The evolution of a matrix: How ATT&CK for Containers was built

Microsoft Security Blog, published July 21, 2021 (last modified September 12, 2024). https://www.microsoft.com/en-us/security/blog/2021/07/21/the-evolution-of-a-matrix-how-attck-for-containers-was-built/

Note: The content of this post is being released jointly with the Center for Threat-Informed Defense. It is co-authored with Chris Ante and Matthew Bajzek. The Center post can be found here.

As containers become a major part of many organizations’ IT workloads, it becomes crucial to consider the unique security threats that target such environments when building security solutions. The first step in this process is understanding the relevant attack landscape.

The MITRE ATT&CK® team has received frequent questions from the community about if or when ATT&CK would include coverage for adversary behavior in containers. Previous iterations of ATT&CK have included references to containers (for example, Resource Hijacking) and some clearly container-relevant techniques (for example, Implant Internal Image), but the coverage was insufficient to provide network defenders a holistic view of how containers are being targeted in enterprise environments.

Addressing the need for a common framework for understanding container threats

Given clear community interest, inspiration from Microsoft’s work on the threat matrix for Kubernetes, and the publication of research from other teams, the Center for Threat-Informed Defense launched an investigation (sponsored by several Center members including Microsoft) that examined the viability of adding containers content to ATT&CK. The purpose of the Container Techniques project was to investigate adversarial behavior in containerization technologies and determine whether there was enough open-source intelligence to warrant the creation of an ATT&CK for Containers matrix, resulting in either new ATT&CK content or a report on the state of in-the-wild container-based tactics, techniques, and procedures (TTPs). The Center’s research team quickly concluded that there was more than enough open-source intelligence to justify technique development, ultimately resulting in the new matrix.

As of the ATT&CK v9 release, the ATT&CK for Containers matrix is officially available. More details about the Containers matrix can be found in MITRE Engenuity’s announcement blog. Some highlights of the new matrix include related software entries, procedure examples to help network defenders better understand new container-centric techniques, data sources to match the recent ATT&CK data sources refactor, and many others.


Figure 1. ATT&CK for Containers matrix.

Evolving the threat matrix

MITRE ATT&CK has become the common vocabulary for describing real-world adversary behavior. ATT&CK offers organizations a method to measure their defenses against threats that impact their environment and identify possible gaps. With ATT&CK’s approach of methodically outlining the possible threats, Microsoft built the threat matrix for Kubernetes, which was one of the first attempts to systematically map the attack surface of Kubernetes. An updated version of the matrix was released earlier in 2021.


Figure 2: Threat matrix for Kubernetes.

Microsoft took part in the Center’s project and contributed knowledge that the company gained in the field of container security. Microsoft’s unparalleled visibility into threats helps to identify real-world attacks against containerized workloads and provide information about tactics and techniques used in those attacks. One example of such an attack is a cryptocurrency mining campaign that targeted Kubernetes. In this incident, Microsoft saw evidence of the following techniques from the Microsoft threat matrix: