Director of Research, Lacework Labs
Photo via Art into Science 2019
Last week we had the pleasure of attending and presenting at Art into Science: A Conference for Defense (ACoD) 2019. It was a blast listening to a variety of amazing talks, and speaking on Kubernetes security. In this post, we share background on the conference, discuss some of our favorite talks, and provide details on our presentation Practical Guide to Securing Kubernetes (slides available below).
Art into Science: A Conference for Defense (ACoD) 2019
Art into Science is a conference that aims to enable defenders. Security conferences tend to glorify attackers, but this conference is geared toward putting defenders on the pedestal. It aims to share knowledge among fellow defenders so they can improve their craft. The conference is small relative to other security conferences, which creates a very comfortable atmosphere for sharing ideas openly and meeting fellow practitioners in the community. There were many great talks; here are a couple that I really enjoyed:
HASSH – a Profiling Method for SSH Clients and Servers & JA3/JA3S
As a former network defender working on threat detection methods, I found the talks given by John Althouse on fingerprinting TLS and SSH clients fascinating. John gave a turbo talk on JA3, a method for fingerprinting TLS clients based on the unique ordering of fields in a TLS Client Hello packet. He described how this has been extended to the server side as well (JA3S), giving a way to pair two fingerprints together (client and server) to identify clients that do not have a unique fingerprint on their own, such as Empire and Metasploit. For those unfamiliar with JA3, fingerprinting TLS clients is an excellent way to catch malware, and it is more difficult for attackers to evade than indicators such as domains and IPs, which they can simply change. He also presented on behalf of Ben Reardon, who developed HASSH, a method for fingerprinting SSH clients. HASSH was developed using the principles of JA3 to further improve network detection techniques and increase the cost for the attacker to circumvent them. If you haven’t heard of these projects, I highly recommend checking them out and seeing how you can incorporate them into your own security strategy.
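To make the fingerprinting idea concrete, here is an added example (written for this post, not code from the JA3 or HASSH projects) that builds JA3 and JA3S field strings in the documented format, hashes them, and checks a client/server pair against a baseline; the Client Hello and Server Hello field values are constructed, not taken from a real capture.

```python
import hashlib
from typing import Iterable, Sequence

# GREASE placeholder values (RFC 8701) are skipped, as the JA3 reference implementation does,
# so that a client's randomised GREASE entries do not change its fingerprint.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def _join(values: Iterable[int]) -> str:
    """Decimal values in wire order, '-' separated; the ordering is what makes the fingerprint."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version: int, ciphers: Sequence[int], extensions: Sequence[int],
               curves: Sequence[int], point_formats: Sequence[int]) -> str:
    """JA3: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats (Client Hello)."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3s_string(version: int, cipher: int, extensions: Sequence[int]) -> str:
    """JA3S: SSLVersion,Cipher,Extensions from the Server Hello (the server picks one cipher)."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def fingerprint(field_string: str) -> str:
    """Both JA3 and JA3S publish the MD5 hex digest of the field string."""
    return hashlib.md5(field_string.encode("ascii")).hexdigest()


# Constructed Client Hello / Server Hello field values (not a capture of any real client or server).
CLIENT_HELLO = dict(version=771, ciphers=[0x1A1A, 4865, 4866, 4867, 49195, 49199],
                    extensions=[0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
                    curves=[0x1A1A, 29, 23, 24], point_formats=[0])
SERVER_HELLO = dict(version=771, cipher=4866, extensions=[51, 43])


def pair_is_known(ja3: str, ja3s: str, baseline: set) -> bool:
    """The JA3S pairing idea: a client hash shared by many tools becomes discriminating once
    combined with the server's answer, so detection keys on (ja3, ja3s) pairs not in a baseline."""
    return (ja3, ja3s) in baseline


if __name__ == "__main__":
    client = fingerprint(ja3_string(**CLIENT_HELLO))
    server = fingerprint(ja3s_string(**SERVER_HELLO))
    print("JA3 ", ja3_string(**CLIENT_HELLO), "->", client)
    print("JA3S", ja3s_string(**SERVER_HELLO), "->", server)
    print("pair in baseline:", pair_is_known(client, server, baseline=set()))
```

In practice the field lists come from a parsed Client Hello and Server Hello (Zeek and Suricata both ship JA3/JA3S support), and the baseline is the set of pairs observed in your own environment.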
Phoenix Evolved – The Next Stage of Malware Analysis
Another great talk I really enjoyed was given by Greg Olmstead and Justin Borland. In this talk, Greg and Justin discussed their publicly available project Phoenix. Phoenix is a malware analysis platform built on top of the Cuckoo sandbox. Phoenix adds a ton of functionality around the post-sandboxing of a sample, helping analysts speed up the implementation of controls that follows analysis. One of the things I particularly liked about Phoenix is the ability to compare indicators post-detonation across a number of sources (YARA, Snort, etc.) to quickly identify whether you already have coverage for the malware or need to develop new controls. Additionally, Phoenix comes with an “easy button” to help you get up and running quickly. If you are struggling to keep Cuckoo running and need to speed up your post-sandboxing processes, this is a great project to check out!
Practical Guide for Securing Kubernetes
Dan Hubbard and I had the opportunity to present on Kubernetes security. In our talk, we gave a brief overview of Kubernetes and the explosive growth the project is experiencing. We discussed risks and threats to Kubernetes deployments, focusing on practical examples of misconfigurations and CVEs. We covered both threats from anonymous users and threats following the compromise of a pod.
We wrapped up by providing some guidelines on how to mitigate the risks and threats described in the presentation.
Attendees of our presentation were bribed, er, rewarded with Round Rock Donuts for asking great questions at the end of the talk.
The slides from our presentation are available here. Feel free to reach out with any questions!
If you get a chance to attend ACoD in the future, we highly recommend going. The conference is a great place to learn from others in the industry working on similar problems in cybersecurity defense. The conference is vendor-neutral and a FUD-free zone. It is a great place to network and learn from industry leaders. We hope to see you there next year!