Cloud-Native Security Features Topics 

CyberArk Unveils Open Source Pen Testing Tool for Kubernetes

, , ,
by Mike Vizard

CyberArk today launched an open source penetration testing framework, dubbed Kubesploit, for testing Kubernetes environments.

Eviatar Gerzi, a cybersecurity researcher at CyberArk Labs, says that as more instances of Kubernetes clusters are deployed in production environments, it’s clear that cybersecurity teams lack the tools required to mimic real-world attack clusters against Kubernetes environments.

Kubesploit makes it possible for so-called red teams to stress-test cybersecurity against a platform that legacy penetration tools don’t support, Gerzi adds.

Written in Golang, Kubesploit is based on the Merlin project, a cross-platform post-exploitation HTTP/2 Command and Control server and agent tool that is designed to be dynamically extensible. Rather than simply scanning for vulnerabilities in container images, it’s now possible for cybersecurity teams to more fully vet a Kubernetes environment, Gerzi says. Modules that address, for example, specific attack vectors, such as breakout from a container to the host, or that involve scanning for known vulnerabilities, are already included.

CyberArk has included a Go Interpreter, named Yaegi, in Kubesploit that makes it possible to write new Golang modules on the fly and run them while the agent is still running. The goal is to make it easier for an open source community to contribute new modules. The fact that Kubernetes is written in Golang makes integrating the modules easier, adds Gerzi.

A set of YARA rules to catch Kubesploit binaries will make it possible to discover if cybercriminals have decided to employ the framework to launch a real attack against a Kubernetes environment. There’s also indicators of compromise embedded within Kubesploit code that records activity. Any instructions sent by the server are saved locally, to assist in investigations.

Most attacks against Kubernetes environments are still largely confined to hijacking infrastructure resources to mine for cryptocurrencies. However, Gerzi says it’s clear cybercriminals have discovered how to further compromise Kubernetes platforms. It’s now only a matter of time before more lethal malware payloads are aimed at mission-critical applications being deployed on Kubernetes clusters, Gerzi adds.

Of course, one of the primary drivers of Kubernetes adoption is the need to deploy cloud-native applications that dynamically scale up and down as required. Many of those cloud-native applications are now at the core of strategic digital business transformation initiatives that have been accelerated in the wake of the economic downturn brought on by the COVID-19 pandemic.

As a provider of tools for managing privileged access, CyberArk has significantly increased its Kubernetes security research and development efforts in the last year. Most recently, the company illustrated how weaknesses in the Container Network Interface (CNI) employed to connect Kubernetes Pods might be exploited by cybercriminals.

Not surprisingly, many cybersecurity teams are now finding themselves playing catch-up with rollouts of Kubernetes clusters. Developers are deploying a large number of cloud-native applications that cybersecurity teams are often unable to vet, because they lack the tools and expertise required. In theory, adoption of DevSecOps best practices is supposed to close that gap as responsibility for cybersecurity shifts further left toward developers. In practice, adoption of DevSecOps best practices within most organizations remains relatively nascent.

In the meantime, Gerzi notes cybercriminals are getting more adept at scanning for Kubernetes misconfigurations using bots. Cybercriminals realize that developers – who now routinely provision infrastructure-as-code – generally lack cybersecurity expertise. Given the inherent complexity of Kubernetes, it’s relatively easy for a developer to make a configuration mistake.

It’s unclear how long it might take DevOps and cybersecurity teams to find a way to secure Kubernetes environments without significantly slowing down the rate at which cloud-native applications are being deployed. In the meantime, cybersecurity teams will be tasked with testing Kubernetes platforms, before and after deployment, as much as possible. The challenge now is not just finding a way to conduct those penetration tests, but also creating a DevOps workflow loop that makes sure whatever vulnerabilities are discovered get remediated in a timely fashion.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1737 posts and counting. See all posts by Mike Vizard