 bucket integration, running a live simulation inside a Kubernetes cluster, loading the alerts from the S3 bucket into an Amazon Athena table, and querying the results.
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. This cluster should also be connected to the Panoptica platform, and the "Runtime Protection" option should be enabled. In addition, you need to connect an AWS account to the Panoptica platform and ensure you have access to Amazon Athena and S3 within this account.
Disclaimer: working through this document will incur charges against your AWS account for Amazon Athena usage and S3 storage.
If the AWS account is not already configured with an AWS S3 integration, follow the steps below to create one. You can create a new S3 bucket or use an existing one for the target S3 bucket.
Congratulations! You now have an S3 bucket integration in the Panoptica platform.
Now that the S3 bucket integration is set up, alerts from Kubernetes Runtime Protection are streamed into the Panoptica/k8s_runtime_events folder within the bucket. We will run simulations from the Panoptica-k8s-attack-simlutions repository to trigger those events inside the Kubernetes cluster; the repository contains the instructions for installing and using the tool. We suggest executing several simulations so that more than one event lands in the S3 bucket.
In the example below, you can see the execution of the cryptocurrency mining simulation inside the cluster.
The triggered alerts’ events are added to the S3 bucket soon after the execution.
Amazon Athena provides a convenient and quick way to query data in S3 using SQL. With Athena you can query large datasets, get results in seconds, and pay only for the queries you run. In the following section, we create a table in Athena that maps to the runtime events stored in S3. Replace BUCKET-NAME in the LOCATION clause with the name of the bucket you configured in the integration:
CREATE EXTERNAL TABLE IF NOT EXISTS runtime_events (
  `container.id` string,
  `evt.time` string,
  `k8s.ns.name` string,
  `k8s.pod.name` string,
  `proc.cmdline` string,
  `proc.pid` int,
  `cluster_id` string,
  `rule_name` string,
  `description` string,
  `severity` string,
  `related_cves` string
)
ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
LOCATION 's3://BUCKET-NAME/lightspin/k8s_runtime_events/';
The image below shows the query in the Athena editor:
The columns in the runtime_events table are defined as follows:
Execute the command below to get a couple of rows to see what the data looks like:
SELECT * FROM runtime_events LIMIT 10;
The image below shows an example output of the data in the runtime_events table:
Now that the runtime_events table exists, we can query the data to surface high-priority alerts and other insights. Let's look at a few examples of useful queries.
Query 1: Find which rules are triggered the most
SELECT rule_name, severity, COUNT(rule_name) AS count_rules FROM runtime_events GROUP BY rule_name, severity ORDER BY count_rules DESC;
Query 2: Search for High severity alert events that occurred within the cluster
SELECT rule_name, "proc.cmdline", "evt.time" FROM runtime_events WHERE severity = 'High' ORDER BY "evt.time" DESC LIMIT 8;
Query 3: Looking for a specific rule
SELECT * FROM runtime_events WHERE rule_name='Detect Outbound Connections To Common Miner Pool Ports';
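To check what the JsonSerDe will actually read before (or alongside) running the Athena queries, here is an added Python example that is not part of the original post. It assumes the objects under k8s_runtime_events/ are newline-delimited JSON whose keys match the column names in the CREATE TABLE above, and it reproduces Query 1 and Query 2 locally over constructed sample events, including a truncated line and a record with missing columns.

```python
import json
from collections import Counter

# Column names from the runtime_events DDL above; a key absent from a JSON
# object is read as NULL by the JsonSerDe, so count those gaps explicitly.
SCHEMA = ("container.id", "evt.time", "k8s.ns.name", "k8s.pod.name",
          "proc.cmdline", "proc.pid", "cluster_id", "rule_name",
          "description", "severity", "related_cves")

# Constructed sample events, not real alerts. Line 4 is deliberately truncated
# JSON and line 5 lacks two columns, to show what Athena would reject or null.
SAMPLE_NDJSON = """\
{"container.id":"c1","evt.time":"2022-06-01T10:00:01Z","k8s.ns.name":"default","k8s.pod.name":"sim-a","proc.cmdline":"miner --pool pool.invalid:3333","proc.pid":4242,"cluster_id":"cl-1","rule_name":"Detect Outbound Connections To Common Miner Pool Ports","description":"constructed","severity":"High","related_cves":""}
{"container.id":"c2","evt.time":"2022-06-01T10:00:03Z","k8s.ns.name":"default","k8s.pod.name":"sim-b","proc.cmdline":"uname -a","proc.pid":4243,"cluster_id":"cl-1","rule_name":"Example Reconnaissance Rule (constructed)","description":"constructed","severity":"Medium","related_cves":""}
{"container.id":"c3","evt.time":"2022-06-01T10:00:05Z","k8s.ns.name":"payments","k8s.pod.name":"sim-c","proc.cmdline":"miner --pool pool.invalid:3333","proc.pid":4244,"cluster_id":"cl-1","rule_name":"Detect Outbound Connections To Common Miner Pool Ports","description":"constructed","severity":"High","related_cves":""}
{"container.id":"c4","evt.time":"2022-06-01T10:00:07Z"
{"container.id":"c5","evt.time":"2022-06-01T10:00:09Z","k8s.ns.name":"default","k8s.pod.name":"sim-e","proc.cmdline":"id","cluster_id":"cl-1","rule_name":"Example Low Rule (constructed)","description":"constructed","severity":"Low"}
"""


def load_events(ndjson):
    """Parse NDJSON; return (events, malformed line numbers, per-column missing counts)."""
    events, bad_lines, missing = [], [], Counter()
    for lineno, line in enumerate(ndjson.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # JsonSerDe aborts the whole query on such a line unless the table
            # sets SERDEPROPERTIES ('ignore.malformed.json' = 'true').
            bad_lines.append(lineno)
            continue
        missing.update(col for col in SCHEMA if col not in event)
        events.append(event)
    return events, bad_lines, missing


def rules_by_count(events):
    """Local equivalent of Query 1: (rule_name, severity) pairs, most frequent first."""
    return Counter((e.get("rule_name"), e.get("severity")) for e in events).most_common()


def latest_high(events, limit=8):
    """Local equivalent of Query 2: newest High-severity events with their command lines."""
    high = sorted((e for e in events if e.get("severity") == "High"),
                  key=lambda e: e.get("evt.time", ""), reverse=True)
    return [(e.get("rule_name"), e.get("proc.cmdline"), e.get("evt.time")) for e in high[:limit]]
```

Running the parser over a copy of the bucket contents before creating the table tells you whether a malformed object will break every query and which columns will come back NULL.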
According to respondents in the Cloud Native Computing Foundation's 2021 survey, 96% of organizations are either using or evaluating Kubernetes, a record high since the surveys began in 2016. Kubernetes has rapidly become one of the most widely used platforms for managing organizations' containerized workloads and services. As such, it is essential that organizations improve their ability to secure and protect these environments. In this post, we showed how to run an active test that simulates attacks and malicious activity within a Kubernetes cluster. We then followed the steps for creating an S3 bucket integration to stream and store the runtime alert events from the Panoptica platform. Finally, we used Amazon Athena to create a table over the data in the S3 bucket and analyzed the results with SQL queries. As Kubernetes usage across regions and organizations continues to grow, it is vital that organizations put in place best practices and approaches that ensure advanced protection.