AppSec California 2020, January 21-24 at the Annenberg Beach House, Santa Monica, CA
Wednesday, January 22 • 9:00am - 5:00pm
Attacking and Defending Containerized Apps and Serverless Tech [Day 2 of 2]


Abstract
Organizations are rapidly moving to microservice-style architectures, which has led to container and serverless technology being adopted at a rapid rate, with a few organizations even leapfrogging containers and implementing serverless technology for scalability. Leading container technologies like Docker have risen in popularity and are widely used because they package and deploy consistent-state applications across multiple environments, and they are also extremely scalable, especially when complemented with orchestration technologies.


Serverless, on the other hand, seems to be taking over at a rapid rate with the increased use of microservices and polyglot development of applications and services across organizations. Serverless and container orchestration technologies like Kubernetes help these deployments scale massively, which can increase the overall attack surface to a massive extent if security is not given the attention it requires. Security remains a key challenge that both organizations and security practitioners face with containerized and serverless deployments.


While containers continue to be vulnerable to the security threats that plague any typical application deployment, they also face specific threats related to the containerization daemon, the shared kernel and other shared resources like the network, process tree and filesystem. Serverless deployments face risks such as insecure deployment configurations, inadequate monitoring and logging of functions, broken authentication, function event data injection, insecure secret storage, and many more. Attacking applications that leverage container and serverless technology requires a specific skill set and a deep understanding of the underlying architecture. This 2-day training takes a practical approach with both offensive and defensive flavours, making it ideal for security engineers, red teamers, DevOps engineers and developers. It includes a plethora of hands-on exercises designed from real-world attacks and from the security-specific challenges we faced while implementing these technologies, helping attendees test and implement security in a scalable manner.


The training consists of, but is not limited to, the following focus areas in Container Security and Serverless Deployment:
● Introduction to Container Technology
● Containerized Deployments and Container Orchestration Technologies
● Container Threat-Model
● Attacking Containers and Security deep-dive
● Introduction to Kubernetes
● Threat-Model of Orchestration technologies
● Attacking Kubernetes
● Kubernetes Defense-in-Depth
● Logging & Monitoring Orchestrated deployments
● Introduction to Serverless
● Deploying Application to AWS Lambda
● Serverless Threat-Model
● Attacking a Serverless Stack
● Serverless Security Deep-dive

Course Outline
Evolution to Container Technology and Container Tech Deep-Dive
● Introduction to Container Technology: Namespaces, cgroups, Mounts
● Setting up a Minimal Container with nothing but Namespaces and cgroups
Introduction to Containerized Deployments - Understanding and getting comfortable using Docker
● An Introduction to containers: LXC and Linux Containers
● Introducing Docker Images and Containers
● Hands-on: Deep-dive into Docker - Docker commands, Dockerfile, Images

Introduction to Basic Container Orchestration with Docker-Compose
● Docker Compose
● Hands-on: Application Deployment Using docker

Threat Landscape - An Introduction to possible threats and attack surface when using Containers for Deployments
● Threat Model for Containerized Deployments: Daemon-related, Network-related, OS and Kernel Threats, Threats with Application Libraries and Threats from Containerized Applications
● Traditional Threat-Modelling for Containers with STRIDE

Attacking Containers and Containerized Deployments
● Hands-on: Attacking Containers and Containerized Deployments - Container Breakout, Exploiting Insecure Docker Configurations, OS and Kernel level exploits, Trojanized Docker images

Securing Containers and Container Deployments
● Hands-on: Container Security Deep-Dive - AppArmor/seccomp, Restricting Capabilities, Analysing Docker images
● Hands-on: Kata Containers
● Container Security Mitigations
● Hands-on: Container Vulnerability Assessment - Clair, Dagda, Anchore, Docker Bench for Security
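A check that belongs in the hands-on sessions above, on both sides: the attacking side asks "what does this container let me do?", the defending side asks "did --cap-drop and the seccomp profile actually take effect?". The following is an added example, not material from the course. It reads /proc/self/status, decodes the CapEff capability bitmask and the Seccomp field, and compares the result against Docker's default capability set and against a short list of capabilities that are the usual starting point of a breakout. The capability table, the breakout list and the two sample status texts are the example author's own; run the script inside a container to see your own boundary.

```python
"""Triage the privilege boundary of a container from /proc/self/status.

Added example, not part of the course material: decodes the CapEff
capability bitmask and the Seccomp mode that the kernel reports for the
current process, and flags what an attacker who lands in this container
would reach for first. The two sample status texts below are constructed.
"""

# Bit positions as defined in include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The 14 capabilities Docker grants by default (plain `docker run`, no
# --cap-add/--cap-drop); anything beyond this set was added on purpose.
DOCKER_DEFAULT_CAPS = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SYS_CHROOT", "CAP_MKNOD", "CAP_AUDIT_WRITE",
    "CAP_SETFCAP",
}

# Capabilities that are the usual first step of a breakout: mounting host
# block devices or cgroups (SYS_ADMIN), ptracing host processes (SYS_PTRACE),
# loading kernel modules (SYS_MODULE), raw disk/port access (SYS_RAWIO),
# reading any host file via open_by_handle_at (DAC_READ_SEARCH), reshaping
# the host network (NET_ADMIN), loading BPF programs (BPF).
BREAKOUT_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_BPF",
}


def decode_caps(hex_mask: str) -> set:
    """Turn a CapEff/CapBnd hex string into the set of capability names."""
    mask = int(hex_mask, 16)
    caps = {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}
    # Bits the table does not know (a newer kernel) are still reported.
    caps |= {f"CAP_{bit}" for bit in range(len(CAP_NAMES), mask.bit_length())
             if mask >> bit & 1}
    return caps


def parse_status(status_text: str) -> dict:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(status_text: str) -> dict:
    """Summarise the boundary: caps, breakout-relevant caps, seccomp, uid."""
    fields = parse_status(status_text)
    caps = decode_caps(fields.get("CapEff", "0"))
    seccomp_mode = int(fields.get("Seccomp", "0"))  # 0 off, 1 strict, 2 filter
    real_uid = int(fields.get("Uid", "0").split()[0])
    return {
        "caps": caps,
        "breakout_caps": sorted(caps & BREAKOUT_CAPS),
        "beyond_docker_default": sorted(caps - DOCKER_DEFAULT_CAPS),
        "seccomp_filter": seccomp_mode == 2,
        "running_as_root": real_uid == 0,
    }


# Constructed sample: the relevant lines of /proc/self/status inside a
# plain `docker run` container (root, default caps, default seccomp profile).
DEFAULT_CONTAINER_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"

# Constructed sample: the same inside `docker run --privileged` on a kernel
# with 41 capabilities (all bits set, seccomp disabled).
PRIVILEGED_CONTAINER_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nSeccomp:\t0\n"


if __name__ == "__main__":
    with open("/proc/self/status") as status:
        report = assess(status.read())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Reading the report against the hardening it checks for: a root process in a container started with `docker run --cap-drop ALL --cap-add NET_BIND_SERVICE --security-opt no-new-privileges ...` shows a single capability and seccomp mode 2; a container run with a non-root `--user` shows an empty effective set, since capabilities are not carried across to an unprivileged uid without file or ambient capabilities, which is why dropping root is the cheapest hardening step. `--privileged` shows the full set with seccomp off (Docker also disables AppArmor for it), which is why a privileged container with any writable host device is treated as a host compromise.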

Introduction to Scalable Container Orchestrators
● Introduction to Container Orchestrators
● Hands-on: Getting started with Kubernetes - Exploring Kubernetes Cluster, Deploying application to Kubernetes

Attacking Kubernetes Cluster
● Threat Model and Attack Surface for a Kubernetes Cluster
● Hands-on: Attacking application deployed on Kubernetes, Exploiting a Vulnerable Kubernetes cluster, Maintaining Persistent Access and Pivoting in the K8s Cluster
● Dissecting the K8s Attack and identifying Security Missteps
● Attacking a kubelet and gaining access to all configurations and secrets on the cluster
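The missteps that the "Dissecting the K8s Attack" session looks for are almost all visible in the Pod spec before anything is deployed. The following is an added example, not the course's tooling: a small audit of a Pod manifest for the settings that let an application compromise reach the node (hostPID, hostPath mounts of the runtime socket, privileged containers, missing runAsNonRoot, no seccomp profile, a service-account token mounted by default, mutable image tags). The rule list is the example's own selection rather than an implementation of the Pod Security Standards, and both manifests are constructed.

```python
"""Audit a Pod manifest for the settings that turn an application compromise
into a node or cluster compromise.

Added example, not course material; the rule set is this example's own
selection. Manifests are given as JSON (which the API server accepts as-is)
so that the stdlib json module suffices.
"""
import json


def _flag(findings, container, text):
    findings.append(f"{container}: {text}" if container else text)


def audit_pod(pod: dict) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for host_ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(host_ns):
            _flag(findings, None, f"{host_ns} shares the node's namespace with the pod")
    if spec.get("automountServiceAccountToken", True):
        _flag(findings, None, "automountServiceAccountToken not false: the app "
              "can talk to the API server with the pod's service account")
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path:
            path = host_path.get("path", "")
            what = ("the container runtime socket (root on the node)"
                    if path.endswith(".sock") else "a node path")
            _flag(findings, None, f"hostPath volume '{vol.get('name')}' mounts {what}: {path}")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        # Pod-level securityContext applies unless the container overrides it.
        eff = lambda key: sc.get(key, pod_sc.get(key))

        if sc.get("privileged"):
            _flag(findings, name, "privileged: every capability, no seccomp or AppArmor confinement")
        if sc.get("allowPrivilegeEscalation", True):
            _flag(findings, name, "allowPrivilegeEscalation not false (setuid binaries regain privileges)")
        if eff("runAsNonRoot") is not True:
            _flag(findings, name, "runAsNonRoot not enforced")
        caps = sc.get("capabilities", {})
        if caps.get("add"):
            _flag(findings, name, f"adds capabilities {caps['add']}")
        if caps.get("drop") != ["ALL"]:
            _flag(findings, name, "does not drop ALL capabilities")
        if sc.get("readOnlyRootFilesystem") is not True:
            _flag(findings, name, "root filesystem is writable")
        if eff("seccompProfile") is None:
            _flag(findings, name, "no seccompProfile (set type RuntimeDefault)")
        image = c.get("image", "")
        if image.endswith(":latest") or (":" not in image and "@" not in image):
            _flag(findings, name, f"image '{image}' uses a mutable tag; pin a tag or digest")
    return findings


# Constructed manifest: a CI runner pod of the kind that shows up in
# "works on my cluster" deployments (docker.sock mounted, privileged, hostPID).
INSECURE_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-runner"},
  "spec": {
    "hostPID": true,
    "containers": [{
      "name": "runner", "image": "example/runner:latest",
      "securityContext": {"privileged": true},
      "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}]
    }],
    "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}]
  }
}""")

# Constructed manifest: a workload with the boundary restored.
HARDENED_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
  "spec": {
    "automountServiceAccountToken": false,
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
      "name": "api", "image": "example/api:1.4.2",
      "securityContext": {"allowPrivilegeEscalation": false,
                          "readOnlyRootFilesystem": true,
                          "capabilities": {"drop": ["ALL"]}},
      "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]
    }],
    "volumes": [{"name": "tmp", "emptyDir": {}}]
  }
}""")


if __name__ == "__main__":
    for finding in audit_pod(INSECURE_POD):
        print("ci-runner:", finding)
    print("api:", audit_pod(HARDENED_POD) or "clean")
```

kubesec covers a similar list with scoring; the value of writing it out is seeing exactly which field each breakout in the lab depended on (the docker.sock mount alone is root on the node, hostPID plus SYS_PTRACE is root on the node, and so on). The same checks belong at admission time, through Pod Security Admission or a policy engine, so that a manifest like INSECURE_POD never reaches the scheduler.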

Kubernetes Security Deep-Dive
● K8s Threat Model and its counterpoint in Security Practices
● Hands-on: Ideal Kubernetes Security Journey - Pod Security, Access Control, Secret Management
● Hands-on: Kubernetes Vulnerability Assessment - kubesec, kube-hunter, kube-bench
● Hands-on: Logging and Monitoring - Identifying security anomalies in a K8s Cluster
● Hands-on: Kubernetes Network Security Implementation - Network Policies, Service Mesh (Istio/Envoy)
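For the "Identifying security anomalies in a K8s Cluster" exercise, the API server audit log is the richest source, because every request, the attacker's included, lands there together with the identity that made it. The block below is an added example, not course material: five detections run over constructed audit.k8s.io/v1 events, following the path the attack sessions above describe (anonymous access, exec into a pod, a workload service account reading secrets, an RBAC change used for persistence, and a burst of 403s from one identity enumerating what a stolen token can do). The rules, thresholds and event set are the example's own.

```python
"""Flag suspicious Kubernetes API activity in an audit log.

Added example, not course material: a handful of detections over
audit.k8s.io/v1 events (one JSON object per line, as the API server's log
backend writes them). The events below are constructed to exercise each rule.
"""
import json
from collections import Counter

FORBIDDEN_THRESHOLD = 5      # 403s from one identity before we call it probing
INTERACTIVE_SUBRESOURCES = {"exec", "attach", "portforward"}
RBAC_RESOURCES = {"clusterrolebindings", "rolebindings", "clusterroles", "roles"}


def is_service_account(user: str) -> bool:
    return user.startswith("system:serviceaccount:")


def detect(audit_jsonl: str) -> list:
    """Return (rule, user, detail) tuples for every event that matched a rule."""
    alerts = []
    forbidden = Counter()
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue                      # count each request once
        user = ev.get("user", {}).get("username", "")
        verb = ev.get("verb", "")
        ref = ev.get("objectRef") or {}
        resource, sub = ref.get("resource"), ref.get("subresource")
        ns = ref.get("namespace") or "<cluster>"
        code = ev.get("responseStatus", {}).get("code", 0)
        ok = code < 400

        # 1. The anonymous user got a successful answer: anonymous auth is on
        #    and RBAC let it through.
        if user == "system:anonymous" and ok:
            alerts.append(("anonymous-access", user, f"{verb} {resource} from {ev.get('sourceIPs')}"))
        # 2. Someone opened a shell or tunnel into a pod.
        if resource == "pods" and sub in INTERACTIVE_SUBRESOURCES and ok:
            alerts.append(("pod-exec", user, f"{sub} into {ns}/{ref.get('name')}"))
        # 3. A workload identity (not a controller in kube-system) reads secrets.
        if (resource == "secrets" and verb in ("get", "list", "watch") and ok
                and is_service_account(user)
                and not user.startswith("system:serviceaccount:kube-system:")):
            alerts.append(("sa-reads-secrets", user, f"{verb} secrets in {ns}"))
        # 4. RBAC objects changed: the step that makes persistence survive a redeploy.
        if resource in RBAC_RESOURCES and verb in ("create", "update", "patch") and ok:
            alerts.append(("rbac-change", user, f"{verb} {resource} {ref.get('name')}"))
        # 5. Many denials from one identity: enumeration of a stolen token's rights.
        if code == 403:
            forbidden[user] += 1
    for user, n in forbidden.items():
        if n >= FORBIDDEN_THRESHOLD:
            alerts.append(("permission-probing", user, f"{n} forbidden requests"))
    return alerts


def _event(user, verb, resource, code, namespace="prod", name=None,
           subresource=None, source_ip="10.0.0.5"):
    """Build a minimal constructed audit event with only the fields the rules read."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1",
            "stage": "ResponseComplete", "verb": verb,
            "user": {"username": user},
            "objectRef": {"resource": resource, "namespace": namespace,
                          "name": name, "subresource": subresource},
            "responseStatus": {"code": code}, "sourceIPs": [source_ip]}


WEBAPP_SA = "system:serviceaccount:prod:webapp"
# Constructed log: routine controller traffic, then the attack path.
SAMPLE_EVENTS = [
    _event("system:serviceaccount:kube-system:replicaset-controller", "list", "pods", 200, namespace="kube-system"),
    _event("system:anonymous", "get", "pods", 200, source_ip="203.0.113.7"),
    _event("dev-alice", "create", "pods", 101, name="payments-5f6d7", subresource="exec"),
    _event(WEBAPP_SA, "list", "secrets", 200),
] + [
    _event(WEBAPP_SA, "list", res, 403, namespace=ns)
    for res, ns in [("nodes", None), ("clusterroles", None), ("namespaces", None),
                    ("secrets", "kube-system"), ("configmaps", "kube-system")]
] + [
    _event(WEBAPP_SA, "create", "clusterrolebindings", 201, namespace=None, name="webapp-admin"),
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_AUDIT_LOG):
        print(f"{rule:20} {user:50} {detail}")
```

The rules only fire if the audit policy records these requests at Metadata level or above; a policy that drops `secrets` reads entirely (a common choice to keep the log small) also drops rule 3, so the policy and the detections have to be designed together. Rule 2 is the one most worth wiring to a pager in production, since a legitimate `kubectl exec` into a production pod should be rare enough to justify a question.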

Serverless Introduction
● Understanding Serverless and FaaS (Function-as-a-Service)
● Quick tour of FaaS (Function-as-a-Service) and BaaS (Backend-as-a-Service)
● Introduction to AWS Lambda, S3, OpenFaaS and other Serverless options

Serverless Deep-Dive
● Introduction to the Architecture of Serverless Deployments
● Hands-on: Deploying a Serverless application

Attacking Serverless applications
● Serverless Architectures Security Top 10 - A Project similar to the OWASP Top 10 for Serverless Apps
● Hands-on: Function Event Data Injection Attacks against FaaS Implementations
● Hands-on: Remote Code Execution attacks against Serverless Apps
● Broken Access Control
● Hands-on: Attacking Stateless Authentication and Authorization (JSON Web Tokens) - Algorithm Confusion, Inherent JWT flaws (none-signed tokens, etc.), Attacks based on JWK and JWT Claims
● Hands-on: Attacking Identity and Access Management through Serverless Implementations - View of IAM Sprawl and Permissions, Attacking with DynamoDB Injection + IAM Permissions creep
● Hands-on: Extracting Secrets from FaaS Implementations
● Hands-on: Leveraging Vulnerabilities like ReDoS to perform Resource Exhaustion Attacks
● Hands-on: Exploiting Function Execution Order for fun and profit!
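An added example for the "Function Event Data Injection" and "Remote Code Execution" items above (it is not the course's lab code): an S3-triggered handler that passes the object key to a command-line tool. `echo` stands in for the image converter a real function would call, so the block runs anywhere with /bin/sh; the event is constructed with only the fields the handler reads. Two details matter in practice: S3 URL-encodes keys in the event payload, so the handler decodes before use, and the input arrives as an event rather than an HTTP parameter, so nothing in front of API Gateway ever inspects it.

```python
"""Function event data injection in an S3-triggered Lambda.

Added example, not the course's lab code. The handler reacts to an S3
ObjectCreated event and hands the object key to a command-line tool; `echo`
stands in for the real tool so the block runs with nothing but /bin/sh.
The event is constructed with only the fields the handler reads.
"""
import re
import subprocess
from urllib.parse import unquote_plus


def s3_put_event(key: str) -> dict:
    """Constructed S3 notification; S3 URL-encodes keys in the event payload."""
    return {"Records": [{"eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": "uploads"},
                                "object": {"key": key}}}]}


def vulnerable_handler(event, context=None) -> str:
    key = unquote_plus(event["Records"][0]["s3"]["object"]["key"])
    # Event data is spliced into a shell command line. The "file name" can
    # close the command and start another one, running with the function's
    # execution role and its environment (including any secrets in it).
    cmd = f"echo converting /tmp/{key}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list for keys this function is willing to process: no shell
# metacharacters, and path segments that cannot be "." or "..".
SAFE_KEY = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*(/[A-Za-z0-9_][A-Za-z0-9_.-]*)*")


def hardened_handler(event, context=None) -> str:
    key = unquote_plus(event["Records"][0]["s3"]["object"]["key"])
    if len(key) > 255 or not SAFE_KEY.fullmatch(key):
        raise ValueError(f"rejected object key {key!r}")
    # argv form: the key is one argument and is never parsed by a shell.
    result = subprocess.run(["echo", "converting", f"/tmp/{key}"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    hostile = s3_put_event("cat.png%3B+echo+pwned")   # "cat.png; echo pwned"
    print("vulnerable:", vulnerable_handler(hostile))
    try:
        hardened_handler(hostile)
    except ValueError as err:
        print("hardened:", err)
```

The hardened handler does two independent things: an allow-list on the key, so the function only processes names it expects, and argv-style invocation, so the key is never interpreted by a shell at all. Either alone stops this payload; together they also bound what a future bug in the tool itself can be fed. The remaining control is least privilege on the function's execution role, which decides what an injection that does land can reach.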

Securing Serverless applications
● Securing Serverless applications - Identity and Access Management, Secret management
● Hands-on: Secrets Management with AWS Secrets Manager + Rotation
● Hands-on: Logging and Monitoring Functions - Using AWS X-Ray/Zipkin to leverage tracing for security
● Hands-on: Serverless Vulnerability Assessment - Static Code Analysis [SCA], Static Application Security Testing [SAST], Dynamic Application Security Testing [DAST]
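For the "Attacking Stateless Authentication and Authorization (JSON Web Tokens)" item above and its defensive counterpart in this section, here is an added example (not course material) built on the standard library: an HS256 issuer, a forged `alg: none` token, a verifier that trusts the header and accepts it, and a verifier that pins the algorithm. Algorithm confusion (an RS256 token re-signed with HS256 using the server's public key as the HMAC secret) has the same root cause, the verifier letting the token choose how it is checked, and the same fix; it is not implemented here because it needs an RSA library. The secret and claims are constructed.

```python
"""Stateless auth in a serverless API: the `alg: none` flaw and algorithm pinning.

Added example, not course material: a minimal HS256 JWT signer and two
verifiers on the stdlib. `vulnerable_verify` lets the token header decide
how it is checked, so a forged token that says "none" passes;
`hardened_verify` pins the algorithm, compares the signature in constant
time and enforces `exp`. The secret is constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-signing-key-not-for-production"   # constructed


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (what the login endpoint does)."""
    header, payload = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_none(claims: dict) -> str:
    """Attacker side: an unsigned token whose header asks for no verification."""
    header = _segment({"alg": "none", "typ": "JWT"})
    return f"{header}.{_segment(claims)}."


def vulnerable_verify(token: str, key: bytes) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":               # trusts the token's choice
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    raise ValueError("invalid token")


def hardened_verify(token: str, key: bytes, now: float = None) -> dict:
    """Pin the algorithm server-side; the header may describe, never decide."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":              # the only algorithm we issue
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    forged = forge_none({"sub": "alice", "role": "admin"})
    print("vulnerable verifier accepts:", vulnerable_verify(forged, SECRET))
    try:
        hardened_verify(forged, SECRET)
    except ValueError as err:
        print("hardened verifier rejects:", err)
```

Keep the accepted algorithm and the key in the verifier's configuration, never in the token. If a key-ID (`kid`) or embedded JWK header is honoured, resolve it only against an allow-listed key set: both are the next place an attacker points at a key they control, which is the "Attacks based on JWK" item in the outline.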

Upon completion of this training, attendees will know

This training has been created with the objective of teaching both offensive and defensive security for container-orchestrated and serverless deployments. It is a 2-day program that works through specific theory elements with extensive hands-on exercises modelled on real-world threat scenarios, which attendees will understand and take part in, and will also understand

Speakers

Tilak Thimmappa

Senior Solution Engineer, we45
I work at an Application Security company (we45) and have a unique perspective of developing secure and deliberately insecure apps in Python and NodeJS. I have contributed to the development of several Web-Applications using Django, Django-Rest-Framework, NodeJs and more, that have...

Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois dons two hats - Apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45 where he has helped build multiple solutions ranging from Vulnerability management to scalable scanner orchestrating systems that leveraged container...


Wednesday January 22, 2020 9:00am - 5:00pm PST
Terrace Lounge