pts2024

KubeHound: Identifying attack paths in Kubernetes clusters at scale with no hustle
2024-07-04, 09:00–12:00 (Europe/Paris), Workshop room 1

There's no two ways about it: Kubernetes is a confusing and complex collection of intertwined systems. Finding attack paths in Kubernetes by hand is a frustrating, slow, and tedious process, and defending Kubernetes against those same attack paths is almost impossible without third-party tooling.

In this workshop we will present KubeHound, an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog. We will cover the custom KubeHound DSL and use it to identify some of the most interesting and common attack primitives living in your Kubernetes cluster. Where the DSL is not enough, we will cover the basics of Gremlin, the query language of the underlying graph database, so you can find the attack paths that matter to you.

As attackers (or defenders), there is no better way to understand an attack than to exploit it yourself. So in this workshop we will walk through some of the usual attack paths and exploit them. This way you will see for yourself how hard (or easy) it is to fully compromise a Kubernetes cluster (#DontDoThisAtHome).

Finally, in this workshop we will also demonstrate two ways of using KubeHound:
* As a standalone tool that can be run from a laptop
* Deployed as a service in your own Kubernetes clusters (KubeHound as a Service)

The main goal of this workshop is to show how defenders can find and eliminate the most dangerous attack paths, and how attackers can obtain a treasure map to fully compromise a Kubernetes cluster, using the free and open source version of KubeHound.


Understanding the interdependencies in a Kubernetes cluster, in particular the gaps left open by seemingly innocent configuration changes, is beyond human capability. But not all misconfigurations are equal: some are no big deal, while others can lead to the full takeover of an entire Kubernetes cluster. This illustrates the well-known adage: "Defenders think in lists, attackers think in graphs; as long as this is true, attackers win."

KubeHound (open source, Apache-2.0 licensed) is an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog that can help you pinpoint the most critical attack paths within your Kubernetes cluster.

From a defender's point of view, the question is which security initiative to prioritize. To answer it, you need to:
* Provide a quantitative evaluation of risk within a Kubernetes environment. For example, calculate the percentage of high-risk assets with a path to a critical asset.
* Prioritize remediations. For example, calculate and rank the change in the above metric that applying a given remediation would produce.
* Prioritize threat detection efforts. For example, identify the most common edges (i.e. attacks) on paths to critical assets and focus detection efforts on those.
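The three metrics above can be computed on any directed attack graph whose edges are labelled with the attack they represent. The following is an added illustration written for this page, not KubeHound's own code or query language: it builds a small constructed graph in Python (the node names imitate KubeHound vertex kinds and the edge labels are loosely modelled on KubeHound attack names, but the topology, the high-risk set and the remediation list are invented for the example) and computes exposure, remediation ranking, and attack frequency on critical paths. On a real cluster these questions would be asked of the KubeHound graph through its DSL or Gremlin; the arithmetic is the same.

```python
"""Attack-graph metrics on a constructed toy graph (added example, not KubeHound code)."""
from collections import Counter, deque
from typing import Counter as CounterT, Dict, List, Set, Tuple

Edge = Tuple[str, str, str]  # (source vertex, target vertex, attack label)

# Constructed sample graph. Labels imitate KubeHound attack names, but the
# topology is invented: a web container that is privileged AND whose service
# account can exec into an admin tooling pod, a batch job that can create pods
# on the same node, and an isolated container that leads nowhere.
SAMPLE_EDGES: List[Edge] = [
    ("container:web",        "identity:web-sa",        "IDENTITY_ASSUME"),
    ("identity:web-sa",      "role:pod-exec",          "PERMISSION_DISCOVER"),
    ("role:pod-exec",        "container:admin-tool",   "POD_EXEC"),
    ("container:web",        "node:worker-1",          "CE_PRIV_MOUNT"),
    ("node:worker-1",        "container:admin-tool",   "CONTAINER_ATTACH"),
    ("container:admin-tool", "identity:cluster-admin", "IDENTITY_ASSUME"),
    ("container:batch",      "identity:batch-sa",      "IDENTITY_ASSUME"),
    ("identity:batch-sa",    "role:create-pods",       "PERMISSION_DISCOVER"),
    ("role:create-pods",     "node:worker-1",          "POD_CREATE"),
    ("container:isolated",   "identity:isolated-sa",   "IDENTITY_ASSUME"),
]
# Assumed classification: high-risk = internet-exposed workloads, critical = cluster-admin.
HIGH_RISK: Set[str] = {"container:web", "container:batch", "container:isolated"}
CRITICAL: Set[str] = {"identity:cluster-admin"}
# Hypothetical remediations, each expressed as the edges it would delete.
REMEDIATIONS: Dict[str, Set[Edge]] = {
    "web: drop privileged":            {("container:web", "node:worker-1", "CE_PRIV_MOUNT")},
    "web-sa: remove pods/exec":        {("role:pod-exec", "container:admin-tool", "POD_EXEC")},
    "batch-sa: remove pod creation":   {("role:create-pods", "node:worker-1", "POD_CREATE")},
    "admin-tool: no cluster-admin token mount":
        {("container:admin-tool", "identity:cluster-admin", "IDENTITY_ASSUME")},
}


def adjacency(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for src, dst, label in edges:
        adj.setdefault(src, []).append((dst, label))
    return adj


def reachable(adj: Dict[str, List[Tuple[str, str]]], start: str, targets: Set[str]) -> bool:
    """Breadth-first search: is any target vertex reachable from start?"""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            return True
        for nxt, _ in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def exposure(edges: List[Edge], high_risk: Set[str], critical: Set[str]) -> float:
    """Metric 1: fraction of high-risk assets with any path to a critical asset."""
    adj = adjacency(edges)
    return sum(reachable(adj, a, critical) for a in high_risk) / len(high_risk)


def rank_remediations(edges: List[Edge], high_risk: Set[str], critical: Set[str],
                      remediations: Dict[str, Set[Edge]]) -> List[Tuple[str, float]]:
    """Metric 2: rank fixes by how much exposure they remove (largest drop first)."""
    baseline = exposure(edges, high_risk, critical)
    ranked = []
    for name, removed in remediations.items():
        remaining = [e for e in edges if e not in removed]
        ranked.append((name, baseline - exposure(remaining, high_risk, critical)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def critical_paths(edges: List[Edge], high_risk: Set[str], critical: Set[str]) -> List[List[Edge]]:
    """All simple paths (as edge lists) from a high-risk asset to a critical asset."""
    adj = adjacency(edges)
    paths: List[List[Edge]] = []

    def walk(node: str, visited: Set[str], path: List[Edge]) -> None:
        if node in critical:
            paths.append(list(path))
            return
        for nxt, label in adj.get(node, ()):
            if nxt not in visited:  # simple paths only: never revisit a vertex
                visited.add(nxt)
                path.append((node, nxt, label))
                walk(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    for start in sorted(high_risk):
        walk(start, {start}, [])
    return paths


def attack_frequency(edges: List[Edge], high_risk: Set[str],
                     critical: Set[str]) -> Tuple[CounterT[str], CounterT[Edge]]:
    """Metric 3: how often each attack label, and each concrete edge, sits on a critical path."""
    paths = critical_paths(edges, high_risk, critical)
    by_label = Counter(label for path in paths for _, _, label in path)
    by_edge = Counter(edge for path in paths for edge in path)
    return by_label, by_edge


if __name__ == "__main__":
    print("exposure:", exposure(SAMPLE_EDGES, HIGH_RISK, CRITICAL))
    for name, delta in rank_remediations(SAMPLE_EDGES, HIGH_RISK, CRITICAL, REMEDIATIONS):
        print(f"{delta:+.2f}  {name}")
    labels, concrete = attack_frequency(SAMPLE_EDGES, HIGH_RISK, CRITICAL)
    print("attacks on critical paths:", labels.most_common())
    print("choke-point edge:", concrete.most_common(1))
```

The ranking makes the point of the paragraph: removing the web container's privileged flag or its pods/exec permission changes nothing on its own, because the other path still reaches cluster-admin, whereas cutting the single edge every critical path crosses (the admin tooling pod's cluster-admin token) drops exposure to zero. The same edge tops the concrete-edge frequency count, which is where detection effort would go first.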

From an attacker's point of view, it means finding the lowest-effort attack path that leads to their goal, usually full takeover of the entire cluster. Having a treasure map saves the attacker a ton of time.

In short, single-point security findings have little traction for either an attacker or a defender. So we will demonstrate how KubeHound, being a queryable graph database of attack paths, makes reasoning about security problems through data-driven testing of hypotheses extremely efficient.


Julien Terriac is a French senior security researcher with a strong background in pentesting and a special taste for Windows authentication, Active Directory inner workings and reverse engineering. He has developed several offensive automation tools, such as ProtonPack, Lycos, ExploitPack and IAMBuster.

He led the R&D department at XMCO for 5 years before joining Datadog as the Team Lead for Adversary Simulation Engineering (ASE), where his team builds offensive tools and frameworks that automate the simulation of real-life attacks against Datadog.

Edouard is a Senior Security Engineer at Datadog, with a background in both security and software engineering. He enjoys working on large-scale infrastructure and distributed systems. He currently works as part of Datadog's Offensive Security team, which is focused on building automation tools to enable proactive and continuous security assessments of the company's large-scale, cloud-first infrastructure.
Always up for a challenge and with a passion for information security, Edouard enjoys staying up to date on the latest security topics while pushing for stronger and more robust security tooling.