February 1-2, 2023 | Seattle, WA
View More Details | Registration Information

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for CloudNativeSecurityCon North America 2023 to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Pacific Standard Time (PST), UTC -8. To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

The schedule is subject to change.
Back To Schedule
Wednesday, February 1 • 1:55pm - 2:30pm
From the Cluster to the Cloud: Lateral Movements in Kubernetes - Yossi Weizman & Ram Pliskin, Microsoft

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
As K8s clusters usually reside in the cloud, access to a container in the cluster can be a foothold to the entire cloud workload. In this session, we’ll present novel techniques used in recent real-world attacks which allowed adversaries to move laterally from a container in a K8s cluster to external cloud resources. We'll start with inner-cluster lateral movement: We'll talk about K8s RBAC configurations that unexpectedly allowed inner-cluster lateral movement and were the root-cause of vulnerabilities in containerized apps. We'll discuss how one can identify such activities by native K8s tools. We'll continue to cluster-to-cloud lateral movement. The key concept in this area is cluster-to-cloud authentication. We'll introduce the various authentication methods used by the major cloud providers: Azure, AWS and GCP. All of the methods fall into one of these 3 buckets: Direct\modified access to IMDS, using K8s as an OIDC identity provider or storing credentials on the underlying nodes. Every authentication method comes with its default configuration, many of those unknowingly grant excessive permissions. We'll present real-world recent incidents of cloud environment takeovers which originated in K8s clusters. We'll explain how users can prevent and detect such activities.

avatar for Yossi Weizman

Yossi Weizman

Senior Security Research Manager, Microsoft
Yossi Weizman is a Senior Security Research Manager at Microsoft Defender for Cloud. He has 12 years of experience in the security research field, starting in the Israeli military. In his current role, Yossi’s main focus is container security. Yossi holds a B.Sc. in Computer Science... Read More →

Ram Pliskin

Principal Security Research Manager, Microsoft
Ram is a Principal Security research manager in the Cloud Security Research team at Microsoft. Ram gained his expertise serving more than a decade for the IDF Intelligence Corp, where he had hands-on experience in research and software development. He also led a team of security researchers... Read More →

Wednesday February 1, 2023 1:55pm - 2:30pm PST
Room 612
  Detections + Incidents + Response