Running a CISA Hardening Test with Kubescape Cloud
Manually scanning a wide area is impractical, so the scanning technique you choose is a crucial consideration. A suitable, dependable tool is vital for automating scans. Kubescape, for example, scans exceptionally quickly and lets you customize the scan to match your individual needs, which makes it a must-have during the scanning procedure.
In this article, I'll show you how to run an NSA–CISA hardening test using Kubescape to discover Kubernetes misconfigurations. You can also choose from a variety of other frameworks available in Kubescape.
Kubernetes Security
It is tough to set up container orchestration that is both simple and safe in order to develop a simple and secure application. On the one hand, there are numerous occasions where temporarily relaxing security restrictions is more convenient. On the other hand, if small configuration problems are not fixed correctly and swiftly after a Kubernetes cluster is up and running, they might pose major security risks.
What Is CISA?
Certified Information Systems Auditor refers to a title issued by the Information Systems Audit and Control Association (ISACA). The position provides the industrial benchmark for those who work in information systems, namely in auditing, control, and security. CISA holders show companies that they have the knowledge, technical abilities, and competency to tackle the dynamic problems modern businesses face.
What Are the NSA–CISA Hardening Guidelines?
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have come together to make a comprehensive set of recommendations that focus on strengthening the security of an enterprise’s Kubernetes system.
This 52-page cybersecurity report focuses on the typical reasons behind a compromised Kubernetes system and provides administrators with useful tips on how to operate Kubernetes safely. It determines how well your Kubernetes setups comply with the NSA–CISA guidance's best practice guidelines. Additionally, it examines how motivated hackers are to attack Kubernetes clusters, particularly those on public clouds, for a variety of purposes, such as stealing data, computing resources, or engaging in cryptocurrency mining.
Kubescape
Kubescape is an open source tool that provides risk analysis, security compliance checks, and software vulnerability scanning. Using it, you can implement security rules and best practices in accordance with several compliance frameworks, such as NSA–CISA and MITRE, or even develop a custom framework. Kubescape also continuously monitors and strengthens Kubernetes, reduces its attack surface, and provides automated suggestions and contextual insights.
Using Kubescape
Installation
If you haven’t installed Kubescape yet, you can install it by copying and pasting the following command in your terminal.
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
Scanning Using the NSA–CISA Framework
You can copy and paste this command into your terminal to scan your Kubernetes cluster based on NSA–CISA guidelines.
kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
or
kubescape scan framework nsa test.yaml
Once you run this command, Kubescape will scan your project for vulnerabilities. The output shows that the scan has started successfully, the result of each test, and the final results across all tests.
Under Failed Resources, you can see how many resources failed during your test. You should immediately fix them as they can leave your project vulnerable.
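As an added example (not from the original article or the Kubescape project), here is a constructed test.yaml you could pass to the file-scan command above. The first pod carries settings of the kind the NSA–CISA guidance warns against, and the second shows the hardened equivalents. Pod names, the image reference and the resource values are placeholders.

```yaml
# test.yaml: constructed sample input for `kubescape scan framework nsa test.yaml`.
apiVersion: v1
kind: Pod
metadata:
  name: web-weak              # hypothetical name: the "before" pod
spec:
  hostNetwork: true           # shares the node's network namespace
  hostPID: true               # can see every process on the node
  containers:
    - name: web
      image: registry.example.com/web:1.0   # placeholder image
      securityContext:
        privileged: true      # effectively root on the node
      # Also missing: resource limits, a read-only root filesystem,
      # and a non-root user (the container runs as root by default).
---
apiVersion: v1
kind: Pod
metadata:
  name: web-hardened          # hypothetical name: the "after" pod
spec:
  automountServiceAccountToken: false   # no API token unless the app needs one
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: web
      image: registry.example.com/web:1.0   # placeholder image
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: 500m
          memory: 256Mi
```

Scanning a file like this before it is applied lets you compare the failed resources reported for the two pods and fix the manifest rather than the running workload.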
Remember, you can choose from a wide range of frameworks available in Kubescape, e.g., NSA–CISA, MITRE ATT&CK, Armobest, and so on, to scan for vulnerabilities. So don't hesitate to tinker around a little and see what you can do with the tool.
Best Practices for Kubernetes Security
Using these practices can eliminate most threats.
RBAC
The guidance puts great focus on enabling and setting up RBAC. The latest recommendations involve further separation of duties. For instance, it is recommended that administration and infrastructure management be kept distinct.
Restrict Users
The guidance emphasizes the danger from insider threats. The Kubernetes environment might be compromised by users, administrators, or cloud service providers with specific access privileges.
Auditing and Logging
The recommendation places a strong emphasis on alarms and log-based monitoring. Considerations for logging at the host, application, and cloud levels are all significant. It's crucial to understand who is liable for each layer of logging while running Kubernetes in a production environment.
Building Secure Container Images
To stop vulnerable or improperly configured pods from running in the cluster, the Kubernetes Hardening guide also advises deploying a scanner as an admission controller throughout the deployment process. Although this is a great idea in theory, there are certain considerations to keep in mind before putting it into action.
Use Third-Party Authentication
Integration with a third-party authentication service for Kubernetes is recommended (e.g. GitHub). In addition to adding multi-factor authentication, this guarantees that the kube-apiserver does not need to change when users are added or removed.
Monitor Network Traffic
Cluster networks are often extensively used by containerized applications. Learn how your application interacts with other applications by watching live network traffic and comparing it to the traffic permitted by Kubernetes network policy. It will help you spot suspicious communications.
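To make "the traffic permitted by Kubernetes network policy" concrete, this added example (not part of the original article) defines a default-deny baseline for one namespace plus a single explicit allow rule. The namespace, labels and port are assumptions.

```yaml
# Constructed example: namespace "shop", the app labels and port 8080 are placeholders.
# 1) Deny all ingress and egress for every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}            # empty selector matches every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
---
# 2) Allow only frontend pods to reach the api pods on TCP 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

Because egress is denied by default here, the frontend pods also need a matching egress rule (and DNS access) before this flow works. Any observed connection that no rule allows is the traffic worth investigating.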
Use Encryption
Etcd is a sensitive resource and a prime target for attackers. If an attacker manages to gain access to etcd, they may take control of the whole cluster. Attackers can then use that read access to exploit the cluster's security.
The report makes recommendations for making your Kubernetes cluster more secure, such as adopting transport layer security (TLS) and encrypting data in transit and at rest. Additionally, using firewalls and network policies can minimize the damage that can be done in case the system gets compromised.
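Encryption in transit and encryption at rest are configured separately: TLS protects the connection between kube-apiserver and etcd, while at-rest encryption of Secrets is an API server setting. The following is an added example, not from the original article; the file paths and the key placeholder are assumptions.

```yaml
# File: /etc/kubernetes/enc/encryption-config.yaml (path is an assumption)
#
# Weak variant, shown commented out: with "identity" as the only (or first)
# provider, Secrets are written to etcd unencrypted.
#   resources:
#     - resources: ["secrets"]
#       providers:
#         - identity: {}
#
# Corrected variant: the first provider in the list is used for writes.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: "<BASE64_ENCODED_32_BYTE_KEY>"   # placeholder, generate your own
      - identity: {}          # fallback so data written before encryption stays readable
---
# Excerpt from the kube-apiserver static pod spec (not a complete manifest).
# At rest: point the API server at the file above.
# In transit: talk to etcd over HTTPS with a CA and a client certificate.
spec:
  containers:
    - name: kube-apiserver
      command:
        - kube-apiserver
        - --encryption-provider-config=/etc/kubernetes/enc/encryption-config.yaml
        - --etcd-servers=https://127.0.0.1:2379
        - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
        - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
        - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
```

Secrets created before the configuration was enabled remain in plaintext until they are rewritten, so existing Secrets need to be updated once after the change.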
Keep Kubernetes Version Up to Date
The guideline encourages administrators to always run the latest version of Kubernetes.
Conclusion
Kubernetes is a trustworthy platform for developing cloud native applications. Keeping track of all the compliance and security standards, on the other hand, becomes difficult.
The NSA–CISA guidelines discuss the increasing use of Kubernetes and how protecting Kubernetes clusters and application containers remains a top focus.
In this article, we have discussed securing your Kubernetes cluster, best practices for this, and how you can run NSA–CISA tests to scan your Kubernetes cluster.