Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-kubernetes-threat-detection
A curated list of resources about detecting threats and defending Kubernetes systems.
https://github.com/jatrost/awesome-kubernetes-threat-detection
Last synced: 3 days ago
Books
- Hacking Kubernetes [...plane.io/hackingkubernetes/] [[amazon](https://amzn.to/3msjXDH)]
- Kubernetes Security and Observability
- Security Observability with eBPF
- Ch 29. Hacking on Containers
- Ch 30. Hacking on Kubernetes
- Kubernetes Patterns, 2nd Edition, Part 5: Security Patterns
- Container Security Book
Talks and videos
Detection
- Keynote: Detecting Threats in GitHub with Falco
- Threat Hunting at Scale: Auditing Thousands of Clusters With Falco
- Security Kill Chain Stages in a 100k+ Daily Container Environment with Falco
- Falco to Pluginfinity and Beyond
- Uncovering a Sophisticated Kubernetes Attack in Real Time Part II.
- Keeping your cluster safe from attacks with eBPF
- Threat Modeling Kubernetes: A Lightspeed Introduction
- Purple Teaming Like Sky’s the Limit – Adversary Emulation in the Cloud
Hardening
- Securing Kubernetes Applications by Crafting Custom Seccomp Profiles
- The Hitchhiker's Guide to Pod Security
- You and Your Security Profiles; Generating Security Policies with the Help of eBPF
- Using the EBPF Superpowers To Generate Kubernetes Security Policies
- Komrade: an Open-Source Security Chaos Engineering (SCE) Tool for
Attacks
- Advanced Persistence Threats: The Future of Kubernetes Attacks
- Bypassing Falco: How to Compromise a Cluster without Tripping the SOC
- A Treasure Map of Hacking (and Defending) Kubernetes
- How Attackers Use Exposed Prometheus Server to Exploit
- Trampoline Pods: Node to Admin PrivEsc Built Into Popular K8s Plat
- Three Surprising K8s Networking “Features” and How to Defend Against Them
- A Compendium of Container Escapes
- The Path Less Traveled: Abusing Kubernetes Defaults
Supply Chain
Networking
- Kubernetes Networking 101 (1h26m)
- A Guided Tour of Cilium Service Mesh
- Cilium: Welcome, Vision and Updates
- Cloud-Native Building Blocks: An Interactive Envoy Proxy Workshop (1h25m)
Conferences
- eBPF Summit: 2022, 2021, [2020](https://ebpf.io/summit-2020.html)
- CloudNative SecurityCon
Blogs and Articles
Detection
- Detecting a Container Escape with Cilium and eBPF
- Detecting and Blocking log4shell with Isovalent Cilium Enterprise
- Threat Hunting with Kubernetes Audit Logs
- Threat Hunting with Kubernetes Audit Logs - Part 2
- Dive into BPF: a list of reading material
- Deep Dive into Real-World Kubernetes Threats
- Understanding Docker container escapes
- K8 Audit Logs
- Kubernetes Hunting & Visibility
- SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
- Detecting Cryptomining Attacks in the wild
- Threat Alert: Kinsing Malware Attacks Targeting Container Environments
- TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations
- TeamTNT Targeting AWS, Alibaba
- Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes
- Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments
- CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes
- Lateral movement risks in the cloud and how to prevent them – Part 2: from compromised container to cloud takeover
- Lateral movement risks in the cloud and how to prevent them – Part 3: from compromised cloud resource to Kubernetes cluster takeover
- Consider All Microservices Vulnerable — And Monitor Their Behavior
Hardening
Attacks
- Attacker persistence in Kubernetes using the TokenRequest API: Overview, detection, and prevention
- Tetragone: A Lesson in Security Fundamentals
- How I Hacked Play-with-Docker and Remotely Ran Code on the Host
- The Route to Root: Container Escape Using Kernel Exploitation
- (Twitter thread) Quick and dirty way to get out of a privileged k8s pod or docker container by using the cgroups release_agent feature.
- Bad Pods: Kubernetes Pod Privilege Escalation
- Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks
- GKE Kubelet TLS Bootstrap Privilege Escalation
TTPs / Attack Matrices
Tools
Hardening
- seccomp - "can be used to sandbox the privileges of a process, restricting the calls it is able to make from userspace into the kernel."
- AppArmor - "AppArmor is a Linux kernel security module that supplements the standard Linux user and group based permissions to confine programs to a limited set of resources. AppArmor can be configured for any application to reduce its potential attack surface and provide greater in-depth defense."
- Kubernetes Network Policy Recipes
- OPA Gatekeeper - "A customizable cloud native policy controller that helps enforce policies and strengthen governance"
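The seccomp entry above and the talks on generating security policies (custom seccomp profiles, policies derived from eBPF traces) describe one workflow: capture the syscalls a workload actually makes, allowlist exactly those, and deny everything else. As an added example, not code from this list or from any project on it, the Python below turns a constructed syscall trace into a profile in the JSON format Kubernetes loads with `securityContext.seccompProfile.type: Localhost`. The bootstrap syscall set, the review-required set and the observed syscall list are assumptions made for the example.

```python
"""Build a syscall-allowlist seccomp profile from an observed syscall trace.

Added example (not code from any project in this list). Everything not in the
allowlist is denied with EPERM via SCMP_ACT_ERRNO, so a payload that reaches
for mount/ptrace/unshare fails even if it runs as root inside the container.
"""
import json

# Assumption: the runtime needs these to start the process even if the trace
# window never showed them.
BOOTSTRAP_SYSCALLS = {"execve", "exit_group", "rt_sigreturn", "arch_prctl",
                      "set_tid_address", "set_robust_list", "prctl"}

# Assumption: never auto-allow these just because a capture saw them once;
# surface them so a human decides.
REVIEW_REQUIRED = {"mount", "umount2", "ptrace", "unshare", "setns", "keyctl",
                   "bpf", "kexec_load", "init_module", "finit_module", "reboot"}

# Constructed sample trace of an HTTP server container (what `strace -f -c` or an
# eBPF syscall tracer would list). Duplicates are normal in a trace.
OBSERVED = ["read", "write", "openat", "close", "fstat", "mmap", "mprotect",
            "munmap", "brk", "rt_sigaction", "rt_sigprocmask", "ioctl", "socket",
            "bind", "listen", "accept4", "epoll_create1", "epoll_ctl",
            "epoll_wait", "setsockopt", "clone", "futex", "nanosleep", "getpid",
            "uname", "sendfile", "writev", "recvfrom", "sendto", "pread64",
            "getdents64", "fcntl", "madvise", "getrandom", "newfstatat",
            "read", "write"]


def build_seccomp_profile(observed, extra_allow=()):
    """Return (profile, flagged): the profile dict and observed calls needing review."""
    names = set(observed) | BOOTSTRAP_SYSCALLS | set(extra_allow)
    flagged = sorted(names & REVIEW_REQUIRED)
    names -= REVIEW_REQUIRED  # excluded from the allowlist until someone approves them
    profile = {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(names), "action": "SCMP_ACT_ALLOW"}],
    }
    return profile, flagged


def is_allowed(profile, syscall):
    """Evaluate one syscall name against the profile the way the filter would."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule["action"] == "SCMP_ACT_ALLOW":
            return True
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


def pod_security_context(profile_filename):
    """securityContext fragment for a profile placed under the kubelet's seccomp
    directory (/var/lib/kubelet/seccomp/ by default); the path is relative to it."""
    return {"seccompProfile": {"type": "Localhost",
                               "localhostProfile": profile_filename}}


if __name__ == "__main__":
    profile, flagged = build_seccomp_profile(OBSERVED + ["mount"])
    print(json.dumps(profile, indent=2))
    print("needs review:", flagged)
    print(json.dumps(pod_security_context("profiles/web.json")))
```

Run the workload under the generated profile in a staging cluster first: a syscall missed by the capture shows up as EPERM in the application log rather than a crash, which is exactly why SCMP_ACT_ERRNO is chosen over SCMP_ACT_KILL here.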
Simulation / Experimentation
- Kubernetes Attacks
- Sock Shop: A Microservices Demo Application
- Stratus Red Team - Stratus Red Team is "Atomic Red Team™" for the cloud, allowing to emulate offensive attack techniques in a granular and self-contained manner.
- falcosecurity/event-generator
- minikube - minikube implements a local Kubernetes cluster on macOS, Linux, and Windows. minikube's primary goals are to be the best tool for local Kubernetes application development and to support all Kubernetes features that fit.
- controlplaneio/simulator
- kubernetes-goat
Attack
Platforms
- anchore - "Software Composition Analysis from Code to Cloud: Enables security teams to find every piece of software in cloud native applications. Block and fix security issues in minutes rather than days."
- Prisma Cloud Compute Edition (formerly Twistlock) - "Prisma Cloud secures applications from code to cloud, enabling security and DevOps teams to effectively collaborate to accelerate secure cloud-native application development and deployment."
- sysdig - "Sysdig is a universal system visibility tool with native support for containers"
- Aqua Security - "Unified Cloud Security: Accelerate secure innovation and protect your entire development lifecycle from code to cloud and back."
- m9sweeper - "m9sweeper is a free and easy kubernetes security platform. It integrates industry-standard open source utilities into a one-stop-shop kubernetes security tool that can walk most kubernetes administrators through securing a kubernetes cluster as well as the apps running on the cluster."
Detection
Misc
Detection Rules and Analytics
Misc
- Panther Labs gcp_k8s_rules
- Sigma cloud/azure/kube*.yml
- Sigma cloud/gcp/kube*.yml
- Splunk Analytic Story: Kubernetes Scanning Activity
- Splunk Analytic Story: Kubernetes Sensitive Object Access Activity
- Tracee Signatures
- technologies/kubernetes
- exposed-panels/kube*.yaml
- misconfiguration/kubernetes
- exposures/configs/kube*.yaml
- Falco Rules
- Elastic kubernetes detection rules
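The audit-log hunting posts above (Threat Hunting with Kubernetes Audit Logs, the TokenRequest persistence write-up) and the Splunk, Sigma and Elastic rule sets in this section all reduce to pattern matches over kube-apiserver audit events. As an added example, not code from this list or from any project on it, here is a small Python rule set that runs five of those checks over constructed sample events: a long-lived token minted through the TokenRequest API, Secrets read by a principal outside an allowlist (the "sensitive object access" pattern), `kubectl exec` into a pod, creation of a host-privileged "Bad Pod", and API enumeration seen as repeated 401/403 responses from one source IP (the "scanning activity" pattern). Event field names follow the real audit.k8s.io/v1 schema; the thresholds, the allowlist and the sample events are assumptions made for the example.

```python
"""Hunting rules over Kubernetes API-server audit events.

Added example (not code from the list or any project on it). The thresholds,
the allowlist of principals expected to read Secrets, and the sample events
are assumptions constructed for the example.
"""
import json
from collections import Counter

# Assumption: control-plane principals that legitimately read Secrets.
ALLOWED_SECRET_READERS = {
    "system:kube-controller-manager",
    "system:serviceaccount:kube-system:generic-garbage-collector",
}
MAX_TOKEN_LIFETIME = 24 * 3600  # assumption: longer TokenRequests look like persistence
SCAN_THRESHOLD = 5              # assumption: denials from one IP before calling it scanning


def parse_audit_log(text):
    """Parse JSON-lines output as written by kube-apiserver --audit-log-path."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def host_access_reasons(spec):
    """Return the 'Bad Pods' style host-access grants present in a pod spec."""
    reasons = [k for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            reasons.append(f"privileged:{c.get('name')}")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            reasons.append(f"hostPath:{v['hostPath'].get('path')}")
    return reasons


def analyze(events):
    """Return (rule, key, detail) findings; key is the auditID or the source IP."""
    findings, denied = [], Counter()
    for ev in events:
        aid = ev.get("auditID")
        user = (ev.get("user") or {}).get("username", "")
        verb, ref = ev.get("verb"), ev.get("objectRef") or {}
        resource, sub = ref.get("resource"), ref.get("subresource")
        req = ev.get("requestObject") or {}
        code = (ev.get("responseStatus") or {}).get("code")
        ok = code is not None and 200 <= code < 300
        target = f"{ref.get('namespace') or 'cluster-wide'}/{ref.get('name') or '*'}"
        # 1. Long-lived token minted through the TokenRequest API (persistence).
        if verb == "create" and resource == "serviceaccounts" and sub == "token":
            ttl = (req.get("spec") or {}).get("expirationSeconds", 0)
            if ttl > MAX_TOKEN_LIFETIME:
                findings.append(("tokenrequest_long_lived", aid,
                                 f"{user} minted {ttl}s token for {target}"))
        # 2. Successful Secrets read by a principal outside the allowlist.
        if (resource == "secrets" and verb in ("get", "list", "watch") and ok
                and user not in ALLOWED_SECRET_READERS):
            findings.append(("sensitive_object_access", aid, f"{user} {verb} secrets {target}"))
        # 3. Interactive exec into a pod (a create on the exec subresource).
        if verb == "create" and resource == "pods" and sub == "exec":
            findings.append(("pod_exec", aid, f"{user} exec into {target}"))
        # 4. Pod created with host-level privileges.
        if verb == "create" and resource == "pods" and not sub:
            reasons = host_access_reasons(req.get("spec") or {})
            if reasons:
                findings.append(("bad_pod_created", aid, f"{user}: {','.join(reasons)}"))
        # 5. (aggregate) Repeated denials from one source IP: enumeration/scanning.
        if code in (401, 403):
            for ip in ev.get("sourceIPs", []):
                denied[ip] += 1
    for ip, n in sorted(denied.items()):
        if n >= SCAN_THRESHOLD:
            findings.append(("api_scanning", ip, f"{n} denied requests"))
    return findings


# Constructed sample events, trimmed to the fields the rules use.
SAMPLE_AUDIT_LOG = r"""
{"auditID":"a1","verb":"create","user":{"username":"system:serviceaccount:dev:ci"},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"serviceaccounts","namespace":"kube-system","name":"default","subresource":"token"},"requestObject":{"spec":{"expirationSeconds":31536000}},"responseStatus":{"code":201}}
{"auditID":"a2","verb":"list","user":{"username":"system:serviceaccount:dev:web"},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}
{"auditID":"a3","verb":"create","user":{"username":"alice"},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"pods","namespace":"dev","name":"web-0","subresource":"exec"},"responseStatus":{"code":101}}
{"auditID":"a4","verb":"create","user":{"username":"alice"},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"pods","namespace":"dev"},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"x","securityContext":{"privileged":true}}],"volumes":[{"name":"root","hostPath":{"path":"/"}}]}},"responseStatus":{"code":201}}
{"auditID":"a5","verb":"get","user":{"username":"system:kube-controller-manager"},"sourceIPs":["10.0.0.1"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token"},"responseStatus":{"code":200}}
"""


def denied_probe(i, resource):
    """Constructed 403 event: an unauthenticated caller enumerating resources."""
    return {"auditID": f"s{i}", "verb": "list", "user": {"username": "system:anonymous"},
            "sourceIPs": ["198.51.100.7"], "objectRef": {"resource": resource},
            "responseStatus": {"code": 403}}


def sample_events():
    probes = [denied_probe(i, r) for i, r in
              enumerate(["pods", "secrets", "nodes", "configmaps", "clusterroles"])]
    return parse_audit_log(SAMPLE_AUDIT_LOG) + probes


if __name__ == "__main__":
    for rule, key, detail in analyze(sample_events()):
        print(f"{rule:<24} {key:<14} {detail}")
```

Rule 2 deliberately only fires on successful reads; a denied Secrets list from an unauthenticated caller is counted by rule 5 instead, so one attacker action does not produce two alerts. The legitimate controller-manager read in the sample (a5) produces nothing, which is the allowlist doing its job.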
People
Misc
- awesome-k8-threat-detect
- @_fel1x
- @Antonlovesdnb
- @bibryam
- @bradgeesaman
- @christophetd
- @g3rzi
- @htejeda
- @iancoldwater
- @jrfastab
- @LachlanEvenson
- @lizrice
- @mhausenblas
- @mosesrenegade
- @nataliaivanko
- @raesene
- @ramesh-ramani
- @randyabernethy
- @saschagrunert
- @sethsec
- @shaul-ben-hai
- @sshaybbc
- @Steph3nSims
- @sublimino
- @sussurro
- @sys_call
- @tgraf__
- @tixxdz
- @tpapagian
- @willfindlay
- @yuvalavra
- @jimmesta
Keywords: kubernetes (15), security (12), containers (5), ebpf (4), golang (4), docker (4), kubernetes-security (4), cncf (3), go (3), falco (3), bpf (3), devsecops (2), redteam (2), networking (2), security-tools (2), kube-bench (2), container-security (2), cloud-security (2), runtime-security (2), cncf-project (2), cloud-native (2), vulnerability-scanners, vulnerability-detection, admission, gatekeeper, mutation, opa, policy, policy-engine, validation, adversary-emulation, aws, aws-security, azure-security, cis-benchmark, cis-kubernetes-benchmark, cis-security, openshift, kernel, linux, bpf-programs, ebpf-programs, inspektor-gadget, kinvolk, prometheus-exporter, prometheus-metrics, iac, infrastructure-as-code, misconfiguration, vulnerability (1 each)