
New K8s Workload Created With Privilege Escalation

This alert fires when Lacework detects a newly created pod that can escalate its privileges.

Why this alert is important

Once an attacker has escalated privileges through such a workload, several further escalation paths within its namespace open up, including:

  • Mounting arbitrary secrets in the namespace:
    • The attacker can read secrets intended for other workloads.
    • Those secrets can contain credentials and other sensitive information.
  • Using arbitrary Service Accounts in the namespace:
    • The attacker can impersonate other workloads and act on the Kubernetes API as them.
    • They can perform whatever privileged actions the impersonated Service Account is allowed to perform.
  • Mounting configmaps intended for other workloads in the namespace:
    • The attacker can read configuration meant for other workloads.
    • This may include sensitive details such as database host names.
  • Mounting volumes intended for other workloads in the namespace:
    • The attacker can read and manipulate data belonging to other workloads.
    • Modifying the data stored in these volumes can lead to unauthorized changes.

Investigation

Follow these steps to investigate the alert:

  1. Check whether the suspicious workload mounts secrets that are not intended for it. Look for any access, or attempted access, to secrets meant for other workloads.
  2. Check whether the workload runs under a different service account than the one it was assigned. Look for impersonation attempts or use of service accounts with higher privileges.
  3. Check whether the workload mounts configmaps that belong to other workloads in the namespace; this can indicate an attempt to obtain information meant for those workloads.
  4. Check whether the workload mounts volumes that are intended for other workloads; this can indicate an attempt to read or modify their data.
  5. Examine the permissions granted to the suspicious workload. Verify whether it holds more privileges than it needs, or can reach resources it should not, and look for signs that the user expanded their privileges beyond what was authorized.
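The five checks above can be run mechanically against the pod object itself. The script below is an added example, not Lacework's or Kubernetes' own code: it takes the JSON that `kubectl get pod <name> -n <ns> -o json` prints, enumerates every secret, configmap and volume claim the pod references (volumes, projected sources, env `valueFrom`, `envFrom` and image pull secrets), compares them with per-workload allowlists, reports the service account, and lists the spec settings that let a container reach the node or raise its own privileges. `SAMPLE_POD` is a constructed pod and the allowlists are hypothetical operator expectations.

```python
"""Triage one pod for the escalation paths described above.

Added example, not Lacework's or Kubernetes' own code. It consumes the JSON
that `kubectl get pod <name> -n <ns> -o json` prints. SAMPLE_POD is a
constructed pod; the allowlists given to triage() are hypothetical per-workload
expectations an operator keeps for the namespace.
"""
import json

# Constructed sample: references objects of other workloads plus host-level settings.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "build-runner-7f9", "namespace": "payments"},
  "spec": {
    "serviceAccountName": "ci-deployer",
    "hostPID": true,
    "imagePullSecrets": [{"name": "registry-creds"}],
    "containers": [{
      "name": "runner",
      "securityContext": {"privileged": false, "allowPrivilegeEscalation": true},
      "env": [{"name": "DB_PASSWORD",
               "valueFrom": {"secretKeyRef": {"name": "payments-db", "key": "password"}}}],
      "envFrom": [{"configMapRef": {"name": "payments-config"}}]
    }],
    "volumes": [
      {"name": "tls", "secret": {"secretName": "ingress-tls"}},
      {"name": "data", "persistentVolumeClaim": {"claimName": "ledger-data"}},
      {"name": "hostroot", "hostPath": {"path": "/"}},
      {"name": "cfg", "projected": {"sources": [
        {"configMap": {"name": "other-app-cm"}},
        {"secret": {"name": "other-app-token"}}]}}
    ]
  }
}
""")

def _containers(pod):
    spec = pod["spec"]
    return spec.get("initContainers", []) + spec.get("containers", [])

def _refs(pod, volume_key, name_key, env_ref, envfrom_ref):
    """Names referenced through volumes, projected sources, env valueFrom and envFrom."""
    names = set()
    for v in pod["spec"].get("volumes", []):
        if volume_key in v:
            names.add(v[volume_key][name_key])
        for src in v.get("projected", {}).get("sources", []):
            if volume_key in src:
                names.add(src[volume_key]["name"])
    for c in _containers(pod):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get(env_ref)
            if ref:
                names.add(ref["name"])
        for e in c.get("envFrom", []):
            if envfrom_ref in e:
                names.add(e[envfrom_ref]["name"])
    return names

def referenced_secrets(pod):
    """Every Secret the pod can read (step 1), image pull secrets included."""
    names = _refs(pod, "secret", "secretName", "secretKeyRef", "secretRef")
    return names | {s["name"] for s in pod["spec"].get("imagePullSecrets", [])}

def referenced_configmaps(pod):
    """Every ConfigMap the pod can read (step 3)."""
    return _refs(pod, "configMap", "name", "configMapKeyRef", "configMapRef")

def referenced_claims(pod):
    """PersistentVolumeClaims the pod mounts (step 4)."""
    return {v["persistentVolumeClaim"]["claimName"]
            for v in pod["spec"].get("volumes", []) if "persistentVolumeClaim" in v}

def escalation_indicators(pod):
    """Settings that let a container reach the node or raise its own privileges (step 5)."""
    spec, found = pod["spec"], []
    found += [f for f in ("hostPID", "hostNetwork", "hostIPC") if spec.get(f)]
    found += [f"hostPath:{v['hostPath']['path']}" for v in spec.get("volumes", []) if "hostPath" in v]
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"{c['name']}:privileged")
        if sc.get("allowPrivilegeEscalation", True):  # defaults to true; only an explicit false disables it
            found.append(f"{c['name']}:allowPrivilegeEscalation")
        found += [f"{c['name']}:cap_add:{cap}" for cap in sc.get("capabilities", {}).get("add", [])]
    return found

def triage(pod, allowed_secrets, allowed_configmaps, allowed_claims, expected_sa):
    """Map the pod onto investigation steps 1-5; anything non-empty deserves a look."""
    sa = pod["spec"].get("serviceAccountName", "default")
    return {
        "unexpected_secrets": sorted(referenced_secrets(pod) - set(allowed_secrets)),
        "unexpected_service_account": None if sa == expected_sa else sa,
        "unexpected_configmaps": sorted(referenced_configmaps(pod) - set(allowed_configmaps)),
        "unexpected_claims": sorted(referenced_claims(pod) - set(allowed_claims)),
        "escalation_indicators": escalation_indicators(pod),
    }
```

Feed the real pod with `triage(json.load(open("pod.json")), ...)`. For the constructed pod, `triage(SAMPLE_POD, {"registry-creds", "payments-db"}, {"payments-config"}, set(), "build-runner")` reports `ingress-tls` and `other-app-token` as unexpected secrets, `other-app-cm` as an unexpected configmap, `ledger-data` as an unexpected claim, `ci-deployer` as the wrong service account, and `hostPID`, the `/` hostPath and `allowPrivilegeEscalation` as indicators. Note that `allowPrivilegeEscalation` is reported unless the spec sets it to `false` explicitly, because that is the API default.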

Resolution

Follow these steps to resolve the alert:

  1. Identify the unauthorized workload associated with the privilege escalation and take immediate action to disable or remove it from the Kubernetes cluster. This will help prevent further unauthorized access.
  2. Review and update the permissions and access controls for the affected namespace. Remove any escalated privileges granted to the unauthorized workload or user. Ensure that only necessary permissions are granted based on the principle of least privilege.
  3. Conduct a thorough audit of other workloads and service accounts within the namespace. Look for any additional unauthorized access or suspicious activity. Remove unnecessary or unused service accounts or workloads to reduce the attack surface.
  4. Evaluate your Kubernetes cluster's Role-Based Access Control (RBAC) configuration. Ensure that it aligns with best practices and follows the principle of least privilege. Review and update roles, role bindings, and cluster roles to ensure proper authorization.
  5. Determine how the privilege escalation occurred. Investigate whether it was due to a misconfiguration, vulnerabilities, compromised credentials, or other security issues. Address the root cause to prevent similar incidents in the future.
  6. Strengthen the security of your Kubernetes cluster by implementing additional security measures. This may include enabling multi-factor authentication (MFA) for user accounts, regularly patching and updating the cluster, and implementing logging and monitoring solutions to detect and respond to security incidents.
  7. Monitor your Kubernetes cluster for any further unauthorized access attempts or suspicious activities. Implement real-time monitoring, alerting, and incident response mechanisms to detect and respond to security incidents quickly.
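Resolution steps 2 and 4 come down to finding RBAC grants that turn "can create a workload" into "can read everything in the namespace". The script below is an added example, not Lacework's or Kubernetes' own code: it reads Role or ClusterRole objects as `kubectl get role <name> -n <ns> -o json` prints them, expands `*` wildcards the way RBAC does, and reports every grant that reaches one of the escalation paths described on this page (creating or editing pod-producing workloads, exec, reading secrets, minting service-account tokens, and rebinding roles). The two roles are constructed: one over-broad, one reduced to what a log-reading workload needs.

```python
"""Flag RBAC rules that reach the escalation paths described above.

Added example, not Lacework's or Kubernetes' own code. Input is a Role or
ClusterRole as `kubectl get role <name> -n <ns> -o json` prints it; the two
roles at the bottom are constructed.
"""

# Anything that sets a pod template chooses the Secrets mounted and the
# ServiceAccount used, so create/update/patch on these is as strong as creating pods.
WORKLOAD_KINDS = [("apps", "deployments"), ("apps", "daemonsets"), ("apps", "statefulsets"),
                  ("batch", "jobs"), ("batch", "cronjobs")]

# (apiGroup, resource, verb) -> why the grant matters inside a namespace; "" is the core group.
ESCALATION_CAPABLE = {
    (g, r, v): f"{v} {r}: choose the pod template, hence any Secret or ServiceAccount"
    for g, r in WORKLOAD_KINDS for v in ("create", "update", "patch")
}
ESCALATION_CAPABLE.update({
    ("", "pods", "create"): "create pods: mount any Secret, run as any ServiceAccount",
    ("", "pods/exec", "create"): "exec into pods: read their mounted Secrets and tokens",
    ("", "secrets", "get"): "read Secrets directly",
    ("", "secrets", "list"): "list Secrets (the list response includes their data)",
    ("", "serviceaccounts/token", "create"): "mint tokens for any ServiceAccount",
    ("rbac.authorization.k8s.io", "rolebindings", "create"): "grant roles to principals",
    ("rbac.authorization.k8s.io", "roles", "bind"): "bind roles beyond own permissions",
    ("rbac.authorization.k8s.io", "roles", "escalate"): "edit roles beyond own permissions",
})

def _covers(granted, wanted):
    """RBAC treats '*' in apiGroups, resources or verbs as matching everything."""
    return "*" in granted or wanted in granted

def risky_grants(role):
    """Return (rule index, 'group/resource:verb', reason) for each escalation-capable grant."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        for (group, resource, verb), why in ESCALATION_CAPABLE.items():
            if _covers(groups, group) and _covers(resources, resource) and _covers(verbs, verb):
                findings.append((i, f"{group or 'core'}/{resource}:{verb}", why))
    return findings

# Constructed: a "deployer" role that can do anything in three API groups.
BROAD_ROLE = {
    "kind": "Role", "metadata": {"name": "ci-deployer", "namespace": "payments"},
    "rules": [
        {"apiGroups": ["", "apps", "batch"], "resources": ["*"], "verbs": ["*"]},
    ],
}

# Constructed: the same principal reduced to reading pods and their logs.
LEAST_PRIVILEGE_ROLE = {
    "kind": "Role", "metadata": {"name": "ci-deployer", "namespace": "payments"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    ],
}
```

Run `risky_grants` over every Role referenced by the RoleBindings that name the workload's service account (`kubectl get rolebindings -n <ns> -o json` lists them); `BROAD_ROLE` yields findings for pod creation, exec, secret reads, token minting and every workload controller, while `LEAST_PRIVILEGE_ROLE` yields none. Anything the list flags that the workload cannot justify is what step 2 tells you to remove.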