Container and Resource Discovery

Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster. These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.

ID: T1613
Tactic(s): Discovery
Platforms: Containers
Permissions Required: User
Data Sources: Container: Container Enumeration, Pod: Pod Enumeration
Version: 1.0
Created: 31 Mar 2021
Last Modified: 12 Apr 2021

Procedure Examples

Peirates: Peirates can enumerate Kubernetes pods in a given namespace.(Citation: Peirates GitHub)

TeamTNT: TeamTNT has checked for running containers with docker ps and for specific container names with docker inspect.(Citation: Trend Micro TeamTNT) TeamTNT has also searched for Kubernetes pods running in a local network.(Citation: Cisco Talos Intelligence Group)

Hildegard: Hildegard has used masscan to search for kubelets and the kubelet API for additional running containers.(Citation: Unit 42 Hildegard Malware)

Mitigations

Network Segmentation: Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.

Limit Access to Resource Over Network: Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

User Account Management: Manage the creation, modification, use, and permissions associated with user accounts.

Detection

Establish centralized logging for the activity of container and Kubernetes cluster components. This can be done by deploying logging agents on Kubernetes nodes and retrieving logs from sidecar proxies for application pods to detect malicious activity at the cluster level. Monitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications.
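As an added example (not part of the ATT&CK entry or of any tool it cites), the following Python applies the monitoring described above to Kubernetes API server audit events: it flags get/list/watch calls on cluster resources by principals outside an allowlist, workload service accounts enumerating with a non-kubectl client, and forbidden (403) responses that suggest permission probing. The audit lines, user names and allowlist are constructed sample values, and the field names follow the audit.k8s.io/v1 event format.

```python
import json

# Verbs and resource kinds that characterise enumeration of a cluster (T1613).
DISCOVERY_VERBS = {"get", "list", "watch"}
DISCOVERY_RESOURCES = {"pods", "nodes", "deployments", "namespaces", "services", "secrets"}
# Principals expected to enumerate cluster resources (assumed allowlist for this example).
KNOWN_USERS = {"alice@example.com", "system:kube-controller-manager"}

# Constructed sample Kubernetes audit events (audit.k8s.io/v1, one JSON object per line).
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"dev"},"sourceIPs":["10.0.1.10"],"userAgent":"kubectl/v1.27.0","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"pods"},"sourceIPs":["10.244.2.7"],"userAgent":"curl/7.88.1","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"nodes"},"sourceIPs":["10.244.2.7"],"userAgent":"curl/7.88.1","responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"deployments","namespace":"dev"},"sourceIPs":["10.0.1.10"],"userAgent":"kubectl/v1.27.0","responseStatus":{"code":201}}
"""

def parse_audit_log(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_discovery(events, known_users=KNOWN_USERS):
    """Return one finding per discovery-style API call that looks out of place."""
    findings = []
    for ev in events:
        if ev.get("stage") != "ResponseComplete":
            continue  # score only completed requests, not the RequestReceived duplicate
        verb, resource = ev.get("verb"), ev.get("objectRef", {}).get("resource")
        if verb not in DISCOVERY_VERBS or resource not in DISCOVERY_RESOURCES:
            continue
        user = ev.get("user", {}).get("username", "")
        agent = ev.get("userAgent", "")
        code = ev.get("responseStatus", {}).get("code", 0)
        reasons = []
        if user not in known_users:
            reasons.append("principal not in allowlist")
        if user.startswith("system:serviceaccount:") and not agent.startswith("kubectl/"):
            reasons.append("workload service account enumerating with a non-kubectl client")
        if code == 403:
            reasons.append("forbidden response, consistent with permission probing")
        if reasons:
            findings.append({"user": user, "verb": verb, "resource": resource,
                             "source": ",".join(ev.get("sourceIPs", [])), "reasons": reasons})
    return findings

def enumeration_breadth(findings):
    """Map each flagged principal to the set of resource kinds it enumerated."""
    breadth = {}
    for f in findings:
        breadth.setdefault(f["user"], set()).add(f["resource"])
    return breadth
```

In a real deployment the allowlist would come from RBAC bindings and observed baselines, and `enumeration_breadth` is the number to alert on: one principal touching several resource kinds in a short window is the pattern the procedure examples above describe.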
