DeTT&CT(ing) Kubernetes ATT&CK(s) with Audit Logs

Video: https://www.youtube.com/watch?v=RwKbf8wqzpI
Duration: 35:37


This presentation discusses the different ways blue teamers can detect attacks and malicious behaviour on Kubernetes (K8s) clusters by leveraging the K8s audit logs and the new MITRE ATT&CK for Containers (and K8s). Through a deep dive into a real-world attack scenario, a compromised cluster from one of our K8s honeypots, we demonstrate different ways defenders and incident responders can detect malicious activity happening on their clusters. We show how to enable audit logs and highlight which events are the most important from a security perspective. Because K8s clusters can be very noisy, it is crucial to know where to look when there is an incident, as time is of the essence. Finally, we demonstrate how to create dashboards and alerts around those logs on the SIEM of your choice (Splunk, ELK, Datadog) so that you can quickly and easily act upon any suspicious activity on a cluster.

Magno Logan, Information Security Specialist, Trend Micro (twitter.com/magnologan)

View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE
#BlueTeamSummit #Kubernetes
Tags:
sans institute
blue team
blue team operations
sans blue team summit
blue team summit
sans institute blue team summit
Magno Logan
Kubernetes
MITRE ATT&CK
Kubernetes tutorial
Kubernetes cluster
MITRE ATT&CK for containers
K8s
K8s audit logs