0-DAY UNNECESSARY: ATTACKING AND PROTECTING KUBERNETES, LINUX AND CONTAINERS
Learn how to attack and defend Kubernetes, Linux and containers from Jay Beale, who has led development of the Kubernetes CTF at DEF CON, Bastille Linux, the Center for Internet Security's first Linux security benchmark, and two Kubernetes tools: the Peirates attack tool and the Bust-a-Kube CTF cluster. In this fully hands-on course, you'll get an x86 computer to keep, filled with capture-the-flag (CTF) machines, Kubernetes clusters, and containers, which you will attack and defend. We start the class without any passwords for the computer - in the first exercise, you break into your computer! You'll also get access to our cloud environment, allowing you to attack cloud-based Kubernetes clusters.
This training focuses on giving you practical attack skills from real penetration tests, coupled with solid defenses to break attacks. Every single topic in the class has a long attack exercise, where you use Kali Linux to compromise a system, and a matching short defense exercise, where you will use new skills to break that attack, confident that it will break other attacks. In this well-reviewed class, we attack the container orchestration system, Kubernetes, along with the Linux operating system and containers that make it up!
This class is more than 50% hands-on: you get a real concept background, but then learn by doing. We start by building a true understanding of containers, building a container without Docker or any other container runtime. We then move on to attacks on container images and registries. We see how Kubernetes orchestrates machines running containers, and then use that to learn how to attack clusters at every level. For example, in our privilege escalation attacks, you'll move from a restricted shell with non-root privilege in a container into full unrestricted root access in that container, then break out of the container. You'll learn how to break that attack. You'll learn a host of container breakouts. From container breakout, you'll learn to use the host to take control of the Kubernetes cluster and the cloud environment. We also use containers/pods to attack the Kubernetes control plane and the cloud APIs. By the time we're through, you will have compromised at least 14 CTF scenarios. You will also have broken attacks hands-on with AppArmor, SecComp, and the latest in container and Kubernetes security controls. Our Kubernetes work will include: authorization settings, role-based access control, network policies and service meshes, pod security standards, and admission controllers like Kyverno and OPA Gatekeeper. These will enable and enforce the powerful technologies we've learned: AppArmor, SecComp, SELinux, root capability dropping, and filesystem controls. We'll see how both on-prem and cloud-based clusters can be attacked, attack our own clusters, and then harden those Kubernetes clusters to break our attacks.
We will cover each of the following, with exercises in both attack and defense:
Cloud Native Attack and Defense
Attacking Public Cloud Services (AWS and GCP)
Advanced Privilege Escalation, including via Linux Capabilities and Namespaces
Container Breakouts via Multiple Methods
Privilege Escalation and Lateral Movement via Kubernetes Node Attacks
Secret Brute Forcing for API Privilege Escalation
Privilege Escalation and Persistence via Evil Admission Control
Container Profile Enforcement with AppArmor, Syscall, and Capability Restriction
Detecting Container Attacks with Falco
Ingresses with ModSecurity WAF functionality
Docker/Container Run-time Attack and Defense
Kubernetes Cluster Attacks
Defeating and Defending Multi-tenant Clusters
Kubernetes RBAC – Attack and Defense
Attack and Assessment tools: Peirates, kubescape and kube-bench
Kubernetes Secrets Abuse and Protection – Attack and Defense
Kubernetes Network Segmentation and Service Meshes
Kubernetes Admission Control: Kyverno, OPA Gatekeeper, etc.
Attacking Public Cloud Environments to Compromise Kubernetes
The class will also have a separate bonus webinar on SELinux.
Includes a free computer!
Skills / Knowledge
- PenTesting
- Cloud