Help Shape ATT&CK for Containers

Written by Jen Burns

One of the questions that pops up often for the MITRE ATT&CK® team is whether or not we have considered expanding ATT&CK to cover container technologies such as Kubernetes and Docker. We’ve heard your need for coverage in this space, and we’re thrilled to announce that in partnership with the Center for Threat-Informed Defense, the ATT&CK team is now investigating adversarial behavior in containers for potential inclusion in ATT&CK. If we find that there’s enough adversary behavior in containers to warrant ATT&CK coverage, we’ll consider that content for a future ATT&CK release.

There have been some excellent efforts executed across industry to research and publish what threats and vulnerabilities may exist in technologies such as Kubernetes and Docker and how to attack and defend these and related spaces. Since ATT&CK is based on real-world “in the wild” adversary behaviors, our investigation is focused specifically on gathering intelligence on what adversaries are actually doing with these technologies versus what researchers and red teams can do.

We also understand that the definition of “containers” can be fairly vast, so at this point we’re interested in what adversaries are doing across anything related to containers. For example, we’d be interested in how they gain initial access through the orchestration layer, evade defenses within a container, move laterally across a pod, or any other technique related to the containers space.

With that in mind — we need your help! Do you have visibility or knowledge of what real adversaries are doing in any facet of the containers space and want to engage with the ATT&CK team or submit contributions? If so, please let us know at attack@mitre.org. We’re also interested in your opinions on how container-related techniques in ATT&CK should be represented. Should we just consider adding a Kubernetes matrix, for example, or should we divide the orchestration layer and container layer into separate matrices? Let us know what you think! We look forward to engaging with you, and thank you for helping us continue to improve ATT&CK for the entire community.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2020 MITRE Engenuity. Approved for Public Release. Document number CT0013.