Attacking and Defending Containerized Apps and Serverless Tech

Course Description

With Organisations rapidly moving towards micro-service style architecture for their applications, container and serverless technology seem to be taking over at a rapid rate. Leading container technologies like Docker have risen in popularity and have been widely used because they have helped package and deploy consistent-state applications. Serverless and Orchestration technologies like Kubernetes help scale such deployments to a massive scale which can potentially increase the overall attack-surface to a massive extent, if security is not given the attention required.

Security continues to remain a key challenge that both Organizations and Security practitioners face with containerized and, serverless deployments. While container orchestrated deployments may be vulnerable to security threats that plague any typical application deployments, they face specific security threats related to the containerization daemon, shared kernel, shared resources, secret management, insecure configurations, role management issues and many more!

Serverless deployments on the other hand, face risks such as insecure serverless deployment configurations, Inadequate function monitoring and logging, Broken authentication, Function event data injection & Insecure application secrets storage.
Attacking an infrastructure or Applications leveraging containers and serverless technology requires specific skill-set and a deep understanding of the underlying architecture.

This training has been created with the objective of understanding both offensive and defensive security for container orchestrated and serverless deployments. It will be a 3 day program that will detail through specific theory elements with extensive hands-on exercises that are similar to real-world threat scenarios that the attendees will understand and take part in and, will also understand ways in which containerized and serverless deployments can be attacked, made secure, yet scalable, efficient and effective.

Course contents

The training consists of, but not limited to the following focus areas in Container Security and Serverless Deployment:

  • Introduction to Container Technology
  • Deep-dive into Container Technology
  • Introduction to Docker and other container engines
  • Containerized Deployments and Container Orchestration Technologies
  • Container Threat-Model
  • Attacking Containers and Security deep-dive
  • Container Orchestration Deep-dive
  • Introduction to Kubernetes
  • Threat-Model of Orchestration technologies
  • Attacking Kubernetes
  • Kubernetes Defense-in-Depth and Vulnerability Assessment
  • Logging & Monitoring Orchestrated deployments
  • Introduction to Serverless
  • Deploying Application to AWS Lambda
  • Serverless Threat-Model
  • Attacking a Serverless Stack
  • Serverless Security Deep-dive

Day 1

Session 1

Evolution to Container Technology and Container Tech Deep-Dive:

  • Introduction to Container Technology
    • Namespace
    • Cgroups
    • Mount
  • Hands-on Lab: Setting up a Minimal Container with nothing but Namespaces and CGroups

Introduction to Containerized Deployments – Understanding and getting comfortable using Docker.

  • An Introduction to containers
    • LXC and Linux Containers
    • Introducing Docker Images and Containers
  • Deep-dive into Docker
    • Docker Commands and Cheatsheet
    • Hands-on:
      • Docker commands
      • Dockerfile
      • Images

Session 2

Introduction to Basic Container Orchestration with Docker-Compose

  • Docker Compose
    • Introduction to docker-compose
    • Hands-on:
      • Docker-compose commands
  • Docker Compose Deep-Dive
  • Application Deployment Using docker
    • Hands-on
      • Containerize an application
      • Deploying a containerized application
      • Deploy a containerized application using docker-compose

Threat Landscape- An Introduction to possible threats and attack surface when using Containers for Deployments.

  • Threat Model for Containerized Deployments
    • Daemon-related Threats
    • Network related Threats
    • OS and Kernel Threats
    • Threats with Application Libraries
    • Threats from Containerized Applications
  • Traditional Threat-Modelling for Containers with STRIDE
    • Spoofing
    • Tampering
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of privileges

Session 3

Attacking Containers and Containerized Deployments

  • Attacking Containers and Containerized Deployments
    • Hands-on
      • Container Breakout
      • Exploiting Insecure Docker Configurations
      • OS and Kernel level exploits
      • Trojanized Docker images

Securing Containers and Container Deployments

  • Container Security Deep-Dive
    • Hands-on
      • AppArmor/SecComp
      • Restricting Capabilities
      • Analysing Docker images
    • Container Security Mitigations
      • Hands-on: Container Vulnerability Assessment
        • Clair
        • Dagda
        • Anchore
        • Docker-bench

Day 2

Session 1

Introduction to Scalable Container Orchestrators

  • Introduction to Container Orchestrators
  • Getting started with Kubernetes
  • Understanding Kubernetes Architecture and Components
  • Hands-on:
    • Exploring Kubernetes Cluster
    • Deploying application to Kubernetes

Session 2

Attacking Kubernetes Cluster

  • Kubernetes Threat Model
  • Attack Surface for a Kubernetes Cluster
  • Hands on:
    • Attacking application deployed on Kubernetes
    • Exploiting a Vulnerable Kubernetes cluster
    • Maintaining Persistent Access and Pivoting in the K8s Cluster
  • Dissecting the K8s Attack and identifying Security Missteps

Session 3

Kubernetes Security Deep-Dive

  • K8s Threat Model and its counterpoint in Security Practices
  • Hands-on: Ideal Security Journey: Kubernetes
    • Pod Security
    • Access Control
    • Secret Management
  • Hands-on: Kubernetes Vulnerability Assessment
    • Kube-sec
    • Kube-hunter
    • Kube-bench
  • Hands-on: Logging and Monitoring
    • Logging and Monitoring specific Parameters within the K8s Cluster
    • Identifying anomalies (especially security) with the K8s Cluster
  • Hands-on: Kubernetes Network Security Implementation
    • Network Security Policy
    • Service Mesh – Istio/Envoy

Day 3

Session 1

Serverless Introduction

  • Understanding Serverless and FAAS(Function-As-A-Service)
  • Quick tour of FAAS(Function-As-A-Service) and BAAS(Backend-As-A-Service)
  • Introduction to AWS Lambda, S3, Open-FAAS and other Serverless options

Serverless Deep-Dive

  • Introduction to Architecture of Serverless Deployments
  • Hands-on: Deploying a Serverless application

Session 2

Attacking Serverless applications

  • Serverless Architectures Security Top 10 – A Project similar to OWASP Top 10 for Serverless Apps
  • Function Data Event Injection Attacks against FaaS Implementations:
    • Hands-on Labs – Function Data Event Injection (Multiple Sources)
    • Other Injection and Remote Code Execution attacks against Serverless Apps
  • Broken Access Control
    • Hands-on: Attacking Stateless Authentication and Authorization (JSON Web Tokens)
      • Algorithm Confusion
      • Inherent JWT flaws – none signed token, etc
      • Attacks based on JWK and JWT Claims
    • Attacking Identity and Access Management through Serverless Implementations
      • Hands-on: View of IAM Sprawl and Permissions
      • Hands-on: Attacking with DynamoDB Injection + IAM Permissions creep
  • Other Serverless Attacks
    • Hands-on: Extracting Secrets from FaaS Implementations
    • Hands-on: Leveraging Vulnerabilities like ReDOS to perform Resource Exhaustion Attacks
    • Hands-on: Exploiting Function Execution Order for fun and profit!

Session 3

Securing Serverless applications

  • Securing Serverless applications
    • Identity and Access Management
    • Secret management
      • Hands-on Secrets Management with AWS Secret Manager + Rotation
    • Logging and Monitoring Functions
      • Hands-on: Security Practices for Logging Serverless Functions
      • Hands-on Using AWS X-Ray/Zipkin to leverage tracing for security
  • Hands-on: Serverless Vulnerability Assessment
    • Static Code Analysis[SCA]
    • Static Application Security Testing[SAST]
    • Dynamic Analysis Security Testing[DAST]

Capture The Flag

Attacking a Serverless Application – mini CTF Segment

Target audience

Attacking and Securing Applications leveraging containers and, serverless technology requires specific skill set with a deep understanding of their underlying architecture.

This course is aimed at Developers, DevOps Engineers, Penetration Testers and Security practitioners who use container or serverless technology as part of their product deployments and want to get a good understanding on how to secure their services and deployments. Training will be extremely hands-on to help understand all there is to attack and secure containers and serverless applications.

Requirements

Student

  • Students should have a basic understanding of Linux environment and know their way around the terminal.
  • A basic understanding of ‘OWASP TOP-10 Vulnerabilities’ and ‘Basics of Docker’ will be helpful, but not necessary.

Hardware and Software

  • Intel i5 and above preferred, 64bit Operating System (32 bit will NOT work), 8GB+ RAM preferred. Netbooks WON’T work
  • Minimum 80GB HDD space available
  • Working WiFi adapter with ability to connect to third party wireless networks
  • User must be able to use the USB port of the laptop to copy, install and run the Virtual Machine, which will be delivered in a USB Mass Storage Device(Flash Drive).

UPDATE :  The trainers have informed us that they will be providing each student access to the labs in the cloud, so there is no need to be able to running the VM machines locally. Please take into account these updated requirements :

  • Working WiFi adapter with ability to connect to third party wireless networks
  • We have created cloud labs for all the exercises and labs of the program to work. You will need a terminal program to SSH into the remote lab environments. These programs should work fine: Mac OSX => ITerm2 or Terminal (no need to install), Windows => Putty or Cygwin, Linux => Terminal (no need to install anything else).
  • We will be provisioning AWS accounts on our environment with restrictions, but it is HIGHLY recommended to get your own AWS accounts to get a more hands-on experience for the serverless labs.(We will be using ‘free-tier eligible’ resources, so it will not cost you)

Soft copy of the Slides  will be given to participants on a USB Flash Drive that will be formatted with the NTFS format.

Trainer Biography

Nithin Jois is a Solutions engineer at we45 – a focused Application Security company. He has helped build ‘Orchestron’ – A leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in Orchestrating containerized deployments securely to Production. Nithin and his team have extensively used Docker APIs as a cornerstone to most of we45 developed security platforms and he has also helped clients of we45 deploy their Applications securely.

Nithin is a passionate Open Source enthusiast and is the co-lead-developer of ThreatPlaybook – An Open Source framework that facilitates Threat Modeling as Code married with Application Security Automation on a single Fabric. He has also written multiple libraries that complement ThreatPlaybook. Nithin is an automation junkie who has built Scalable Scanner Integrations that leverage containers to the hilt and is passionate about Security, Containers and Serverless technology. He speaks at meetup groups, webinars and training sessions. He participates in multiple CTF events and has worked on creating Intentionally Vulnerable Applications for CTF competitions and Secure Code Training.

Nithin was a trainer and speaker at events like AppSecUS 2018, LasCon 2018 and CodeBlue Japan and SANS Secure DevOps Summit. In his spare time, he loves reading about personal finance, leadership, fitness, cryptocurrency, and other such topics. Nithin is an avid traveler and loves sharing stories over a cup of hot coffee or a mug of cold beer.

Twitter : @bondijois

Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework.
He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to his work in Application Security Automation, he has created “ThreatPlaybook”, a unique open-source framework that marries Threat-Modeling (as-Code) with Application Security Automation.

ThreatPlaybook has been featured in several industry events and been recently featured in BlackHat USA 2018’s Arsenal event. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security, namely Containers, Orchestration and Serverless Architectures.

Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan) and so on. He’s also an author and trainer on Pluralsight. He writes on IT and IT Security-focused areas in his blog. Abhay is the author of two international publications “Secure Java: For Web Application Development” and “PCI Compliance: A Definitive Guide”

Twitter : @abhaybhargav