Nullcon is probably the oldest security conference happening in India - the first memories I have of it are writing a paper / presentation for the 2014 CFP, way back in late 2013. However, it's another story that I never sent it out.
When I joined my current company in early 2014, I saw that they were sending people to the training sessions - I got kicked out of the list in the first year as I was the “new joiner”. The subsequent year, I had a team and I sent people from my team for the next 3-4 years.
This time, post-pandemic, I decided I had to go. And boy, what an adventure it was.
The Training
Since we were attending on company dime, I could only choose a training that was linked to the day job - which meant only two options. The DevSecOps one (which I felt was elementary) or the Kubernetes security one (which I felt would be more relevant). So, Kubernetes it was.
The training was a 3-day course delivered by Madhu Akula, who has been doing great work in the Docker / k8s security field for a while now. Looking at the training topics (here) I knew it would be jam-packed, but it turns out that was an understatement.
Day 1 started a little slowly - the first half of the day was spent doing introductions, lab setup (which was deployed on DigitalOcean) and a basic K8s 101 session - exploring the Kubernetes architecture and the advantages of using k8s, followed by exploring the deployed cluster with kubectl. Each student was given their own private cluster in the cloud to use for the labs over the course of the next few days.
Post lunch on the first day, things started moving at warp speed. The training fully moved to a challenge / scenario based methodology where we were introduced to each scenario, which essentially described our attack vector for achieving the objective. Once this was done, we spent 15-20 min actually trying to perform the attack, and then spent another 30 min discussing / reviewing the entire attack chain.
The following attacks were covered on day 1:
- Attacking the supply chain by exploiting a private registry, where we obtained a repo API key from the registry metadata and used it to upload a custom image.
- Attacking the supply chain by attacking a CI/CD pipeline, where we were able to obtain the registry credentials from the build logs of the pipeline.
Looking at the topics, I had a feeling that day 2 was going to be packed - and I had a very hard time keeping up with the pace of the class by lunchtime. I was severely challenged and was barely able to keep up with the information flowing in. We covered a variety of attacks on day 2:
- Cluster misconfigurations and exploiting the cluster
- Insecure defaults
- Container-to-host escape techniques
- Bypassing network security policies and gaining unauthorized access to other microservices
- Privilege escalation / bypassing RBAC
- Exploiting k8s secrets and gaining access to third-party services
By the end of Day 2, I felt so drained out mentally (in a good way though) that I went back to the hotel and ordered room service and switched off - my brain just couldn’t function!
Day 3 was a little better as I could make some sense of the training. We covered:
- Gaining access to k8s volumes and logs and searching for secrets / sensitive data
- Lateral movement from within a container to a node, and then gaining complete cluster access
- Leveraging an SSRF vulnerability in an app deployed in a cluster to gain complete access to the cluster
- Persisting access within a cluster
- Miscellaneous defense evasion techniques
- Helm / Tiller bypass and cluster takeover
- Defensive techniques for the various attack scenarios - a number of tools / audit benchmarks were discussed to ensure that deployments have their defenses turned up rather than relying on the defaults
My Take on the Training
One word - Awesome! Never in the recent past have I been so mentally challenged - I was almost brain dead by the end of each day, but kept pushing myself to understand the concepts and scenarios. Given the limitation of having to choose a training that was relevant to my $day_job, I think it was time well spent. I would gladly spend this time (and money) to go through similar trainings again. There has been so much to unpack that I'm looking forward to taking some time off at the end of the year to go through the entire training at my own pace.
A few things could have made this even better:
- The class had mixed experience with k8s - some of them were newbies like me, while others had actively worked on scenarios similar to those discussed in the class. This resulted in more pressure to keep up with the pace. The trainer could have published a list of pre-exercises or pre-reading to get people up to speed if required.
- There was so much material packed into three days that it could easily have been converted to a 4-day session. I believe that would have been a good duration, with 3 days of offensive techniques and one day of defensive techniques.
- We spent only the last half of Day 3 on defensive techniques - which really did not give us an opportunity to go as in-depth as we did with the offensive techniques.
The Conference
The conference had a huge number of people coming in - I had a hard time choosing which talks to attend, because most of them were interesting and I could be in only one conference room at a time :). Here is the list of talks I attended over the two days:
- Do we get stuff done? We don’t get stuff done? Or do we? Or will we, maybe? Soon?
- A Kernel Hacker Meets Fuchsia OS
- Hacking Fintech Crime: Realities and Possibilities in India
- A New Secret Stash For Fileless Malware
- A UEFI firmware bootkit in the wild
- Elevating The TrustZone To Achieve A Powerful Android Kernel Exploit
- Jailbreaking iOS in the post-apocalyptic era
- The Different Faces Of macOS Malware: Detecting Anomalies In A Poisoned Apple
- Raining CVEs On WordPress Plugins With Semgrep
- Peeling Back The Onion: Taking Security Onion Into Battle
- Deep Dive: Red Team Test Operations
My Take on the Conference
Stellar talks; I got an awesome glimpse of the current state of affairs in many fields (both related to work and to personal interest areas). As always, some things could have been done better:
- The venue was too small to handle the number of invitees to the conference: most of the conference rooms were packed and I was rarely able to get a seat.
- Some of the workshops (the Security Onion one, for example) required VMs to be set up. While the presenter had a USB drive to distribute these, the talk was over by the time the drive had gone around the room. Had we been informed of this in advance, we could have had it set up beforehand and spent the time actually on the content.
- The networking party was hosted outdoors and the rain played spoilsport - while most of the crowd found it enjoyable, I personally would have preferred an indoor location with a bigger area.
So that was it - 5 days spent completely away from work, immersed in such a deep learning experience. An awesome experience, and I would absolutely go back again whenever the opportunity presents itself!