WS - 4
Container Security for Red and Blue Teams
Workshop Objective:
An organization using micro services, or any other distributed architecture rely heavily on containers and orchestration engines like Kubernetes and as such its infrastructure security is paramount to its business operations. This workshop will focus on how attackers can break into docker container and Kubernetes clusters to gain access, escalate privileges to infrastructure by using misconfigurations and application security vulnerabilities. Then as a blue team we will see how we can leverage the power of automation at multiple layers like Infrastructure Security, Supply chain Security and Run time Security to protect against the container security attacks. At the end of the workshop we will verify the security of the cloud native infrastructure by performing automated security scan with the help of CIS Benchmarks for both Docker and Kubernetes.
By the end of the workshop participants will able to identify and exploit vulnerabilities in applications running on containers inside Kubernetes clusters. The key take away for audience will be learning from these scenarios how they can assess their environments and fix them before attackers gain control over their infrastructure. Trainer will share examples of real world security issues found in penetration testing engagements to showcase mapping of the attack usually happens in the real world and how it can be mitigated as well
Course Content (ToC):
-
- Quick introduction to Docker, Kubernetes and Cloud Native Infrastructure
- Overview of attack surface for container infrastructure and ecosystem
- Real world vulnerabilities in cloud native infrastructure
- Application bug SSRF to Kubernetes cluster compromise
- Helm tiller default setup to gain complete cluster access
- Path traversal vulnerability to compromise container private registry
- Commonly found vulnerabilities in cloud native infrastructure
- Volume/Network Misconfigurations
- Exploiting Kubernetes API Server Vulnerability (CVE-2018-1002105)
- runc exploit to do privilege escalation
- Istio/Envoy proxy bypass access control (CVE-2019-9901)
- Vulnerable container images
- Extra privilege and capabilities for containers/pods
- Applying offensive knowledge to defend cloud native infrastructure
- Security Hardening of infrastructure
- Network/Pod Security policies using calico/cilium
- CIS Benchmarks for Docker and Kubernetes
- Deployment and supply chain security
- Logging and Monitoring
- Runtime security monitoring using sysdig falco
- Automated Defense in near real-time
- Tools of the trade - Commonly useful tools for both offense & defense
The below are the high level overview of what topics and how technical we will be covering
Pre-requisite
- A laptop with administrator privileges
- GCP free trail account (https://cloud.google.com/free/)
- At least 8GB of RAM, 10GB of Disk space free on the system
- Laptop should support hardware-based virtualization
- If your laptop can run a 64-bit virtual machine in Oracle VirtualBox it should work
- Other virtualization software might work but we will not be able to provide support for that
- USB Ports for copying data
Participants’ Requirements:
- Basic knowledge of using the Linux command line
- System administration basics like servers, applications configuration and deployment
- Familiarity with container environments like Docker would be useful
Who should attend:
- Penetration Testers, Security Engineers and Bug bounty hunters
- System administrators, DevOps and SecOps Teams
- Anyone interested in the container infrastructure security
What to expect:
- Complete hands-on training with a practical approach and real-world scenarios
- Ebooks of the training covering all hands-on in a step by step guide (HTML, PDF, EPub, Mobi)
- Git repository of all the custom source code, scripts, playbooks used during the training
- Resources and references for further learning and practice
What not to expect:
- A lot of hand holding about basic concepts already mentioned in the things you should be familiar with
- A lot of theory. This is meant to be a completely hands-on training
Speaker Profile:
Abhisek has over 10 years’ experience doing security research, security services delivery that includes penetration testing, source code review, training etc. He is currently working as the Head of Technology at Appsecco, where his core area of focus is building security automation platform using cloud native solutions.
He is credited with multiple vulnerability discovery across enterprise products with CVEs to his name such as CVE-2015-0085, CVE-2015-1650, CVE-2015-1682, CVE-2015-2376, CVE-2015-2555, CVE-2014-4117, CVE-2014-6113.
As an open source software contributor, he has developed or contributed to multiple projects including:
- Wireplay
- Penovox
- HiDump
- RbWinDBG