Kubernetes Security - What is the TARA report? And why should DevOps pay attention to it? 🔗︎
Kubernetes security is key. A classic attack starts when a container vulnerability is exploited to perform actions on the container that has been breached. The cause for concern is greatly increased when the attacker obtains additional permissions to access the host and gain access to further containers connected to the same host. As the attack progresses the attacker reaches more nodes and can abuse cluster resources or even access the organization’s crown jewels.
TARA is short for Threat Assessment and Remediation Analysis. A TARA report is an engineering methodology that identifies and evaluates cyber vulnerabilities. It selects mitigating countermeasures that take utility and cost into account, and recommends mitigation procedures matching the required risk tolerance.
[[https://www.mitre.org/sites/default/files/publications/pr-11-4987-presentation-tara-overview.pdf|In 2013]], MiTRE Corporation launched its customizable version of TARA reports, providing an invaluable tool to strengthen applications’ cyber resilience, including Kubernetes security in Kubernetes native and hybrid apps.
Key features of the TARA Report methodology include:
- The ability to perform TARA assessments at various stages of systems’ lifecycle.
- Consistency between successive TARA assessment through stored catalogs of TTPs (Tactics, techniques, and procedures) and CMs (Countermeasures)
- High flexibility: ** Based on a combination of open-source and classified sources, TTP and CM catalog data can be selectively partitioned/filtered based on the scope of the TARA assessment ** Assessments’ rigor levels can be adjusted as necessary ** Default scoring tools provided in the TARA toolset to quantitatively assess TTP risk and CM cost-effectiveness can be adjusted or excluded as needed
MiTRE Corporation, the body behind TARA Report, is a Federally Funded Research and Development Center (FFRDC). It assists US government partners ranging from the Department of Defense to the IRS in research and development of advanced technologies. It’s best known in cyberspace for helping maintain the Common Vulnerabilities and Exposures (CVE) list and for the ATT&CK framework.
What is a MiTRE Corporation TARA Report? 🔗︎
[[https://www.mitre.org/sites/default/files/pdf/11_4982.pdf|TARA reports]] are published to document the TARA methodology’s three main steps applied to a specific system. Its goal is to identify, prioritize, and respond to cyber threats by applying countermeasures minimizing that system’s susceptibility to cyberattack.
TARA assessments are conducted on selected cyber assets rather than on the system as a whole. Those assets are defined as any IT asset used to store, transport, and/or process information within an enterprise, including servers, client systems, network appliances, and more.
Generating a TARA report requires applying TARA methodology to three activities:
- Cyber Threat Susceptibility Analysis (CTSA) This step is dedicated to evaluating a system resilience against an [[https://www.researchgate.net/figure/The-threat-agent-risk-assessment-TARA-methodology-provides-information-on_fig1_335589639|array of Attack Vectors (AVs)]] and TTPs, and leads to the generation of a Threat Matrix, ranking the list TTPs each asset is potentially exposed to. The CTSA options cover a range of cataloged aggressive strategies such as: ** ‘‘‘Cyberattacks’’’ target an enterprise’s use of cyberspace to disrupt, disable, destroy, or maliciously control a computing environment/infrastructure, or destroy the integrity of the data, or steal controlled information. ** ‘‘‘Electronic warfare’'’, typically military aggressions, rely, for example, on the use of electromagnetic and directed energy weapons to control the electromagnetic spectrum ** ‘‘‘Supply chain attacks’’’ insert implants or other vulnerabilities into hardware or software before installation in order to exfiltrate data or disrupt information technology hardware, software, operating systems, peripherals (information technology products), or services at any lifecycle stage.
There are 5 steps to a CTSA. They are:
- Establishing the assessment scope to define the set of assets to evaluate, the range of attack to consider, and the type of adversaries (external, insiders, or trusted insiders).
- Identifying candidate TTPs by evaluating the cyber architecture security capabilities against the TTPs listed in the MiTRE MAE catalog.
- Eliminating implausible TTPs to narrow the list of countermeasures to consider
- Applying the scoring model by assessing the risk posed by each plausible TTP relative to each other to define their priority order.
- Constructing the Threat Matrix listing plausible attack TTPs ranked by decreasing risk score and mapping them to cyber assets according to adversary type.
- [[https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-engineering-for-mission-assurance/cyber-risk-remediation-analysis|Cyber Risk Remediation Analysis]] (CRRA) Once the plausible threats have been identified and prioritized, it is time to establish the list of optimal countermeasures in terms of effectiveness and cost and identify the optimal lifecycle stage to implement them. For each asset selected when defining the scope of the TARA report, the following steps are followed:
- ‘‘‘Select which TTPs to mitigate’’’ by focusing either on high scoring threats in the Threat Matrix or on particularly sensitive assets or even by focusing exclusively on Crown Jewel Assets.
- ‘‘‘Identify plausible countermeasures’’’ with the CRRA mapping table that matches candidate countermeasures to individual or sets of TTPs. Each CM mapping is evaluated for its effectiveness in these criteria: a. Detecting b. Neutralizing c. Limiting d. Recovering
- ‘‘‘Assess countermeasure merit’’’ by ranking them based on a Utility/Cost factor for each of the four criteria listed above and generating a CM ranking table.
- ‘‘‘Identify an optimal CM solution’’’ to provide effective mitigation over a specified range of TTPs at the lowest cost.
- ‘‘‘Prepare recommendations’’’
Best Practices for TARA Report Remediation Analysis
The TARA report’s goal is to establish a strategy that provides maximal results at the lowest cost.
As such, this means not all assets listed during the assessment stage can be affordably fully protected, and the set of CMs is unlikely to provide the best possible mitigation as it will factor in the costs involved.
To maximize results, recommendations have to be laid out exhaustively.
To achieve this:
- ‘‘‘When identifying the optimal CM solution’'’, make sure to establish a viable CM selection strategy by defining the minimal conditions to be met to qualify as a viable solution. For example: a. Selecting at least one highly effective CM for each TTP b. Combining less effective CMs when necessary to satisfy #a. c. Requiring a ‘Detect CM’ is for TTPs that have no ‘Neutralize CMs’
- When preparing recommendations, make sure to include those three distinct sets of information for each asset identified during the scope assessment: a. The action, device, procedure, or technique recommended, i.e., which CM to apply b. The reason behind the required CM, i.e., the TTPs that it mitigates c. The implication or effect if the CM is not applied, i.e., the potential impact to mission capability resulting from compromise of the cyber asset
MiTRE Corporation TARA Report is an advanced methodology invaluable to analyze the extent of threats a system is exposed to and recommend actionable remediation plans. DevSecOps in charge of Kubernetes Security or any other system security should consider including it in their toolset. Our K8 Shield’s framework and matrix are modeled after the MITRE ATT&CK® Framework, but designed specifically for the Kubernetes ecosystem. It allows for the identification of attack patterns specifically within Kubernetes clusters, including pattern analysis, remediation suggestions and detailed reports – throughout the entire lifecycle, starting with continuous integration and through to production. Learn more about protecting your Kubernetes platform from multiple attack vectors with the K8SHIELD™ Framework here.
Read more about: 🔗︎
[[https://www.portshift.io/blog/k8shield-mitre-attck-framework/|Protection from Multiple Attack Vectors]] [[https://www.portshift.io/blog/can-you-detect-kubernetes-runtime-vulnerabilities/|Detecting Runtime Vulnerabilities]] [[https://www.portshift.io/blog/kubernetes-multi-cluster-service-mesh/|Securing a multi-cluster service mesh]] Or check our guide on how to Implement Kubernetes Security