How to stop K8s credential attacks earlier (with less work)

I like to compare cybersecurity to tug of war. Two opposing sides trying to claim victory over the other in a show of strength. However, in cybersecurity, the fight is not of brute force but of technical and intellectual superiority. There are no ropes here — only keyboards, minds, and wills. And, of course, the stakes are much, much higher.

Tug of war and cybersecurity are all about gaining leverage, and in modern cybersecurity, the advantage often goes to the side that finds the best ways to automate. Any security team understands that automation is key to success, especially as they are trying to accomplish more with fewer resources.

About a year ago, Lacework introduced Composite Alerts — a truly innovative capability that conducts security investigations for you, automatically tying together multiple low-severity events (six to eight security events, on average) that happen in succession to point to a larger problem in an environment. To date, Composite Alerts have detected early signs of compromised credentials, cloud ransomware, cloud cryptomining, compromised hosts, and more.

Automated investigations? No more manual querying and correlation? That’s real leverage.

Composite Alerts expand to Kubernetes

Lacework now automates Composite Alerts on the Kubernetes (K8s) control plane, specifically to detect early signs of potential K8s user and service account credential compromises.

When my team took on this project, we knew that extending Composite Alerts functionality to K8s was critical for our customers for a couple of reasons. First, it’s extremely common for K8s clusters to have internet exposure, which presents a level of risk. In fact, nearly 40% of the thousands of K8s clusters monitored by our platform are exposed to the internet. 

Second, K8s environments are just as susceptible to credential compromise as any other environment. According to the Verizon 2023 Data Breach Investigations Report, 86% of data breaches involving web apps and platforms involved the use of stolen credentials. Attackers steal credentials through various means like phishing attacks and data breaches or by exploiting security vulnerabilities. Then they use these credentials to break into your environment and steal your goods. 

K8s environments are no exception; they are simply the same song to a slightly different tune. K8s credential compromise happens — and happens often. In fact, during our backtest, we detected a handful of hits about successful K8s APIs triggered from known malicious IPs, which indicated the corresponding K8s user credentials had been compromised.

So what happens if an attacker acquires a leaked K8s credential and breaches an internet-exposed cluster? Cloud cryptomining. Deployment of malicious workloads. Data breach. Pivots to the cloud control plane. Full cluster takeover. The sky is truly the limit, which makes early detection of compromised credentials all the more important.

How does it work?

By correlating multiple related signals, Lacework has the capability to identify a wide range of complex threats. An example of a simple detection would include when a K8s API is triggered from a malicious IP address, which strongly suggests a credential compromise. A more complex example could include multiple anomalous events.

Our platform currently detects the following use cases:

• Successful K8s API requests from malicious IP addresses
• Poor K8s security practices, like excessive permissions for service accounts or unauthorized actions by unauthenticated K8s users
• Unusual administrative activities, indicating the potential compromise of privileged K8s credentials
• An unusually high number of unauthorized API requests on sensitive K8s resources

This new Composite Alert leverages signals coming from multiple sources, including K8s anomalous events, detections based on K8s Lacework Query Language (LQL) queries, threat intelligence information, and raw K8s audit logs. 

Each use case above leverages different sources to accomplish the detection. For example, a poor security practice could be detected via a simple rules-based detection on K8s audit logs. However, for more complex attacks involving privileged credentials (which rarely lead to forbidden requests), the platform would rely on anomalous K8s events to accomplish the detection.

What’s next for K8s Composite Alerts?

This first K8s Composite Alert is just the tip of the iceberg in terms of building out this functionality within Lacework. Current platform detections primarily target K8s APIs triggered from public IP addresses; however, we are aware that a significant portion of these API calls originate from private IPs. These types of calls would include potential insider threats or stolen credentials being used within clusters. These detections are more challenging due to the larger data volume and the need to avoid false positives, yet we continue to refine our capability to produce high-fidelity alerts around these activities.

We also plan to expand our scope to encompass additional use cases around lateral movement. This will involve integrating signals from various data sources, including K8s audit logs, syscall events, and cloud audit logs. Such an approach will enhance our capability to identify complex attack patterns, particularly those where an attacker pivots to exploit cloud resources after compromising a K8s environment (or vice versa).

Gain a foothold against threat actors

Since Composite Alerts launched a year ago, the technology has brought real value to security teams, and we’re excited to extend this benefit to Kubernetes environments. This feature offers real automation to security teams, winning back the hours and days that would have been spent manually piecing together data points across multiple security tools. 

For security professionals like me, that means even more time to spend on the high value work of finding even more ways to use automation to our advantage. 

Tug of war, indeed.

For an interactive, click-through demo of Composite Alerts, visit our demos page.