Unsecured Credentials: Container API
Adversaries may gather credentials via APIs within a container environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API) An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.
Procedure Examples

Name | Description
---|---
Peirates | Peirates can query the Kubernetes API for secrets.(Citation: Peirates GitHub)
Mitigations

Mitigation | Description
---|---
Privileged Account Management | Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.
Limit Access to Resource Over Network | Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
User Account Management | Manage the creation, modification, use, and permissions associated with user accounts.
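The account-management mitigations above come down to one question in Kubernetes: which subjects can actually read Secrets through the API? The script below is an added example (not part of this ATT&CK page or of any listed reference) that answers it offline from Role/ClusterRole and binding objects in the shape `kubectl get ... -o json` returns. The sample roles and bindings are constructed for illustration; the `trusted_namespaces` allowlist and the decision to treat `*` wildcards as secret access are assumptions to tune per cluster.

```python
"""Audit Kubernetes RBAC objects for subjects that can read Secrets.

Added example, not code from the ATT&CK page. Input objects are plain dicts
in the JSON shape returned by `kubectl get roles,clusterroles,rolebindings,
clusterrolebindings -A -o json` (the `items` of those lists).
"""
from typing import Dict, List, Set, Tuple

READ_VERBS = {"get", "list", "watch"}


def rule_reads_secrets(rule: Dict) -> bool:
    """True if one RBAC rule grants a read verb (or '*') on secrets (or '*')."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    in_core_group = "" in groups or "*" in groups      # Secrets live in the core ("") group
    touches_secrets = "secrets" in resources or "*" in resources
    can_read = "*" in verbs or bool(verbs & READ_VERBS)
    return in_core_group and touches_secrets and can_read


def secret_reading_roles(roles: List[Dict]) -> Set[Tuple[str, str]]:
    """(kind, name) of every Role/ClusterRole with at least one secret-reading rule.
    Keys ignore the Role's namespace for brevity; add it if names collide."""
    return {
        (r["kind"], r["metadata"]["name"])
        for r in roles
        if any(rule_reads_secrets(rule) for rule in r.get("rules", []))
    }


def subjects_with_secret_read(roles: List[Dict], bindings: List[Dict],
                              trusted_namespaces=("kube-system",)) -> List[Dict]:
    """One finding per binding subject that can read Secrets, skipping
    service accounts in namespaces the operator trusts (assumed allowlist)."""
    risky = secret_reading_roles(roles)
    findings = []
    for b in bindings:
        ref = b["roleRef"]
        if (ref["kind"], ref["name"]) not in risky:
            continue
        # A RoleBinding (even to a ClusterRole) only grants within its namespace.
        scope = b["metadata"]["namespace"] if b["kind"] == "RoleBinding" else "cluster-wide"
        for s in b.get("subjects", []):
            if s["kind"] == "ServiceAccount" and s.get("namespace") in trusted_namespaces:
                continue
            ns_part = s["namespace"] + "/" if s["kind"] == "ServiceAccount" else ""
            findings.append({"subject": f'{s["kind"]}/{ns_part}{s["name"]}',
                             "scope": scope,
                             "role": f'{ref["kind"]}/{ref["name"]}',
                             "binding": b["metadata"]["name"]})
    return findings


# Constructed sample objects (not from any real cluster).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "default-reads-secrets", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "app"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
    {"kind": "RoleBinding", "metadata": {"name": "devs-pods", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "dev1"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "controller", "namespace": "kube-system"}]},
]


def audit_sample() -> List[Dict]:
    """Run the audit over the constructed sample; two subjects should surface."""
    return subjects_with_secret_read(SAMPLE_ROLES, SAMPLE_BINDINGS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f'{f["subject"]} can read Secrets ({f["scope"]}) via {f["binding"]} -> {f["role"]}')
```

The pod's `default` service account bound to `secret-reader` is exactly the case the technique description names (credential retrieval "via a pod's service account"); the finding for the `ops` group shows why wildcard ClusterRoles have to be counted as secret access even though they never mention `secrets` by name.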
Detection
Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs. It may be possible to detect adversary use of credentials they have obtained such as in Valid Accounts.
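The detection guidance above is concrete enough to turn into rules. The following is an added example, not code from this ATT&CK page or any of its references, that runs two checks over Kubernetes API server audit events (the `audit.k8s.io/v1` Event JSON shape): Secret reads by principals outside an expected baseline, and service accounts enumerating resources outside their own namespace. It also scans Docker daemon log lines for calls to the container-logs endpoint. All log lines are constructed for illustration; the baseline set, the assumption that `dockerd` is running with debug logging so that API calls appear as `msg="Calling GET ..."` lines, and the exact log format are assumptions to confirm against your own environment.

```python
"""Detect container-API credential gathering in constructed log samples.

Added example, not from the ATT&CK page. Kubernetes events follow the
audit.k8s.io/v1 Event shape written by the API server audit backend; the
Docker lines assume the daemon's debug-level request logging (assumed format).
"""
import json
import re
from typing import Dict, List

# Constructed baseline of principals expected to read Secrets; tune per cluster.
EXPECTED_SECRET_READERS = {"system:kube-controller-manager"}
READ_VERBS = {"get", "list", "watch"}

# Constructed audit events, one JSON object per line as the audit log stores them.
SAMPLE_AUDIT_LOG = [
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "list",
                "user": {"username": "system:kube-controller-manager"},
                "objectRef": {"resource": "secrets", "namespace": "kube-system"},
                "responseStatus": {"code": 200}, "sourceIPs": ["10.0.0.5"]}),
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "list",
                "user": {"username": "system:serviceaccount:app:default"},
                "objectRef": {"resource": "secrets"},            # no namespace: all namespaces
                "responseStatus": {"code": 200}, "sourceIPs": ["10.244.1.7"]}),
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "dev1"},
                "objectRef": {"resource": "secrets", "namespace": "app", "name": "db-creds"},
                "responseStatus": {"code": 403}, "sourceIPs": ["192.0.2.10"]}),
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "list",
                "user": {"username": "dev1"},
                "objectRef": {"resource": "pods", "namespace": "app"},
                "responseStatus": {"code": 200}, "sourceIPs": ["192.0.2.10"]}),
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "list",
                "user": {"username": "system:serviceaccount:app:default"},
                "objectRef": {"resource": "pods", "namespace": "kube-system"},
                "responseStatus": {"code": 200}, "sourceIPs": ["10.244.1.7"]}),
]


def sa_namespace(username: str):
    """Namespace of a service-account principal, or None for users and groups."""
    parts = username.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2]
    return None


def detect_kubernetes(lines: List[str], expected=EXPECTED_SECRET_READERS) -> List[Dict]:
    """Return one finding per rule hit; denied (403) attempts are reported too,
    since a failed Secret read is itself a signal worth triaging."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue                         # skip RequestReceived/ResponseStarted duplicates
        user = ev["user"]["username"]
        ref = ev.get("objectRef", {})
        ns = ref.get("namespace")
        verb = ev["verb"]
        base = {"user": user, "verb": verb, "resource": ref.get("resource"),
                "namespace": ns or "<all>",
                "status": ev.get("responseStatus", {}).get("code"),
                "source": ",".join(ev.get("sourceIPs", []))}
        if ref.get("resource") == "secrets" and verb in READ_VERBS and user not in expected:
            findings.append({**base, "rule": "secret-read-by-unexpected-principal"})
        own_ns = sa_namespace(user)
        if own_ns and verb in {"list", "watch"} and ns != own_ns:
            findings.append({**base, "rule": "service-account-enumeration-outside-own-namespace"})
    return findings


# Assumed dockerd debug log format: msg="Calling <METHOD> /v<ver>/containers/<id>/logs..."
DOCKER_LOG_CALL = re.compile(
    r'msg="Calling (?P<method>[A-Z]+) (?P<path>/v[\d.]+/containers/(?P<id>[0-9a-f]+)/logs[^"]*)"')

SAMPLE_DOCKERD_LOG = [                       # constructed lines
    'time="2024-03-01T10:00:00Z" level=debug msg="Calling GET /v1.41/containers/json"',
    'time="2024-03-01T10:00:03Z" level=debug msg="Calling GET /v1.41/containers/3f2a9c1d7e5b/logs?stderr=1&stdout=1&tail=all"',
]


def detect_docker_log_reads(lines: List[str]) -> List[Dict]:
    """Flag every API call that pulls a container's logs via the Docker API."""
    return [{"container": m.group("id"), "path": m.group("path")}
            for m in (DOCKER_LOG_CALL.search(line) for line in lines) if m]


if __name__ == "__main__":
    for f in detect_kubernetes(SAMPLE_AUDIT_LOG) + detect_docker_log_reads(SAMPLE_DOCKERD_LOG):
        print(f)
```

Both Kubernetes rules need an audit policy that records Secret requests at the `Metadata` level at least (the default example policies already do this), and the baseline set must be built from observed, legitimate readers rather than guessed. The Docker check is deliberately narrow: it only answers "who asked the daemon for container logs", which is the behaviour the detection text calls out, and the log source has to exist before the rule is useful.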
References
- The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.
- Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved March 31, 2021.
- Chen, J. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.
- Kubernetes. (2022, February 26). Configure Service Accounts for Pods. Retrieved April 1, 2022.
- InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022.
- The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021.
- Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023.
- Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023.
- Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021.
- National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.
- Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023.