Director of Research, Lacework Labs
Last week thousands of security professionals descended upon Las Vegas for Hacker Summer Camp (despite warnings of swarming locusts!). Lacework Labs was there to take in all the sights and sounds. It was exciting to see such an emphasis on cloud and container security. There was much discussion on Kubernetes, containers, DevSecOps, and cloud provider account security, and herewith is our breakdown of the best talks and tools:
One of my favorite talks at Black Hat was The Path Less Traveled: Abusing Kubernetes Defaults, delivered by Ian Coldwater (@IanColdwater) and Duffie Cooley (@mauilion). They gave a great overview of Kubernetes and the defaults kubeadm sets up. The speakers demonstrated multiple attacks that illustrated the dangers of certain configurations and practices (such as running Docker in Docker). Resources for the attack demos can be found here.
As all good security presentations should, the talk ended with a great round-up of mitigation tips. In particular, the speakers placed emphasis on using Kubernetes’ Admission Controller for policy enforcement. This typically is done via Pod Security Policies, but developers can also extend this on their own.
DevSecOps: What, Why, and How
Another great talk, and very applicable to anyone operating in the cloud, was DevSecOps: What, Why and How by Anant Shrivastava (@anantshri). In it, Anant walked us, in great detail, through each step in the CI/CD pipeline from a security perspective. He discussed everything from static code analysis, to container image scanning, to runtime monitoring, and alerting. One of the most helpful parts of this talk was the extensive listing of free tools applicable to the various stages of the pipeline. You can check out the slides here to learn more.
A Compendium of Container Escapes
Another amazing talk was A Compendium of Container Escapes by Brandon Edwards and Nick Freeman. This was a technical discussion where the presenters walked through the main components of containers. Next a number of important vulnerabilities were discussed, such as Dirty Cow (CVE-2016-5195), and runc CVE-2019-5736. Following this the presenters walked through some various container escape scenarios, both involving and not involving kernel modules. Be sure to check out the slides here for a deeper understanding on container escapes.
barq: The AWS Post-Exploitation Tool
One of the tools in the arsenal that caught my attention was barq: The AWS Post-Exploitation Tool from Mohammed Aldoub (@voulnet). This tool assumes pre-compromise of AWS credentials. From there the operator can conduct reconnaissance, escalate privileges, and run code on EC2 instances (via SSM). This tool looks like a great addition to the AWS pentester’s toolkit.
CSF: Container Security Framework
Another interesting tool in the arsenal was CSF: Container Security Framework by Vaibhav Gupta (@ArmourBird). This platform is designed to check running Docker containers against CIS benchmarks. The platform reports back all containers in violation so the team can remediate. This tool may come in handy for DevSecOps teams looking to maintain Docker best practices.
Cloud Security Suite: One-Stop Tool for AWS/GCP/Azure Security Audit
Last but not least in the Arsenal was Cloud Security Suite: One-Stop Tool for AWS/GCP/Azure Security Audit by Jayesh Chauhan. This tool is designed to audit configuration and compliance of the three major cloud providers, AWS, GCP, and Azure. With many organizations adopting a multi-cloud approach, being able to audit from the same place is key. If you are early in your cloud journey and need to wrangle some accounts, be sure to give this tool a look.
Black Hat has come and gone once again. This year there was a lot of talk about cloud security, especially securing containers and Kubernetes. If you are looking to secure your cloud infrastructure, whether it by account compliance and configuration, server security, or container and Kubernetes security be sure to sign up for a Free Trial of Lacework.
Photo by James Walsh on Unsplash.