{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-elastic-kubernetes-service-eks/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kubernetes","Amazon Elastic Kubernetes Service (EKS)"],"_cs_severities":["high"],"_cs_tags":["kubernetes","unauthorized_access","cloud"],"_cs_type":"advisory","_cs_vendors":["Kubernetes","AWS"],"content_html":"\u003cp\u003eThis detection identifies unauthorized access attempts to Kubernetes environments by scrutinizing Kubernetes audit logs. The analysis focuses on identifying anomalies in access patterns, specifically examining the source IPs of requests and their corresponding response statuses. Given the critical role of Kubernetes in orchestrating containerized applications, unauthorized access attempts are a significant security concern, potentially indicating an attacker's attempt to infiltrate the cluster. Successful infiltration could lead to unauthorized control over Kubernetes resources, potentially compromising sensitive systems or data within the cluster. This detection leverages Kubernetes audit logs and requires proper configuration of audit policies and log collection mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker attempts to access the Kubernetes API server without proper authentication.\u003c/li\u003e\n\u003cli\u003eThe Kubernetes API server evaluates the request based on configured RBAC policies.\u003c/li\u003e\n\u003cli\u003eDue to insufficient permissions or misconfiguration, the API server returns a \u0026quot;Forbidden\u0026quot; (403) response code.\u003c/li\u003e\n\u003cli\u003eThe Kubernetes audit logging system records the unauthorized attempt, including the source IP, username, and requested resource.\u003c/li\u003e\n\u003cli\u003eThe security monitoring system ingests the Kubernetes audit logs.\u003c/li\u003e\n\u003cli\u003eThe detection logic analyzes the logs for \u0026quot;Forbidden\u0026quot; response statuses related to resource creation attempts (verb=create).\u003c/li\u003e\n\u003cli\u003eStatistical analysis identifies anomalies in access patterns.\u003c/li\u003e\n\u003cli\u003eIf the number of \u0026quot;Forbidden\u0026quot; events from a specific source IP or user exceeds a threshold, an alert is triggered, indicating a potential unauthorized access attempt.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful unauthorized access to a Kubernetes cluster can have severe consequences. An attacker can gain control over cluster resources, potentially leading to the deployment of malicious containers, data exfiltration, or denial-of-service attacks. The impact could range from compromised applications and data to complete cluster takeover, affecting all workloads running within the environment. Kubernetes clusters often manage sensitive data and critical applications, making them prime targets for attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Kubernetes audit logging to capture API server requests and responses as described in the \u0026quot;how_to_implement\u0026quot; section of the source material.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubernetes Unauthorized Access\u003c/code\u003e to your SIEM and tune the threshold based on your environment's baseline activity to reduce false positives.\u003c/li\u003e\n\u003cli\u003eConfigure the Splunk OpenTelemetry Collector for Kubernetes to collect audit logs, as detailed in the \u0026quot;how_to_implement\u0026quot; section of the source.\u003c/li\u003e\n\u003cli\u003eInvestigate triggered alerts by examining the source IP, username, and requested resource from the \u003ccode\u003ekube_audit\u003c/code\u003e logs to determine the nature and intent of the unauthorized access attempt.\u003c/li\u003e\n\u003cli\u003eEnrich alerts with context from other security tools and threat intelligence feeds to identify known malicious actors or infrastructure.\u003c/li\u003e\n\u003cli\u003eImplement and regularly review RBAC policies to ensure least privilege access and prevent unauthorized resource creation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-unauth-access/","summary":"This analytic detects unauthorized access attempts to Kubernetes by analyzing Kubernetes audit logs, identifying anomalies in access patterns based on request source and response statuses, potentially leading to unauthorized control over Kubernetes resources.","title":"Kubernetes Unauthorized Access Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-unauth-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Amazon Elastic Kubernetes Service (EKS)","version":"https://jsonfeed.org/version/1.1"}