Kubernetes Security: Lateral Movement Detection and Defense

What is Lateral Movement?

Lateral movement refers to the techniques an attacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. These techniques are a staple of sophisticated intrusions such as advanced persistent threats (APTs). From a compromised system, the adversary reaches other hosts and collects what gets them further: legitimate credentials, mail systems, shared folders, and finally the target they set out for. Because each hop reuses ordinary protocols and valid credentials, lateral movement lets a threat actor avoid detection and retain access over a dwell time of weeks or even months after the initial breach.

What are the Stages of Lateral Movement?

There are three primary stages of lateral movement: reconnaissance, credential/privilege gathering, and gaining access to other resources in the network.

How Does an Adversary Gain Unauthorized Access to a Kubernetes Cluster?

In a Kubernetes cluster, initial access typically means compromising a pod, for example through a vulnerable application running in it. From inside that pod there are three main areas where the attacker can begin reconnaissance and work through the lateral movement stages to learn more about the cluster: the cloud provider metadata service, the pod's own networking and filesystem, and the Kubernetes API server.

  1. The cloud provider metadata service (on AWS, GCP and Azure it answers at the link-local address 169.254.169.254) exists so that DevOps tooling can manage and scale cloud instances. Unless egress to it is blocked, a pod can query it just like the node can, and it returns the hostname, network IP, custom attributes and, most valuable of all, the IAM role credentials of the node. Those credentials in turn open other cloud resources such as S3 buckets, which the attacker can then probe.
  2. The pod's own networking and filesystem tell the attacker its IP, subnet, hostname, the applications running in it, the Linux capabilities it holds, and any secrets mounted into it, including the service account token. At this stage the attacker's goal is to collect as many permissions as possible from within the pod.
  3. Lastly, the attacker can probe the Kubernetes API server. Its address is injected into every container as the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT environment variables, and the mounted service account token authenticates to it. What the attacker can do from there is whatever RBAC grants that service account: an over-privileged account lets them drive the API as an operator would from the CLI, and Custom Resource Definitions (CRDs) are prime targets because they extend that API with features the attacker can turn to their own ends.
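The following is an added example, not code from the original post. It shows how much of the inventory in steps 2 and 3 is handed to an attacker before a single network request is made: Kubernetes injects the API server address into every container's environment, and (unless automountServiceAccountToken is false) mounts a service account token, a JWT whose claims name the namespace, service account and pod that hold it. Decoding the token without the signing key is enough to learn which identity the attacker now holds. The environment, the unsigned sample token and the AWS-style metadata path are constructed for the example.

```python
"""Inventory what a compromised pod exposes: API endpoint, identity, metadata target."""
import base64
import json
import os

TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
METADATA_IP = "169.254.169.254"  # link-local metadata service on AWS, GCP and Azure
# AWS IMDS path used for illustration; GCP and Azure use different paths and headers,
# and IMDSv2 additionally requires a session token obtained with a PUT request.
METADATA_PATH = "/latest/meta-data/"


def b64url_decode(segment):
    """JWT segments are base64url without padding; restore padding before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(token):
    """Decode the payload of a JWT WITHOUT verifying it (reconnaissance only)."""
    try:
        _header, payload, _signature = token.split(".")
    except ValueError:
        raise ValueError("not a JWT")
    return json.loads(b64url_decode(payload))


def pod_inventory(env, token):
    """Summarise the identity and endpoints reachable from inside a pod."""
    claims = token_claims(token)
    # Subject has the form system:serviceaccount:<namespace>:<name>.
    _, _, rest = claims.get("sub", "").partition("system:serviceaccount:")
    namespace, _, sa_name = rest.partition(":")
    # Projected (bound) tokens also carry a kubernetes.io claim naming the pod.
    k8s = claims.get("kubernetes.io", {})
    host = env.get("KUBERNETES_SERVICE_HOST")
    port = env.get("KUBERNETES_SERVICE_PORT", "443")
    return {
        "api_server": f"https://{host}:{port}" if host else None,
        "namespace": namespace or k8s.get("namespace"),
        "service_account": sa_name or k8s.get("serviceaccount", {}).get("name"),
        "pod": k8s.get("pod", {}).get("name"),
        "expires": claims.get("exp"),
        "metadata_url": f"http://{METADATA_IP}{METADATA_PATH}",
    }


def make_sample_token(claims):
    """Build an UNSIGNED JWT for the example; real tokens are signed by the API server."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample environment and token (hypothetical namespace "shop", SA "web").
SAMPLE_ENV = {
    "KUBERNETES_SERVICE_HOST": "10.96.0.1",
    "KUBERNETES_SERVICE_PORT": "443",
    "HOSTNAME": "web-7d9f",
}
SAMPLE_TOKEN = make_sample_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:shop:web",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": 1700000000,
    "kubernetes.io": {
        "namespace": "shop",
        "serviceaccount": {"name": "web"},
        "pod": {"name": "web-7d9f"},
    },
})


def inventory_from_runtime():
    """Same inventory from a real pod: reads the live environment and mounted token."""
    with open(TOKEN_PATH) as f:
        return pod_inventory(os.environ, f.read().strip())


if __name__ == "__main__":
    print(json.dumps(pod_inventory(SAMPLE_ENV, SAMPLE_TOKEN), indent=2))
```

The defensive reading of this inventory: set automountServiceAccountToken to false on workloads that never call the API, keep the bound token's audience and expiry tight, and block pod egress to 169.254.169.254 so the node's IAM role does not become the pod's.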

Once an attacker secures administrative privileges and gains deeper access into a network, malicious lateral movement can be very difficult to detect because it can appear to be “normal” network traffic. Left undetected, an attacker using lateral movement techniques can cause significant disruption. So it’s essential to find and remove these intruders as quickly as possible to avoid costly losses.

Detecting and Defending Against Lateral Movement

Fortunately there are effective ways to detect lateral movement in a Kubernetes cluster. The signals follow directly from the reconnaissance areas above: API requests from workload service accounts that stray outside their usual namespace and resource set, forbidden responses from the API server, and pod connections to the metadata service or to peers they have no business talking to. Global Alerts, a unique feature in Calico Enterprise, provides advanced threat and lateral movement detection for Kubernetes workloads in private and public clouds. With Calico Enterprise Global Alerts, you can quickly identify malicious behavior and significantly reduce dwell time by uncovering this activity in its early stages.
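As an added example (not Calico or Tigera code), here is what the detection side looks like when written against the Kubernetes audit log, which the API server emits when started with an audit policy. It flags a workload service account that behaves like the attacker in step 3 above: probing its own permissions with SelfSubjectAccessReview or SelfSubjectRulesReview (what `kubectl auth can-i` does under the hood), reading secrets and other sensitive resources outside its own namespace, being refused by the API server, or listing many resource kinds in a short span. The audit events, the namespace and service account names, and the thresholds are constructed for the example.

```python
"""Flag reconnaissance-style API activity by workload service accounts in audit events."""
import json
from collections import defaultdict

SA_PREFIX = "system:serviceaccount:"
# Resources whose enumeration by a workload identity is suspicious (assumption).
SENSITIVE = {"secrets", "configmaps", "serviceaccounts", "rolebindings", "clusterrolebindings"}
# Creating these is how a client asks "what am I allowed to do?".
PROBE_RESOURCES = {"selfsubjectaccessreviews", "selfsubjectrulesreviews"}
DISCOVERY_THRESHOLD = 4  # distinct resource kinds listed by one identity (assumption)

# Constructed audit.k8s.io/v1 events, one JSON object per line, trimmed to the
# fields the rules use. A hypothetical "web" service account in namespace "shop"
# first behaves normally, then starts enumerating the cluster.
SAMPLE_AUDIT_LOG = """
{"verb":"list","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"pods","namespace":"shop"},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"secrets","namespace":"shop","name":"db-creds"},"responseStatus":{"code":200}}
{"verb":"create","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"selfsubjectrulesreviews","apiGroup":"authorization.k8s.io"},"responseStatus":{"code":201}}
{"verb":"list","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"secrets"},"responseStatus":{"code":403}}
{"verb":"list","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"configmaps","namespace":"shop"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"serviceaccounts","namespace":"shop"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"nodes"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:kube-system:coredns"},"objectRef":{"resource":"services"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:kube-system:coredns"},"objectRef":{"resource":"endpoints"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}
"""


def load_events(text):
    """Parse JSON-lines audit output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_sa(username):
    """Return (namespace, name) for a service-account user, else None."""
    if not username.startswith(SA_PREFIX):
        return None
    ns, _, name = username[len(SA_PREFIX):].partition(":")
    return ns, name


def detect(events):
    """Return (rule, user, detail) tuples for suspicious workload-identity activity."""
    alerts = []
    listed = defaultdict(set)  # user -> resource kinds it listed
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        sa = parse_sa(user)
        if sa is None:
            continue  # human users (OIDC, client certs) need different baselines
        sa_ns, _sa_name = sa
        obj = ev.get("objectRef") or {}
        resource = obj.get("resource", "")
        target_ns = obj.get("namespace", "")  # empty for cluster-scoped requests
        verb = ev.get("verb", "")
        code = (ev.get("responseStatus") or {}).get("code")
        if resource in PROBE_RESOURCES and verb == "create":
            alerts.append(("permission-probe", user, resource))
        if resource in SENSITIVE and verb in ("get", "list", "watch") and target_ns != sa_ns:
            alerts.append(("cross-namespace-read", user, f"{verb} {resource} ns={target_ns or '*'}"))
        if code == 403:
            # Denied requests are the clearest sign of an identity testing its limits.
            alerts.append(("forbidden-attempt", user, f"{verb} {resource}"))
        if verb == "list":
            listed[user].add(resource)
    for user, kinds in listed.items():
        if len(kinds) >= DISCOVERY_THRESHOLD:
            alerts.append(("resource-discovery", user, ",".join(sorted(kinds))))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(load_events(SAMPLE_AUDIT_LOG)):
        print(f"{rule:22} {user:40} {detail}")
```

In production the same rules would run over a streaming audit backend with a per-identity baseline learned from normal traffic rather than the fixed threshold here; the `alice` and `coredns` events pass through untouched, which is the point of keying the rules on the workload identity rather than on raw request volume.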

Want to learn more?

Watch this on-demand webinar, Detecting Lateral Movement and Defending Against Attackers, presented by Tigera security threat researcher Garwood Pang.
