Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.
These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_kubernetes_engine | Google Kubernetes Engine | technique_scores | T1613 | Container and Resource Discovery |
Comments
By default, GKE nodes use Google's Container-Optimized OS to enhance the security of GKE clusters, including: Locked down firewall, read-only filesystem, limited user accounts, and disabled root login.
References
|
| resourcemanager | ResourceManager | technique_scores | T1613 | Container and Resource Discovery |
Comments
Google Cloud Platform provides resource containers such as organizations, folders, and projects that allow one to group and hierarchically organize other GCP resources. This control may mitigate by denying direct remote access to internal systems through the use of network proxies, gateways, and firewalls from adversaries that may attempt to discover containers and other resources that are available within a containers environment.
References
|
| anthosconfigmanagement | AnthosConfigManagement | technique_scores | T1613 | Container and Resource Discovery |
Comments
Adversaries may attempt to discover containers and other resources that are available within a containers environment. The "Network Policies" rule controls the network traffic inside clusters, denying direct remote access to internal systems through the use of network proxies, gateways, and firewalls
References
|
| identity_and_access_management | Identity and Access Management | technique_scores | T1613 | Container and Resource Discovery |
Comments
GCP Identity and Access Management allows admins to control access to Container Registry hosts with Cloud Storage permissions. Specific accounts can be assigned roles and Container Registry uses Cloud Storage buckets as the underlying storage for container images. This control can help mitigate against adversaries that may attempt to discover resources including images and containers by controlling access to images by granting permissions to the bucket for a registry.
References
|