Container Security Threats Added to MITRE Attack Framework

Aqua Security is building a Container Framework that will be incorporated into a larger cybersecurity framework that MITRE Corp created to help organizations better defend themselves against cyberattacks.

Assaf Morag, lead data analyst for the Team Nautilus research team at Aqua Security, says the company will contribute to a set of cloud security methodologies by detailing attack vectors and methods used against cloud-native application environments.

Specifically, company researchers will reveal how cybercriminals use exploits and other methods to build their own malicious images on hosts, abuse privilege escalations and evade defenses by, for example, disabling or modifying security tools. Those exploits and methods are discovered using the Dynamic Threat Analysis (DTA) security software developed by the company.

Over the last several months, Aqua Security published a series of container security reports detailing those threats. The latest report finds that it can take less than an hour to exploit vulnerable container infrastructure. Botnets are swiftly finding and infecting new hosts as they become vulnerable, with 50% of misconfigured Docker APIs being attacked within 56 minutes of being set up.

Attackers have also amplified their use of evasion and obfuscation techniques such as packing the payloads, running malware straight from memory and using rootkits, the report finds.

On average, daily attacks grew 26% between the first half and second half of 2020, with 40% of attacks involving either creating backdoors on the host, dropping dedicated malware, creating new users with root privileges and creating SSH keys for remote access.

Cryptocurrency mining is still the most common objective: more than 90% of the malicious images execute resource hijacking. While many consider the hijacking of compute resources to mine for cryptocurrencies to be the digital equivalent of a nuisance crime, these attacks make use of vulnerabilities that can be exploited later to, for example, compromise a software supply chain.

Interest in securing software supply chains has risen sharply in the wake of a spate of high-profile breaches. A large portion of new applications are being constructed using containers running on Kubernetes platforms, which has served to heighten awareness of the need to better secure these applications both as they are built and also deployed in production environments. It’s already been demonstrated that a single malware-infested container can take over an entire host environment.

The typical container only runs for a few seconds, so many developers assume that’s not long enough for a cybercriminal to exploit. However, as more stateful containerized applications are deployed, many containers are starting to run for longer periods of time before being ripped and replaced as part of an application update cycle.

As more organizations embrace DevSecOps best practices, it’s clear they are hoping to shift more responsibility for application security left toward developers. However, there simply may not be enough time to train developers and implement those practices before the existing software supply chain is compromised. As a result, cybersecurity teams, for now, at least, are taking the lead when it comes to container security. The hope is that one day, they’ll be able to count on DevOps teams to assume more of the application security burden than many do today.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1158 posts and counting. See all posts by Mike Vizard