What You Will Learn
Cloud native infrastructure and service providers are enabling organizations to build and deliver modern systems faster than ever. The end-to-end toolchain supporting the systems includes managed services to create cloud infrastructure, store source code, build containers, and manage clusters. For information security professionals, the attack surface created by these modern systems can be difficult to defend and monitor. SEC584 explores Docker and Kubernetes, key components of the cloud native infrastructure stack, providing in-depth analysis of the attack surface, misconfigurations, attack patterns, and hardening steps. Students will gain hands-on experience building, exploring, and securing real-world modern systems.
SEC584 starts by painting a portrait of the modern cloud-native infrastructure hosted in Google Cloud. After deploying cloud resources, students examine methods of compromise, walk through attack scenarios, and then shift their focus to defending and remediating infrastructure services. This includes hardening Kubernetes orchestrator and workload configuration, deploying security testing and monitoring software in pipelines and clusters, cryptographically signing images and build pipelines, and applying AppArmor and Seccomp profiles to containerized workloads.
The course then shifts its focus to defending a live Kubernetes deployment. After students identify several Kubernetes weaknesses, hands-on exercises attacking and remediating security and network policies and admission controllers will help them lock down the lab environment. Attacks and controls are threat-modeled to ensure they are applied correctly, tested out-of-band to ensure their efficacy, and applied at multiple stages throughout the pipeline to enhance engineers' productivity and feedback loops.
THIS COURSE WILL PREPARE YOU TO:
- Understand why many cloud native services have evolved quickly and without security as a top consideration
- Secure containerized applications and defend orchestration workloads
- Leverage automated testing tools to perform security testing and harden your deployments
YOU WILL BE ABLE TO:
- Use real-world exploits to target key application deployment components
- Understand the risks involved in running cloud native infrastructure
- Explore vulnerabilities to cloud native deployments through authentication, pipeline, and supply chain exploits
- Exploit and then secure application deployments via Docker and Kubernetes
- Determine how vulnerabilities are exploited and how defenses are designed
WHAT YOU WILL RECEIVE:
- Electronic courseware
- Course virtual machine with all class labs
Syllabus (18 CPEs)
Section 1 covers the cloud native security model, threat model, and associated infrastructure security practices. This includes deploying and rooting Jenkins to gain remote code execution on a Google Cloud virtual machine to illustrate security considerations of container workloads, as well as a corresponding discussion of defending containerized workloads.
- Cloud Account Setup
- Create Google Cloud Platform (GCP) Project
- Deploy Lab Infrastructure with Terraform
- Deploy and Root Jenkins
- Deploy Jenkins in a GCE Virtual Machine
- Exploit Remote Code Execution in Jenkins
- Steal Secrets from Docker
- Break Out of the Jenkins Container
- Root the GCE virtual Machine
- Container Security
- Build Container Images
- Prioritize Resources with cgroups
- Isolate Using Namespaces
- Defending Containerized Workloads
- Investigate Filesystem Layers of a Container
- Harden Applications with AppArmor Profiles
- Block System Calls with seccomp
- What is Cloud Native Security
- Introduction to Cloud Native Security
- The Cloud Native Security Model
- Modern Infrastructure Security Practices
- Pipeline-Driven Security
- Cloud Native Threat Model
- Container Security
- DevSecOps and Containers
- Attacking Containerized Workloads
- Vulnerability Scanning
Section 2 covers concepts related to the containerization of applications, including the risks and benefits of deploying applications in containers. This day will focus specifically on Docker containers, examining how they are created and deployed, reviewing the risks associated with deploying applications in Docker containers, and exploring ways that Docker containers can be hardened and secured.
- Container Security
- Configure Docker, Kubernetes, GitHub, and Jenkins
- Use "distro-less" Container Base Images
- Lint Dockerfiles to Enforce Policy
- Container Security Testing
- Base Images and Goss
- Security Test Harness with Docker Compose
- kubesec, kubetest, and pod Security Policies
- Image Delivery and Registries
- Docker Trust Sandbox
- Enabling Notary with Docker
- Harbor and Notary
- Container Image Security
- Building Docker Images Safely
- Base Images and Patching
- Container Security Testing
"Unit Testing" Containers
- inspec, serverspec, goss, kubesec
"Integration Testing" Containers and Pods
- Docker-compose, Minikube
- Network Scanning
- Securing the CI Pipeline
- Container Image Signing
- Artifact Repository Security Considerations
Section 3 covers the use of orchestration tools to manage the deployment of containerized applications. This day will focus on the Kubernetes platform. We will look at the potential risks and vulnerabilities associated with Kubernetes as well as how we can secure it through automated scans, proper policy definitions, and continuous intrusion detection.
- Kubernetes 101
- Installing Kubernetes
- Installing a Sample Application
- Attacking Kubernetes
- Port Scanning and Banner Detection
- Rooting the Host from a Privileged Container
- Pivoting with Disabled Node Authentication
- etcd Exfiltration
- Hardening Kubernetes
- Webhook Admission Controllers
- Pod Security Policies
- Harden Security Contexts
- Remove Hard-Coded Secrets
- Introduction to Kubernetes
- Kubernetes 101
- Kubernetes Attack Surface and Vulnerabilities
- Kubernetes Attack Surface
- Hardening Kubernetes
- CIS Benchmarks
- Security Policies, Application Delivery, and Secrets Management
- Container Native Intrusion Detection
- Automated Security Testing and DevSecOps Workflows
- Policy and Controls
- Cluster Compliance
- Security Testing Kubernetes from Jenkins
SEC584 performs a deep dive into defending containerized workloads (Docker) and orchestrators (Kubernetes). Courses or equivalent experiences should include:
- SEC540 Cloud Security and DevOps Automation (familiarization with DevOps automation, CI/CD tools and processes, and how containers are used to package software)
- Experience with Linux command shell
- Experience with Docker and Kubernetes
- Familiarity with Google Cloud Platform (GCP)
For those looking to prepare ahead of time, check out the following resources:
Docker QuickStart: https://docs.docker.com/get-started/
Kubernetes Basics: https://kubernetes.io/docs/tutorials/kubernetes-basics/
Terraform Getting Started Guide: https://learn.hashicorp.com/terraform/getting-started/install
Important! Bring your own system configured according to these instructions!
We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
Mandatory: Students must bring their own GCP account to complete the exercises. Please ensure that you have done the following before class starts:
Google Cloud Platform
- Create a Google account.
- Sign up for a GCP free trial.
BRING YOUR OWN LAPTOP CONFIGURED USING THE FOLLOWING DIRECTIONS:
A properly configured system is required for each student participating in this course. Before starting the course, carefully read and follow these instructions exactly:
- Download and install VMware Workstation or VMware Fusion on your system prior to the start of the class.
- If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 15+, VMware Fusion 11+.
- If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
Mandatory Host Hardware Requirements
- CPU: 64-bit 2.5+ GHz multi-core processor or higher
- BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
- Hard Disk: Solid-State Drive (SSD) is MANDATORY with 50GB of free disk space minimum
- Memory: 16GB of RAM or higher is mandatory for this class (IMPORTANT! 16GB of RAM is MANDATORY)
- Working USB 2.0 or higher port
- Wireless Ethernet 802.11 B/G/N/AC
- Local Administrator Access within your host operating system
Mandatory Host Operating System Requirements
You must use a 64-bit laptop with one of the following operating systems that have been verified to be compatible with course VMware image:
- Windows (8 or 10)
- Mac OS X (Catalina, Mojave)
Mandatory Software Requirements
Prior to class, ensure that the following software is installed on the host operating system:
- VMware Workstation Pro 15+, VMware Fusion 11+
- Zip File Utility (7Zip or the built-in operating system zip utility)
In summary, before beginning the course you should:
- Have a laptop with a solid-state drive (SSD), 16GB of RAM, and a 64-bit operating system
- Install VMware (Workstation or Fusion)
- Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled
- Register a NEW GCP free-tier account prior to the start of class at https://console.cloud.google.com/freetrial
If you have additional questions about the laptop specifications, please contactÂ email@example.com.
"The proliferation of containers and the growth of Kubernetes and its supporting ecosystem offer a new opportunity for organizations looking to adopt modern development, deployment, and security practices. Containers share their host's kernel and so are more efficient and lightweight than VMs, but they provide a different set of security guarantees. And as cloud providers have built out their managed offerings, the shared responsibility model puts the ultimate responsibility for the security of users' infrastructure on their shoulders.
Highly scalable and resilient distributed systems bring additional complexity, and DevSecOps security can only be achieved with a solid DevOps engineering foundation on which to build. Once this is established, automated security verification can prove the absence of known regressions and reduce the likelihood of unknown vulnerabilities.
Attackers have exploited misconfigured Docker and Kubernetes instances, container and application supply chains, and the cloud infrastructure with which they integrate. This course examines all of these attacks in detail, shows attendees how to undertaken them, and provides detailed remediation and testing steps to ensure cloud native infrastructure is locked down, while still providing value to the business."