Center for Threat-Informed Defense teams up with Microsoft, partners to build the ATT&CK® for Containers matrix
The MITRE ATT&CK® for Containers matrix was published today, establishing an industry knowledge base of attack techniques associated with containerization and related technologies that are increasingly more ubiquitous in the current computing landscape. Microsoft is happy to have contributed and worked closely with the Center for Threat-Informed Defense and other partners to develop this framework for understanding and investigating this growing attack surface.
The ATT&CK for Containers builds on efforts including the threat matrix for Kubernetes developed by the Azure Security Center team for Azure Defender for Kubernetes. The Center for Threat-Informed Defense expanded on this initial framework by documenting real-world attacks, with Microsoft and other partners providing guidance and feedback throughout the process.
Building the ATT&CK for Containers matrix is helpful in understanding the risks associated with containers, including misconfigurations that are often the initial vector for attacks, as well as the specific implementation of attack techniques in the wild. This knowledge informs approaches for detecting threats, and thus helps in providing comprehensive protections, as more and more organizations adopt containers and container orchestration technologies like Kubernetes.
Organizations use containers to package software code, configuration files and libraries, and dependencies to enable fast software development and deployment. Containerization involves abstracting the OS and hardware. This abstraction creates scenarios where users are unaware that the base image of a container has exploitable vulnerabilities or where users may not pay close attention to what libraries and binaries are present on the images they’re using.
The convenience of platform-agnostic deployment of containers can benefit software developers, but it can also potentially benefit attackers aiming to run malware on multiple platforms. In addition, the ease in the deployment of containers can mean containers with vulnerabilities can be distributed across an organization as part of normal deployment operations.
Microsoft security coverage for threats and risks associated with containers
Microsoft delivers protection against container threats in two areas: on endpoints and on Kubernetes clusters.
Microsoft Defender for Endpoint detects threats on endpoints running container hosts, focusing on behavior commonly observed on endpoints, including stealing locally stored credentials for accessing the cloud, downloading and running malicious images, and privilege escalation from dockers to hosts. Below is a mapping of Microsoft Defender for Endpoint detections with the ATT&CK for Containers techniques.
ATT&CK for Containers technique | Microsoft Defender for Endpoint detection |
Valid Accounts |
|
Unsecured Credentials |
|
Build Image on Host |
|
Deploy Container |
|
User Execution: Malicious Image |
|
Resource Hijacking |
|
Container Resource Discovery |
|
Exploit Public-Facing Application |
|
Escape to Host |
|
Detections of malicious or suspicious behaviors associated with containers are reported as alerts in Microsoft 365 security center, enabling defenders to investigate and remediate the threat and hunt for related or similar behaviors. These detections enrich the telemetry that Microsoft Defender for Endpoint uses to build device timelines and cross-domain end-to-end attack chains:
Azure Defender offers a Kubernetes plan to protect Kubernetes clusters, both in the orchestration layer and in the node level. The orchestration layer protection monitors Kubernetes API operations to find suspicious and malicious activities in the Kubernetes control plane. The node-level protection, based on the Server plan of Azure Defender, inspects activity on the Kubernetes worker-node to detect suspicious activity that run by the containers on the nodes. Below is a mapping of Azure Defender detections with the ATT&CK for Containers techniques.
ATT&CK for Containers technique | Azure Defender detection |
Exploit Public-Facing Application | |
External Remote Services |
|
Valid accounts |
|
Container Administration Command |
|
Deploy Container |
|
Scheduled Task/Job |
|
User Execution |
|
Implant Internal Image | |
Escape to Host |
|
Exploitation for Privilege Escalation |
|
Build Image on Host |
|
Indicator Removal on Host |
|
Masquerading |
|
Brute Force |
|
Unsecured Credentials |
|
Resource Hijacking |
|
In addition, as was observed is several attacks like the one that targets Kubeflow workloads, many incidents start with a misconfiguration. Azure Defender can help detect misconfiguration, such as exposure of sensitive interfaces to the internet. In addition, Azure Defender can also help reduce the attack surface by detecting sensitive operations like creating high-privilege RBAC rules, auditing for Kubernetes best practices, and providing deployment gates.
The work to secure containers continues
The partnership between MITRE Engenuity’s Center for Threat-Informed Defense and Microsoft on investigating and understanding container threats doesn’t stop with the release of ATT&CK for Containers. We will continue to work with MITRE and the rest of the industry to share intelligence and insights from Microsoft’s products, sensors, and research. We will continue to look for innovative ways for surfacing telemetry, especially from within the container, not just on hosts, and for detecting behavior associated with both malicious activity and misconfigurations.
To learn more about how Microsoft can help you protect containers and relevant technologies today, read about Microsoft Defender for Endpoint and Azure Defender.
To learn more about the Center for Threat-Informed Defense, read about the Center’s collaborative approach to advancing threat-informed defense.
Microsoft 365 Defender Research Team
Azure Defender Team
READ MORE HERE