Written by: Vikram Navali, Senior Technical Product Manager
As more enterprises adopt a containerized approach for applications, protecting those containers becomes crucial. Containers provide virtualization for microservice-based applications regardless of whether the target environment is a private data center or a public cloud.
One potential drawback of containerization is a lack of isolation from the host OS. Unlike a VM, which is abstracted from the host by a hypervisor, application containers share the host OS kernel, so security experts warn that an adversary who breaks out of a container has easier access to the entire system. Common container threats are:
- Allowing unauthorized access across containers, hosts, or data centers
- Malware that scans internal systems for sensitive data from a compromised container
Below are some examples of container attacks:
- The Kinsing malware attack used a misconfigured Docker API port to instantiate another container
- CVE-2016-5195 (Dirty COW), a Linux kernel vulnerability that also affects containers sharing the host kernel
- CVE-2018-1002105, a Kubernetes privilege escalation vulnerability
- MongoDB and ElasticSearch ransomware attacks against vulnerable application containers
- New zero-day attacks on a container
The Attivo Networks ThreatDirect containers provide solutions for container environments across on-premises and cloud infrastructures, independent of attack vectors. ThreatDirect containers detect network-based attacks and provide visibility into suspicious activity. Most public cloud providers, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, have embraced container technology, using container software such as Docker and Kubernetes. The following sections discuss how deploying ThreatDirect containers helps protect a container infrastructure.
Deploying ThreatDirect containers in an isolated pod
ThreatDirect containers can be deployed as a dedicated container in a Kubernetes pod or as a Docker container. Consider a Kubernetes-orchestrated environment, as illustrated below. When adversaries compromise a pod, they tend to seek out other pods that are reachable from it. During such lateral movement, the adversary engages with a ThreatDirect container, which generates an alert.
Deploying Deflect in Kubernetes nodes
With the increase in east-west traffic generated by containers and microservices, there are more opportunities to compromise an application and the container infrastructure. The Attivo Networks Endpoint Detection Net (EDN) Deflect function alerts on attacker reconnaissance as attackers scan for ports and services to exploit on Kubernetes nodes. The Deflect function detects fingerprinting attempts and redirects both inbound and outbound connection attempts to decoys for engagement.
Deploying deceptive breadcrumbs in production containers
The Attivo ThreatDefend® platform provides a REST API for downloading deceptive credentials. DevOps teams can download these deceptive credentials (decoy AWS IAM access keys, decoy database credentials, and others) through the REST API and deploy them as part of production workloads. Once inside the network, attackers scan for credentials they can use to exfiltrate data from databases, file servers, storage buckets, and other targets. The ThreatDefend® platform monitors for and detects any use of the decoy credentials.
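The breadcrumb workflow described above (seed decoy credentials into a workload, then alert when any of them is used anywhere) as an added Python example. This is not Attivo Networks code and does not call the ThreatDefend REST API: the decoy inventory, the pod labels and the sample log lines are constructed placeholders, and in a real deployment the inventory would be fed from the deception platform and the detector from cloud audit and database logs.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class DecoyCredential:
    kind: str        # what the decoy imitates, e.g. "aws_access_key"
    identifier: str  # the value that shows up in logs whenever the decoy is used
    planted_in: str  # workload the breadcrumb was seeded into (hypothetical label)


# Constructed decoy inventory; the values are placeholders, not real credentials.
# In a real deployment this list would be downloaded from the deception platform.
DECOYS = (
    DecoyCredential("aws_access_key", "AKIADECOYEXAMPLE0001", "pod/orders-api"),
    DecoyCredential("db_user", "svc_reporting_decoy", "pod/reporting-worker"),
)

# Constructed sample log lines: two CloudTrail-style JSON events and two
# PostgreSQL auth lines. 10.0.3.12 is a normal workload; 10.0.7.44 is the host
# that picked up the breadcrumbs and tried them.
SAMPLE_LOG = [
    '{"eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAPRODEXAMPLE9999"},"sourceIPAddress":"10.0.3.12"}',
    'postgres: LOG:  connection authorized: user=app_orders database=orders from 10.0.3.12',
    '{"eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIADECOYEXAMPLE0001"},"sourceIPAddress":"10.0.7.44"}',
    'postgres: FATAL:  password authentication failed for user "svc_reporting_decoy" from 10.0.7.44',
]

_IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def render_decoy_env(decoys: Iterable[DecoyCredential]) -> str:
    """Render the decoys as a .env-style breadcrumb to drop into a workload.

    Only the identifier needs to be searchable later; the secret half is a
    placeholder whose only job is to make the file look like a real leak."""
    lines = []
    for d in decoys:
        if d.kind == "aws_access_key":
            lines.append(f"AWS_ACCESS_KEY_ID={d.identifier}")
            lines.append("AWS_SECRET_ACCESS_KEY=decoy-secret-placeholder")
        elif d.kind == "db_user":
            lines.append(f"DB_USER={d.identifier}")
            lines.append("DB_PASSWORD=decoy-secret-placeholder")
    return "\n".join(lines) + "\n"


def source_of(line: str) -> str:
    """Best-effort source address: JSON events carry sourceIPAddress,
    free-text lines are searched for a 'from <ip>' fragment."""
    try:
        event = json.loads(line)
    except ValueError:
        match = _IP_RE.search(line)
        return match.group(1) if match else "unknown"
    if isinstance(event, dict):
        return event.get("sourceIPAddress", "unknown")
    return "unknown"


def scan_log_lines(lines, decoys) -> list:
    """Return one alert per log line that mentions a decoy identifier.

    No legitimate workload ever uses a decoy, so every match is an alert,
    whether or not the attempt succeeded: a failed login still proves the
    breadcrumb was read, and planted_in tells you which workload was touched."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        for d in decoys:
            if d.identifier in line:
                alerts.append({
                    "line": lineno,
                    "kind": d.kind,
                    "planted_in": d.planted_in,
                    "source": source_of(line),
                })
    return alerts


def suspicious_sources(alerts) -> set:
    """Distinct addresses that used any decoy, for containment or investigation."""
    return {a["source"] for a in alerts}


if __name__ == "__main__":
    print(render_decoy_env(DECOYS))
    for alert in scan_log_lines(SAMPLE_LOG, DECOYS):
        print("ALERT", alert)
```

The detector matches on the searchable identifier only (access key ID, user name), never on the secret, so the log pipeline never has to see real secrets; and because the decoys are unique per workload, a hit also identifies which pod the adversary read the breadcrumb from.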
It is hard for any traditional security solution to protect against adversaries, especially in a container environment. By deploying the Attivo Networks ThreatDirect container and Deflect solutions, an enterprise can enjoy the benefits of containerized applications without sacrificing security.
For additional information, please visit https://attivonetworks.com/solutions/threat-detection/cloud/.