10-23, 10:45–11:15 (Europe/Luxembourg), Europe - Main Room
In this talk, we'll dive into KubeHound, a Tool for building Kubernetes attack paths. We will present the genesis of the project and what answers regarding your Kubernetes cluster security it might bring to you. We will cover how KubeHound bring you offensive mindset on a silver platter because we think the best defense is a good offense. Live demos of KubeHound from the defender’s and attacker’s point of view will be performed during the talk.
There’s no two ways about it: Kubernetes is a confusing and complex collection of intertwined systems. Understanding interdependencies in a Kubernetes cluster, in particular gaps left open by seemingly innocent configuration changes, is beyond human capability. But all misconfigurations are not equal, some are not a big deal, but some can lead to the full take of an entire Kubernetes cluster. This illustrates the well-known adage: "Defenders think in lists, attackers think in graphs; as long as this is true, attackers win".
In this talk we will introduce how KubeHound, an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog, can help you pinpoint the most critical attack within your Kubernetes cluster:
From a defender’s point of view, it means how to prioritize which security initiative is more important built on concrete Security KPI.
From an attacker’s point of view, it means finding the lowest effort attack path that will lead to his goal, usually full take over of the entire cluster. Having a treasure map saves a ton of time for the attacker.
In short, single point security findings have little traction either for an attacker or defender. So we will demonstrate how KubeHound being a queryable, graph database of attack paths makes reasoning about security problems via data-driven testing of hypotheses extremely efficient.
At the end of the talk, we will leave you with an open-source version of KubeHound designed to be run from a laptop to evaluate the attack paths within a single cluster from an attacker or defender point of view. Finally, we will discuss the approach and challenges of implementing a distributed, large-scale version of the tool at Datadog and how you might implement a similar solution in your own environment.
Julien Terriac a French senior security researcher with a strong background of pentesting with a special taste for Windows authentication, Active Directory inner working and reverse engineering. He developed several offensive tools to automate such as ProtonPack (custom mimikatz), Lycos (share hunter), ExploitPack (privilege escalation framework), IAMBuster (AD auditing framework).
He led the R&D department at XMCO for 5 years before joining Datadog as the Team Lead for Adversary Simulation Engineering (ASE) where his team aims at building offensive tools and frameworks that will automate the simulation of real life attacks against Datadog.