Center for Threat-Informed Defense teams up with Microsoft, partners to build the ATT&CK® for Containers matrix

The MITRE ATT&CK® for Containers matrix was published today, establishing an industry knowledge base of attack techniques associated with containerization and related technologies that are increasingly more ubiquitous in the current computing landscape. Microsoft is happy to have contributed and worked closely with the Center for Threat-Informed Defense and other partners to develop this framework for understanding and investigating this growing attack surface.

The ATT&CK for Containers builds on efforts including the threat matrix for Kubernetes developed by the Azure Security Center team for Azure Defender for Kubernetes. The Center for Threat-Informed Defense expanded on this initial framework by documenting real-world attacks, with Microsoft and other partners providing guidance and feedback throughout the process.

Building the ATT&CK for Containers matrix is helpful in understanding the risks associated with containers, including misconfigurations that are often the initial vector for attacks, as well as the specific implementation of attack techniques in the wild. This knowledge informs approaches for detecting threats, and thus helps in providing comprehensive protections, as more and more organizations adopt containers and container orchestration technologies like Kubernetes.

Organizations use containers to package software code, configuration files and libraries, and dependencies to enable fast software development and deployment. Containerization involves abstracting the OS and hardware. This abstraction creates scenarios where users are unaware that the base image of a container has exploitable vulnerabilities or where users may not pay close attention to what libraries and binaries are present on the images they’re using.

The convenience of platform-agnostic deployment of containers can benefit software developers, but it can also potentially benefit attackers aiming to run malware on multiple platforms. In addition, the ease in the deployment of containers can mean containers with vulnerabilities can be distributed across an organization as part of normal deployment operations.

Microsoft security coverage for threats and risks associated with containers

Microsoft delivers protection against container threats in two areas: on endpoints and on Kubernetes clusters.

Microsoft Defender for Endpoint detects threats on endpoints running container hosts, focusing on behavior commonly observed on endpoints, including stealing locally stored credentials for accessing the cloud, downloading and running malicious images, and privilege escalation from dockers to hosts. Below is a mapping of Microsoft Defender for Endpoint detections with the ATT&CK for Containers techniques.

ATT&CK for Containers technique	Microsoft Defender for Endpoint detection
Valid Accounts	Suspicious cloud credential access Unix credentials were illegitimately accessed
Unsecured Credentials	Suspicious cloud credential access Unix credentials were illegitimately accessed
Build Image on Host	Malicious Docker image run Suspicious network connection from Docker container
Deploy Container	Malicious Docker image run Suspicious network connection from Docker container
User Execution: Malicious Image	Malicious Docker image run Suspicious network connection from Docker container
Resource Hijacking	Malicious Docker image run
Container Resource Discovery	Suspicious kubectl exploratory command sequence
Exploit Public-Facing Application	Suspicious connection to unsecured Docker daemon
Escape to Host	Suspicious file opens by WSL

Detections of malicious or suspicious behaviors associated with containers are reported as alerts in Microsoft 365 security center, enabling defenders to investigate and remediate the threat and hunt for related or similar behaviors. These detections enrich the telemetry that Microsoft Defender for Endpoint uses to build device timelines and cross-domain end-to-end attack chains:

Azure Defender offers a Kubernetes plan to protect Kubernetes clusters, both in the orchestration layer and in the node level. The orchestration layer protection monitors Kubernetes API operations to find suspicious and malicious activities in the Kubernetes control plane. The node-level protection, based on the Server plan of Azure Defender, inspects activity on the Kubernetes worker-node to detect suspicious activity that run by the containers on the nodes. Below is a mapping of Azure Defender detections with the ATT&CK for Containers techniques.

ATT&CK for Containers technique	Azure Defender detection
Exploit Public-Facing Application
External Remote Services	Orchestration level alerts: Exposed Kubeflow dashboard detected Exposed Kubernetes dashboard detected Exposed Kubernetes service detected Exposed Redis service in AKS detected Node level alerts: Exposed Docker daemon detected (node level)
Valid accounts	Orchestration level alerts: AKS API requests from proxy IP address detected Node level alerts: Successful SSH brute force attack (node level) Suspicious incoming SSH network activity from multiple sources (node level) Suspicious incoming SSH network activity (node level)
Container Administration Command	Orchestration level alerts: Suspicious command executed in container Node level alerts: Privileged command run in container Suspicious request to Kubernetes API
Deploy Container	Orchestration level alerts: AKS API requests from proxy IP address detected Digital currency mining container detected  Node level alerts: Suspicious request to Kubernetes API
Scheduled Task/Job	Kubernetes CronJob controller, such as other controllers, creates a pod resource. See “Deploy Container” technique for relevant detections.
User Execution	Digital currency mining container detected
Implant Internal Image
Escape to Host	Orchestration level alerts: Container with a sensitive volume mount detected Privileged container detected
Exploitation for Privilege Escalation	Orchestration level alerts: Privileged container detected
Build Image on Host	Node level alerts: Docker build operation detected on a Kubernetes node
Indicator Removal on Host	Orchestration level alerts: Kubernetes events deleted
Masquerading	New container in the kube-system namespace detected
Brute Force	Successful SSH brute force attack (node level) Suspicious incoming SSH network activity from multiple sources (node level) Suspicious incoming SSH network activity (node level)
Unsecured Credentials	Suspicious request to Kubernetes API (node level)
Resource Hijacking	Digital currency mining container detected (Orchestration) Suspicious command executed in container (Orchestration) Process associated with digital currency mining detected (node level) Possible Crypto coin miner download detected (node level) Digital currency mining related behavior detected (node level)

In addition, as was observed is several attacks like the one that targets Kubeflow workloads, many incidents start with a misconfiguration. Azure Defender can help detect misconfiguration, such as exposure of sensitive interfaces to the internet. In addition, Azure Defender can also help reduce the attack surface by detecting sensitive operations like creating high-privilege RBAC rules, auditing for Kubernetes best practices, and providing deployment gates.

The work to secure containers continues

The partnership between MITRE Engenuity’s Center for Threat-Informed Defense and Microsoft on investigating and understanding container threats doesn’t stop with the release of ATT&CK for Containers. We will continue to work with MITRE and the rest of the industry to share intelligence and insights from Microsoft’s products, sensors, and research. We will continue to look for innovative ways for surfacing telemetry, especially from within the container, not just on  hosts, and for detecting behavior associated with both malicious activity and misconfigurations.

To learn more about how Microsoft can help you protect containers and relevant technologies today, read about Microsoft Defender for Endpoint and Azure Defender.

To learn more about the Center for Threat-Informed Defense, read about the Center’s collaborative approach to advancing threat-informed defense.

Microsoft 365 Defender Research Team

Azure Defender Team

READ MORE HERE