DeTT&CT(ing) Kubernetes ATT&CK(s) with Audit Logs

This presentation discusses the different ways blue teamers can detect attacks and malicious behaviour on Kubernetes (K8s) clusters by leveraging the K8s audit logs and the new MITRE ATT&CK for Containers (and K8s). We deep-dive into a real-world attack scenario, a compromised cluster from one of our K8s honeypots, to demonstrate different ways defenders and incident responders can detect malicious activity happening on their clusters. We show how to enable audit logs and highlight which events matter most from a security perspective. Because K8s clusters can be very noisy, it is crucial to know where to look when there is an incident, as time is of the essence. Finally, we demonstrate how to create dashboards and alerts around those logs in the SIEM of your choice (Splunk, ELK, Datadog) so that you can quickly and easily act upon any suspicious activity on a cluster.
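As an added illustration of the triage the abstract describes (this is example code written for this page, not material from the talk or its authors), the script below reads Kubernetes audit events in the `audit.k8s.io/v1` JSON-lines format, discards the read-only control-plane chatter that makes up most of the volume, and tags each remaining event with a small set of high-signal detection rules (pod exec, secrets enumeration, privileged pod creation, anonymous access, denied requests, RBAC binding changes). The rule names, the noise heuristic and the sample events are all constructed for the example; it assumes an audit policy that records pod requests at the `Request` level so that `requestObject` is present on pod creations.

```python
"""Triage Kubernetes audit events for a handful of high-signal behaviours (added example)."""
import json
from collections import Counter

# Assumptions (not from the talk): pods are audited at the Request level, and
# these identities' read-only calls are treated as background noise.
NOISY_PRINCIPAL_PREFIXES = ("system:kube-", "system:apiserver", "system:node:")
READ_VERBS = {"get", "list", "watch"}
FINAL_STAGES = {"ResponseComplete", "Panic"}

# Constructed sample audit log: one noisy scheduler call, an exec seen at two
# stages, a denied secrets listing, a privileged pod, an anonymous probe, junk.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:kube-scheduler"},"objectRef":{"resource":"pods"},"responseStatus":{"code":200}}
{"stage":"ResponseStarted","verb":"create","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"default","name":"web-0"},"responseStatus":{"code":101}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"default","name":"web-0"},"responseStatus":{"code":101}}
{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","level":"Request","verb":"create","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"pods","namespace":"default"},"requestObject":{"kind":"Pod","spec":{"hostPID":true,"containers":[{"name":"c","image":"alpine","securityContext":{"privileged":true}}]}},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"configmaps"},"responseStatus":{"code":403}}
this line is not JSON and must not abort the run
"""


def parse_audit_log(text: str) -> list[dict]:
    """Parse JSON-lines audit output; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_noise(event: dict) -> bool:
    """Keep only the final stage of each request (so a long-running exec is
    counted once) and drop read-only calls from core control-plane identities."""
    if event.get("stage") not in FINAL_STAGES:
        return True
    user = event.get("user", {}).get("username", "")
    return user.startswith(NOISY_PRINCIPAL_PREFIXES) and event.get("verb") in READ_VERBS


def _escapes_container_boundary(spec: dict) -> bool:
    """True for host namespaces, privileged containers or hostPath volumes."""
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        return True
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            return True
    return any("hostPath" in v for v in spec.get("volumes", []))


def match_rules(event: dict) -> list[str]:
    """Return the names of every detection rule the event satisfies."""
    hits = []
    verb = event.get("verb")
    ref = event.get("objectRef") or {}
    user = event.get("user", {})
    code = event.get("responseStatus", {}).get("code")
    if user.get("username") == "system:anonymous" or "system:unauthenticated" in user.get("groups", []):
        hits.append("anonymous_api_access")
    if code in (401, 403):
        hits.append("denied_request")  # bursts of these look like permission probing
    if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach") and verb == "create":
        hits.append("pod_exec")
    if ref.get("resource") == "secrets" and verb in ("list", "watch"):
        hits.append("secrets_enumeration")
    if ref.get("resource") == "pods" and verb == "create":
        if _escapes_container_boundary((event.get("requestObject") or {}).get("spec", {})):
            hits.append("privileged_pod_create")
    if ref.get("resource") in ("clusterrolebindings", "rolebindings") and verb in ("create", "update", "patch"):
        hits.append("rbac_binding_change")
    return hits


def triage(text: str) -> list[tuple[str, str, list[str]]]:
    """(username, 'verb resource', rule hits) for every non-noise event that matched a rule."""
    results = []
    for ev in parse_audit_log(text):
        if is_noise(ev):
            continue
        hits = match_rules(ev)
        if hits:
            ref = ev.get("objectRef") or {}
            who = ev.get("user", {}).get("username", "")
            results.append((who, f"{ev.get('verb')} {ref.get('resource')}", hits))
    return results


def rule_counts(text: str) -> Counter:
    """Hits per rule: the shape a dashboard panel or an alert threshold consumes."""
    counts = Counter()
    for _, _, hits in triage(text):
        counts.update(hits)
    return counts


if __name__ == "__main__":
    for who, what, hits in triage(SAMPLE_AUDIT_LOG):
        print(f"{who:45} {what:20} {','.join(hits)}")
    print(dict(rule_counts(SAMPLE_AUDIT_LOG)))
```

The stage filter matters in practice: exec and watch requests emit events at `ResponseStarted` and `ResponseComplete`, so counting every stage doubles the numbers a dashboard shows. The per-rule counter is what you would feed a SIEM alert, for example firing when `denied_request` for a single service account crosses a threshold inside a short window.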

#BlueTeamSummit #Kubernetes