<img src="https://ws.zoominfo.com/pixel/JHVDdRXH2uangmUMQBZd" width="1" height="1" style="display: none;">
weaveworks_logo_headerstrip
magalix_logo_headerstrip

Weaveworks 2022.03 release featuring Magalix PaC | Learn more

MITRE ATT&CK Matrix for Kubernetes

These pages cover what Magalix is, how to get started using it, and reference materials for its features and supported cloud providers.

Get started quickly, and get all your questions answered now!

Talk to an Expert

    Initial Access

    MITRE ATTACK - Initial Access

    Overview

    Initial Access refers to tactics an attacker may use to gain access to a Kubernetes cluster. They may do this either by compromising various resources deployed on the cluster or directly by compromising a component within the Kubernetes control plane that handles cluster management.

    1- Using Cloud Credentials

    If the Kubernetes cluster is deployed in a public cloud and if a cloud credential is compromised, attackers may get access to the cluster’s management layer.  A compromised credential may lead to a compromise of the entire cluster, and may also lead to a cluster takeover.

    2- Compromised Images in Registry

    A compromised, untrusted or unsafe image running in a cluster can lead to its compromise. It may be downloaded from a public image registry (e.g. Docker Hub), built from untrusted base images, or added to a private registry by an attacker and pulled by a user. It may contain malicious code that allows an attacker to access a cluster.

    image-approved-registry

    3- Kubeconfig File

    The kubeconfig file, used by kubectl, contains the location and credentials of clusters. A compromised client could issue cloud commands to download this file if the cluster is hosted as a cloud service. If a bad actor gets access to this file, they can use it to access the clusters.

    4- Application Vulnerability

    Containerized, public-facing applications with vulnerabilities leave an organization susceptible to exploits by threat actors. If they run in a cluster, the threat actor may gain initial access to the cluster. They may also exploit the vulnerability to reach other applications, access sensitive data, or launch a Denial of Service (DoS) attack.

    MITRE ATTACK - Initial AccessMITRE ATTACK - Initial AccessMITRE ATTACK - Initial Access

    5- Exposed Sensitive Interfaces

    When a sensitive interface is exposed to the Internet, it creates a security risk. Frameworks that don’t require authentication by default are particularly vulnerable. Exposing such frameworks allows malicious actors to gain unauthenticated access to a sensitive interface and run code or deploy containers in the cluster. One such interface that has been exploited previously is the Kubernetes dashboard.

     

    arrow