Building and Validating Kubernetes Attack Detection with Leonidas

As more organisations migrate their workloads to containerised infrastructure, threat actors have shifted their focus to the orchestrator. Despite the rapid transition in technology, the human factor remains the weakest link, with operations teams struggling to adapt conventional security monitoring techniques to this environment. Fortunately, tried-and-true concepts such as collaborative adversarial simulations can be applied to this new security realm.

In this workshop, we demonstrate how defenders can build the capability to detect Kubernetes attacks, and how to validate it in practice using the latest release of Leonidas, Reversec’s (then WithSecure) cloud attack simulation framework. Students will be granted access to a Kubernetes environment in which to practise attacks and familiarise themselves with container security monitoring in a common SOC environment.

Through a hands-on walk-through, viewers following along will:

  • Learn how to utilise Kubernetes audit logs, and how to forward them to an Elastic SIEM
  • Deploy Leonidas within the cluster, and launch out-of-the-box attacks included in its test case database
  • Write new Attack Definitions to extend Leonidas’ capabilities
  • Organise and streamline simulation plans using Jupyter notebooks
  • Experiment with detection building blocks, such as Sigma signatures