This tactic consists of four techniques that attackers may use to conceal their activity and avoid detection. Mitigating the threats posed by these defense evasion techniques starts with monitoring every Kubernetes pod in the cluster, including pods that were not created by a Kubernetes controller.
Clear Container Logs
Logs on the container runtime or operating system capture an attacker’s activity within compromised containers. The attacker may delete these logs to prevent their activities from being detected.
Delete K8s (Kubernetes) Events
Kubernetes audit logs provide a chronological record of the state changes, failures, and security-relevant activity occurring on the resources in a cluster. Each such record is itself a Kubernetes object, an “event.” Examples of Kubernetes events include a pod being scheduled on a node, a container being created, and an image being pulled. Attackers may delete these records to prevent their activity in the cluster from being detected.
Pod/Container Name Similarity
Pods created by controllers such as Deployments or DaemonSets carry a random-looking suffix in their names. Attackers can exploit this convention to create an unauthorized “backdoor” pod in the cluster and give it a similarly random suffix, so that it blends in with legitimate controller-managed pods. The obfuscated pod can then be used to run malicious code or to gain access to cluster resources. Attackers may also deploy their containers in the kube-system namespace, where the administrative containers reside.
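One defender-side check for this technique, written here as an added example (not code from the original page): walk the output of `kubectl get pods -A -o json` and flag pods whose names look controller-generated (`<name>-<template-hash>-<5 chars>`) but that carry no `ownerReferences`, as well as any unmanaged pod in `kube-system`. The pod list below is constructed sample data; static pods are not flagged because their mirror pods are owned by a `Node` object.

```python
import json
import re

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "coredns-5d78c9869d-abcde", "namespace": "kube-system",
                      "ownerReferences": [{"kind": "ReplicaSet", "name": "coredns-5d78c9869d"}]}},
        # Looks like a ReplicaSet child, sits in kube-system, but nothing owns it.
        {"metadata": {"name": "coredns-5d78c9869d-zq9k2", "namespace": "kube-system"}},
        {"metadata": {"name": "web-7c9d8b6f5-x1y2z", "namespace": "prod",
                      "ownerReferences": [{"kind": "ReplicaSet", "name": "web-7c9d8b6f5"}]}},
        # Unmanaged, but in a user namespace and not imitating a controller name.
        {"metadata": {"name": "debug-shell", "namespace": "dev"}},
    ]
})

# Deployment/ReplicaSet-style pod name: <base>-<pod-template-hash>-<5-char suffix>.
CONTROLLER_STYLE = re.compile(r"^[a-z0-9-]+-[a-z0-9]{5,10}-[a-z0-9]{5}$")


def find_suspicious_pods(pod_list_json: str) -> list:
    """Return pods with no ownerReferences that imitate a controller name or live in kube-system."""
    findings = []
    for item in json.loads(pod_list_json)["items"]:
        meta = item["metadata"]
        name, ns = meta["name"], meta["namespace"]
        if meta.get("ownerReferences"):
            continue  # managed by a controller (or a Node for static pods); suffix is expected
        reasons = []
        if CONTROLLER_STYLE.match(name):
            reasons.append("controller-style name without ownerReferences")
        if ns == "kube-system":
            reasons.append("unmanaged pod in kube-system")
        if reasons:
            findings.append({"namespace": ns, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_pods(SAMPLE_POD_LIST):
        print(f"{f['namespace']}/{f['name']}: {', '.join(f['reasons'])}")
```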
Connect From Proxy Server
Attackers may use proxy servers or anonymity networks to hide their IP addresses and conceal their network origin. Often, they use anonymity networks such as Tor (The Onion Router) to communicate with applications or with the API server.