Threat detection with Azure Defender for Kubernetes
Azure Defender for Kubernetes and Azure Defender for Web Apps are available solutions within Azure Security Center. Today we will focus on Kubernetes. First, we explain how you can achieve complete threat protection for your Kubernetes clusters, on-premises and across clouds. Then we dive a bit deeper and demonstrate how you connect Azure Defender and Azure Security Center to enable detection mode and automatic alerts.
Threat detection even on-premises and on other clouds
Azure Defender for Kubernetes is an add-on to Azure Security Center. It provides cluster-level threat protection for your Kubernetes clusters managed by Azure (AKS). Moreover, you can extend this protection to on-premises clusters and other clouds by using the Azure Arc extension for Kubernetes.
Azure Defender for Kubernetes is one of several container-related add-ons that Azure Security Center provides. Combined, Azure Defender for Kubernetes, Azure Defender for Servers, Azure Defender for Registries and the Azure Policy add-on for Kubernetes cover most of your security and compliance requirements. Each of these solutions is agentless (except for Azure Policy for Kubernetes) and generates alerts when suspicious activity is found. You can use these alerts to quickly remediate current security issues and to improve the security of your containerized ecosystem.
Against which threats does the Azure Defender for Kubernetes add-on defend?
- Exploitation for Privilege Escalation
  Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
  - Container with a sensitive volume mount detected
  - Privileged container detected
  - New high privileges role detected
- Indicator Removal on Host
  Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
  - Kubernetes events deleted
- Exploitation of Public-Facing Application
  Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability.
  - Kubernetes penetration testing tool detected
  - Digital currency mining container detected
  - K8S API requests from proxy IP address detected
- Implantation of Container Image
  Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.
  - Container with a sensitive volume mount detected
  - CoreDNS modification in Kubernetes detected
Additional protection with Azure Defender for servers and container registries
How to set up detection mode and auto alerts in Azure Defender for Kubernetes?
After you have enabled the Azure Defender plans on your subscription, Security Center starts to analyze and combine logs from multiple sources:
- Kubernetes API audit logs from the master nodes abstracted by Azure, used by Azure Defender for Kubernetes
- Log Analytics security event logs from the nodes running Kubernetes, used by Azure Defender for Servers
- Kubernetes workload configuration scraped by the Azure Policy for Kubernetes add-on (in the backend it is based on OPA Gatekeeper) to detect misconfigured objects in your Kubernetes cluster, used by Azure Defender for Kubernetes
Now that Azure Defender is enabled, you can verify the connection between the log sources and Security Center. First, log in to the Kubernetes cluster in your subscription. Then execute the following CLI command, which should trigger an example security alert (the namespace name is the test pattern Security Center recognizes, it does not have to exist):
kubectl get pods --namespace=asc-alerttest-662jfi039n
Create workflows that auto-remediate alerts
So far we have only touched the detection mode of Azure Security Center, which creates security alerts. However, it is also possible to create workflows that auto-remediate alerts. This can be done with a combination of two Azure resources: Azure Logic Apps and Azure Functions.
You configure the Azure Logic App to use an Azure Security Center alert as its trigger. The Logic App pulls the relevant data out of the alert (which cluster, namespace and pod the alert is for) and sends that data as arguments to the Azure Function. The function then logs in to the right cluster and executes the commands needed to remediate the alert, for instance deleting the pod that was detected as a miner image.
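The remediation step of that workflow, as an added example (not the article's or Microsoft's own code): the core of a Python Azure Function that receives the JSON the Logic App posts, decides whether the alert is eligible for automatic action, and builds the kubectl command that deletes the offending pod. The alert field names (alertDisplayName, entities with type K8s-namespace and K8s-pod) and the sample alert are assumptions constructed for this example; the HTTP-trigger wrapper and the cluster login are left to the function host.

```python
import subprocess
from typing import Callable, Dict, List, Optional

# Allow-list of alert names this workflow may act on without a human in the loop.
# Anything else is only logged, so a noisy or low-confidence alert cannot delete workloads.
AUTO_REMEDIATE_TYPES = {"Digital currency mining container detected"}
PROTECTED_NAMESPACES = {"kube-system", "gatekeeper-system"}

def plan_remediation(alert: Dict) -> Optional[List[str]]:
    """Return the kubectl command for an eligible alert, or None to skip it.
    Assumed alert shape: {"alertDisplayName": str, "entities": [{"type": str, "name": str}]}."""
    if alert.get("alertDisplayName") not in AUTO_REMEDIATE_TYPES:
        return None
    names = {e.get("type"): e.get("name") for e in alert.get("entities", [])}
    namespace, pod = names.get("K8s-namespace"), names.get("K8s-pod")
    if not namespace or not pod or namespace in PROTECTED_NAMESPACES:
        return None
    # Resource names are passed as separate argv entries, never interpolated into a shell string.
    return ["kubectl", "delete", "pod", pod, "--namespace", namespace]

def remediate(alert: Dict, executor: Optional[Callable[[List[str]], int]] = None) -> Dict:
    """Run the planned command; `executor` is injectable so the decision logic can be tested offline."""
    cmd = plan_remediation(alert)
    if cmd is None:
        return {"action": "skipped", "alert": alert.get("alertDisplayName")}
    run = executor or (lambda c: subprocess.run(c, check=False).returncode)
    status = "deleted" if run(cmd) == 0 else "failed"
    return {"action": status, "command": cmd}

# Constructed sample payload, as the Logic App would forward it.
SAMPLE_ALERT = {
    "alertDisplayName": "Digital currency mining container detected",
    "entities": [
        {"type": "K8s-cluster", "name": "aks-prod-weu"},
        {"type": "K8s-namespace", "name": "team-a"},
        {"type": "K8s-pod", "name": "miner-7d9f"},
    ],
}

if __name__ == "__main__":
    print(remediate(SAMPLE_ALERT, executor=lambda c: 0))
```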
If you need support with that, do not hesitate to reach out to us: cloud native solutions and Kubernetes are our passion. We earned a Microsoft Advanced Specialization in Kubernetes on Azure. But beyond the theory, we have quite a few happy customers and years of field experience earned through those real-life projects.