aquasecurity / kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Apache License 2.0

Feature: Changed vulnerability categories to support MITRE ATT&CK #474

Closed danielsagi closed 2 years ago

danielsagi commented 2 years ago

Description

kube-hunter was one of the first projects that offered a pentesting solution for Kubernetes. This raised a lot of new problems, as this field of "hacking" Kubernetes was at its really early stages, so we had room for innovative new ideas. We decided then to categorize kube-hunter's innovative techniques with a simple category system:

InformationDisclosure
DenialOfService
RemoteCodeExec
IdentityTheft
PrivilegeEscalation
AccessRisk
UnauthenticatedAccess

Time passed and new tools and blogs were published around the Kubernetes security world. A new MITRE ATT&CK matrix was published for Kubernetes environments, which did a pretty good job of covering the techniques (mostly already implemented in kube-hunter) used while hacking a Kubernetes environment.

We know a good category system when we see it, so we decided to move to that system.

Code changes

For every part of the threat matrix, we have a Python class.

Example

CAP_NET_RAW is enabled inside a pod. The vulnerability object now looks like this:

# Imports assumed from kube-hunter's module layout after this change
from kube_hunter.core.events.types import Event, Vulnerability
from kube_hunter.core.types import KubernetesCluster, ARPPoisoningTechnique


class CapNetRawEnabled(Event, Vulnerability):
    def __init__(self):
        Vulnerability.__init__(
            self,
            KubernetesCluster,
            name="CAP_NET_RAW Enabled",
            category=ARPPoisoningTechnique,  # MITRE technique class, not a plain string
        )

Let's take a look at ARPPoisoningTechnique: it inherits from LateralMovementCategory, which inherits from MITRECategory.

Because of the class method implemented inside MITRECategory, we can now do something like this:

>>> ARPPoisoningTechnique.get_name()
"Lateral Movement // ARP poisoning and IP spoofing"
>>> # Automatically discovers the MITRE parent category and returns a full representation of the technique cell in the matrix

BEFORE

+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| ID     | LOCATION             | CATEGORY             | VULNERABILITY        | DESCRIPTION          | EVIDENCE             |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV030 | Local to Pod (kube-  | Identity Theft       | Possible DNS Spoof   | A malicious pod      | kube-dns at:         |
|        | hunter-2krcf)        |                      |                      | running on the       | 172.17.0.3           |
|        |                      |                      |                      | cluster could        |                      |
|        |                      |                      |                      | potentially run a    |                      |
|        |                      |                      |                      | DNS Spoof attack     |                      |
|        |                      |                      |                      |     and perform a    |                      |
|        |                      |                      |                      | MITM attack on       |                      |
|        |                      |                      |                      | applications running |                      |
|        |                      |                      |                      | in the cluster.      |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+

AFTER

+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| ID     | LOCATION             | MITRE CATEGORY       | VULNERABILITY        | DESCRIPTION          | EVIDENCE             |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV030 | Local to Pod (kube-  | Lateral Movement //  | Possible DNS Spoof   | A malicious pod      | kube-dns at:         |
|        | hunter-2krcf)        | CoreDNS poisoning    |                      | running on the       | 172.17.0.3           |
|        |                      |                      |                      | cluster could        |                      |
|        |                      |                      |                      | potentially run a    |                      |
|        |                      |                      |                      | DNS Spoof attack     |                      |
|        |                      |                      |                      |     and perform a    |                      |
|        |                      |                      |                      | MITM attack on       |                      |
|        |                      |                      |                      | applications running |                      |
|        |                      |                      |                      | in the cluster.      |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+

Contribution checklist
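A stand-alone sketch of the category scheme the PR describes (a tactic class under MITRECategory, a technique class under the tactic, and a class method that renders "tactic // technique" for the report's MITRE CATEGORY column). This is an added illustration, not kube-hunter's own code; the `name` attribute, the report helper and the CoreDNS technique name are assumptions, and the stand-in Vulnerability class only keeps what the report needs.

```python
# Added example: reimplements the category-tree idea from the PR in isolation.
# Names other than MITRECategory, LateralMovementCategory, ARPPoisoningTechnique
# and get_name are assumptions, not kube-hunter's real identifiers.


class MITRECategory:
    """Root of the category tree. A direct subclass is a MITRE tactic
    (e.g. Lateral Movement); a subclass of a tactic is a technique."""

    name = "MITRE"  # overridden by tactics and techniques

    @classmethod
    def get_name(cls):
        # Walk the MRO from this class up to (but excluding) the root and join
        # the names top-down, so a technique renders as "<tactic> // <technique>"
        # and a tactic renders as just its own name.
        names = [
            klass.name
            for klass in cls.__mro__
            if issubclass(klass, MITRECategory) and klass is not MITRECategory
        ]
        return " // ".join(reversed(names))


class LateralMovementCategory(MITRECategory):
    name = "Lateral Movement"


class ARPPoisoningTechnique(LateralMovementCategory):
    name = "ARP poisoning and IP spoofing"


class CoreDNSPoisoningTechnique(LateralMovementCategory):
    name = "CoreDNS poisoning"  # assumed technique name for the KHV030 row


class Vulnerability:
    """Stand-in for the Vulnerability base: keeps the category *class* so the
    report can resolve the MITRE cell at render time."""

    def __init__(self, component, name, category):
        self.component = component
        self.name = name
        self.category = category

    def mitre_category(self):
        return self.category.get_name()


class CapNetRawEnabled(Vulnerability):
    def __init__(self):
        super().__init__("KubernetesCluster", "CAP_NET_RAW Enabled", ARPPoisoningTechnique)


def report_row(vuln):
    """One row of the tabular report: (VULNERABILITY, MITRE CATEGORY)."""
    return (vuln.name, vuln.mitre_category())
```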

CLAassistant commented 2 years ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.