Warping the Defence Timeline: Non-disruptive Proactive Attack Mitigation for Kubernetes Clusters

ICC 2023 - IEEE International Conference on Communications (2023)

Abstract
Despite being the de facto standard among container orchestrators, Kubernetes reportedly suffers from security vulnerabilities and misconfigurations that may lead to severe security threats to the containerized environments it manages. Mitigating such threats based on alerts raised by existing security monitoring solutions (e.g., Falco) can be challenging. First, acting on every alert can cause unacceptable service disruption, as many such alerts may turn out to be false positives. Second, having administrators validate each alert before acting may render the mitigation too late to prevent irreversible damage, e.g., denial of service. In this paper, we propose a non-disruptive proactive mitigation approach to address those limitations. Our main idea is to proactively trigger mitigation ahead of an attack to prevent irreversible damage, while designing the mitigation actions to be non-disruptive to avoid any service disruption caused by false alerts. We implement and integrate our approach with Kubernetes, and show its effectiveness and efficiency.
Keywords
Attack mitigation, container, Kubernetes