Kubernetes Nightmare of Vulnerabilities & Building Detection Engineering Excellence

Critical Kubernetes vulnerabilities (CVSS score 9.8 🫣 ) threaten thousands of clusters while detection engineering practices gain importance as more vulnerabilities continue to get announced. Learn how to protect your environment from IngressNightmare CVEs and implement Detection as code strategies from Google Cloud's security experts.

Hello from the Cloud-verse!

Building Detection Engineering in Google Cloud

In case this is your first Cloud Security Newsletter: you are in good company!
You are reading this issue along with friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter and, like you, want to learn what’s new in Cloud Security each week from their industry peers, as do the many others who listen to Cloud Security Podcast & AI CyberSecurity Podcast every week.

Welcome to this week's edition of the Cloud Security Newsletter!

Mini Announcement for the Newsletter!
We now cover Cloud Security News too - yes! Many of you asked for it, and as requested we've curated several critical security updates, including major Kubernetes vulnerabilities, one of which is rated with a CVSS v3.1 base score of 9.8 (translation: it demands your immediate attention if it applies to your environment).

We're still diving into guest insights from the Cloud Security Podcast. This week the topic is detection engineering in cloud environments, with insights from seasoned practitioners. Our featured expert is David French, Staff Adoption Engineer for Security at Google Cloud, who brings valuable perspectives on implementing detection as code practices in Google Cloud. We're complementing his expertise with insights from Kat Traxler, a GCP security specialist focused on bug hunting and cloud security engineering.

THIS WEEK'S SECURITY NEWS

🚨 "IngressNightmare" Critical Vulnerabilities in Kubernetes Ingress NGINX Controller

Wiz Research has discovered multiple critical vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974) in the Ingress NGINX Controller for Kubernetes, collectively dubbed "IngressNightmare." These unauthenticated remote code execution vulnerabilities could allow attackers to gain unauthorized access to all secrets across all namespaces in a Kubernetes cluster, potentially leading to complete cluster takeover. According to Wiz's research, approximately 43% of cloud environments are vulnerable, with over 6,500 clusters, including those of Fortune 500 companies, publicly exposing vulnerable admission controllers to the internet. More information: Wiz Blog, Kubernetes Security Blog

Why this matters: If you're using Kubernetes with ingress-nginx, especially in production environments, update to version 1.12.1 or 1.11.5 immediately. As Kubernetes adoption continues to grow to host AI workloads, the security of these fundamental components becomes increasingly critical. This serves as a stark reminder that even widely adopted open-source projects can contain significant security flaws.

🔒 Entra ID Restricted Administrative Units Bug Could Create "Immutable" Users

Datadog Security Labs discovered and reported a bug in Microsoft Entra ID's restricted management administrative units (AUs) that could allow an attacker to create user accounts that can't be modified, deleted, or disabled—even by a Global Administrator. This vulnerability, now patched, could have been exploited by privileged attackers to protect accounts under their control, preventing containment during security incidents. The bug was remediated on February 22, 2025, after being reported to Microsoft in August 2024. More information: Datadog Security Labs Blog

Why this matters: Identity is the most important layer of cloud, AI and much else. This vulnerability highlights the importance of understanding privilege separation in cloud identity systems. Even with the fix in place, administrators should review their Entra ID configurations regularly, particularly their administrative unit implementations, to ensure access controls and permission levels are appropriate.

⚠️ CVE-2025-1767: Another GitRepo Volume Vulnerability in Kubernetes

A new security vulnerability, CVE-2025-1767, has been disclosed in Kubernetes' gitRepo volume type. This flaw allows users who can create pods with gitRepo volumes to access any other git repository on the node where the pod is deployed. While situational, this vulnerability could expose sensitive information in environments where git repositories are stored on nodes. More information: Raesene’s Blog

Why this matters: No patch will be provided for this vulnerability because gitRepo volumes are deprecated, yet they remain enabled by default with no built-in mechanism to disable them. Organizations should mitigate by removing git from nodes where it isn't needed, or by implementing Validating Admission Policies that restrict gitRepo volume usage. Note: the whole feature is slated for removal in 1.33, which isn't too bad given it has been deprecated since 1.11! If you are not on an older version you can ignore this CVE 🙂
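Before enforcing an admission policy that rejects gitRepo volumes, it helps to know which existing workloads would be caught. The script below is an added example (not from the newsletter, Raesene's post or the Kubernetes project): it applies the same predicate such a Validating Admission Policy would enforce, "no pod template may declare a gitRepo volume", to plain Python dicts, so it runs offline over exported manifests (the items of `kubectl get all -A -o json`). It goes slightly beyond a single Pod check by walking the pod template inside the built-in workload kinds (Deployment, CronJob and so on). The sample objects, names and repository URLs are constructed.

```python
"""Find deprecated gitRepo volumes in Kubernetes workload objects.

Added example, not from the newsletter or the Kubernetes project. It applies
the predicate a ValidatingAdmissionPolicy would enforce ("no pod template may
declare a gitRepo volume") to plain dicts, so it can be run offline over
exported manifests to find the workloads such a policy would reject.
The sample objects at the bottom are constructed, not from a real cluster.
"""
import json
from typing import Any, Dict, List, Tuple

# Path to the pod spec inside each built-in workload kind. Assumption: custom
# resources that embed pod templates are out of scope here.
_POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def _dig(obj: Any, path: Tuple[str, ...]) -> Any:
    """Follow a key path through nested dicts; None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def gitrepo_volumes(obj: Dict[str, Any]) -> List[str]:
    """Names of gitRepo volumes declared by a workload object (empty if none)."""
    path = _POD_SPEC_PATHS.get(obj.get("kind", ""))
    if path is None:  # Service, ConfigMap, unknown kinds: nothing to check
        return []
    pod_spec = _dig(obj, path) or {}
    volumes = pod_spec.get("volumes") or []
    return [v.get("name", "<unnamed>") for v in volumes
            if isinstance(v, dict) and "gitRepo" in v]


def admission_verdict(obj: Dict[str, Any]) -> Tuple[bool, str]:
    """The decision an admission policy would return for one object."""
    names = gitrepo_volumes(obj)
    if names:
        return False, "gitRepo volumes are deprecated and not allowed: " + ", ".join(names)
    return True, "ok"


def audit(objects: List[Dict[str, Any]]) -> List[Tuple[str, str, str, str]]:
    """(namespace, kind, name, volume) for every gitRepo volume in a list of objects."""
    rows = []
    for obj in objects:
        meta = obj.get("metadata", {})
        for vol in gitrepo_volumes(obj):
            rows.append((meta.get("namespace", "default"), obj.get("kind", "?"),
                         meta.get("name", "?"), vol))
    return rows


# Constructed sample objects, shaped like kubectl JSON output (not a real cluster).
SAMPLE_ITEMS: List[Dict[str, Any]] = [
    {"kind": "Pod", "metadata": {"name": "legacy-build", "namespace": "ci"},
     "spec": {"containers": [{"name": "build", "image": "example/build:1"}],
              "volumes": [{"name": "src", "gitRepo": {"repository": "https://example.invalid/repo.git"}}]}},
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "web", "image": "example/web:2"}],
         "volumes": [{"name": "cache", "emptyDir": {}},
                     {"name": "content", "gitRepo": {"repository": "https://example.invalid/site.git"}}]}}}},
    {"kind": "CronJob", "metadata": {"name": "nightly", "namespace": "batch"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {
         "containers": [{"name": "job", "image": "example/job:3"}],
         "volumes": [{"name": "scratch", "emptyDir": {}}]}}}}}},
    {"kind": "Service", "metadata": {"name": "web", "namespace": "prod"}, "spec": {"ports": []}},
]

if __name__ == "__main__":
    for ns, kind, name, vol in audit(SAMPLE_ITEMS):
        print(f"{ns}/{kind}/{name}: gitRepo volume '{vol}'")
    print(json.dumps(admission_verdict(SAMPLE_ITEMS[0])))
```

Run it against real output by loading the `items` array from `kubectl get all -A -o json` and passing it to `audit()`; an empty result means the policy can be enforced without breaking anything currently deployed.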

CLOUD SECURITY TOPIC OF THE WEEK

Detection Engineering in the Cloud: Building Scalable and Resilient Security Controls

  • David French: Staff Adoption Engineer for Security at Google Cloud

  • Kat Traxler: Principal Security Researcher at Vectra AI

Definitions and Core Concepts 📚

Before diving into the analysis, let's clarify some key terms referenced throughout the discussion:

  • Detection as Code: Applying software development practices to the creation and management of detection content, including version control, peer review, CI/CD, and testing.

  • PaaS (Platform as a Service): Cloud services that provide platforms for customers to develop, run, and manage applications without the complexity of building and maintaining infrastructure.

  • Administrative Units (AUs): In Entra ID, AUs provide a way to delegate administrative permissions over subsets of users and apply policies to specific groups.

  • Admission Controllers: Kubernetes components that intercept requests to the Kubernetes API server before object persistence, used to validate or modify requests.

This week's issue is sponsored by Tines

The new IDC Voice of Security 2025 results are in! On March 26, join Tines and AWS for an in-depth look at the most important findings from the 900+ security leaders surveyed, including:

🔸 How AI and automation are transforming security strategies

🔸 The biggest challenges leaders face - and what’s holding them back

🔸 What drives job satisfaction (and frustration) in security leadership

🔸 Where tooling helps vs. where it’s adding to the pain

🔸 What leaders look for when hiring security analysts

🧠 Our Insights from These Practitioners

1 - The Evolution and Importance of Detection Engineering in 2025

Detection engineering has emerged as a critical discipline within cloud security, combining traditional security monitoring with software development practices. David French highlights that detection engineering isn't just about writing alerts—it's about treating your detection capabilities with the same rigor as your preventative controls.

"We're not just writing detection rules for fun. We need to treat them as being just as important as our preventative controls." - David French

David warns that without proper controls, security teams risk inconsistent implementation of their detection capabilities:

"If you've got people logging into security tools and are able to create, update, or delete your detective security controls like on a whim or without any testing or approval, that's something that detection as code addresses." - David French

Insight Learned - This perspective marks a key maturity evolution in cloud security: moving from ad-hoc, UI-based security monitoring to structured, version-controlled, and peer-reviewed detection capabilities.

2 - Starting with Detection Engineering in Google Cloud

For organizations starting their detection engineering journey in Google Cloud, David recommends beginning with understanding the core logging capabilities:

  1. Understand available logs: Start with Google Cloud audit logs, which provide the who, what, when, and where of activities in your environment.

    • Admin activity logs (always enabled) capture important changes like service account key creation

    • Data access audit logs capture API calls when accessing resources

  2. Be strategic about log ingestion: Don't ship everything to your SIEM.
    "If you're looking for a needle in a haystack and you're just onboarding everything, just background noise of systems just existing and doing their thing, you're just making that haystack even bigger." - David French

  3. Leverage existing detection content: Google SecOps provides curated detections developed by Google Threat Intelligence with specific log requirements.

  4. Identify common threat patterns: Focus initial detection efforts on high-value areas:

    • Reverse shells in compute instances

    • Infrastructure changes outside CI/CD processes

    • Disabled audit logging

    • Service account key creation and usage

Insight Learned - There is no detection without logs. Starting with even the most fundamental logs is a great way to begin building a detection engineering practice, irrespective of cloud provider.

3 - Detection Challenge with Cloud Security (not just GCP)

Kat Traxler provides complementary insights on the nuances of cloud services, particularly when examining "as a service" offerings, e.g. Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Function as a Service (FaaS). She distinguishes between "old school" and "new school" PaaS:

"The old school ones are definitely ones where, let's say you hit the button that says I would like one cloud composer instance please, and you'll be able to interact with all of that via the cloud composer API, but that's running on some compute instances and you can also interact with those compute instances via the API for compute." - Kat Traxler

Insight Learned - This distinction is crucial for detection engineering, as the visibility into and control over these cloud services vary significantly between service models such as IaaS, PaaS and FaaS. The more abstracted the service, the more you need to rely on API and control plane logging rather than the underlying infrastructure.

4 - Steps to a Mature Detection as Code Pipeline

David outlines a practical approach to implementing detection as code:

  1. Take inventory of existing detection content: Understand what you currently have in your environment

  2. Consolidate into a single source of truth: Pull everything into a code repository

  3. Implement change control processes: Define how changes are tested, reviewed, and approved

  4. Test before deploying: Simulate attacker behavior in a controlled environment to validate detections

  5. Monitor rule effectiveness: Track detection efficacy and tune as necessary

"You write it, you own it in that sense. I would probably monitor that detection for a week or two...I'm getting alerts from that for maybe one project or two projects in Google Cloud. I'm tuning it based on what's normal for my organization." - David French
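To make the pipeline above and the threat patterns from section 2 concrete, here is an added example in Python (not from the newsletter, Google SecOps or David French's own tooling). Three of the patterns, service account key creation, audit logging being disabled and infrastructure changes outside CI/CD, are written as rules that each carry an owner, a version and their own true-positive and benign sample events. `validate_rules()` is the "test before deploying" gate a CI job would run on every pull request to the detection repository, and `alert_volume()` is the per-rule count you would watch for a week or two while tuning. The events are constructed in the shape of Cloud Audit Log entries (`protoPayload.serviceName`, `methodName`, `authenticationInfo.principalEmail`, `serviceData.policyDelta`); the pipeline identity, the list of mutating Compute verbs and every sample value are assumptions, not taken from any real environment.

```python
"""Detection rules as code for Google Cloud audit logs.

Added example, not from the newsletter, Google SecOps or David French's own
tooling. Three threat patterns become rules that carry an owner, a version
and their own true-positive / benign sample events; validate_rules() is the
"test before deploying" CI gate and alert_volume() the per-rule count to watch
while tuning. Events are constructed in the shape of Cloud Audit Log entries;
the CI/CD principal, the verb list and all sample values are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]
# Assumption: the pipeline identity is the only one allowed to change infrastructure.
CICD_PRINCIPALS = {"deploy-pipeline@example-project.iam.gserviceaccount.com"}
MUTATING_COMPUTE_VERBS = {"insert", "delete", "setMetadata", "addAccessConfig"}

# Field accessors for the audit-log shape (missing fields read as empty strings).
def _proto(ev): return ev.get("protoPayload", {})
def principal(ev): return _proto(ev).get("authenticationInfo", {}).get("principalEmail", "")
def method(ev): return _proto(ev).get("methodName", "")
def service(ev): return _proto(ev).get("serviceName", "")


@dataclass
class Rule:
    name: str
    owner: str
    version: str
    predicate: Callable[[Event], bool]
    true_positives: List[Event] = field(default_factory=list)  # must fire
    benign: List[Event] = field(default_factory=list)          # must not fire


def sa_key_created(ev: Event) -> bool:
    """Admin Activity log: a user-managed service account key was created."""
    return (service(ev) == "iam.googleapis.com"
            and method(ev) == "google.iam.admin.v1.CreateServiceAccountKey")

def audit_config_removed(ev: Event) -> bool:
    """SetIamPolicy whose policy delta removes an audit config (less logging)."""
    delta = _proto(ev).get("serviceData", {}).get("policyDelta", {})
    return (method(ev) == "SetIamPolicy"
            and any(d.get("action") == "REMOVE" for d in delta.get("auditConfigDeltas", [])))

def infra_change_outside_cicd(ev: Event) -> bool:
    """Mutating Compute Engine call by any principal other than the pipeline."""
    return (service(ev) == "compute.googleapis.com"
            and method(ev).rsplit(".", 1)[-1] in MUTATING_COMPUTE_VERBS
            and principal(ev) not in CICD_PRINCIPALS)


def _event(svc: str, meth: str, who: str, **extra: Any) -> Event:
    """Constructed audit-log-shaped event (protoPayload only)."""
    payload: Dict[str, Any] = {"serviceName": svc, "methodName": meth,
                               "authenticationInfo": {"principalEmail": who}, **extra}
    return {"protoPayload": payload}

RULES: List[Rule] = [
    Rule("gcp_sa_key_created", "detect-eng@example.com", "1.0.0", sa_key_created,
         true_positives=[_event("iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey", "alice@example.com")],
         benign=[_event("iam.googleapis.com", "google.iam.admin.v1.GetServiceAccountKey", "alice@example.com")]),
    Rule("gcp_audit_config_removed", "detect-eng@example.com", "1.1.0", audit_config_removed,
         true_positives=[_event("cloudresourcemanager.googleapis.com", "SetIamPolicy", "bob@example.com",
                                serviceData={"policyDelta": {"auditConfigDeltas": [
                                    {"action": "REMOVE", "service": "allServices", "logType": "DATA_READ"}]}})],
         benign=[_event("cloudresourcemanager.googleapis.com", "SetIamPolicy", "bob@example.com",
                        serviceData={"policyDelta": {"bindingDeltas": [
                            {"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]}})]),
    Rule("gcp_infra_change_outside_cicd", "platform-sec@example.com", "0.3.0", infra_change_outside_cicd,
         true_positives=[_event("compute.googleapis.com", "v1.compute.instances.insert", "carol@example.com")],
         benign=[_event("compute.googleapis.com", "v1.compute.instances.insert",
                        "deploy-pipeline@example-project.iam.gserviceaccount.com"),
                 _event("compute.googleapis.com", "v1.compute.instances.get", "carol@example.com")]),
]


def validate_rules(rules: List[Rule]) -> List[str]:
    """CI gate: metadata present, both sample kinds present, every sample classified
    correctly. Returns failure messages; an empty list means the change may merge."""
    failures: List[str] = []
    for r in rules:
        if not r.owner or not r.version:
            failures.append(f"{r.name}: owner and version are required")
        if not r.true_positives or not r.benign:
            failures.append(f"{r.name}: needs a true-positive and a benign sample")
        failures += [f"{r.name}: missed true positive {method(e)}" for e in r.true_positives if not r.predicate(e)]
        failures += [f"{r.name}: fired on benign {method(e)}" for e in r.benign if r.predicate(e)]
    return failures

def evaluate(rules: List[Rule], events: List[Event]) -> List[Tuple[str, str, str]]:
    """Run the rule set over an event stream; one (rule, principal, method) per hit."""
    return [(r.name, principal(e), method(e)) for e in events for r in rules if r.predicate(e)]

def alert_volume(alerts: List[Tuple[str, str, str]]) -> Counter:
    """Alerts per rule, the number to watch for a week or two before trusting a rule."""
    return Counter(name for name, _, _ in alerts)

# Constructed stream: every rule's own samples replayed as if they were live logs.
SAMPLE_STREAM: List[Event] = [e for r in RULES for e in r.true_positives + r.benign]

if __name__ == "__main__":
    print("rule tests:", validate_rules(RULES) or "PASS")
    print(dict(alert_volume(evaluate(RULES, SAMPLE_STREAM))))
```

The design choice worth copying is that each rule ships with its own samples: a pull request that changes a predicate cannot merge unless the samples still classify correctly, which is the peer-reviewed, tested change control the section describes, and the benign samples (the pipeline identity creating instances, a read-only `get` call) are where the "what's normal for my organization" tuning lives.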

5 - Key Skills for Modern Detection Engineers

The skills required for effective detection engineering have evolved beyond traditional SOC analyst capabilities. David describes the modern detection engineer as someone who:

  1. Has the "defender's mindset" and can explore logs to identify suspicious behavior

  2. Understands data quality and can work with various data sources

  3. Has intermediate knowledge of software engineering practices

  4. Can write code to stitch together APIs and automate processes

  5. Understands CI/CD pipelines and version control systems

"Detection engineering is a discipline where you care about data, the quality of your data. You care about picking apart attacker tactics, techniques, and procedures, how to simulate them." - David French

Kat adds that understanding the cloud provider's identity models is particularly important. For example, she notes that Google Cloud's identity approach differs significantly from AWS:

"The more I've learned about GCP, the dumber I've gotten about AWS, there's just so much you have to unlearn. There's so many concepts you have to unlearn to get in the mindset of what IAM means in Google." - Kat Traxler

6 - Building Detection Team Capabilities Through Collaboration

Both experts emphasize the importance of collaboration across technical specialties. David suggests:

"I think practitioners with kind of unique experiences and skill sets will always make the best detections. So you might have someone who's an amazing network engineer, someone who knows Windows Endpoint and Attacker Tradecraft there, someone who knows Google Cloud, AWS... you can't know it all, right?" - David French

Kat recommends making friends with your engineers and admins to understand normal behavior:

"Get them on a call and workshop. Hey what's your day job? What are the five things that should absolutely not happen? They'll say, oh, okay. We don't allow service account key creation, or maybe we do from a couple of accounts..." - Kat Traxler

This collaborative approach leads to more effective detection capabilities that accurately reflect the organization's environment and expected behaviors.

Question for you (reply to this email):

What’s your opinion on the recent Kubernetes Security Vulnerability?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

We would love to hear from you 📢 with a feature or topic request, or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members of this newsletter community 💙

Peace!

Was this forwarded to you? You can Sign up here, to join our growing readership.

Want to sponsor the next newsletter edition? Let's make it happen

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

Check out our sister podcast AI Cybersecurity Podcast