Fake Kubernetes Secrets

Goal: To identify attackers attempting to steal sensitive information stored as Kubernetes secrets.

Approach: Monitoring access to the fake secrets and analyzing attacker behavior. This element involves creating fake Kubernetes secrets that mimic legitimate secrets but contain misleading or deceptive information.

Attackers who attempt to access or exfiltrate the fake secrets will be identified and their actions will be logged.

Engage Goals: EGO0001 Expose, EGO0003 Elicit

Engage Approach: EAP0001 Collect, EAP0002 Detect

Engage Actions: EAC0015 Information Manipulation, EAC0018 Security Controls

Technical Context:

This element can be combined with other deceptive elements, such as deceptive namespaces or fake pods, to enhance its effectiveness. It aligns with the MITRE ATT&CK technique T1528 (Steal or Forge Kerberos Tickets).

Other:

This element requires careful planning and execution to ensure that it does not interfere with the normal operation of the Kubernetes environment.
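
One way to implement the monitoring described in the Approach is to scan the Kubernetes API server audit log (JSON lines, `audit.k8s.io/v1` event fields) for requests that touch the fake secrets. This is an added example, not part of the original element description; the decoy names, the allowlisted service account and the sample events are hypothetical and constructed for illustration.

```python
import json

# Assumed (hypothetical) decoy inventory and the one identity allowed to touch it.
DECOYS = {("payments", "db-admin-credentials"), ("payments", "aws-backup-key")}
ALLOWED_USERS = {"system:serviceaccount:deception:decoy-deployer"}

def decoy_hit(event):
    """Return an alert dict if this audit event touched a decoy secret, else None."""
    ref = event.get("objectRef") or {}
    user = (event.get("user") or {}).get("username", "")
    # Each request is logged at several stages; alert once, on ResponseComplete.
    if (ref.get("resource") != "secrets" or event.get("stage") != "ResponseComplete"
            or user in ALLOWED_USERS):
        return None
    ns, name, verb = ref.get("namespace", ""), ref.get("name"), event.get("verb")
    if name and (ns, name) in DECOYS:
        reason = "direct access to decoy"
    elif not name and verb in ("list", "watch") and ns in {d[0] for d in DECOYS} | {""}:
        # list/watch names no object, but its response contains every secret in scope.
        reason = "bulk read that returns decoys"
    else:
        return None
    # A denied request (403) is still reported: the attempt is the signal.
    return {"user": user, "verb": verb, "namespace": ns, "secret": name,
            "reason": reason, "sourceIPs": event.get("sourceIPs", []),
            "status": (event.get("responseStatus") or {}).get("code")}

def scan(lines):
    """Scan JSON-lines audit log text and return alerts for decoy access."""
    alerts = []
    for line in lines:
        try:
            alerts.append(decoy_hit(json.loads(line)))
        except (json.JSONDecodeError, AttributeError):
            continue  # truncated line or JSON that is not an event object
    return [a for a in alerts if a]

# Constructed sample events in the "payments" namespace (not real log data).
def sample_event(verb, name, code, stage="ResponseComplete",
                 user="system:serviceaccount:payments:web"):
    ref = {"resource": "secrets", "namespace": "payments", **({"name": name} if name else {})}
    return json.dumps({"stage": stage, "verb": verb, "user": {"username": user},
                       "sourceIPs": ["10.0.3.17"], "objectRef": ref, "responseStatus": {"code": code}})
SAMPLE = [
    sample_event("get", "db-admin-credentials", 200),                     # alert
    sample_event("get", "db-admin-credentials", 200, "RequestReceived"),  # duplicate stage
    sample_event("list", None, 403),                                      # alert (denied)
    sample_event("get", "app-config", 200),                               # real secret
    sample_event("get", "db-admin-credentials", 200, user=next(iter(ALLOWED_USERS))),
]
```

Running `scan(SAMPLE)` reports the direct read of the decoy and the denied namespace-wide list, and ignores the duplicate stage record, the legitimate secret and the allowlisted deployer.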
