Running misconfigured containers in Prod or any environment can lead to vulnerable scenarios, e.g. running privileged containers, running without security restrictions like AppArmor, or containers running as root.
An attacker might exploit an application vulnerability to compromise a container and, with enough elevated privileges, might be able to break into the underlying host kernel space.
And eventually move laterally to other containers sharing the same host kernel space and, say, start running miners in all production containers.
Container forensics is challenging – one of the many reasons being the short-lived nature of containers. That's how containers are supposed to be.
However, we can audit for these security misconfigurations and remediate them proactively before a compromise actually takes place.
We can use more complex osquery statements to audit for Docker open sockets.
And as we have seen from our previous examples – open sockets might lead to pretty interesting information.
For proactive threat-hunting, we might want to do an outlier analysis beyond a baseline of known good.
E.g. a newly seen process is running out of an unexpected file path and reaching out to a first-seen set of IP addresses – not necessarily malicious, but it gives you an interesting subset of information to investigate further.
And this is not just related to containers; we can apply the same logic to more conventional environments as well.
But what if none of these security flaws were detected or remediated and an attacker has been able to compromise and gain access to a container?
Let's try to put ourselves in the attacker's shoes.
The attacker might want to download more malicious code into the container – or, say, try to install and start running a miner.
And he might just use a command like "curl" or "wget" to do so.
And if this is not a command line that's expected in your runtime environment – that might just give you a very critical heads-up that some anomaly has just happened in your container environment.
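To make the audit and the runtime heads-up concrete, here is an added set of osquery queries (my example, not from the talk) covering the misconfigurations above (privileged, no AppArmor, root), Docker open sockets, and curl/wget executing inside a container. Table and column names follow the osquery schema (docker_containers, docker_container_processes, process_open_sockets); the allowlisted addresses and tool names are assumptions you would tune to your environment.

```sql
-- 1. Privileged containers, and containers whose security options list
--    no AppArmor profile. Caveat: Docker's implicit default profile is not
--    reported in security_options, so an empty value means "not explicitly
--    set" and must be confirmed on the host, not treated as proof of absence.
SELECT name, image, privileged, security_options
FROM docker_containers
WHERE state = 'running'
  AND (privileged = 1
       OR COALESCE(security_options, '') NOT LIKE '%apparmor%');

-- 2. Processes running as root (uid 0) inside any running container.
SELECT c.name AS container, p.pid, p.name, p.cmdline, p.uid
FROM docker_containers c
JOIN docker_container_processes p USING (id)
WHERE c.state = 'running'
  AND p.uid = 0;

-- 3. Docker open sockets: container processes with an established remote
--    endpoint. Feed the (container, path, remote_address) tuples into your
--    known-good baseline; anything first-seen is the outlier to investigate.
SELECT c.name AS container, p.name AS process, p.cmdline,
       s.local_port, s.remote_address, s.remote_port, s.state
FROM docker_containers c
JOIN docker_container_processes p USING (id)
JOIN process_open_sockets s ON s.pid = p.pid
WHERE c.state = 'running'
  AND s.remote_address NOT IN ('', '0.0.0.0', '::', '127.0.0.1', '::1');

-- 4. Download tooling executed inside a container: the curl/wget heads-up.
--    Extend the IN list with whatever is unexpected in your runtime image.
SELECT c.name AS container, p.pid, p.name, p.cmdline, p.user
FROM docker_containers c
JOIN docker_container_processes p USING (id)
WHERE c.state = 'running'
  AND p.name IN ('curl', 'wget');
```

Scheduled in osqueryd (for example, the last two queries every 60 seconds with differential logging), only new rows are emitted, which is exactly the "first-seen" signal the outlier analysis is built on.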
As we approach the concluding part of the talk, I want to reiterate that everything we have discussed today is not necessarily limited to just osquery.
We can extrapolate the detection mechanisms and apply them to any commercial EDR tool that you might be running, or even better, build your own framework and open-source it.
It's basically unleashing the power of open source and contributing to it – so that we, as a community, can be a step ahead of the bad guys.