
Highlights from Datadog Security Labs in 2023

January 4, 2024

We launched Datadog Security Labs in July 2022 as a dedicated place to publish actionable and innovative security content for the practitioner community. In 2023, our first full calendar year, we kept busy with open source projects, research into emerging threats and vulnerabilities, and educational content.

In this post, we look at the highlights from Security Labs in 2023.

Open source security tools

Here’s a look at the open source releases we made this year.

KubeHound

We open sourced KubeHound, an internal project used by our adversary emulation team to identify attack paths in Kubernetes clusters.

Sample attack path generated by KubeHound

The project’s website, kubehound.io, contains a reference of dozens of common Kubernetes attack techniques, as well as information on how to reproduce and prevent them.

Managed Kubernetes Auditing Toolkit (MKAT)

At KubeCon EU 2023 in Amsterdam, we released MKAT, an easy-to-use toolkit for identifying common flaws in managed Kubernetes environments.

MKAT allows you to easily visualize which Kubernetes workloads have AWS permissions through IAM Roles for Service Accounts and EKS Pod Identity

Since then, we've added support for the recently released EKS Pod Identity feature and made several improvements.

HTTP Agnostic Software Honeypot (HASH)

Honeypots are a popular way to gather threat intelligence from attackers who run mass or targeted exploitation over the internet.

In May 2023, we open sourced an internal project, HASH, that serves as a highly configurable and modular honeypot framework. Our security research team actively uses HASH to identify exploitation of vulnerabilities in the wild—see for instance our analysis of exploitation in the wild of the Confluence CVE-2023-22515 vulnerability—and we were happy to present it at BlackHat Arsenal MEA.

Doubling down on existing projects

We strongly believe that open source is about not only releasing new projects but also caring for and developing a community around existing ones. We continued to support our open source projects in 2023 by:

Security research

After publishing our first State of AWS Security in 2022, we were excited to release our first State of Cloud Security in 2023, analyzing the security posture of thousands of AWS, Azure, and Google Cloud environments.

One of our findings from the State of Cloud Security 2023, comparing network exposure across cloud providers

We also released a research project analyzing the (in)security of AWS IAM roles using OpenID Connect (OIDC) for GitHub Actions. Through our research, we identified a number of vulnerable organizations and even helped the UK government remediate a vulnerability that allowed us to retrieve credentials to one of their AWS accounts.

National Cyber Security Centre (NCSC) challenge coin, graciously provided by the UK government following our research
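The misconfiguration class behind that OIDC research is easy to state and easy to check: a role trust policy that federates the GitHub OIDC provider but never pins the token's `sub` claim (or pins it with a pattern any repository satisfies) can be assumed by a workflow in any GitHub repository. The following checker is an added example written for this post, not code from the research project or from MKAT; the account ID, organization and repository names in the two sample policies are constructed, and the "attacker" probe string used to test `sub` patterns is an assumption of the example.

```python
"""Trust-policy check for IAM roles that federate GitHub Actions through OIDC.

Added example, not code from Datadog's research. It encodes the
misconfiguration class that research into GitHub Actions OIDC roles turns on:
a trust policy for the GitHub OIDC provider whose Condition does not pin the
token's `sub` claim (or pins it with a pattern any repository can satisfy),
so a workflow in any GitHub repository can call AssumeRoleWithWebIdentity on
the role. The account ID, org and repo names below are constructed samples.
"""
import fnmatch
import json

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC_ISSUER}:sub"
AUD_KEY = f"{GITHUB_OIDC_ISSUER}:aud"
# Constructed sample account; not a real AWS account.
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_ISSUER}"


def github_oidc_trust_policy(extra_conditions=None):
    """Build a trust policy that lets the GitHub OIDC provider assume the role.

    `extra_conditions` is merged into the Condition block, e.g.
    {"StringLike": {SUB_KEY: "repo:example-org/example-repo:*"}}.
    """
    condition = {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}}
    for operator, pairs in (extra_conditions or {}).items():
        condition.setdefault(operator, {}).update(pairs)
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    })


# Weak: audience is checked, but nothing restricts which repository minted the token.
WEAK_POLICY = github_oidc_trust_policy()

# Hardened: `sub` pinned to one repository and branch (constructed names).
HARDENED_POLICY = github_oidc_trust_policy(
    {"StringLike": {SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"}}
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_github_oidc_findings(policy_json):
    """Return a list of findings for statements that let GitHub OIDC assume the role.

    An empty list means every such statement pins both `aud` and `sub`
    to something an arbitrary repository cannot satisfy.
    """
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if not any(GITHUB_OIDC_ISSUER in arn for arn in federated):
            continue  # not a GitHub OIDC statement

        condition = stmt.get("Condition", {})
        # Gather every constraint on aud/sub regardless of operator
        # (StringEquals, StringLike, ForAnyValue:StringLike, ...).
        sub_patterns, aud_seen = [], False
        for pairs in condition.values():
            if not isinstance(pairs, dict):
                continue
            for key, value in pairs.items():
                if key.lower() == SUB_KEY.lower():
                    sub_patterns.extend(_as_list(value))
                elif key.lower() == AUD_KEY.lower():
                    aud_seen = True

        if not aud_seen:
            findings.append(f"statement {i}: no {AUD_KEY} condition")
        if not sub_patterns:
            findings.append(
                f"statement {i}: no {SUB_KEY} condition; "
                "any GitHub repository can assume this role"
            )
            continue
        for pattern in sub_patterns:
            # IAM StringLike wildcards (*, ?) behave like shell globs here; a pattern
            # that a token from an unrelated repository satisfies is as bad as none.
            probe = "repo:attacker-org/attacker-repo:ref:refs/heads/main"
            if fnmatch.fnmatchcase(probe, pattern):
                findings.append(
                    f"statement {i}: {SUB_KEY} pattern {pattern!r} "
                    "matches tokens from arbitrary repositories"
                )
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_github_oidc_findings(policy) or ["no findings"])
```

Run it against the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) for every role in an account to find the same class of exposure in your own environment; an org-scoped pattern such as `repo:example-org/*` passes the check, while `repo:*` or a missing `sub` condition does not.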

Finally, we published our first analysis of AWS threat actors, based on CloudTrail logs from real AWS production environments.

Vulnerability research

We discovered and disclosed several vulnerabilities in cloud providers' environments, including:

We also published an analysis and proof of concept for a Windows command injection vulnerability in Kubernetes.

Educational security content

Securing a piece of technology starts by understanding it from the inside out. That's why in 2023, we launched Container security fundamentals, a hands-on, six-part series that dives into the inner workings of containerized workloads. Each of these posts also comes with an associated interactive YouTube video.

Since most containers today run in the cloud, we also released four pieces of content specifically targeted at better understanding, defending, and attacking managed Kubernetes environments:

Last but not least, we released the Cloud Security Atlas, a curated and actionable encyclopedia of common cloud security misconfigurations and attacks.

Public speaking

We shared our work with the community at multiple conferences in 2023, including fwd:cloudsec, KubeCon EU, BlackHat, and ATT&CKcon.

Nick Frichette, from the Datadog Security Research team, at BlackHat US 2023

We've also had a lot of fun participating in the Cloud Security Podcast on several occasions.

Refer to our About page for our full list of talks.

What's next

We have a number of projects in the works for 2024. In particular, we plan to release more hands-on cloud security content and analysis of cloud attacks in the wild.

Stay tuned! You can subscribe to our RSS feed here, or use this direct Feedly link.
