Living off the Land Techniques in Managed Kubernetes Clusters

Explore Living off the Land (LotL) techniques in managed Kubernetes clusters through this informative conference talk. Delve into the compromises and security challenges introduced by managed Kubernetes services, focusing on CSP-specific cluster middleware that expands the attack surface. Learn about a series of LotL techniques that exploit middleware functionality to elevate RBAC privileges, move laterally, bypass security controls, and evade detection. Discover examples such as abusing fluent-bit for PI exfiltration, achieving cluster admin via obscure system node-problem-detector host services, and leveraging webhooks for persistency. Gain insights into the taxonomy of these techniques, their relation to CISA guidance, and their mapping onto the Kubernetes threat matrix. Understand the implications for security teams and the difficulties in distinguishing between legitimate component behavior and malicious activities in managed Kubernetes environments.

Living off the Land Techniques in Managed Kubernetes Clusters - Ronen Shustin & Shay Berkovich