Defence Evasion in the Kubernetes Cluster

Kubernetes-ATT&CK-Matrix
5. Defence Evasion – ATT&CK® Matrix
MITRE’s ATT&CK®
Clear Kubernetes Logs
Attackers may erase the application or OS logs on a compromised container to prevent detection of their activity.
Delete K8S Events
A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster.
Example events are a container creation, an image pull, or a pod scheduling on a node.
Kubernetes events can be beneficial for recognising changes that happen in the cluster. Therefore, critics may want to delete these events (e.g., by using: “kubectl delete events–all”) in an attempt to evade detection of their action in the cluster.
Pod or Container Name Similarity
Pods that are created by controllers such as Deployment or DaemonSet have a random suffix in their names. Attackers can use this fact and name their backdoor pods as the existing controllers created them. For example, an intruder could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.
Also, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.
Connect from Proxy Server
Intruders may use proxy servers to conceal their origin IP. Concretely, adversaries often use anonymous networks such as TOR for their pursuit. It is beneficial for interacting with the applications themselves or with the API server.

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.