Effective Detection in Kubernetes Clusters
Shay Berkovich, Oren Ofer
BSidesSF 2024 · Day 1
This presentation, delivered by Shay Berkovich and Oren Ofer at BSidesSF 2024, examines the difficulty of detecting sophisticated attacks in Kubernetes and cloud-native environments. The speakers, both seasoned security professionals with backgrounds in threat research and detection engineering, describe how Kubernetes attacks are evolving: they increasingly involve cloud components, use new initial access vectors, and adapt older techniques to modern contexts. The core thesis of the talk is that effective detection in this ecosystem requires a **multi-dimensional approach**: combining visibility across abstraction levels, from the kernel and container runtime interface (CRI) up to the Kubernetes API and the cloud context, and tracing the temporal progression of the attack chain, because each individual source has blind spots and no single layer sees the whole attack.
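As an added illustration of the multi-dimensional approach summarized above (example code written for this page, not code from the talk or its authors), the following Python sketch joins events from three layers, the Kubernetes audit log, a runtime sensor and a cloud API log, onto one pod identity and orders them in time. The sample records, their field names, the use of `namespace/pod` as the join key, the per-layer predicates and the correlation window are all assumptions made for the example; they are deliberately simplified and are not the real Kubernetes audit, eBPF sensor or CloudTrail schemas.

```python
"""
Added example: a minimal cross-layer correlation for Kubernetes detection.
Each per-layer predicate below is noisy on its own; the detection is the
chain of signals on one pod identity within a short time window, ordered
API layer -> runtime layer -> cloud layer.
All records and field names are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed, simplified sample events from three abstraction levels.
# "pod" (namespace/pod) is the assumed join key across layers.
SAMPLE_EVENTS = [
    # Kubernetes API layer: audit entry for an interactive exec by a human.
    {"layer": "k8s_audit", "ts": "2024-05-04T10:00:00Z", "pod": "prod/web-0",
     "verb": "create", "subresource": "exec", "user": "dev-user@example.com"},
    # Runtime layer: sensor sees a shell spawn a network client in the pod.
    {"layer": "runtime", "ts": "2024-05-04T10:00:07Z", "pod": "prod/web-0",
     "proc": "curl", "parent": "sh"},
    # Cloud layer: credentials attributed to that pod are used against AWS.
    {"layer": "cloud", "ts": "2024-05-04T10:00:20Z", "pod": "prod/web-0",
     "api": "s3:ListBuckets", "principal": "role/web-pod-role"},
    # Benign noise on another pod: exec by a node identity, health check.
    {"layer": "k8s_audit", "ts": "2024-05-04T10:00:01Z", "pod": "prod/api-1",
     "verb": "create", "subresource": "exec", "user": "system:node/ip-10-0-0-5"},
    {"layer": "runtime", "ts": "2024-05-04T10:00:02Z", "pod": "prod/api-1",
     "proc": "healthcheck", "parent": "runc"},
]

# Expected progression of an attack chain through the layers.
LAYER_ORDER = {"k8s_audit": 0, "runtime": 1, "cloud": 2}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_suspicious(e):
    """Per-layer signal. Each predicate alone would page people constantly."""
    if e["layer"] == "k8s_audit":
        # Interactive exec by a human user, not a node or controller identity.
        return e.get("subresource") == "exec" and not e["user"].startswith("system:")
    if e["layer"] == "runtime":
        return e.get("parent") == "sh" and e.get("proc") in {"curl", "wget"}
    if e["layer"] == "cloud":
        return e.get("api", "").startswith("s3:")
    return False


def correlate(events, window_seconds=60):
    """Group suspicious events per pod, order them in time, and report pods
    whose signals span at least two layers within window_seconds of the
    first signal. Also records whether the time order follows LAYER_ORDER."""
    by_pod = defaultdict(list)
    for e in events:
        if is_suspicious(e):
            by_pod[e["pod"]].append(e)

    chains = []
    for pod, evs in by_pod.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        start = parse_ts(evs[0]["ts"])
        in_window = [e for e in evs
                     if (parse_ts(e["ts"]) - start).total_seconds() <= window_seconds]
        layers_seen = [e["layer"] for e in in_window]
        distinct = sorted(set(layers_seen), key=LAYER_ORDER.get)
        if len(distinct) < 2:
            continue  # a single-layer signal stays a low-confidence lead
        ranks = [LAYER_ORDER[l] for l in layers_seen]
        chains.append({
            "pod": pod,
            "layers": distinct,
            "stages": [(e["ts"], e["layer"]) for e in in_window],
            # True when the chain advanced API -> runtime -> cloud in time.
            "progression_ok": ranks == sorted(ranks),
        })
    return chains


if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(chain["pod"], chain["layers"], chain["progression_ok"])
        for ts, layer in chain["stages"]:
            print("  ", ts, layer)
```

Run on the constructed input, only `prod/web-0` produces a chain, with all three layers in the expected order; the exec on `prod/api-1` is filtered at the audit layer because it comes from a node identity. Shrinking the window to a few seconds drops the chain, which is the practical trade-off the talk's multi-source argument implies: the window must be wide enough to span the attacker's pivot from the API layer into the cloud layer, but narrow enough that unrelated activity on a busy pod does not get stitched together.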
AI review
This talk provides a highly practical and well-structured approach to effective detection in Kubernetes and cloud-native environments. The speakers meticulously break down various detection sources—Kubernetes audit logs, admission webhooks, cloud logs, and runtime sensors—highlighting their strengths, blind spots, and optimal use cases. The live demo of a multi-stage attack, including an EKS Pod Identity pivot, effectively illustrates the necessity of combining these diverse data sources for comprehensive threat visibility and response.