Honeypods: Applying a Traditional Blue Team Technique to Kubernetes

The use of honeypots in an IT network is a well-known technique to detect bad actors within your network and gain insight into what they are doing. By exposing simulated or intentionally vulnerable applications in your network and monitoring for access, they act as a canary to notify the blue team of the intrusion and stall the attacker’s progress from reaching actual sensitive applications and data. Once the blue team is aware of the situation, the attack can be traced back to the initial vector. The attack can then be contained and removed from the network.

Applying this technique into a Kubernetes environment works exceedingly well because of the declarative nature of applying manifests to deploy workloads. Whether the cluster is standalone or part of a complex pipeline, workload communications are defined by the application’s code. Any communication that’s not defined can be deemed suspicious at minimum and indicate that the source resource may have been compromised. By introducing fake workloads and services around production workloads, when a workload is compromised, the attacker cannot differentiate between other real and fake workloads. The asymmetric knowledge between the attacker and the cluster operator makes it easy to detect lateral movements from compromised workloads.

Honeypods in Calico Cloud and Calico Enterprise make use of this concept to provide a supplementary detection method when strict network policies or monitoring are not feasible. Honeypods work by deploying canary workloads and services in sensitive namespaces and monitoring them for access. By leveraging the monitoring and alerting capabilities in Calico Cloud and Calico Enterprise, any connections made to these canary workloads will generate an alert and can be traced back to the source. Canary traffic can also be inspected using a DPI engine to provide signature-based detection that delivers high-fidelity alerts and significantly reduces false positives.

Honeypods can be used to detect attacks including:

  • Data exfiltration
  • Resources enumeration
  • Privilege escalation
  • Denial of service (DoS)
  • Vulnerability exploitation attempts

Tigera provides a set of sample honeypods, and instructions on how to deploy them into your cluster. Learn more: https://docs.tigera.io/threat/honeypod/honeypods

Honeypods can also be monitored to detect and confirm known threats by leveraging the dynamic packet capture feature included with Calico Cloud and Calico enterprise, as well as with Intrusion Detection System (Snort) signatures: Learn more: https://docs.tigera.io/threat/honeypod/honeypod-controller

Want to learn more? Get started with a free Calico Cloud trial.


Join our mailing list

Get updates on blog posts, workshops, certification programs, new releases, and more!