# Full Report
Bridge the gap between Platform and Security teams with unified inventory and network visibility across Kubernetes clusters.
## Analysis Summary
This article focuses on security visibility and inventory management within Kubernetes environments using Wiz's capabilities (KBOM and Network Graph). As such, it does not detail specific malware families, external attack tools, or offensive TTPs in the traditional sense. Instead, the techniques discussed relate to asset management, vulnerable component identification, and network flow analysis used for defensive monitoring and risk correlation. The summary below treats each described capability as a 'technique' for gaining visibility.
# Tool/Technique: Kubernetes Bill of Materials (KBOM)
## Overview
The Kubernetes Bill of Materials (KBOM) is a capability designed to provide teams with a complete, unified inventory of all technologies, workloads, and objects running across Kubernetes clusters. Its primary purpose is to bridge visibility gaps, especially concerning unmanaged or "shadow" resources that fall outside standard deployment pipelines, thereby enabling comprehensive risk assessment.
## Technical Details
- Type: Technique (Inventory/Visibility)
- Platform: Kubernetes Clusters
- Capabilities: Provides instant visibility into technologies (e.g., Istio, Envoy, PostgreSQL, Ingress-NGINX), identifies version drift, and correlates component risks with other findings (e.g., exposed identities).
- First Seen: Not explicitly stated, but correlated with the remediation need following the *IngressNightmare* vulnerabilities.
## MITRE ATT&CK Mapping
Since KBOM is a defensive inventory mechanism, direct offensive mappings are limited. However, the *ability to identify* components relates to the analysis phase.
- [TA0012 - Collection]
  - [T1552 - Unsecured Credentials] (KBOM helps identify components that might house or improperly handle credentials)
  - [T1546.008 - Event Triggered Execution] (Identifying vulnerable deployed software that could be exploited)
- [TA0009 - Collection]
  - [T1552.006 - Searching Open Cloud Content Stores] (Identifying configuration flaws or sensitive data exposures within the inventory context)
## Functionality
### Core Capabilities
- **Instant Inventory:** Lists every workload, object, and technology deployed in the cluster, including manually installed Helm charts or Custom Resource Definitions (CRDs).
- **Vulnerability Correlation:** Links discovered risks within listed technologies (like specific software versions) with adjacent findings (like exposed identities) to surface "toxic combinations."
- **Version Drift Detection:** Highlights clusters running older, potentially vulnerable versions of software components compared to peers.
### Advanced Features
- **Shadow Resource Identification:** Uncovers resources operating outside of managed pipelines.
- **Risk Prioritization:** Provides context around identified risks based on asset inventory, facilitating effective prioritization and remediation.
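The inventory, version-drift and correlation capabilities listed above can be illustrated with a small script. This is an added example, not Wiz's code or KBOM output: the per-cluster inventory records, the `source` field used to mark components installed outside the managed pipeline, and the exposed-identity finding are all constructed assumptions for illustration.

```python
"""Added example (not Wiz's code): a minimal KBOM-style inventory analysis.

The record shape, the 'source' marker and the exposed-identity data are
assumptions made for illustration, not a real KBOM export format.
"""

# Constructed sample inventory: one record per component per cluster.
# 'source' marks how the component arrived ("pipeline" = managed deployment
# path; anything else = installed outside the managed pipeline).
INVENTORY = [
    {"cluster": "prod-eu", "component": "ingress-nginx", "version": "1.11.5", "source": "pipeline"},
    {"cluster": "prod-us", "component": "ingress-nginx", "version": "1.9.6",  "source": "pipeline"},
    {"cluster": "dev-eu",  "component": "ingress-nginx", "version": "1.11.5", "source": "helm-manual"},
    {"cluster": "prod-eu", "component": "postgresql",    "version": "16.3",   "source": "pipeline"},
    {"cluster": "prod-us", "component": "postgresql",    "version": "16.3",   "source": "pipeline"},
    {"cluster": "dev-eu",  "component": "istio",         "version": "1.22.0", "source": "crd-manual"},
]

# Constructed adjacent finding: workloads whose identity (service account
# token or cloud role) is exposed, keyed by (cluster, component). Assumption.
EXPOSED_IDENTITIES = {("prod-us", "ingress-nginx")}


def parse_version(version):
    """Turn '1.11.5' into a comparable tuple (1, 11, 5)."""
    return tuple(int(part) for part in version.split("."))


def version_drift(inventory):
    """Return {(cluster, component): (running, newest_peer)} for every cluster
    that runs an older version of a component than the newest version seen
    in any peer cluster."""
    newest = {}
    for rec in inventory:
        comp = rec["component"]
        if comp not in newest or parse_version(rec["version"]) > parse_version(newest[comp]):
            newest[comp] = rec["version"]
    drift = {}
    for rec in inventory:
        if parse_version(rec["version"]) < parse_version(newest[rec["component"]]):
            drift[(rec["cluster"], rec["component"])] = (rec["version"], newest[rec["component"]])
    return drift


def shadow_resources(inventory):
    """Components that were not deployed through the managed pipeline."""
    return sorted((r["cluster"], r["component"]) for r in inventory if r["source"] != "pipeline")


def toxic_combinations(inventory, exposed):
    """Drifted (older-version) components that also carry an exposed identity:
    the combination that deserves the first remediation slot."""
    return sorted(key for key in version_drift(inventory) if key in exposed)


if __name__ == "__main__":
    print("version drift:", version_drift(INVENTORY))
    print("shadow resources:", shadow_resources(INVENTORY))
    print("toxic combinations:", toxic_combinations(INVENTORY, EXPOSED_IDENTITIES))
```

The drift check compares each cluster against the newest version observed among its peers rather than against a vendor feed, which is exactly the "compared to peers" signal described above; a real inventory would add a vulnerability feed to turn "older than peers" into "older and affected".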
## Indicators of Compromise
This capability focuses on identifying *vulnerable components* within the environment, not traditional network IOCs of active malware.
- File Hashes: N/A (Focus is on deployed software versions)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on summarizing state, not active threats)
- Behavioral Indicators: Identifying specific software running, such as **Ingress-NGINX** at vulnerable versions.
## Associated Threat Actors
Threat actors are not directly associated with this defensive tool. However, the analysis addresses risks exploited by threat actors targeting common Kubernetes components, such as those leveraging the **IngressNightmare** vulnerabilities (CVEs related to Ingress-NGINX).
## Detection Methods
- **Signature-based detection:** Identifying known software components and versions in the inventory listing.
- **Behavioral detection:** Detecting version discrepancies (drift) between similar clusters.
- **YARA rules if available:** N/A (This is an inventory system, not a pattern matching engine for malicious binaries)
## Mitigation Strategies
- **Patch Management:** Immediately identifying and prioritizing upgrades/patches for components showing version drift.
- **Configuration Management:** Ensuring all resources conform to established deployment pipelines to eliminate shadow IT.
- **Risk Correlation:** Using the analysis to address "toxic combinations" of vulnerabilities and exposed configurations.
## Related Tools/Techniques
- Software Bill of Materials (SBOM) generation for application components.
- Container image scanning tools.
- Configuration as Code (CaC) validation.
---
# Tool/Technique: Wiz Network Graph for Kubernetes
## Overview
The Network Graph, powered by the Wiz Runtime Sensor, visualizes communication paths between running Kubernetes deployments and external/internal services (e.g., AI platforms, messaging queues, SaaS applications). Its purpose is to turn the often opaque networking layer of Kubernetes into auditable evidence, allowing security teams to map traffic flows and secure inter-service communication.
## Technical Details
- Type: Tool/Technique (Network Visibility/Mapping)
- Platform: Kubernetes Deployments across clusters and regions.
- Capabilities: Visualizes communication flows, identifies open ports, detects cross-region traffic, and ties network flows back to specific workloads.
- First Seen: Not explicitly stated, noted as an "update" to existing Wiz visibility.
## MITRE ATT&CK Mapping
This technique directly aids in identifying command-and-control channels, data exfiltration pathways, and unintended ingress/egress.
- [TA0010 - Exfiltration]
  - [T1048 - Exfiltration Over Alternative Protocol] (By mapping external connections)
- [TA0011 - Command and Control]
  - [T1102 - Web Service] (Identifying connections to external C2 infrastructure)
- [TA0005 - Defense Evasion]
  - [T1090 - Proxy] (Identifying unexpected external connections that might signal tunnel usage)
## Functionality
### Core Capabilities
- **Communication Path Mapping:** Shows which deployments communicate internally and externally, including the location of open ports.
- **Traffic Flow Analysis:** Visualizes how traffic moves across clusters and regions.
- **Configuration Validation:** Helps confirm that segmentation policies and ingress/egress access controls are functioning correctly.
### Advanced Features
- **Unexpected Activity Detection:** Highlights external connections or cross-region traffic that deviates from established expected patterns.
- **Root Cause Acceleration:** Provides the ability to trace suspicious network activity directly back to the originating workload.
## Indicators of Compromise
This capability focuses on summarizing communication metadata, not specific threat identifiers.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Identification of communication patterns, such as:
  - Any Kubernetes deployment communicating with an **external AI model on the internet**.
  - **Cross-region traffic** that deviates from expected baselines.
- Behavioral Indicators: Unintended layer 7 traffic flows or **open ports** visible only at the deployment level.
## Associated Threat Actors
N/A (This is a monitoring/visibility feature designed to detect activity by any threat actor leveraging non-compliant networking).
## Detection Methods
- **Signature-based detection:** Defining expected baseline communication patterns for automated anomaly flagging.
- **Behavioral detection:** Alerting on communication flows that match known risky patterns (e.g., egress to unknown external IPs).
- **YARA rules if available:** N/A
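The communication-path mapping and unexpected-activity detection described under Functionality, and the baseline-driven detection methods listed above, can be shown together on summarized flow records. This is an added example, not Wiz's code or Runtime Sensor output: the flow record shape, the region labels, the cluster address range, the per-deployment approved destinations and the AI-provider hostname watchlist are all constructed assumptions.

```python
"""Added example (not Wiz's code): flagging unexpected Kubernetes egress and
cross-region traffic from summarized flow records, and tracing each finding
back to the originating workload. All data and field names are constructed."""
import ipaddress

# Constructed flow summaries: source workload -> destination host/IP/port.
# dst_region is None for destinations outside the organisation's regions.
FLOWS = [
    {"cluster": "prod-eu", "region": "eu-west-1", "deployment": "checkout",
     "dst": "payments.prod-eu.svc.cluster.local", "dst_ip": "10.32.4.7",
     "dst_region": "eu-west-1", "port": 8443},
    {"cluster": "prod-eu", "region": "eu-west-1", "deployment": "search",
     "dst": "model-api.example.com", "dst_ip": "203.0.113.10",
     "dst_region": None, "port": 443},
    {"cluster": "prod-eu", "region": "eu-west-1", "deployment": "reporting",
     "dst": "warehouse.prod-us.svc.cluster.local", "dst_ip": "10.64.2.9",
     "dst_region": "us-east-1", "port": 5432},
    {"cluster": "prod-eu", "region": "eu-west-1", "deployment": "checkout",
     "dst": "queue.example.net", "dst_ip": "198.51.100.5",
     "dst_region": None, "port": 5671},
]

# Assumed baseline: external destinations approved per deployment, plus a
# watchlist of hosted AI model endpoints that always warrant review.
APPROVED_EXTERNAL = {"checkout": {"queue.example.net"}}
AI_PROVIDER_HOSTS = {"model-api.example.com"}
# Assumed cluster/VPC address space; anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    """True when the destination sits inside the assumed internal address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return the list of finding labels for one flow (empty list = expected)."""
    findings = []
    if not is_internal(flow["dst_ip"]):
        if flow["dst"] in AI_PROVIDER_HOSTS:
            findings.append("external-ai-model")
        if flow["dst"] not in APPROVED_EXTERNAL.get(flow["deployment"], set()):
            findings.append("unapproved-egress")
    elif flow["dst_region"] and flow["dst_region"] != flow["region"]:
        findings.append("cross-region")
    return findings


def review(flows):
    """Attach every finding to the workload that produced the flow, which is
    the starting point for root-cause work."""
    report = []
    for flow in flows:
        labels = classify(flow)
        if labels:
            report.append({
                "workload": f"{flow['cluster']}/{flow['deployment']}",
                "dst": f"{flow['dst']}:{flow['port']}",
                "findings": labels,
            })
    return report


if __name__ == "__main__":
    for item in review(FLOWS):
        print(item)
```

The two baselines play the roles named in the detection methods: the approved-destination map is the expected-pattern baseline whose violations are flagged, and the AI-provider watchlist is the known-risky pattern that fires regardless of approval status, so a single flow can carry both labels.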
## Mitigation Strategies
- **Network Segmentation:** Utilizing flow visibility to configure and validate strict Kubernetes Network Policies.
- **Egress Filtering:** Closing unintended routes and blocking or restricting external connections that are not required for business operations (e.g., filtering connections to unknown external AI models).
- **Access Control Validation:** Confirming that intended access controls (like service meshes) are effectively enforcing segmentation.
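The segmentation and egress-filtering mitigations above amount to turning a reviewed flow baseline into enforced policy and then checking observed flows against it. The script below is an added example, not Wiz's code: the baseline records and the cluster DNS address are constructed assumptions, while the manifest it emits follows the standard `networking.k8s.io/v1` NetworkPolicy schema.

```python
"""Added example (not Wiz's code): turning an approved egress baseline into a
Kubernetes NetworkPolicy manifest and replaying observed flows against it.
The baseline and the DNS address are constructed assumptions."""
import ipaddress
import json

# Constructed, already-reviewed egress baseline for one deployment:
# the destinations it legitimately needs, as (cidr, protocol, port).
BASELINE = {
    "namespace": "shop",
    "deployment": "checkout",
    "app_label": "checkout",
    "allowed": [
        ("10.32.4.7/32", "TCP", 8443),     # payments service inside the cluster
        ("198.51.100.5/32", "TCP", 5671),  # approved external message queue
    ],
}
DNS_CIDR = "10.96.0.10/32"  # assumption: the cluster DNS service address


def build_egress_policy(baseline):
    """Default-deny egress for the selected pods, then allow only the baseline
    destinations plus cluster DNS. Listing 'Egress' in policyTypes with explicit
    rules is what makes everything not listed denied."""
    rules = [
        {"to": [{"ipBlock": {"cidr": cidr}}],
         "ports": [{"protocol": proto, "port": port}]}
        for cidr, proto, port in baseline["allowed"]
    ]
    rules.append({
        "to": [{"ipBlock": {"cidr": DNS_CIDR}}],
        "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
    })
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{baseline['deployment']}-egress",
                     "namespace": baseline["namespace"]},
        "spec": {
            "podSelector": {"matchLabels": {"app": baseline["app_label"]}},
            "policyTypes": ["Egress"],
            "egress": rules,
        },
    }


def flow_allowed(policy, dst_ip, proto, port):
    """Replay one observed flow against the generated policy: True only if some
    egress rule covers both the destination address and the protocol/port."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in policy["spec"]["egress"]:
        in_cidr = any(addr in ipaddress.ip_network(peer["ipBlock"]["cidr"])
                      for peer in rule["to"] if "ipBlock" in peer)
        port_ok = any(p["protocol"] == proto and p["port"] == port for p in rule["ports"])
        if in_cidr and port_ok:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_egress_policy(BASELINE), indent=2))
```

Replaying the observed graph through `flow_allowed` before applying the policy shows which current flows the segmentation would break, which is the validation step the mitigation list calls for. One caveat: the example uses `ipBlock` for the in-cluster payments destination to stay short, but pod IPs are not stable, so for in-cluster peers a `podSelector` or `namespaceSelector` rule is the idiomatic choice.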
## Related Tools/Techniques
- Kubernetes Network Policies enforcement.
- Service Mesh observability tools (e.g., tracing ingress/egress based on Envoy/Istio data).
- Cloud Native Application Protection Platform (CNAPP) network visualization.