Help Shape ATT&CK for Containers
One of the questions that pop up often for the MITRE ATT&CK® team is whether or not we have considered expanding ATT&CK to cover container technologies such as Kubernetes and Docker. We’ve heard your need for coverage in this space, and we’re thrilled to announce that in partnership with the Center for Threat-Informed Defense, the ATT&CK team is now investigating adversarial behavior in containers for potential inclusion in ATT&CK. If we find that there’s enough adversary behavior in containers to warrant ATT&CK coverage, we’ll consider that content for a future ATT&CK release.
There have been some excellent efforts executed across industries to research and publish what threats and vulnerabilities may exist in technologies such as Kubernetes and Docker and how to attack and defend these and related spaces. Since ATT&CK is based on real-world “in the wild” adversary behaviors, our investigation is focused specifically on gathering intelligence on what adversaries are actually doing with these technologies versus what researchers and red teams can do.
We also understand that the definition of “containers” can be fairly vast, so at this point we’re interested in what adversaries are doing across anything related to containers. For example, we’d be interested in how they gain initial access through the orchestration layer, evade defenses within a container, move laterally across a pod, or any other technique related to the container space.
With that in mind — we need your help! Do you have visibility or knowledge of what real adversaries are doing in any facet of the container space and want to engage with the ATT&CK team or submit contributions? If so, please let us know at firstname.lastname@example.org. We’re also interested in your opinions on how container-related techniques in ATT&CK should be represented. Should we just consider adding a Kubernetes matrix, for example, or should we divide the orchestration layer and container layer into separate matrices? Let us know what you think! We look forward to engaging with you and thank you for helping us continue to improve ATT&CK for the entire community.
© 2020 MITRE Engenuity. Approved for Public Release. Document number CT0013.
Originally published at https://medium.com on December 17, 2020.