Adversaries may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.
These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs. (Citation: Docker API) (Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment's configuration, which services are available, and which cloud provider the victim may be using. The discovery of these resources may inform an adversary's next steps in the environment, such as how to perform lateral movement and which methods to use for execution.
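As an added example (not part of this mapping page or of any mapped product), the following Python scans constructed kube-apiserver audit-log events for identities that enumerate several discovery-relevant resource kinds via the Kubernetes API, the behaviour the description above calls out. The usernames, events and the three-kind threshold are assumptions for illustration.

```python
import json
from collections import defaultdict

# Resource kinds whose enumeration maps to T1613 Container and Resource Discovery.
DISCOVERY_RESOURCES = {"pods", "deployments", "nodes", "namespaces", "services", "secrets"}
ENUM_VERBS = {"list", "watch", "get"}
# Control-plane identities that legitimately enumerate everything; skip them.
CONTROL_PLANE = {"system:kube-controller-manager", "system:kube-scheduler", "system:apiserver"}

def parse_events(lines):
    """Yield (username, verb, resource) from audit JSON lines; skip malformed ones."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict):
            continue
        user = (ev.get("user") or {}).get("username", "")
        ref = ev.get("objectRef") or {}
        yield user, ev.get("verb", ""), ref.get("resource", "")

def find_enumerators(lines, min_kinds=3):
    """Return {username: sorted resource kinds} for identities (other than control-plane
    components) that enumerated at least min_kinds distinct discovery-relevant kinds."""
    kinds_by_user = defaultdict(set)
    for user, verb, resource in parse_events(lines):
        if user not in CONTROL_PLANE and verb in ENUM_VERBS and resource in DISCOVERY_RESOURCES:
            kinds_by_user[user].add(resource)
    return {u: sorted(k) for u, k in kinds_by_user.items() if len(k) >= min_kinds}

def _event(user, verb, resource, namespace=""):
    """Build one constructed audit event shaped like an audit.k8s.io/v1 Event record."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
                       "user": {"username": user},
                       "objectRef": {"resource": resource, "namespace": namespace}})

# Constructed sample log (hypothetical identities): one workload account walks pods,
# deployments, nodes and secrets; another only lists pods in its own namespace.
SAMPLE_AUDIT = [
    _event("system:serviceaccount:shop:web", "list", "pods"),
    _event("system:serviceaccount:shop:web", "list", "deployments"),
    _event("system:serviceaccount:shop:web", "list", "nodes"),
    _event("system:serviceaccount:shop:web", "list", "secrets"),
    _event("system:serviceaccount:billing:worker", "list", "pods", "billing"),
    _event("system:kube-controller-manager", "list", "nodes"),
    _event("system:kube-controller-manager", "list", "pods"),
    _event("system:kube-controller-manager", "list", "secrets"),
    "not json at all",  # malformed line: must be skipped, not crash the scan
]
```

Calling `find_enumerators(SAMPLE_AUDIT)` flags only the `shop:web` service account; the control-plane identity and the single-namespace worker are not reported.
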

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.AA-05.01 | Access privilege limitation | Mitigates | T1613 | Container and Resource Discovery | This diagnostic statement describes the implementation of the least privilege principle, which can be applied by limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level (admin or root) access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques. |
PR.IR-01.01 | Network segmentation | Mitigates | T1613 | Container and Resource Discovery | This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Employing network segmentation to deny direct external remote access to internal systems provides protection against adversaries attempting to discover resources in container environments. |
PR.IR-01.02 | Network device configurations | Mitigates | T1613 | Container and Resource Discovery | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit communications with container services can prevent adversaries from discovering resources in container environments. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1613 | Container and Resource Discovery | This diagnostic statement protects against Container and Resource Discovery through the use of secure network configurations and architecture, implementation of zero trust architecture, and segmentation. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1613 | Container and Resource Discovery | This diagnostic statement protects against Container and Resource Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
PR.PS-01.08 | End-user device protection | Mitigates | T1613 | Container and Resource Discovery | This diagnostic statement protects against Container and Resource Discovery by limiting access to resources to only authorized devices, managing personal computing devices, using network intrusion prevention, and using antimalware. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-02 | Account Management | mitigates | T1613 | Container and Resource Discovery | |
CM-06 | Configuration Settings | mitigates | T1613 | Container and Resource Discovery | |
AC-17 | Remote Access | mitigates | T1613 | Container and Resource Discovery | |
SC-43 | Usage Restrictions | mitigates | T1613 | Container and Resource Discovery | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1613 | Container and Resource Discovery | |
CM-07 | Least Functionality | mitigates | T1613 | Container and Resource Discovery | |
SI-04 | System Monitoring | mitigates | T1613 | Container and Resource Discovery | |
AC-03 | Access Enforcement | mitigates | T1613 | Container and Resource Discovery | |
AC-06 | Least Privilege | mitigates | T1613 | Container and Resource Discovery | |
SC-07 | Boundary Protection | mitigates | T1613 | Container and Resource Discovery | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1613 | Container and Resource Discovery | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
defender_for_containers | Microsoft Defender for Containers | technique_scores | T1613 | Container and Resource Discovery | This capability can detect container discovery. |
defender_for_containers | Microsoft Defender for Containers | technique_scores | T1613 | Container and Resource Discovery | This capability can protect against container discovery. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
gke_enterprise | GKE Enterprise | technique_scores | T1613 | Container and Resource Discovery | Adversaries may attempt to discover containers and other resources that are available within a container environment. GKE Enterprise incorporates the Anthos Config Management "Network Policies" rule to control the network traffic inside clusters, denying direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
google_kubernetes_engine | Google Kubernetes Engine | technique_scores | T1613 | Container and Resource Discovery | By default, GKE nodes use Google's Container-Optimized OS to enhance the security of GKE clusters, including a locked-down firewall, a read-only filesystem, limited user accounts, and disabled root login. |
identity_and_access_management | Identity and Access Management | technique_scores | T1613 | Container and Resource Discovery | GCP Identity and Access Management allows admins to control access to Container Registry hosts with Cloud Storage permissions. Specific accounts can be assigned roles, and Container Registry uses Cloud Storage buckets as the underlying storage for container images. This control can help mitigate adversaries that attempt to discover resources, including images and containers, by controlling access to images through the permissions granted on the bucket backing a registry. |
resource_manager | Resource Manager | technique_scores | T1613 | Container and Resource Discovery | Google Cloud Platform provides resource containers such as organizations, folders, and projects that allow one to group and hierarchically organize other GCP resources. This control may mitigate the technique by denying direct remote access to internal systems through the use of network proxies, gateways, and firewalls, limiting adversaries that attempt to discover containers and other resources available within a container environment. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_config | AWS Config | technique_scores | T1613 | Container and Resource Discovery | The "eks-endpoint-no-public-access" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to discover containers and other resources. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial. |