
Azure Kubernetes Protect


Introduction

Modern applications often consist of containers. When you run your containers in Azure Kubernetes Service (in the cloud by using the AKS resource provider, or on-premises by using Azure Arc), it is necessary to take measures to strengthen the security of your Kubernetes cluster.

With Azure Kubernetes Protect, Wortell uses security components that are available in Azure to protect Kubernetes clusters. Wortell MDR integrates with Azure Security Center and various Azure Defender products which help to protect the environment in which your application is hosted.

SKUs

Feature Azure Kubernetes Protect
Protection against malicious calls to the Kubernetes API +
Protection against containers mounting sensitive volumes +
Protection against DNS poisoning the CoreDNS pod +
Protection against running crypto miners in the Kubernetes cluster +
Protection against unauthorized access of the Kubernetes API +
Protection against unauthorized access to the Kubernetes dashboard +
Protection against clearing the Kubernetes log events +
Protection against malicious activities that could harm the Kubernetes host +
Protection against unwanted containers in the kube-system namespace +
Protection against high privilege misuse +
Scanning on malicious or vulnerable container images +
Compliant with NEN & ISO +
24/7 alert and incident follow-up +

*This product cannot be enabled in combination with a Vidara Light SKU.

Features

Protection against malicious calls to the Kubernetes API

Wortell uses out-of-the-box Azure components (Azure Kubernetes Defender and Azure Sentinel) to detect malicious calls to the Kubernetes API and respond to them. The following types of calls are treated as malicious calls:

  • Calls from a known TOR exit IP address
  • Calls from malicious IP addresses that have been observed by the Wortell Vidara Honey Network

Protection against containers mounting sensitive volumes

Wortell responds when Kubernetes audit log analysis detects a new container with a sensitive volume mount. The volume in question is of the hostPath type, which mounts a sensitive file or folder from the node into the container. If the container is compromised, the attacker can use this mount to gain access to the node.

Protection against DNS poisoning the CoreDNS pod

DNS spoofing, also referred to as DNS cache poisoning, is an attack in which corrupt Domain Name System data is introduced into the DNS resolver’s cache, causing the name server to return an incorrect result record, e.g., an IP address. This results in traffic being diverted to the attacker’s computer (or any other computer). Wortell detects malicious changes to the CoreDNS pod (which serves the internal Kubernetes DNS) and responds to them.

Protection against running crypto miners inside the Kubernetes cluster

Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. The individual who infects your Kubernetes cluster with a cryptocurrency mining container is doing so only to make a buck. Strictly speaking, cryptojacking is not about accessing or sharing your private information.

But cryptojackers are using your Kubernetes resources without your knowledge or consent. A miner container can be so aggressive that it could affect the overall performance of the Kubernetes cluster and thus your application. Wortell can detect crypto miners running in your Kubernetes cluster and respond to them.

Protection against unauthorized access of the Kubernetes API

The Kubernetes API is the API that you can use to manipulate your Kubernetes cluster. Wortell protects the Kubernetes API by monitoring the following suspicious activities:

  • A new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate; however, attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook).
  • Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.

Protection against unauthorized access of the Kubernetes Dashboard

Kubernetes includes a web dashboard that can be used for basic management operations. This dashboard shows basic health status information and metrics for the running applications. The dashboard also allows users to create and deploy services and to edit existing applications. Attackers with access to the Kubernetes dashboard could execute harmful activities in the application environment and use the displayed information for their attacks.

Wortell uses Azure Kubernetes Defender and Azure Sentinel to detect unauthorized access to the Kubernetes dashboard.

Protection against clearing the Kubernetes log events

Kubernetes events are objects in Kubernetes that contain information about changes in the cluster. Attackers might delete those events to hide their operations in the cluster.

Protection against activities that could harm the Kubernetes host

There are various operations that let a user or container access the container host/node. A privileged container could potentially access a node’s resources and break the isolation between containers. If compromised, a privileged container can be used by an attacker to gain access to the node. The following activities are seen as suspicious because they could reach the host machine:

  • Privileged command run in the container: machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine.
  • Privileged container detected: machine logs indicate that a privileged Docker container is running. A privileged container has full access to the host’s resources. If compromised, an attacker can use the privileged container to gain access to the host machine.
  • Container with a sensitive volume mount detected: the volume that was detected is of the hostPath type and mounts a sensitive file or folder from the node into the container. If the container is compromised, the attacker can use this mount to gain access to the node.
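The following is an added example, not code from Wortell or from Azure Defender, showing how the privileged-container and sensitive hostPath patterns from this section (and from "Protection against containers mounting sensitive volumes" above) can be checked on a Pod manifest before it reaches the cluster. The list of sensitive node paths and the three manifests are assumptions constructed for the example; note that a hostPath outside the list, such as /var/log for a log shipper, is deliberately not flagged.

```python
# Added example, not Wortell's or Azure Defender's code: a manifest check for the
# host-access patterns described above (privileged containers, hostPath mounts of
# sensitive node paths, shared host namespaces). The pod specs are constructed.
from typing import Dict, List

# Node paths whose exposure gives a container a route onto the host. This list is an
# assumption chosen for the example, not the list Azure Defender uses.
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/dev", "/boot", "/root",
                        "/var/run", "/var/lib/kubelet", "/var/lib/docker")


def is_sensitive_host_path(path: str) -> bool:
    """True for the node root or any path at or below a SENSITIVE_HOST_PATHS entry."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def find_host_access_risks(pod: Dict) -> List[str]:
    """Return one finding per risky setting in a Pod manifest (YAML loaded as a dict)."""
    meta = pod.get("metadata", {})
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    spec = pod.get("spec", {})
    findings: List[str] = []

    # Sharing the node's PID, IPC or network namespace weakens container isolation.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{ident}: {flag} is true")

    # Volume name -> host path, for every hostPath volume declared on the pod.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{ident}: container {c['name']} is privileged")
        for m in c.get("volumeMounts", []):
            host_path = host_paths.get(m["name"])
            if host_path is not None and is_sensitive_host_path(host_path):
                findings.append(f"{ident}: container {c['name']} mounts host path "
                                f"{host_path} at {m['mountPath']}")
    return findings


# Constructed manifests: one that breaks node isolation, one that only reads logs, one clean.
DEBUG_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "node-debugger", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}
LOG_SHIPPER_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "log-shipper", "namespace": "logging"},
    "spec": {
        "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
        "containers": [{"name": "shipper", "image": "fluent-bit",
                        "volumeMounts": [{"name": "varlog", "mountPath": "/var/log",
                                          "readOnly": True}]}],
    },
}
WEB_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}],
             "containers": [{"name": "web", "image": "nginx",
                             "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}]},
}

if __name__ == "__main__":
    for pod in (DEBUG_POD, LOG_SHIPPER_POD, WEB_POD):
        for line in find_host_access_risks(pod) or [f"{pod['metadata']['name']}: no findings"]:
            print(line)
```

Run as a script it prints three findings for the debugger pod (hostPID, privileged container, docker.sock mount) and nothing for the other two; the same function can be fed the `requestObject` of a pod-creation audit event, which is where the audit-log based detections described on this page see the manifest.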

Protection against unwanted containers in the kube-system namespace

The kube-system namespace should not contain user resources. Attackers can use this namespace to hide malicious components.

Protection against high privilege misuse

Protection against malicious activities that require high privileges:

  • New high-privilege role detected: a binding to a role with high privileges gives the user or group high privileges in the cluster. Unnecessary privileges might lead to privilege escalation in the cluster.
  • Role binding to the cluster-admin role detected: a new binding to the cluster-admin role, which grants administrator privileges, can hand out unnecessary administrator privileges and lead to privilege escalation in the cluster.
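The following is an added example, not Wortell's or Azure Defender's detection logic, that classifies Kubernetes audit log events (the audit.k8s.io/v1 event shape) for the API-level activities described on this page: new admission webhook configurations, bindings to cluster-admin and wildcard roles, deleted log events, user pods in kube-system, and changes to the CoreDNS objects. The rule names, the treatment of `system:` principals as trusted, and the sample events are assumptions constructed for the example.

```python
# Added example, not Wortell's or Azure Defender's detection logic: classify Kubernetes
# audit log events (audit.k8s.io/v1 shape) for the API-level activities described above.
# The rule set and the sample events are constructed for this example.
from typing import Dict, Iterable, List, Optional, Tuple

WEBHOOK_RESOURCES = ("mutatingwebhookconfigurations", "validatingwebhookconfigurations")
WRITE_VERBS = ("create", "update", "patch")


def _succeeded(ev: Dict) -> bool:
    # Only count completed, successful requests: each request is logged at several stages.
    return ev.get("stage") == "ResponseComplete" and \
        ev.get("responseStatus", {}).get("code", 500) < 300


def _is_system_principal(ev: Dict) -> bool:
    # Controllers, the kubelet and the scheduler act as system:* principals (assumption:
    # these are trusted for the kube-system rule).
    return ev.get("user", {}).get("username", "").startswith("system:")


def _grants_everything(rules: List[Dict]) -> bool:
    return any("*" in r.get("verbs", []) and "*" in r.get("resources", []) for r in rules)


def classify_audit_event(ev: Dict) -> Optional[str]:
    """Return a detection tag for a suspicious event, or None if it looks benign."""
    if not _succeeded(ev):
        return None
    ref = ev.get("objectRef", {})
    resource, ns, name = ref.get("resource"), ref.get("namespace"), ref.get("name")
    verb, body = ev.get("verb"), ev.get("requestObject") or {}

    if resource in WEBHOOK_RESOURCES and verb in WRITE_VERBS:
        return "admission-webhook-configured"
    if resource in ("clusterrolebindings", "rolebindings") and verb == "create" \
            and body.get("roleRef", {}).get("name") == "cluster-admin":
        return "cluster-admin-binding-created"
    if resource in ("clusterroles", "roles") and verb in WRITE_VERBS \
            and _grants_everything(body.get("rules", [])):
        return "wildcard-role-written"
    if resource == "events" and verb in ("delete", "deletecollection"):
        return "events-deleted"
    if resource == "pods" and verb == "create" and ns == "kube-system" \
            and not _is_system_principal(ev):
        return "user-pod-in-kube-system"
    if resource in ("configmaps", "deployments") and ns == "kube-system" \
            and name == "coredns" and verb in ("update", "patch", "delete"):
        return "coredns-modified"
    return None


def detect(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """(tag, username) for every event that matches a rule, in input order."""
    hits = []
    for ev in events:
        tag = classify_audit_event(ev)
        if tag:
            hits.append((tag, ev.get("user", {}).get("username", "?")))
    return hits


def _event(verb, resource, user, ns=None, name=None, body=None, code=201):
    # Builds a minimal constructed audit event carrying only the fields the rules read.
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
            "verb": verb, "user": {"username": user},
            "objectRef": {"resource": resource, "namespace": ns, "name": name},
            "requestObject": body, "responseStatus": {"code": code}}


SAMPLE_EVENTS = [  # constructed; mixes hits, benign traffic and a denied request
    _event("create", "clusterrolebindings", "alice@example.com", name="dev-admin",
           body={"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}),
    _event("create", "clusterrolebindings", "alice@example.com", name="dev-view",
           body={"roleRef": {"kind": "ClusterRole", "name": "view"}}),
    _event("create", "clusterrolebindings", "carol@example.com", name="denied",
           body={"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}, code=403),
    _event("create", "mutatingwebhookconfigurations", "bob@example.com", name="hook"),
    _event("deletecollection", "events", "bob@example.com", ns="payments"),
    _event("create", "pods", "alice@example.com", ns="kube-system", name="helper"),
    _event("create", "pods", "system:serviceaccount:kube-system:daemon-set-controller",
           ns="kube-system", name="kube-proxy-x7k2q"),
    _event("create", "pods", "alice@example.com", ns="payments", name="api"),
    _event("patch", "configmaps", "alice@example.com", ns="kube-system", name="coredns",
           code=200),
    _event("create", "clusterroles", "bob@example.com", name="superuser",
           body={"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}),
]

if __name__ == "__main__":
    for tag, user in detect(SAMPLE_EVENTS):
        print(f"{tag:32} {user}")
```

The denied (HTTP 403) cluster-admin binding and the daemon-set controller's pod in kube-system produce no hit, which is the point of the stage and principal checks: alerting on attempts that the API server already refused, or on the cluster's own controllers, generates noise that buries the six genuine findings.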

Scanning on malicious or vulnerable container images

Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a central registry. It’s based on the open-source Docker Registry 2.0.

To protect the Azure Resource Manager based registries in your subscription, enable Azure Defender for container registries at the subscription level. Azure Defender will then scan all images when they’re pushed to the registry, imported into the registry, or pulled within the last 30 days.

Scan findings can be found in Azure Security Center under the “Remediate Vulnerability” recommendations. Since these are findings in images built by the customer, the customer needs to resolve them; Wortell does not provide support for this remediation. We can help and advise with the implementation and configuration of Defender for ACR.

Compliant with NEN & ISO

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS). Using it enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties.

24/7 alert and incident follow-up

Cloud services are important, and attacks happen both during the day and at night. Therefore, Wortell has a team of cybersecurity engineers available 24/7.

Wortell has organized the availability of the experts as follows:

  • Tier 1: Eyes on-screen during business hours and outside of business hours
  • Tier 2: Eyes on-screen during business hours, stand-by outside of business hours
  • Tier 3: Eyes on-screen during business hours, stand-by outside of business hours

Cost Calculation

The cost will be calculated based on the number of databases that are connected to Azure Security Center / Azure Defender.

License Requirements

The cost will be calculated based on the number of:

  • Kubernetes clusters that are connected to Azure Security Center / Azure Defender.
  • Container Registries that are connected to Azure Security Center / Azure Defender.
  • Virtual machines that are connected to Azure Security Center / Azure Defender.