Attacking and Defending Kubernetes Cluster with KubeHound Attack Graph Model
There’s no two ways about it: Kubernetes is a confusing and complex collection of intertwined systems. Finding attack paths in Kubernetes by hand is a frustrating, slow, and tedious process. Defending Kubernetes against those same attack paths is almost impossible without third-party tooling.
In this talk we will present KubeHound - an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog. We will cover the concepts of graph theory underlying the tool, so you have everything needed to get the most out of KubeHound. We will demonstrate some of the more interesting and common attack primitives you may find, and we’ll show how defenders can use the free and open source version of KubeHound to find and eliminate the most dangerous attack paths.
Understanding interdependencies in a Kubernetes cluster, in particular gaps left open by seemingly innocent configuration changes, is beyond human capability. But not all misconfigurations are equal: some are no big deal, while others can lead to the full takeover of an entire Kubernetes cluster. This illustrates the well-known adage: “Defenders think in lists, attackers think in graphs; as long as this is true, attackers win”.
In this talk we will introduce how KubeHound, an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog, can help you pinpoint the most critical attack paths within your Kubernetes cluster.
From a defender’s point of view, this means deciding which security initiatives to prioritize. To do so, you need to:
- Provide a quantitative evaluation of risk within a Kubernetes environment. For example, calculate the % of high-risk assets with a path to a critical asset.
- Prioritize remediations. For example, calculate and rank the % change in the above metric resulting from applying a given remediation.
- Prioritize threat detection efforts. For example, identify the most common edges (i.e. attacks) in paths to critical assets and focus detection efforts on these.
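As an added illustration of the three metrics above (not KubeHound's own code or schema), the following Python computes them over a small constructed attack graph: vertices are cluster assets, directed edges are labelled attack primitives, entry assets are containers and the critical asset is the cluster-admin role. Asset names and edge labels are invented for the example.

```python
from collections import Counter, deque

# Constructed toy attack graph (not KubeHound's schema): (source, destination, attack label).
EDGES = [
    ("container:web", "node:worker-1", "privileged-escape"),
    ("container:api", "node:worker-1", "host-path-mount"),
    ("container:batch", "identity:batch-sa", "service-account-token"),
    ("container:web", "identity:web-sa", "service-account-token"),
    ("identity:batch-sa", "role:cluster-admin", "rbac-bind"),
    ("node:worker-1", "identity:node-sa", "service-account-token"),
    ("identity:node-sa", "role:cluster-admin", "rbac-bind"),
]
ENTRY = ["container:web", "container:api", "container:batch", "container:monitoring"]
CRITICAL = {"role:cluster-admin"}

def shortest_path(edges, src, targets):
    """BFS from src; returns the edge labels along the shortest path to any target, or None."""
    adj = {}
    for s, d, label in edges:
        adj.setdefault(s, []).append((d, label))
    queue, parent = deque([src]), {src: None}
    while queue:
        v = queue.popleft()
        if v in targets:
            labels = []
            while parent[v] is not None:      # walk back to src collecting labels
                prev, label = parent[v]
                labels.append(label)
                v = prev
            return labels[::-1]
        for d, label in adj.get(v, []):
            if d not in parent:
                parent[d] = (v, label)
                queue.append(d)
    return None

def exposure(edges):
    """Metric 1: % of entry (high-risk) assets with a path to a critical asset."""
    hits = sum(1 for e in ENTRY if shortest_path(edges, e, CRITICAL) is not None)
    return 100.0 * hits / len(ENTRY)

def rank_remediations(edges):
    """Metric 2: drop in exposure if all edges of a given attack type are remediated, ranked."""
    base = exposure(edges)
    labels = {label for _, _, label in edges}
    return sorted(((base - exposure([e for e in edges if e[2] != l]), l) for l in labels), reverse=True)

def common_attacks(edges):
    """Metric 3: attack types most often seen on shortest paths to critical assets."""
    counts = Counter()
    for e in ENTRY:
        counts.update(shortest_path(edges, e, CRITICAL) or [])
    return counts.most_common()
```

In this toy graph, removing the service-account-token or rbac-bind edges eliminates every path to cluster-admin, which is why both rank highest for remediation and for detection focus.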
From an attacker’s point of view, it means finding the lowest-effort attack path that will lead to their goal, usually full takeover of the entire cluster. Having a treasure map saves a ton of time for the attacker.
In short, single-point security findings have little traction for either an attacker or a defender. So we will demonstrate how KubeHound, being a queryable graph database of attack paths, makes reasoning about security problems via data-driven testing of hypotheses extremely efficient.
At the end of the talk, we will leave you with an open-source version of KubeHound designed to be run from a laptop to evaluate the attack paths within a single cluster. Finally, we will discuss the approach and challenges of implementing a distributed, large-scale version of the tool at Datadog and how you might implement a similar solution in your own environment.