Kubernetes MITRE ATT&CK Framework Explained

Estimated reading time: 5 Minutes

If you’ve been around the cloud native world in the last few months, you probably couldn’t escape from hearing the term MITRE ATT&CK. In this blog post I’ll give a simple introduction and explanation as to what MITRE ATT&CK is and it’s applications to Kubernetes specifically.

The MITRE Corporation

The MITRE Corporation is an American non-profit organization. It manages federally funded R&D centers supporting several U.S. government agencies.

Perhaps by now you’re wondering what does MITRE even mean? well, Wikipedia teaches us that it doesn’t actually mean anything:

The company attributes the name to James McCormack, a member of Mitre’s first Board of Trustees: “He wanted a name that was meaningless and without connotations, but with an attractive feel”


ATT&CK Background

A research group within MITRE centered it’s work on researching post-compromise detection. In other words they focused on an attacker’s behavior after he has gained access to a system.

The goal of MITRE’s research was to find a useful way to detect post-compromise actions. The research wanted to show that measuring endpoint telemetry could be used to detect attackers after they infiltrated a system. This research showed that using analytics based on host and network behaviors accomplished that goal.

As part of this research effort, starting in 2013, MITRE developed a process for modeling an attacker’s post-compromise behavior at a granular level. This model is named ATT&CK, and guess what? it actually does have a meaning: Adversarial Tactics, Techniques & Common Knowledge.

This is where things get interesting!

In order to validate their assumption on post-compromise operations, MITRE validated it’s research with a so-called “cyber game”. In this game two teams were involved – a Red Team and a Blue Team. The Red Team performed adversary emulation (as described in the ATT&CK model), whereas the Blue Team used analytics to detect the Red Team’s intrusion.

As a result of this, MITRE understood that ATT&CK actually serves as both the adversary playbook and as a method for discovering defense gaps inside a target network. The ATT&CK model was released to the general public in 2015.

What ATT&CK actually is?

ATT&CK isn’t an actual product – it’s more of a data set of adversarial techniques. It classifies and breaks down offensive actions that can be used against certain platforms. As time passed this knowledge base (which started out with Windows) was expanded to more platforms like: macOS, Linux, the Cloud and many more. It’s worth noting that the ATT&CK matrices are split into enterprises (Windows, Linux, macOS etc.) and mobile devices (Android and iOS).

The reason I’m explaining this, is because people tend to think that ATT&CK’s purpose is to classify the tools that adversaries use. But that’s not the case – it maps out the way adversaries can interact offensively with systems and platforms.

ATT&CK matrix layout

Now that we understand the purpose of the ATT&CK matrix, let’s talk about how it’s built and it’s content. In short – an ATT&CK matrix is built of the “why” and “how”/”what” of an adversary attack.

Tactics (“why”)

When an adversary performs an offensive action against some system he usually has a certain intention in mind, a certain objective – this is referred to as the tactic. In my view these terms align well with the fact that MITRE is working for government agencies – a tactic is actually a tactical objective (sounds like a military term).

Some good examples of tactics are: discovering information, privilege escalation, credential access, exfiltrate etc.

Techniques (“how”/”what”)

Once an adversary has decided on a tactic, he needs to understand how is he going to execute that tactic – this is the technique. Techniques may also represent what an adversary gains by performing an action.

There may be many techniques to achieve tactical objectives, so there are multiple techniques listed under each tactic column.

The Windows ATT&CK matrix – source: https://attack.mitre.org/matrices/

What is the ATT&CK matrix good for?

As you probably understand by now, the ATT&CK matrix can help security specialists on both sides of the spectrum. For most purposes, organizations can use the matrix to understand their attack surface and make sure they cover all their bases.

Now that we fully understand the MITRE ATT&CK matrix purpose and layout, let’s tie this down to the cloud native space.

The Kubernetes ATT&CK matrix

During April 2020, Microsoft Azure Security Center published an ATT&CK matrix based on the MITRE ATT&CK approach to help identify threats on the Kubernetes container orchestration platform. Azure Security Center translated and adapted the tactics and techniques found in the original MITRE ATT&CK framework to the challenges of Kubernetes:

For example, a translation of the first four tactics from OS to container clusters would look like 1. “initial access to the computer” becomes “initial access to the cluster”, 2. “malicious code on the computer” becomes “malicious activity on the containers”, 3. “maintain access to the computer” becomes “maintain access to the cluster”, and 4. “gain higher privileges on the computer” becomes “gain higher privileges in the cluster”.


The Kubernetes ATT&CK matrix

Azure’s matrix is a major milestone in capturing the difference between traditional IT security and cloud native security.

Some would argue that the Azure Kubernetes attack matrix doesn’t cover all bases of the Kubernetes platform. Be that as it may, Azure paved the way for upcoming companies and products that will use this research as a baseline.

That’s all for now – follow me on twitter for regular updates and, as usual, like and comment at will! see you on the next one.

You can find more posts covering different aspects of Kubernetes here.

Credits and further reading:

Leave a Reply