MITRE-ATT&CK

What is MITRE-ATT&CK

MITRE ATT&CK is not a compliance regulation that organizations must adhere to. It is a publicly available knowledge base of adversary tactics, techniques and procedures (TTPs), curated by MITRE from real-world observations of attacks. It is widely used as a reference and a framework for improving cybersecurity defences, threat detection, and incident response, and organizations often leverage it as a tool within broader security and compliance initiatives.

When this framework is integrated into SSD, its controls are expressed as code (policy-as-code). A policy created from the framework raises an alert, or blocks the deployment, when its rule fails.

Example of MITRE-ATT&CK policies in SSD

  • C-0067 - MITRE - Audit logs enabled - Audit logging is an important security feature in Kubernetes: it enables the operator to track requests made to the cluster. It should be enabled so that the operator has a record of the events that happened in Kubernetes. Note that the kube-apiserver emits audit events only when it is started with an audit policy and a backend (a log file or a webhook); a cluster with neither configured keeps no record at all.

  • C-0068 - MITRE - PSP enabled - Pod Security Policies enable fine-grained authorization of pod creation and updates, extending authorization beyond RBAC. PSP should be used to control the creation of sensitive pods in the cluster. Caveat: PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25, so on newer clusters this control can never pass; the replacement is Pod Security Admission (the pod-security.kubernetes.io namespace labels).

  • C-0069 - MITRE - Disable anonymous access to Kubelet service - By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests and are given the username system:anonymous and the group system:unauthenticated. Anonymous access is disabled with the kubelet flag --anonymous-auth=false, or with authentication.anonymous.enabled: false in the KubeletConfiguration file.

  • C-0070 - MITRE - Enforce Kubelet client TLS authentication - The kubelet is the node-level agent of Kubernetes. It serves port 10250, where it accepts commands from the API server. The operator must make sure that only the API server is allowed to submit commands to the kubelet. This is done through client certificate verification: the kubelet must be configured with a client CA file (the --client-ca-file flag, or authentication.x509.clientCAFile in the KubeletConfiguration) so that it only accepts callers presenting a certificate signed by that CA.

  • C-0035 - MITRE - Cluster admin binding - Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC restricts the actions allowed to the various identities in the cluster. cluster-admin is a built-in, highly privileged ClusterRole. Attackers who have permission to create RoleBindings and ClusterRoleBindings can bind an identity they control to the cluster-admin ClusterRole, or to another highly privileged role. Any subject bound to cluster-admin beyond the default binding for the system:masters group should be reviewed.
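The five controls above all reduce to checks over cluster configuration: kube-apiserver flags, kubelet flags or its configuration file, and the ClusterRoleBindings present in the cluster. The following is an added illustration of what such policy-as-code checks look like; it is not SSD's own policy code, and it does not reproduce the exact rule logic behind the C-xxxx identifiers. The flag and field names are the real Kubernetes ones; the file paths, binding names and subjects are constructed sample input, and the `evaluate` function and its control-to-verdict mapping are assumptions made for the example.

```python
"""Policy-as-code style checks mirroring the five MITRE controls listed above.

Added illustration, not SSD's own policy code. Inputs are constructed inline to
mimic kube-apiserver / kubelet command lines and the JSON returned by
`kubectl get clusterrolebindings -o json`; flag names are the real Kubernetes
ones, file paths and binding names are assumptions.
"""
import shlex
from typing import Any, Dict, List


def parse_flags(cmdline: str) -> Dict[str, str]:
    """Turn a component command line into {flag: value}; bare flags map to "true"."""
    flags: Dict[str, str] = {}
    for tok in shlex.split(cmdline):
        if not tok.startswith("--"):
            continue  # skip the binary name and positional args
        key, _, val = tok[2:].partition("=")
        flags[key] = val if val else "true"
    return flags


def audit_logs_enabled(apiserver: Dict[str, str]) -> bool:
    """C-0067: a log path without a policy file records nothing, so require both."""
    return bool(apiserver.get("audit-log-path")) and bool(apiserver.get("audit-policy-file"))


def psp_enabled(apiserver: Dict[str, str]) -> bool:
    """C-0068: PodSecurityPolicy only takes effect when its admission plugin is enabled.
    The plugin was removed in Kubernetes 1.25, so this check can only pass on older clusters."""
    plugins = apiserver.get("enable-admission-plugins", "").split(",")
    return "PodSecurityPolicy" in plugins


def anonymous_disabled(kubelet: Dict[str, str], config: Dict[str, Any]) -> bool:
    """C-0069: the kubelet defaults to anonymous-auth=true; a flag overrides the config file."""
    if "anonymous-auth" in kubelet:
        return kubelet["anonymous-auth"].lower() == "false"
    return config.get("authentication", {}).get("anonymous", {}).get("enabled", True) is False


def client_tls_enforced(kubelet: Dict[str, str], config: Dict[str, Any]) -> bool:
    """C-0070: without a client CA the kubelet cannot verify that a caller is the API server."""
    if kubelet.get("client-ca-file"):
        return True
    return bool(config.get("authentication", {}).get("x509", {}).get("clientCAFile"))


def cluster_admin_subjects(crb_list: Dict[str, Any]) -> List[str]:
    """C-0035: every subject bound to cluster-admin other than the built-in system:masters group."""
    found: List[str] = []
    for crb in crb_list.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for s in crb.get("subjects", []):
            if s.get("kind") == "Group" and s.get("name") == "system:masters":
                continue  # the default binding Kubernetes itself creates
            ns = f"{s['namespace']}/" if s.get("namespace") else ""
            found.append(f"{crb['metadata']['name']}: {s['kind']} {ns}{s['name']}")
    return found


def evaluate(apiserver_cmd: str, kubelet_cmd: str,
             kubelet_config: Dict[str, Any], crbs: Dict[str, Any]) -> Dict[str, Any]:
    """One verdict per control; a deployment gate would block when any verdict is False."""
    api = parse_flags(apiserver_cmd)
    kl = parse_flags(kubelet_cmd)
    admins = cluster_admin_subjects(crbs)
    return {
        "C-0067": audit_logs_enabled(api),
        "C-0068": psp_enabled(api),
        "C-0069": anonymous_disabled(kl, kubelet_config),
        "C-0070": client_tls_enforced(kl, kubelet_config),
        "C-0035": not admins,
        "cluster_admin_subjects": admins,
    }


# --- constructed sample input (assumed values, not captured from a real cluster) ---
APISERVER_CMD = ("kube-apiserver --audit-log-path=/var/log/kubernetes/audit.log "
                 "--audit-policy-file=/etc/kubernetes/audit-policy.yaml "
                 "--enable-admission-plugins=NodeRestriction,PodSecurityPolicy")
WEAK_KUBELET_CMD = "kubelet --anonymous-auth=true --authorization-mode=AlwaysAllow"
HARDENED_KUBELET_CMD = ("kubelet --anonymous-auth=false --authorization-mode=Webhook "
                        "--client-ca-file=/etc/kubernetes/pki/ca.crt")
KUBELET_CONFIG_WEAK = {"authentication": {"anonymous": {"enabled": True}, "x509": {}}}
CRBS = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ci-runner-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "build"}]},
    {"metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
]}

if __name__ == "__main__":
    for label, cmd in (("weak kubelet", WEAK_KUBELET_CMD), ("hardened kubelet", HARDENED_KUBELET_CMD)):
        print(label, evaluate(APISERVER_CMD, cmd, KUBELET_CONFIG_WEAK, CRBS))
```

With the weak kubelet command line, C-0069 and C-0070 fail and C-0035 fails because the constructed `ci-runner-admin` binding grants cluster-admin to a ServiceAccount; with the hardened kubelet command line only the C-0035 finding remains. Against a real cluster the same functions would be fed the output of `kubectl get clusterrolebindings -o json` and the component command lines read from the control-plane and node manifests.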

Refer to MITRE-ATT&CK for more information.
