Earlier this week, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint document entitled Kubernetes Hardening Guidance. Kubernetes is an open-source orchestration system that relies on containers to automate the deployment, scaling and management of applications, usually in a cloud environment.
According to the most recent State of Kubernetes Security report by RedHat, more than half the security professionals surveyed said they delayed deploying Kubernetes applications into production due to security.
In addition, almost all the security respondents said they had one security incident in their Kubernetes environment during the past year. Underscoring the depth of security concerns surrounding Kubernetes, 59% of respondents said they are most worried about unaddressed security and compliance needs or threats to containers.
The rapid shift to cloud environments, particularly since the advent of the pandemic, undoubtedly heightens these security concerns. It’s little surprise, then, that NSA and CISA felt the need to help organisations deal with security in a containerised environment, which is more complex than “traditional, monolithic software platforms.”
Although the agencies tailored their guidance to system administrators of national security systems (systems containing classified or intelligence information) and critical infrastructure, they encourage administrators of federal and state, local, tribal, and territorial (SLTT) government networks to also implement the recommendations.
Within the Kubernetes architecture are clusters composed of control planes and one or more physical or virtual machines called worker nodes, which host pods that comprise one or more containers. The containers house software packages and all their dependencies.
The joint guidance says that while Kubernetes has always been a target for malicious actors to steal data, threat actors are increasingly drawn to Kubernetes systems to steal computation power, often for cryptocurrency mining.
Three main threats pose dangers for Kubernetes
The document spells out the following three most likely threats for a Kubernetes cluster:
- Supply chain risk, which poses dangers at multiple levels, including at the container or application level and the underlying infrastructure
- Malicious threat actors who can exploit several APIs exposed by the architecture, including the control plane, worker nodes, and containerised applications
- Insider threats from actors that have elevated privileges or special knowledge, including administrators, users, and cloud service or infrastructure providers
The 59-page document spells out how Kubernetes is structured, from the smallest unit called pods, which consist of one or more containers, all the way through cluster networking.
In addition, it contains hardening strategies to avoid common misconfigurations and guide system administrators and developers on how to deploy Kubernetes. The joint guidance also offers example configurations for the recommended hardening measures and mitigations.
Seven broad Kubernetes hardening recommendations
The joint guidance recommends that administrators:
- Scan containers and pods for vulnerabilities or misconfigurations
- Run containers and pods with the least privileges possible
- Use network separation to control the amount of damage a compromise can cause
- Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality
- Use strong authentication and authorisation to limit user and administrator access and limit the attack surface
- Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity
- Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for, and security patches are applied
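The second and first recommendations above (least privilege, and scanning pods for misconfigurations) can be checked mechanically against a Pod manifest before it is admitted to a cluster. The checker below is an added example written for this article, not tooling from the NSA/CISA guidance; the two manifests are constructed, and the image name `registry.example/web:1.0` is a placeholder. It flags privileged containers, host namespace sharing, containers that may run as root, privilege escalation left enabled, writable root filesystems and undropped Linux capabilities, and shows a weak manifest beside a hardened one that passes every check.

```python
"""Flag common least-privilege misconfigurations in a Kubernetes Pod manifest.

Added example for illustration only; not the guidance's own tooling.
Manifests are JSON (every Kubernetes YAML manifest has a JSON equivalent),
so the example runs with the standard library alone.
"""
import json

# Constructed weak manifest: privileged container on the host network, no
# securityContext hardening at all.
WEAK_POD = """
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-weak"},
 "spec": {"hostNetwork": true,
          "containers": [{"name": "web", "image": "registry.example/web:1.0",
                          "securityContext": {"privileged": true}}]}}
"""

# Constructed hardened manifest: non-root UID, no privilege escalation,
# read-only root filesystem, all capabilities dropped.
HARDENED_POD = """
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"},
 "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
          "containers": [{"name": "web", "image": "registry.example/web:1.0",
                          "securityContext": {"allowPrivilegeEscalation": false,
                                              "readOnlyRootFilesystem": true,
                                              "capabilities": {"drop": ["ALL"]}}}]}}
"""


def check_container(name, container, pod_sc):
    """Return a list of findings for one container spec."""
    findings = []
    sc = container.get("securityContext", {})
    # Container-level settings override pod-level ones, so merge them
    # for the fields Kubernetes defines at both levels.
    effective = {**pod_sc, **sc}
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    # Kubernetes defaults allowPrivilegeEscalation to true when unset.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    # Without runAsNonRoot or a non-zero runAsUser the image default decides,
    # which for many images is UID 0.
    if not effective.get("runAsNonRoot") and effective.get("runAsUser", 0) == 0:
        findings.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: root filesystem is writable")
    drops = sc.get("capabilities", {}).get("drop", [])
    if "ALL" not in drops:
        findings.append(f"{name}: capabilities not dropped (add drop: [ALL])")
    return findings


def check_pod(manifest):
    """Return all findings for a Pod manifest (as a parsed dict)."""
    spec = manifest["spec"]
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} shares a host namespace")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(check_container(c["name"], c, pod_sc))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        result = check_pod(json.loads(doc))
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The same checks are what a cluster's admission control (for example a Pod Security Admission profile) enforces at deploy time; running them in a CI pipeline as well catches the misconfiguration before it ever reaches the API server.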
Dr. Trevor Morgan, product manager at German data protection and compliance company Comforte AG, tells CSO that the joint guidance document is “a very good report. It’s bringing something to the forefront: data security and its relationship to the cloud. That’s where Kubernetes ultimately comes into play.”
Cloud provides false sense of security
“We all think of the cloud as our OneDrive or our Dropbox or whatever. Businesses are pushing a lot of data either into their own private cloud, a public cloud, or Amazon, so a lot of information is going offsite. It is no longer within the quote-unquote protected environment of the organisation,” says Morgan.
“The real problem with that is for some reason, when we give something away, we just think, ‘Oh well, somebody else is going to take care of that.’ There’s almost this false sense of security as organisations leverage cloud-based services where security is concerned.”
It is this false sense of security that the Kubernetes guidance seeks to dismantle by offering detailed explanations of the various components of the Kubernetes architecture and explaining how security can be tightened for each component. “This report is really critical because they point to the fact that when data goes out into a cloud environment, often powered by Kubernetes containers, threat actors are after the data that you’re pushing out there,” Morgan says.
NSA-CISA guidance follows warning of Fancy Bear’s exploitation of Kubernetes clusters
Regarding why the NSA and CISA might be releasing this report now, Morgan thinks they’re putting out helpful information in the wake of a string of high-profile and destructive cyber security incidents such as the ransomware attacks on Colonial Pipeline and Saudi Aramco. “This report is like a public service announcement. It’s a little bit of a forward-thinking education.”
However, it’s likely no coincidence that the Kubernetes guidance came out almost a month after NSA, CISA and the FBI issued a joint advisory warning about Russian threat actor intrusions into Kubernetes clusters.
According to this advisory, from at least mid-2019 to early 2021, Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, otherwise known as APT28 or Fancy Bear, used a Kubernetes cluster to conduct “widespread, distributed, and anonymised brute force access attempts against hundreds of government and private-sector targets worldwide.” The agencies further warned that these attacks are likely ongoing.
The organisations targeted in the campaign cover a wide swath of government and political organisations, defence contractors, energy companies, logistics companies, think tanks, universities, law firms, and media companies.
The brute-force capability allowed the Russian actors to access protected data, including email, and identify valid account credentials they could use to gain initial access, persistence, privilege escalation, and defence evasion.
At the time of the advisory, the three agencies asked organisations to adopt a series of cyber hygiene measures such as two-factor authentication, strong passwords, and a zero trust security regime. The agencies also suggested organisations deny all inbound activity from known anonymisation services, such as commercial virtual private networks and The Onion Router (TOR).
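The pattern the advisory describes, many failed logins against one account arriving from many different source addresses, looks different in logs from a classic single-source brute force, and a per-IP lockout alone will not catch it. The script below is an added example written for this article, not code from the advisory: it parses constructed authentication-failure log lines (the format `<timestamp> auth_failed user=<u> src=<ip>` and every address in them are made up), flags accounts whose failures came from several distinct sources inside a sliding time window, and separately lists which failing sources fall inside a constructed placeholder list of address ranges standing in for the "known anonymisation services" the agencies suggest denying.

```python
"""Detect distributed (spray-style) authentication failures in log lines.

Added example for illustration only. Log lines, addresses and the
anonymiser range list are all constructed; real deployments would feed
their own auth logs and a maintained list of anonymisation-service ranges.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) auth_failed user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: alice is hit from four sources in three minutes,
# bob is hit repeatedly from one source, carol from two sources.
LOG = """\
2021-03-01T10:00:01Z auth_failed user=alice src=203.0.113.10
2021-03-01T10:00:07Z auth_failed user=alice src=198.51.100.23
2021-03-01T10:01:15Z auth_failed user=alice src=192.0.2.77
2021-03-01T10:02:40Z auth_failed user=alice src=203.0.113.45
2021-03-01T10:00:03Z auth_failed user=bob src=192.0.2.5
2021-03-01T10:00:04Z auth_failed user=bob src=192.0.2.5
2021-03-01T10:00:05Z auth_failed user=bob src=192.0.2.5
2021-03-01T10:00:06Z auth_failed user=bob src=192.0.2.5
2021-03-01T10:30:00Z auth_failed user=carol src=198.51.100.9
2021-03-01T10:31:00Z auth_failed user=carol src=203.0.113.10
2021-03-01T12:00:00Z auth_failed user=alice src=192.0.2.99
"""

# Placeholder only: stands in for a real list of anonymisation-service ranges.
CONSTRUCTED_ANON_RANGES = ["203.0.113.0/24"]


def parse(text):
    """Parse log text into (timestamp, user, source) tuples, skipping other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"]))
    return events


def distributed_failures(events, window=timedelta(minutes=10), min_sources=3):
    """Map each flagged user to the largest number of distinct sources that
    failed against that account within any single time window."""
    by_user = defaultdict(list)
    for ts, user, src in sorted(events):
        by_user[user].append((ts, src))
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            sources = {src for _, src in evs[start:end + 1]}
            if len(sources) >= min_sources:
                flagged[user] = max(flagged.get(user, 0), len(sources))
    return flagged


def sources_in_ranges(events, cidrs):
    """Return the set of failing source addresses that fall inside `cidrs`."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return {
        src for _, _, src in events
        if any(ipaddress.ip_address(src) in n for n in nets)
    }


if __name__ == "__main__":
    evs = parse(LOG)
    print("distributed failures:", distributed_failures(evs))
    print("sources in denied ranges:", sorted(sources_in_ranges(evs, CONSTRUCTED_ANON_RANGES)))
```

Keying the detection on the target account rather than the source address is the point: each individual source in the sample stays under any sensible per-IP threshold, while the account-level view surfaces alice immediately and leaves bob (one source) to the ordinary lockout logic.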