
Attacking and Defending Linux, Kubernetes and Docker


Course Schedule

2 Day DOJO
March 20 to March 21 (Monday to Tuesday).

The instructor will be teaching remotely.
The instructor will be teaching on-site.

*Online & Onsite options available (teaching will be done remotely).
*Online & Onsite options available (teaching will be done on-site)

Last updated Feb. 25, 2023.

 

Course Abstract

Learn how to attack and defend Kubernetes, Linux and containers from Jay Beale, the creator of Bastille Linux, the Center for Internet Security’s first Linux security benchmark, and two Kubernetes tools: the Peirates attack tool and the Bust-a-Kube CTF cluster. In this fully hands-on course, you’ll get access to our cloud training environment, where you’ll have a Kali Linux system filled with capture-the-flag (CTF) virtual machines and a Kubernetes cluster, which you will attack and defend.

This training focuses on giving you practical attack skills from real penetration tests, coupled with solid defenses to break attacks. Every single topic in the class has a long attack exercise, where you use Kali Linux to attack Kubernetes and containerized programs, and a matching short defense exercise, where you will use new skills to break that attack, confident that it will break other attacks. In this well-reviewed class, we attack the container orchestration system, Kubernetes, along with the Linux operating system and containers that make it up!

We begin with a technical introduction to Kubernetes and containers. We learn how to work with container runtimes, hands-on, and then learn the beginnings of container breakout. We then take a deep dive into Kubernetes security measures, starting with authorization, before our next lab: a multi-step Kubernetes cluster compromise. The class continues in this fashion: concepts, then attack, then defense. In all, there are 14 lab exercises, including MitM attacks, node compromises, and cluster-to-cloud-to-cluster compromise.

Our defense work will include: authorization settings, role-based access control, network policies, pod security standards, and the Kyverno admission controller. These will enable and enforce the powerful technologies we’ve learned: AppArmor, SecComp, and root capability dropping. We’ll see how both on-prem and cloud-based clusters can be attacked, attack our own clusters, and then harden those Kubernetes clusters to break our attacks.

 

Course Pre-requisites

  • To take this class, you should be comfortable with a Linux command line and should have some understanding of a Linux system at a user level.

  • You do not need experience in containers or Kubernetes to take this class.

 

Course Learning Objectives

  • Gain practical attack skills to compromise Kubernetes and containers.

  • Learn to proactively defend Kubernetes and containerized workloads.

 

Course Agenda

We will cover each of the following, including exercises:

  • Cloud Native Attack and Defense

  • Attacking Public Cloud Services

  • Advanced Privilege Escalation, including via Linux Capabilities and Namespaces

  • Container Breakout and Kubernetes Node Attacks

  • Container Profile Enforcement with AppArmor, Seccomp, and Capability Restriction

  • Ingresses with ModSecurity WAF functionality

  • Docker/Container Run-time Attack and Defense

  • Kubernetes RBAC – Attack and Defense

  • Kubernetes Secrets Abuse and Protection – Attack and Defense

  • Kubernetes Internal Firewalling

  • Kubernetes Admission Control: Kyverno and Pod Security Standards

  • Attacking Public Cloud Environments to Compromise Kubernetes

  • The Peirates Attack tool

 

Hardware Requirements

You will need your own computer, from which you’ll access the cloud environment via a browser.

 

Software Requirements

All of our labs happen in a cloud environment, which you access via a web browser. Your operating system must support an HTML5-capable browser.

 

About the Instructor: Jay Beale

Jay Beale works on Kubernetes and cloud native security, both as a professional threat actor and as a co-lead of the Kubernetes project's Security Audit working group. He's the architect and a developer on the Peirates attack tool for Kubernetes. In the past, Jay created two tools used by hundreds of thousands of individuals, companies and governments: Bastille Linux and the Center for Internet Security's first Linux/UNIX scoring tool. He has led training classes on Linux security and Kubernetes at the Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training, since 2000. As an author, series editor and speaker, Jay has contributed to nine books and two columns and given over one hundred public talks. He is CTO of the information security consulting company InGuardians.

 
 