Codementor Events

Ransomware Prevention for Kubernetes Clusters

Published May 18, 2022

What Is Kubernetes?

Kubernetes is an open source container orchestration platform, originally developed by Google, for managing microservices or containerized applications across a cluster of distributed nodes. Its main purpose is to hide the complexity of managing a fleet of containers. It can run on bare metal or on public or private cloud platforms such as AWS, Azure, and Google Cloud, and it is also shipped as part of distributions such as OpenShift.

Kubernetes is highly resilient and supports zero-downtime deployments, rollbacks, automated scaling, and container self-healing. It also automates storage provisioning, so the persistent volumes it manages hold the application data an attacker wants to encrypt, which makes clusters a direct target for ransomware operators.

Why Is Kubernetes Ransomware Protection Different?

Kubernetes applications have some unique characteristics that make ransomware prevention more difficult than in traditional environments.

Complex microservices architectures
Traditional VM-based applications are self-contained: each virtual machine has its own application, operating system, and configuration files. In cloud-native applications, many nodes share a single control plane, the application is decomposed into multiple microservices, and the pods running those microservices are constantly rescheduled between nodes.

Cloud-native applications include not only microservices, but also Kubernetes objects that carry configuration and credentials (such as ConfigMaps and Secrets). This means the number of objects that must be protected in a Kubernetes environment is far higher than in traditional environments.

This new ecosystem and the vast scale of microservices deployed in production requires not only technological changes, but also operational changes and the ability to implement appropriate protection strategies without slowing down development cycles.

Open source considerations
Kubernetes application development often involves open source components. Poorly coded, misconfigured, or vulnerable components can be exploited during installation or execution, allowing criminals to take control of an entire cluster or application.

Also, Kubernetes itself can contain vulnerabilities. The software is updated frequently, and cluster upgrades can be complex to apply, so clusters often lag behind and remain exposed to known platform-level vulnerabilities.

Isolation between applications
A Kubernetes cluster is a set of nodes running containerized applications. Kubernetes clusters provide a complete ecosystem including DNS services, load balancing, networking, autoscaling, and other features supporting deployed applications. A cluster can host multiple applications in separate namespaces, but a namespace is an administrative boundary, not a network one: unless a NetworkPolicy says otherwise, every pod can open connections to every other pod in the cluster.

In these environments, communication between namespaces, pods, and containers is therefore enabled by default, even where it is not required for normal operation. Attackers can use this to move laterally and spread ransomware after an initial infection.

In addition, attacks on containers have become more sophisticated, and attackers increasingly use evasion and obfuscation techniques such as payload packers, rootkits, and in-memory malware execution that leaves nothing on the container filesystem for an image scanner to find. All these factors make it more challenging to protect Kubernetes clusters.

Protecting Kubernetes from Ransomware Threats

Use the following guidelines to prepare your Kubernetes clusters for ransomware threats, as part of your overall Kubernetes security strategy.

Harden Backups
Backups are the primary recovery path after a ransomware attack, which is why attackers look for them and try to delete or encrypt them before triggering the payload. To be effective against ransomware, you must ensure backups:

  • Are immutable, so that neither the attacker nor a compromised operator account can overwrite or delete them
  • Are accessed with minimal permissions
  • Use credentials and permissions separate from those of the production object storage buckets
  • Are written through a distinct code path and identity, so that compromising a production workload or its credentials does not also expose the backup pipeline

Here are a few important considerations for backup in a Kubernetes environment:

  • Application state and configuration data—these are central in Kubernetes environments but have no equivalent in most legacy systems. Volume snapshots alone capture only the data on disk, not the ConfigMaps, Secrets, and other objects the application needs to run, so relying on snapshots by themselves can lead to data loss and makes recovery and long-term retention unreliable.
  • Application portability—cloud-native applications can be moved across clusters, geographies, and heterogeneous infrastructure, and a backup must preserve that so the application can be restored somewhere other than the compromised cluster.
  • Dynamic autoscaling—Kubernetes-based applications often autoscale both clusters and workloads, and the set of ConfigMaps, Secrets, and persistent volumes in use changes with them. An automated backup solution must discover and include all of these rather than a static list.
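As an added example (not code from the original article or from any backup product), the manifests below show two of the properties above expressed in Kubernetes terms: a snapshot class whose backing snapshot survives deletion of the Kubernetes object, and a dedicated backup identity that can create snapshots but cannot delete them or read the application's Secrets. The namespace, PVC name, CSI driver, and object names are assumptions.

```yaml
# Added example, not from the original article. Names, namespace and the
# CSI driver are assumptions; substitute your cluster's driver.
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: retain-on-delete
driver: ebs.csi.aws.com      # assumption: whichever CSI driver backs your PVCs
deletionPolicy: Retain       # deleting the VolumeSnapshot keeps the storage-level snapshot
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: payments-db-2022-05-18
  namespace: payments
spec:
  volumeSnapshotClassName: retain-on-delete
  source:
    persistentVolumeClaimName: payments-db   # assumption: the application's data PVC
---
# A separate identity for the backup job: its token is useless for reading
# application Secrets, and it cannot delete the snapshots it creates.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: backup
  namespace: payments
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: snapshot-creator
  namespace: payments
rules:
- apiGroups: ["snapshot.storage.k8s.io"]
  resources: ["volumesnapshots"]
  verbs: ["create", "get", "list"]   # deliberately no "delete" or "update"
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "list"]             # enough to find what to snapshot
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: backup-snapshot-creator
  namespace: payments
subjects:
- kind: ServiceAccount
  name: backup
  namespace: payments
roleRef:
  kind: Role
  name: snapshot-creator
  apiGroup: rbac.authorization.k8s.io
```

This is necessary but not sufficient. The snapshot still lives in the same cloud account as production, so an attacker holding cloud-level credentials can delete it there; the "separate permissions" requirement means copying snapshots or exported data to storage under a different account with object-level immutability enabled. And because a volume snapshot captures only the volume, the ConfigMaps, Secrets, and other objects the application depends on must be exported and protected by the same rules.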

Shift to a Proactive Cybersecurity Approach
The Cybersecurity and Infrastructure Security Agency (CISA), together with the NSA, has published Kubernetes hardening guidance that treats ransomware as a serious risk to Kubernetes deployments.

Key threat vectors identified in that guidance are:

  • Supply chain attacks, where a compromised container image, third-party component, or build pipeline gives the attacker a way into the cluster.
  • Exploitation of vulnerabilities and misconfigurations in Kubernetes architecture components.
  • Malicious insiders with privileged access to the organization's clusters abusing those privileges to conduct an attack.

To mitigate attacks from these threat vectors, CISA recommends several preventive and hardened security measures, including:

  • Regularly scanning container images and running pods for vulnerabilities and misconfigurations
  • Running containers and pods with least privilege
  • Using network isolation to limit the damage a breach can cause
  • Restricting unwanted network connections via a firewall
  • Protecting confidentiality with encryption, in transit and at rest
  • Reviewing Kubernetes settings regularly
  • Using the results of vulnerability scans to make sure identified risks are actually remediated or accepted
  • Applying security patches in a timely manner
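
As an added example of the least-privilege item above (not code from the article or from the CISA guidance), here is a namespace configured so that Pod Security Admission rejects pods that violate the restricted profile, followed by a pod that would be rejected and one that is accepted. The namespace, image name, and UID are assumptions, and the example assumes a cluster where Pod Security Admission is enabled (Kubernetes 1.23 or later).

```yaml
# Added example, not from the original article. Namespace, image and UID
# are assumptions.
---
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
# WEAK: privileged container sharing the node's PID and network namespaces.
# One compromised pod is one compromised node. The enforce label above
# causes the API server to reject this pod at admission time.
apiVersion: v1
kind: Pod
metadata:
  name: api-weak
  namespace: payments
spec:
  hostPID: true
  hostNetwork: true
  containers:
  - name: api
    image: registry.example.com/payments/api:1.4.2   # assumption
    securityContext:
      privileged: true
---
# HARDENED: non-root UID, no privilege escalation, all capabilities dropped,
# read-only root filesystem with an explicit scratch volume, default seccomp.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  automountServiceAccountToken: false   # no API token unless the app needs one
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: api
    image: registry.example.com/payments/api:1.4.2   # pin by digest in production
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: tmp
      mountPath: /tmp
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
  volumes:
  - name: tmp
    emptyDir: {}
```

A read-only root filesystem matters specifically for ransomware: a payload that lands in the container cannot write its encrypted copies or its own binary anywhere except the volumes you explicitly mount, which narrows both the blast radius and the place to look during forensics.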

However, these are only some of the precautions organizations should take. In a production environment, CISA also urges organizations to put in place the following security controls:

  • Enforce strong authentication and authorization to restrict user and administrator access
  • Harden nodes and containers to limit the attack surface
  • Set up log auditing
  • Monitor activity for potential malicious intent
  • Set up alerts for important security events

Educate Staff on Ransomware Risks
Organizations should spend time educating developers, IT staff, and other employees about threats to critical systems and business data, and the precautions to take to avoid attempted breaches.

At the time of this writing, foreign adversaries are waging organized attacks against US government agencies and private sector organizations, and several large-scale attacks in the recent past were supported by hostile nation states. These attacks commonly target cloud and on-premises identity systems and weak email and file-sharing security, and use those weaknesses to gain access to cloud accounts and move laterally.

To prevent ransomware from affecting Kubernetes clusters, organizations must increase their resilience and ensure everyone does their part to protect Kubernetes. For example, developers working in Kubernetes CI/CD pipelines must be aware of supply chain attacks and the danger of insecure CI servers and unvetted third-party components. Cloud infrastructure teams must understand the importance of scoping IAM roles tightly and must harden the hosts and networks on which Kubernetes clusters run.

Conclusion
In this article I explained why Kubernetes workloads are at greater risk of ransomware, and provided a few best practices for securing them:

  • Harden Kubernetes backups
  • Shift to proactive approach and address CISA ransomware threat vectors
  • Educate Kubernetes operators on ransomware risks

I hope this will be useful as you improve the security posture of your Kubernetes clusters.

By Gilad David Maayan