Microsoft Secure

Center for Threat-Informed Defense teams up with Microsoft, partners to build the ATT&CK® for Containers matrix

The MITRE ATT&CK® for Containers matrix was published today, establishing an industry knowledge base of attack techniques associated with containerization and related technologies that are increasingly ubiquitous in the current computing landscape. Microsoft is happy to have contributed and worked closely with the Center for Threat-Informed Defense and other partners to develop this framework for understanding and investigating this growing attack surface.

The ATT&CK for Containers matrix

ATT&CK for Containers builds on efforts including the threat matrix for Kubernetes developed by the Azure Security Center team for Azure Defender for Kubernetes. The Center for Threat-Informed Defense expanded on this initial framework by documenting real-world attacks, with Microsoft and other partners providing guidance and feedback throughout the process.

Building the ATT&CK for Containers matrix is helpful in understanding the risks associated with containers, including misconfigurations that are often the initial vector for attacks, as well as the specific implementation of attack techniques in the wild. This knowledge informs approaches for detecting threats, and thus helps in providing comprehensive protections, as more and more organizations adopt containers and container orchestration technologies like Kubernetes.

Organizations use containers to package software code, configuration files, libraries, and dependencies to enable fast software development and deployment. Containerization involves abstracting the OS and hardware. This abstraction creates scenarios where users are unaware that the base image of a container has exploitable vulnerabilities or where users may not pay close attention to what libraries and binaries are present on the images they’re using.

The convenience of platform-agnostic deployment of containers can benefit software developers, but it can also potentially benefit attackers aiming to run malware on multiple platforms. In addition, the ease in the deployment of containers can mean containers with vulnerabilities can be distributed across an organization as part of normal deployment operations.

Microsoft security coverage for threats and risks associated with containers

Microsoft delivers protection against container threats in two areas: on endpoints and on Kubernetes clusters.

Microsoft Defender for Endpoint detects threats on endpoints running container hosts, focusing on behavior commonly observed on endpoints, including stealing locally stored credentials for accessing the cloud, downloading and running malicious images, and privilege escalation from Docker containers to hosts. Below is a mapping of Microsoft Defender for Endpoint detections to the ATT&CK for Containers techniques.

ATT&CK for Containers technique | Microsoft Defender for Endpoint detection
Valid Accounts
  • Suspicious cloud credential access
  • Unix credentials were illegitimately accessed
Unsecured Credentials
  • Suspicious cloud credential access
  • Unix credentials were illegitimately accessed
Build Image on Host
  • Malicious Docker image run
  • Suspicious network connection from Docker container
Deploy Container
  • Malicious Docker image run
  • Suspicious network connection from Docker container
User Execution: Malicious Image
  • Malicious Docker image run
  • Suspicious network connection from Docker container
Resource Hijacking
  • Malicious Docker image run
Container Resource Discovery
  • Suspicious kubectl exploratory command sequence
Exploit Public-Facing Application
  • Suspicious connection to unsecured Docker daemon
Escape to Host
  • Suspicious file opens by WSL

Detections of malicious or suspicious behaviors associated with containers are reported as alerts in Microsoft 365 security center, enabling defenders to investigate and remediate the threat and hunt for related or similar behaviors. These detections enrich the telemetry that Microsoft Defender for Endpoint uses to build device timelines and cross-domain end-to-end attack chains:

Screenshot of Microsoft Defender Security Center showing detection of malicious Docker image

Azure Defender offers a Kubernetes plan to protect Kubernetes clusters at both the orchestration layer and the node level. The orchestration layer protection monitors Kubernetes API operations to find suspicious and malicious activities in the Kubernetes control plane. The node-level protection, based on the Server plan of Azure Defender, inspects activity on the Kubernetes worker nodes to detect suspicious activity run by the containers on the nodes. Below is a mapping of Azure Defender detections to the ATT&CK for Containers techniques.

ATT&CK for Containers technique | Azure Defender detection
Exploit Public-Facing Application
External Remote Services
  • Orchestration level alerts:
    • Exposed Kubeflow dashboard detected
    • Exposed Kubernetes dashboard detected
    • Exposed Kubernetes service detected
    • Exposed Redis service in AKS detected
  • Node level alerts:
    • Exposed Docker daemon detected (node level)
Valid Accounts
  • Orchestration level alerts:
    • AKS API requests from proxy IP address detected
  • Node level alerts:
    • Successful SSH brute force attack (node level)
    • Suspicious incoming SSH network activity from multiple sources (node level)
    • Suspicious incoming SSH network activity (node level)
Container Administration Command
  • Orchestration level alerts:
    • Suspicious command executed in container
  • Node level alerts:
    • Privileged command run in container
    • Suspicious request to Kubernetes API
Deploy Container
  • Orchestration level alerts:
    • AKS API requests from proxy IP address detected
    • Digital currency mining container detected
  • Node level alerts:
    • Suspicious request to Kubernetes API
Scheduled Task/Job
  • The Kubernetes CronJob controller, like other controllers, creates a pod resource. See the “Deploy Container” technique for relevant detections.
User Execution
  • Digital currency mining container detected
Implant Internal Image
Escape to Host
  • Orchestration level alerts:
    • Container with a sensitive volume mount detected
    • Privileged container detected
Exploitation for Privilege Escalation
  • Orchestration level alerts:
    • Privileged container detected
Build Image on Host
  • Node level alerts:
    • Docker build operation detected on a Kubernetes node
Indicator Removal on Host
  • Orchestration level alerts:
    • Kubernetes events deleted
Masquerading
  • New container in the kube-system namespace detected
Brute Force
  • Successful SSH brute force attack (node level)
  • Suspicious incoming SSH network activity from multiple sources (node level)
  • Suspicious incoming SSH network activity (node level)
Unsecured Credentials
  • Suspicious request to Kubernetes API (node level)
Resource Hijacking
  • Digital currency mining container detected (Orchestration)
  • Suspicious command executed in container (Orchestration)
  • Process associated with digital currency mining detected (node level)
  • Possible Crypto coin miner download detected (node level)
  • Digital currency mining related behavior detected (node level)

In addition, as was observed in several attacks like the one that targets Kubeflow workloads, many incidents start with a misconfiguration. Azure Defender can help detect misconfigurations, such as exposure of sensitive interfaces to the internet. Azure Defender can also help reduce the attack surface by detecting sensitive operations like creating high-privilege RBAC rules, auditing for Kubernetes best practices, and providing deployment gates.
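Three of the orchestration-level alerts in the table above (privileged container, sensitive volume mount, new container in kube-system) correspond to fields a defender can audit directly in a pod manifest. The sketch below is an added example, not Microsoft's or Azure Defender's detection logic; the list of sensitive host paths, the function names, and the sample manifests are assumptions constructed for illustration.

```python
# Added illustration: tag pod specs with the alert/technique pairs from the table.
# SENSITIVE_HOST_PATHS is an assumption; the page does not define such a list.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/var/run/docker.sock", "/var/lib/kubelet")

def is_sensitive(path):
    """True if a hostPath is, or sits under, an assumed-sensitive host path."""
    path = path.rstrip("/") or "/"
    return any(path == p or (p != "/" and path.startswith(p + "/"))
               for p in SENSITIVE_HOST_PATHS)

def audit_pod(pod):
    """Return a sorted list of (alert, technique) findings for one Pod manifest."""
    findings = set()
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        if (c.get("securityContext") or {}).get("privileged") is True:
            for technique in ("Escape to Host", "Exploitation for Privilege Escalation"):
                findings.add(("Privileged container detected", technique))
    for v in spec.get("volumes", []):
        host_path = (v.get("hostPath") or {}).get("path")
        if host_path and is_sensitive(host_path):
            findings.add(("Container with a sensitive volume mount detected",
                          "Escape to Host"))
    # Simplification: a real detector would baseline known system workloads first.
    if meta.get("namespace") == "kube-system":
        findings.add(("New container in the kube-system namespace detected",
                      "Masquerading"))
    return sorted(findings)

# Constructed sample manifests (not from the page).
SAMPLE_PODS = [
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}},
    {"metadata": {"name": "helper", "namespace": "kube-system"},
     "spec": {"containers": [{"name": "c", "image": "example.invalid/tool:1",
                              "securityContext": {"privileged": True}}],
              "volumes": [{"name": "sock",
                           "hostPath": {"path": "/var/run/docker.sock"}}]}},
]

def audit_all(pods):
    """Map pod name -> findings, keeping only pods with at least one finding."""
    results = {p["metadata"]["name"]: audit_pod(p) for p in pods}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    print(audit_all(SAMPLE_PODS))
```
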

The work to secure containers continues

The partnership between MITRE Engenuity’s Center for Threat-Informed Defense and Microsoft on investigating and understanding container threats doesn’t stop with the release of ATT&CK for Containers. We will continue to work with MITRE and the rest of the industry to share intelligence and insights from Microsoft’s products, sensors, and research. We will continue to look for innovative ways for surfacing telemetry, especially from within the container, not just on hosts, and for detecting behavior associated with both malicious activity and misconfigurations.

To learn more about how Microsoft can help you protect containers and relevant technologies today, read about Microsoft Defender for Endpoint and Azure Defender.

To learn more about the Center for Threat-Informed Defense, read about the Center’s collaborative approach to advancing threat-informed defense.

Microsoft 365 Defender Research Team

Azure Defender Team
