T1552.007 Container API

This diagnostic statement protects against Container API through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Container API through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing secure network configuration, defense-in-depth, and access isolation principles provides protection against adversaries attempting to obtain credentials via APIs within a containers environment.

This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.

This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions that limit network access and communications with services can prevent adversaries from finding stored credentials.

This diagnostic statement protects against Container API through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.

This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.

This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.

This diagnostic statement protects against Container API through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Container API through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.

This capability can protect against unsecured Container API credentials by ensuring credential security is part of the DevOps process.

This capability can be integrated with others to secure credentials.

This capability can detect anomalous usage of APIs.

This capability can support configuration of APIs to protect against access to unsecured credentials.

Confidential VM main memory encryption is performed using dedicated hardware within the memory controllers. Confidential VM can be used with Google Kubernetes Engine Nodes to encrypt data in-use for these workloads.

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs. GKE Enterprise incorporates the Anthos Config Management feature to manage configuration for any Kubernetes API, including policies for the Istio service mesh, resource quotas, and access control policies.

To control access to resources, GCP requires that accounts making API requests have appropriate IAM roles. IAM roles include permissions that allow users to perform specific actions on Google Cloud resources. This control may mitigate adversaries that gather credentials via APIs within a containers environment. Since this covers only one of the sub-techniques, it is given a Minimal scoring.

VPC security perimeters can segment private resources to provide access based on user identity or organizational ingress/egress policies (e.g., instance, subnet).

The "eks-endpoint-no-public-access" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to gather credentials via the API. The "eks-secrets-encrypted" managed rule can identify configuration problems that should be fixed in order to ensure that Kubernetes secrets (including those containing credentials) are encrypted to prevent malicious access. Both controls are run periodically and only provide partial coverage because they are specific to public access and adversaries without the ability to decrypt secrets, respectively, resulting in an overall score of Partial.